Status: Live
The organization will maintain a standard and appropriate procedures to ensure the continuity of third party services. [UCF ID 00797]
Supporting and supported controls
This control directly supports:
- Management of third party services [UCF Control ID 00789]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj F.2; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-6, Exam Tier I Obj 8.8; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 24; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 35; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 6.1; Record retention SEC 17 CFR 240.17Ad-7, § 240.17Ad-7(f)(5)(ii); CobiT 4.1, DS2.3; The Standard of Good Practice for Information Security, SM6.7.5(c); ISO 17799:2005 Code of Practice for Information Security Management, § 10.2.1; ISO/IEC 27002-2005 Code of practice for information security management, § 10.2.1; OECD / World Bank Technology Risk Checklist, Version 7.3, § II.42; Canadian Marketing Association Code of Ethics and Standards of Practice, § I14.3; Archer Control Table, ATCS-397
Banking and Finance Guidance
[Exam Tier II Obj F.2, FFIEC IT Examination Handbook – Audit, August 2003]
Alternate forms of communications should be established for downloading, uploading, and accessing information in a timely manner to ensure continuity of services. [Pg C-6, Exam Tier I Obj 8.8, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The service provider contract should include provisions for changing and updating the contract, as needed, due to changes in the economic environment, regulations, competition, and other factors not in the contract. [Pg 24, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
The service provider should have a continuity plan to provide for the restoration of service in an acceptable timeframe. [Pg 35, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
[Exam Tier II Obj 6.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
NASD NYSE Guidance
[§ 240.17Ad-7(f)(5)(ii), Record retention SEC 17 CFR 240.17Ad-7]
ISO Guidance
The third party should have controls in place to maintain the agreed upon levels of service in the event of a major failure or disaster. [§ 10.2.1, ISO 17799:2005 Code of Practice for Information Security Management]
The third party should have controls in place to maintain the agreed upon levels of service in the event of a major failure or disaster. [§ 10.2.1, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
The organization should identify and mitigate risks relating to suppliers’ ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure contracts conform to universal business standards in accordance with legal and regulatory requirements. Risk management should further consider nondisclosure agreements (NDAs), escrow contracts, continued supplier viability, conformance with security requirements, alternative suppliers, penalties and rewards, etc. [DS2.3, CobiT 4.1]
Outsource providers should have a continuity plan in place. [SM6.7.5(c), The Standard of Good Practice for Information Security]
EU Guidance
[§ II.42, OECD / World Bank Technology Risk Checklist, Version 7.3]
UK and Canadian Guidance
The organization should ensure changes in the agreement require new consent from both parties. [§ I14.3, Canadian Marketing Association Code of Ethics and Standards of Practice]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
