UCF ID: 00798
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
• Establish and maintain a policy regarding management of third party services. [UCF Control ID 00789]
There are no supporting controls.
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 7.1.2; AICPA Suitable Trust Services Principles and Criteria, ¶ .29 § 3.2; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App B § III.D.3; FFIEC IT Examination Handbook – Audit, August 2003, Pg 24, Exam Tier I Obj 11.2, Exam Tier I Obj 13.1; FFIEC IT Examination Handbook – Information Security, Pg 77, Pg 93, Exam Tier II Obj J.6; FFIEC IT Examination Handbook – Management, Pg 37; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 16; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 35, Exam Tier II Obj 1.2; Protection of Assets Manual, ASIS International, Revised Volume 1 Pg 7-I-57; Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria, Security Procedures; CobiT, Version 4.1, DS2.3; The Standard of Good Practice for Information Security, SM6.7.7, CB6.1.3(c); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 10.2.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.10.2.2; ISO/IEC 27002 Code of practice for information security management, 2005, § 10.2.2; OECD / World Bank Technology Risk Checklist, Version 7.3, § II.37; Canadian Marketing Association Code of Ethics and Standards of Practice, § O3; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 29; Italy Personal Data Protection Code, Annex B.25; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 5.6.4; Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress, § 402
Sarbanes Oxley Guidance
If the organization uses a third party for any services, the organization may perform tests at the third party site or require the third party give the organization a copy of its auditor's report stating the tests and results of the operating effectiveness of controls. [Pg 29, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
The organization should monitor service providers to ensure they have implemented all required security requirements. The organization should review test results and audit reports to confirm that all required security requirements are met. [App B § III.D.3, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]
The organization should effectively manage third party service providers by directly auditing the service provider's operations and controls; using external auditors to audit the service provider's operations and controls; or reviewing an independent audit report from the service provider. [Pg 24, Exam Tier I Obj 11.2, Exam Tier I Obj 13.1, FFIEC IT Examination Handbook – Audit, August 2003]
The organization should ensure it has the ability to audit the service provider to ensure the security controls are implemented. If the organization cannot audit the service provider, the service provider should provide the organization with the audit report from an independent third party auditor. [Pg 77, Pg 93, Exam Tier II Obj J.6, FFIEC IT Examination Handbook – Information Security]
The third party provider should give the organization access to its data center or make the audit reports and independent reviews available to the organization in order for the organization to meet its oversight responsibilities. [Pg 37, FFIEC IT Examination Handbook – Management]
The service provider contract should include an agreement that the service provider will comply with all regulatory requirements, will provide accurate information, and will provide access to regulatory agencies, as required. [Pg 16, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
The organization should monitor the service provider for compliance with all security and regulatory requirements of the organization. [Pg 35, Exam Tier II Obj 1.2, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
US Federal Security Guidance
If a business partner is eligible for C-TPAT certification, the importer must have a copy of the documentation stating whether the partner is or is not C-TPAT certified. If the business partner is not eligible for C-TPAT certification, the importer must require the partner to meet or exceed the C-TPAT requirements. Non-C-TPAT-eligible partners must be subjected to a risk assessment to verify their compliance with C-TPAT security criteria. [Security Procedures, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria]
US Federal Privacy Guidance
Business entities or agencies must implement procedures to evaluate and audit the information security practices of third-party business entities or contractors that support the agencies' operations or information systems involving personally identifiable information and must ensure remedial action is taken to address any significant deficiencies. [§ 402, Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress]
ISO Guidance
Audits of third party agreements should be reviewed regularly. [§ 10.2.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
Audits of all third parties should be conducted on a regular basis. The organization should also monitor and review all reports and services provided by third parties for compliance with all agreements. [Annex A.10.2.2, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
Audits of third party agreements should be reviewed regularly. [§ 10.2.2, ISO/IEC 27002 Code of practice for information security management, 2005]
Service providers should review the vendors' financial health and viability and new avenues for alternate supplies at least once a year. [§ 5.6.4, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
General Guidance
The organization should ensure that the privacy policies of the third party are equivalent to the organization's privacy policies before sharing personal information. [ID 7.1.2, AICPA/CICA Privacy Framework]
The organization should receive copies of the third parties' auditor reports. [¶ .29 § 3.2, AICPA Suitable Trust Services Principles and Criteria]
The organization should schedule regular meetings with the security guard company to review the security guards' operations. The organization should use unannounced site inspections to check on the contract guards. [Revised Volume 1 Pg 7-I-57, Protection of Assets Manual, ASIS International]
The organization should identify and mitigate risks relating to suppliers' ability to continue effective service delivery in a secure and efficient manner on a continual basis. The organization should ensure contracts conform to universal business standards in accordance with legal and regulatory requirements. Risk management should further consider nondisclosure agreements (NDAs), escrow contracts, continued supplier viability, conformance with security requirements, alternative suppliers, penalties and rewards, etc. [DS2.3, CobiT, Version 4.1]
Third party agreements should contain provisions for the organization to be able to audit the third party's activities. [SM6.7.7, CB6.1.3(c), The Standard of Good Practice for Information Security]
EU Guidance
[§ II.37, OECD / World Bank Technology Risk Checklist, Version 7.3]
UK and Canadian Guidance
If the organization is selling lists, it should ensure it receives and reviews representative samples of the communications being sent to the names on the list to ensure the third party using the list is complying with all regulations and contracts. [§ O3, Canadian Marketing Association Code of Ethics and Standards of Practice]
Other European and African Guidance
When a data controller uses an external entity to implement the minimum security measures, he/she must, prior to implementation, require the installing technician(s) to supply a written description of what activities were performed to certify that the implemented measures are compliant with the provisions in these technical specifications. [Annex B.25, Italy Personal Data Protection Code]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of strategic or third party partners for which all information assurance requirements have been implemented in accordance with the agreements. [UCF Control ID 01675]
• Report on the percentage of third-party agreements that include/demonstrate a requirement for external verification of policies and procedures. [UCF Control ID 02049]
• Report on the percentage of out-of-compliance review findings that have been corrected since the last review. [UCF Control ID 02051]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
