Establish and maintain procedures for establishing, maintaining, and terminating outsourcing contracts.

UCF ID: 00796
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain a policy regarding management of third party services. [UCF Control ID 00789]

There are no supporting controls.

Authority documents complied with:

AICPA/CICA Privacy Framework, ID 1.2.3, ID 10.2.3; AICPA Suitable Trust Services Principles and Criteria, ¶ .29 § 3.2, ¶ .29 § 3.3; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj C.1, Exam Tier II Obj F.1, Exam Tier II Obj F.2; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg E-7; FFIEC IT Examination Handbook – Management, Pg 37; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 12, Exam Tier I Obj 3.4, Exam Tier II Obj C.1, Exam Tier II Obj C.2; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 35, Pg 36, Exam Tier I Obj 3.5, Exam Tier I Obj 4.4; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 7-102; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, Exhibit 7; CobiT, Version 4.1, AI5.2; The Standard of Good Practice for Information Security, SM6.7.6; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 39; North Carolina Statutes Chapter 75 Article 2A. Identity Theft Protection Act § 75-60 through § 75-66, § 75-64(c); EU Directive on Data Protection, 95/46/EC, Unofficial Translation, Art 17.3, Art 17.4; Austria Data Protection Act, § 11; Czech Republic Personal Data Protection Act, April 4, 2000, Art 6; France Data Processing, Data Files and Individual Liberties, Art 35; Hungary Protection of Personal Data and Disclosure of Data of Public Interest, Art 4/A(4); Iceland Protection of Privacy as regards the Processing of Personal Data, Art 13; Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, Art 22(3); ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data, Art 12.2; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCIT-1; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 5.6.1, § 5.6.5; Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress, § 302(d)(2), § 401(a), § 401(b), § 403(b)

Banking and Finance Guidance

[Exam Tier II Obj C.1, Exam Tier II Obj F.1, Exam Tier II Obj F.2, FFIEC IT Examination Handbook – Audit, August 2003]

The outsourcing contract should include the third party's responsibilities for maintaining and testing the continuity plan. The organization should consider the following questions when contracting with third-party recovery services: How much system time is available for processing? How many third-party technical support staff will be made available? Does the organization have a guaranteed spot at the back-up site in case of an emergency? Does the recovery site have the hardware and software needed by the organization? Can the organization perform testing at the recovery site? If other organizations use the alternate site, does the provider ensure the confidentiality of information? Does the site have appropriate telecommunications services? Does the site have space for the organization's employees? Does the site maintain files and forms and have an adequate number of printers for business functions? Who is authorized to initiate the backup? How much lead time does the third party require? [Pg E-7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The organization should have contracts with all outsource providers. The contracts should include assurances for performance, confidentiality, security, reliability, and reporting. [Pg 37, FFIEC IT Examination Handbook – Management]

Before signing a contract, the organization should ensure the contract clearly defines the rights and responsibilities of both parties; includes adequate and measurable service level agreements; includes the pricing method; does not contain provisions that have an adverse impact on the organization; and has been reviewed by the legal department. [Pg 12, Exam Tier I Obj 3.4, Exam Tier II Obj C.1, Exam Tier II Obj C.2, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

The organization should ensure third party contracts have provisions that enable operations to be conducted appropriately. The provisions should also define acceptable access to the organization's system and state what the potential liabilities are for fraud or processing errors. [Pg 35, Pg 36, Exam Tier I Obj 3.5, Exam Tier I Obj 4.4, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

Outsourcing contracts should be robust and clearly allocate each party's responsibilities. [¶ 39, BIS Sound Practices for the Management and Supervision of Operational Risk]

US Federal Security Guidance

The prime contractor must ensure a "Contract Security Classification Specification" is included in every classified subcontract. [§ 7-102, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities. [DCIT-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

