Ensure the continuity of third party services.

UCF ID: 00797
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain a policy regarding management of third party services. [UCF Control ID 00789]

There are no supporting controls.

Authority documents complied with:

    FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj F.2
    FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg C-6, Exam Tier I Obj 8.8
    FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 24
    FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 35
    FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 6.1
    Record retention SEC 17 CFR 240.17Ad-7, § 240.17Ad-7(f)(5)(ii)
    CobiT, Version 4.1, DS2.3
    The Standard of Good Practice for Information Security, SM6.7.5(c)
    ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 10.2.1
    ISO/IEC 27002 Code of practice for information security management, 2005, § 10.2.1
    OECD / World Bank Technology Risk Checklist, Version 7.3, § II.42
    Canadian Marketing Association Code of Ethics and Standards of Practice, § I14.3
    BS 25999-1, Business continuity management. Code of practice, 2006, § 4.5
    ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 5.11, § 7.14.7
    PAS 77 IT Service Continuity Management. Code of Practice, 2006, § 5.6 ¶ 2(g)
    Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 40, ¶ 41

Banking and Finance Guidance

[Exam Tier II Obj F.2, FFIEC IT Examination Handbook – Audit, August 2003]

Alternate forms of communications should be established for downloading, uploading, and accessing information in a timely manner to ensure continuity of services. [Pg C-6, Exam Tier I Obj 8.8, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

The service provider contract should include provisions for changing and updating the contract, as needed, due to changes in the economic environment, regulations, competition, and other factors not in the contract. [Pg 24, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

The service provider should have a continuity plan to provide for the restoration of service in an acceptable timeframe. [Pg 35, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

[Exam Tier II Obj 6.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

NASD NYSE Guidance

[§ 240.17Ad-7(f)(5)(ii), Record retention SEC 17 CFR 240.17Ad-7]

US Federal Security Guidance

¶ 40 Bank management should ensure necessary controls are in place to manage risks associated with outsourcing and external alliances. Management should ensure that vendors have the necessary expertise, experience, and financial strength to fulfill their obligations. They also should ensure that the expectations and obligations of each party are clearly defined, understood and otherwise enforceable. For example, management should make certain that the bank has audit rights for vendors so that the bank can monitor performance under the vendor contract.
¶ 41 If a bank joins or forms alliances with other banks or companies, management should perform adequate due diligence to ensure that the joint-venture partners are competent and have the financial strength to fulfill their obligations. Adequate bank resources will be required to monitor and measure performance under the terms of any third-party agreement.
[¶ 40, ¶ 41, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]

ISO Guidance

The third party should have controls in place to maintain the agreed upon levels of service in the event of a major failure or disaster. [§ 10.2.1, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

The third party should have controls in place to maintain the agreed upon levels of service in the event of a major failure or disaster. [§ 10.2.1, ISO/IEC 27002 Code of practice for information security management, 2005]

Service providers should ensure they have addressed business continuity, including disaster recovery. All business functions should have business continuity plans produced, tested, maintained, and updated. The service providers should first identify business priorities and the correct and most cost-effective business continuity strategy for their business before producing, using, and testing the business continuity plans. To reduce the likelihood of invoking a plan, and/or to reduce a disaster's or failure's impact, they should manage the risks. The recommended approach to achieving a comprehensive and viable business continuity plan involves the following stages:

    (1) establish recovery priorities, timescales, and requirements;
    (2) business continuity strategy formulation;
    (3) business continuity plan production;
    (4) business continuity plan testing;
    (5) business continuity staff awareness;
    (6) ongoing business continuity plan maintenance; and
    (7) risk reduction.

The first five stages are to be completed consecutively. After the plan has been developed and tested, the sixth stage occurs over time and should be performed at regular intervals and after significant changes. The seventh stage is completed in parallel with the other stages. Changes in the capabilities of outsource service providers should not affect their continuing ability to support existing contracted services. [§ 5.11, § 7.14.7, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

The organization should identify and mitigate risks relating to suppliers’ ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure contracts conform to universal business standards in accordance with legal and regulatory requirements. Risk management should further consider nondisclosure agreements (NDAs), escrow contracts, continued supplier viability, conformance with security requirements, alternative suppliers, penalties and rewards, etc. [DS2.3, CobiT, Version 4.1]

Outsource providers should have a continuity plan in place. [SM6.7.5(c), The Standard of Good Practice for Information Security]

EU Guidance

[§ II.42, OECD / World Bank Technology Risk Checklist, Version 7.3]

UK and Canadian Guidance

The organization should ensure changes in the agreement require new consent from both parties. [§ I14.3, Canadian Marketing Association Code of Ethics and Standards of Practice]

The organization should ensure that key suppliers or outsourced partners have an effective business continuity management plan. This may be accomplished by obtaining audited evidence of the continuity plan, along with their testing and maintenance programs. [§ 4.5, BS 25999-1, Business continuity management. Code of practice, 2006]

A key factor in ensuring that the Information Technology Service Continuity (ITSC) strategy and plans remain appropriate as the organization and its environment change is to regularly assess each supplier's ability to maintain appropriate levels of service. [§ 5.6 ¶ 2(g), PAS 77 IT Service Continuity Management. Code of Practice, 2006]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.