Status: Live
The organization will maintain a procedure for establishing, modifying and terminating contracts for all suppliers. [UCF ID 00796]
Supporting and supported controls
This control directly supports:
- Management of third party services [UCF Control ID 00789]
There are no supporting controls.
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 1.2.3, ID 10.2.3; AICPA Suitable Trust Services Principles and Criteria, ¶ .29 § 3.2, ¶ .29 § 3.3; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj C.1, Exam Tier II Obj F.1, Exam Tier II Obj F.2; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg E-7; FFIEC IT Examination Handbook – Management, Pg 37; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 12, Exam Tier I Obj 3.4, Exam Tier II Obj C.1, Exam Tier II Obj C.2; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 35, Pg 36, Exam Tier I Obj 3.5, Exam Tier I Obj 4.4; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 7-102; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, Exhibit 7; CobiT 4.1, AI5.2; The Standard of Good Practice for Information Security, SM6.7.6; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 39; Archer Control Table, ATCS-255, ATCS-395, ATCS-611; North Carolina Statutes Chapter 75 Article 2A. Identity Theft Protection Act § 75-60 through § 75-66, § 75-64(c); EU Directive on Data Protection, 95/46/EC, Unofficial Translation, Art 17.3, Art 17.4; Austria Data Protection Act, § 11; Czech Republic Personal Data Protection Act, April 4, 2000, Art 6; France Data Processing, Data Files and Individual Liberties, Art 35; Hungary Protection of Personal Data and Disclosure of Data of Public Interest, Art 4/A(4); Iceland Protection of Privacy as regards the Processing of Personal Data, Art 13; Luxembourg Data Protection Law, Art 22(3); ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data, Art 12.2
Sarbanes Oxley Guidance
All contracts should be reviewed periodically to ensure they are consistent with the privacy policies. If inconsistencies are found, they should be addressed. [ID 1.2.3, ID 10.2.3, AICPA/CICA Privacy Framework]
The organization should ensure the confidentiality requirements of the third party are included in all service contracts. The organization should have procedures in place to ensure all users are made aware of the new requirements when it makes changes to the confidentiality policy. [¶ .29 § 3.2, ¶ .29 § 3.3, AICPA Suitable Trust Services Principles and Criteria]
Banking and Finance Guidance
[Exam Tier II Obj C.1, Exam Tier II Obj F.1, Exam Tier II Obj F.2, FFIEC IT Examination Handbook – Audit, August 2003]
The outsourcing contract should include the third party's responsibilities for maintaining and testing the continuity plan. The organization should consider the following questions when contracting with third-party recovery services:
- How much system time is available for processing?
- How many third-party technical support staff will be made available?
- Does the organization have a guaranteed spot at the back-up site in case of an emergency?
- Does the recovery site have the hardware and software needed by the organization?
- Can the organization perform testing at the recovery site?
- If other organizations use the alternate site, does the provider ensure the confidentiality of information?
- Does the site have appropriate telecommunications services?
- Does the site have space for the organization's employees?
- Does the site maintain files and forms and have an adequate number of printers for business functions?
- Who is authorized to initiate the backup?
- How much lead time does the third party require?