US Federal Privacy Guidance

When a business entity subject to Subtitle A of Title III of this Act uses a service provider that is not subject to Subtitle A of Title III of this Act, it must contractually require that the service provider implement and maintain security measures that meet the objectives and requirements of Sections 301 and 302 and Subtitle B of Title III. The Administrator of the General Services Administration (GSA), when considering a contract award for more than $500,000 with a data broker, must evaluate the data broker's data privacy and security program to ensure personally identifiable information is kept private and secure, including whether the program addresses security and privacy threats caused by malicious code or software or the use of peer-to-peer file sharing software; the data broker's compliance with its data privacy and security program; the extent to which systems and databases that contain personally identifiable information have been compromised in the past by security breaches; and the data broker's responses to security breaches, including the efforts to mitigate the impact of the security breach. If the data broker complies with or provides protection that is equal to industry standards as identified by the Federal Trade Commission and applicable to personally identifiable information involved in the ordinary course of the data broker's business, its data privacy and security program will be deemed sufficient for purposes of the GSA evaluation (Section 401(a)). Notwithstanding other provisions of law, Federal agencies may not enter into contracts with data brokers to access fee-based databases that consist primarily of personally identifiable information about United States persons (other than telephone directories or news reports), unless the head of the agency or department (1) completes a privacy impact assessment under Section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note) and includes a description of the database, the data broker's name, and the dollar amount of the contract for using the database; (2) develops regulations that specify the personnel who are permitted to analyze, access, or use the database; the standards for access, analysis, or use of the databases; the standards for ensuring the personally identifiable information accessed, used, or analyzed is the minimum necessary to accomplish the legitimate purpose of the Federal agency; the standards to limit the redisclosure and retention of the personally identifiable information collected from the database; the procedures to ensure accuracy, relevance, completeness, and timeliness standards are met; the security and auditing measures for protecting the data against unauthorized access, analysis, use, or modification; the mechanisms individuals have to secure timely redress of adverse consequences incurred due to access, use, or analysis of the databases; the mechanisms for enforcing and independently overseeing existing or planned policies, procedures, or guidelines; and the outline of mechanisms to enforce accountability for protecting the public and individuals against illegitimate or unlawful access to or use of databases; and (3) incorporates provisions into contracts or agreements that total more than $500,000 that provide for penalties for failing to comply with Title III of this Act or for providing the Federal department or agency inaccurate information that the entity knows or has reason to know is inaccurate, and incorporates provisions that require data brokers who hire service providers who are not subject to Subtitle A of Title III to exercise due diligence in selecting service providers, to take reasonable steps to select and retain service providers that are capable of maintaining safeguards for the security, privacy, and integrity of personally identifiable information, and to require, by contract, that service providers implement and maintain appropriate measures to meet the requirements and objectives of Title III of this Act. The aforementioned penalties do not apply to a data broker who provides information that has been accurately and completely recorded from a public record source. [§ 302(d)(2), § 401(a), § 401(b), § 403(b), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress]

US Internal Revenue Guidance

This exhibit is a sample contract for contractors who might have access to Federal Tax Information. [Exhibit 7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

US State Laws and Protectorates Guidance

Businesses may use another party to destroy personal information if, after due diligence, they enter into a written contract and monitor the other party's compliance. Due diligence includes one or more of the following: reviewing an independent audit of the disposal business' compliance with this statute or of its operations; gaining information from several references or reliable sources and requiring the disposal company to be certified; and reviewing and evaluating the disposal business' information security policies or procedures, or taking other measures to determine the disposal business' competency and integrity. [§ 75-64(c), North Carolina Statutes Chapter 75 Article 2A. Identity Theft Protection Act § 75-60 through § 75-66]

ISO Guidance

Service providers could have outsourcing arrangements with vendors on a temporary or permanent basis, and because they have a lesser degree of control over those vendors, greater emphasis should be placed on selecting and managing outsourced vendors. This emphasis includes ensuring vendor awareness of the service provider's particular business needs; more stringent contractual agreements; more frequent periodic reviews of the outsourced arrangements; a review of the vendor's security controls; and a review of the quality of the vendor's staff. Outsourcing arrangements should not affect the service provider's ability to fulfill its services. The service provider retains primary responsibility for the service; that responsibility cannot be transferred to outsourced parties. Service providers should regularly audit the logical, physical, and other relevant security controls that are implemented by outsourced parties. [§ 5.6.1, § 5.6.5, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

