Audit the security and regulatory requirements of third parties

The organization will maintain a standard and appropriate procedures to audit the security and regulatory requirements of third parties. [UCF ID 00798]

Supporting and supported controls

This control directly supports:

Management of third party services [UCF Control ID 00789]

This control has the following supporting controls:

There are no supporting controls.

Authority documents complied with:

Gramm-Leach-Bliley Act (GLB) 16 CFR § 314.4(d)(2); Safety and Soundness Standards, Appendix of OCC 12 CFR 30 App B-III.D.3; FFIEC IT Examination Handbook – Information Security Pg 77, Pg 93, Exam Tier II Obj J.6; FFIEC IT Examination Handbook – Audit Pg 24, Exam Tier I Obj 11.2, Exam Tier I Obj 13.1; FFIEC IT Examination Handbook – Management Pg 37; FFIEC IT Examination Handbook – Outsourcing Technology Services Pg 16; FFIEC IT Examination Handbook – Retail Payment Systems Pg 35, Exam Tier II Obj 1.2; OECD / World Bank Technology Risk Checklist II.37; CobiT 4.1 DS2.3; The Standard of Good Practice for Information Security SM6.7.7, CB6.1.3(c); ISO 17799:2000, Code of Practice for Information Security Management § 6.1.3; ISO 17799:2005 Code of Practice for Information Security Management § 10.2.2; ISO 27001:2005, Information Security Management Systems - Requirements § A.10.2.2; ISO/IEC 27002-2005 Code of practice for information security management § 10.2.2; AICPA/CICA Privacy Framework § 7.1.2; AICPA Suitable Trust Services Criteria ¶ .29 § 3.2; Canadian Marketing Association Code of Ethics and Standards of Practice ¶ O3

Sarbanes Oxley Guidance

§ 7.1.2 of AICPA/CICA Privacy Framework states that the organization should ensure that the privacy policies of the third party are equivalent to the organization's privacy policies before sharing personal information.

¶ .29 § 3.2 of AICPA Suitable Trust Services Criteria states that the organization should receive copies of the third parties' auditor reports.

P. 29 of Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control states that if the organization uses a third party for any services, the organization may perform tests at the third party's site or require that the third party give the organization a copy of its auditor's report stating the tests performed and the results regarding the operating effectiveness of controls.

Banking and Finance Guidance

The FFIEC IT Examination Handbook – Management Pg 37 states that the third party provider should give the organization access to its data center or make the audit reports and independent reviews available to the organization in order for the organization to meet its oversight responsibilities.

International Standards Organization Guidance

The ISO/IEC 27002-2005 Code of practice for information security management § 10.2.2 states that audits of third party agreements should be reviewed regularly.

The ISO 27001:2005 Information Security Management Systems - Requirements § A.10.2.2 states that audits of all third parties should be conducted on a regular basis. The organization should also monitor and review all reports and services provided by third parties for compliance with all agreements.

The ISO 17799:2005 Code of Practice for Information Security Management § 10.2.2 states that audits of third party agreements should be reviewed regularly.

UK and Canadian Guidance

¶ O3 of Canadian Marketing Association Code of Ethics and Standards of Practice states that if the organization sells lists, it should ensure that it receives and reviews representative samples of the communications being sent to the names on the list, in order to verify that the third party using the list is complying with all regulations and contracts.

Metrics

The metrics associated with this control are as follows:

• Metric Reporting Standard 01675.doc
• Metric Reporting Standard 02049.doc
• Metric Reporting Standard 02051.doc

Site and content © Copyright 2003-2008 Network Frontiers, LLC. All rights reserved.