[Pg E-7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The organization should have contracts with all outsource providers. The contracts should include assurances for performance, confidentiality, security, reliability, and reporting. [Pg 37, FFIEC IT Examination Handbook – Management]
Before signing a contract, the organization should ensure the contract clearly defines the rights and responsibilities of both parties; includes adequate and measurable service level agreements; includes the pricing method; does not contain provisions that have an adverse impact on the organization; and has been reviewed by the legal department. [Pg 12, Exam Tier I Obj 3.4, Exam Tier II Obj C.1, Exam Tier II Obj C.2, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
The organization should ensure third party contracts have provisions that enable operations to be conducted appropriately. The provisions should also define acceptable access to the organization's system and state what the potential liabilities are for fraud or processing errors. [Pg 35, Pg 36, Exam Tier I Obj 3.5, Exam Tier I Obj 4.4, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
Outsourcing contracts should be robust and clearly allocate each party's responsibilities. [¶ 39, BIS Sound Practices for the Management and Supervision of Operational Risk]
US Federal Security Guidance
The prime contractor must ensure a "Contract Security Classification Specification" is incorporated into every classified subcontract. [§ 7-102, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
US Internal Revenue Guidance
This exhibit is a sample contract for contractors who might have access to Federal Tax Information. [Exhibit 7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
US State Laws and Protectorates Guidance
Businesses may use another party to destroy personal information if, after due diligence, they enter into a written contract and monitor the other party's compliance. Due diligence includes one or more of the following: reviewing an independent audit of the disposal business' compliance with this statute or of its operations; obtaining information from several references or reliable sources and requiring the disposal business to be certified; and reviewing and evaluating the disposal business' information security policies or procedures, or taking other measures to determine its competency and integrity. [§ 75-64(c), North Carolina Statutes Chapter 75 Article 2A. Identity Theft Protection Act § 75-60 through § 75-66]
General Guidance
The organization should set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organizational, documentary, performance, security, intellectual property and termination responsibilities and liabilities (including penalty clauses). All contracts and contract changes should be reviewed by legal advisors. [AI5.2, CobiT 4.1]
All security issues should be dealt with through agreed upon personnel within both the organization and the outsource provider. [SM6.7.6, The Standard of Good Practice for Information Security]
EU Guidance
Processing personal data through a processor must be governed by a legal act or contract that binds the processor to the data controller and stipulates that the processor acts only on instructions from the data controller and implements appropriate technical and organizational security measures. The parts of the legal act or contract that relate to data protection and to the technical and organizational security measures must be in writing or in another equivalent form that can serve as proof. [Art 17.3, Art 17.4, EU Directive on Data Protection, 95/46/EC, Unofficial Translation]
Other European and African Guidance
Processors have the following obligations when processing data for a data controller: to use the data only as instructed by the data controller; to ensure all required security measures are implemented; to engage another processor only with the permission of the data controller; to implement the technical and organizational requirements needed for the data controller to fulfill its obligations regarding the rights to information, correction, and erasure; to return all processing results and documentation containing data, or to keep or destroy the data, at the end of the agreement; and to provide the data controller with any information necessary to verify compliance with all obligations. This agreement must be in writing. [§ 11, Austria Data Protection Act]
The data controller must have a written agreement with the processor about the processing of personal data. The agreement must explicitly state the scope and purpose of the processing and the period for which the agreement is concluded, and must guarantee that the processor will implement technical and organizational measures to secure the protection of the personal data. [Art 6, Czech Republic Personal Data Protection Act, April 4, 2000]
The data processor and the data controller must have a contract, and the contract must specify the processor's obligations regarding the protection of the confidentiality and security of the data and state that the processor may only act on instructions from the data controller. [Art 35, France Data Processing, Data Files and Individual Liberties]
All contracts for technical data processing must be concluded in writing. [Art 4/A(4), Hungary Protection of Personal Data and Disclosure of Data of Public Interest]
A data controller responsible for the data processing may contract with a third party to process the data, in whole or in part, provided that the data controller verifies beforehand that the processor is able to implement the required security measures and conduct internal audits in accordance with Article 12. The contract between the data controller and the third party must be in writing, in duplicate, and retained by both the data controller and the data processor. The contract must state that the processor must act only on instructions from the data controller and must fulfill the obligations of this Act with regard to carrying out the data processing. For processors established in another state within the European Economic Area, the contract must state that the laws and regulations of the processor's state govern the security measures. [Art 13, Iceland Protection of Privacy as regards the Processing of Personal Data]
Processing on another's behalf must be governed by a written contract that binds the processor to the data controller, providing the processor acts only on instructions from the controller. [Art 22(3), Luxembourg Data Protection Law]
Processing on behalf of a third party must be regulated by a contract in writing, or in another form that allows its conclusion and content to be established. The contract must state that the processor may only process data in accordance with instructions from the data controller, may not use the data for other purposes, and may not communicate the data to other persons, even for preservation; the contract must also state the security measures that the processor must implement. [Art 12.2, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of known information security risks that are related to third-party relationships [UCF Control ID 02044]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