All contracts should be reviewed periodically to ensure they are consistent with the privacy policies. If inconsistencies are found, they should be addressed. [ID 1.2.3, ID 10.2.3, AICPA/CICA Privacy Framework]

The organization should ensure the confidentiality requirements of the third party are included in all service contracts. The organization should have procedures in place to ensure all users are made aware of the new requirements when it makes changes to the confidentiality policy. [¶ .29 § 3.2, ¶ .29 § 3.3, AICPA Suitable Trust Services Principles and Criteria]

The organization should set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organizational, documentary, performance, security, intellectual property and termination responsibilities and liabilities (including penalty clauses). All contracts and contract changes should be reviewed by legal advisors. [AI5.2, CobiT, Version 4.1]

All security issues should be dealt with through agreed upon personnel within both the organization and the outsource provider. [SM6.7.6, The Standard of Good Practice for Information Security]

EU Guidance

Processing personal data through a processor must be governed by a legal act or contract that binds the processor to the data controller and must stipulate that the processor acts only on instructions from the data controller and that the processor implements appropriate technical and organizational security measures. The parts of the legal act or contract that relate to data protection and the technical and organizational security measures must be in writing or in another equivalent form as proof. [Art 17.3, Art 17.4, EU Directive on Data Protection, 95/46/EC, Unofficial Translation]

Other European and African Guidance

Processors have the following obligations when processing data for a data controller: to use data only in the ways instructed by the data controller; to ensure all required safety measures are implemented; to hire another processor only with the permission of the data controller; to implement the technical and organizational requirements for fulfilling the data controller's obligations regarding the rights of information, correction, and erasure; to return all processing results and documentation containing data, or to keep or destroy the data, at the end of the agreement; and to give the data controller any information necessary to ensure compliance with all obligations. This agreement must be in writing. [§ 11, Austria Data Protection Act]

The data controller must have an agreement, in writing, with the processor about the processing of personal data. The agreement must explicitly state the scope, purpose, and time period for when the processing will be concluded and guarantee that the processor will implement technical and organizational measures to secure the protection of the personal data. [Art 6, Czech Republic Personal Data Protection Act, April 4, 2000]

The data processor and the data controller must have a contract, and the contract must specify the processor's obligations regarding the protection of the confidentiality and security of the data and state that the processor may only act on instructions from the data controller. [Art 35, France Data Processing, Data Files and Individual Liberties]

All contracts for technical data processing must be concluded in writing. [Art 4/A(4), Hungary Protection of Personal Data and Disclosure of Data of Public Interest]

A data controller responsible for the data processing is allowed to contract with a third party for processing the data, in whole or in part, provided that the data controller verifies beforehand that the processor is able to implement the required security measures and conduct internal audits in accordance with Article 12. The contract between the data controller and the third party must be in writing, in duplicate, and maintained by both the data controller and the data processor. The contract must state that the processor must act only on instructions from the data controller and must fulfill the obligations of this Act with regard to the carrying out of the data processing. For processors established in another state within the European Economic Area, the contract must state that the laws and regulations of the processor's state will govern the security measures. [Art 13, Iceland Protection of Privacy as regards the Processing of Personal Data]

Processing on another's behalf must be governed by a written contract that binds the processor to the data controller, providing the processor acts only on instructions from the controller. [Art 22(3), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data]

Processing on behalf of a third party must be regulated by a contract in writing or in another form that allows its content and performance to be assessed. The contract must state that the processor may only process data in accordance with instructions from the data controller, may not use the data for other purposes, and may not communicate the data to other persons, even for preservation, and the contract must state the security measures that the processor must implement. [Art 12.2, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of known information security risks that are related to third-party relationships. [UCF Control ID 02044]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.