UCF ID: 00799
Control Type: Monitor and Evaluate Occurrences
Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain a policy regarding management of third party services. [UCF Control ID 00789]
There are no supporting controls.
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 7.2.4; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj F.2; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 24; FFIEC IT Examination Handbook – Information Security, Pg 7, Pg 21, Pg 93; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.14; CobiT, Version 4.1, DS2.4; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 10.2.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.10.2.1; ISO/IEC 27002 Code of practice for information security management, 2005, § 10.2.2; OECD / World Bank Technology Risk Checklist, Version 7.3, § II.36; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 40; California OPP Recommended Practices on Notification of Security Breach, May 2008, Part I ¶ 8; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCIT-1
Banking and Finance Guidance
[Exam Tier II Obj F.2, FFIEC IT Examination Handbook – Audit, August 2003]
The organization should monitor the third party in order to identify and control any risks. This monitoring is accomplished by receiving periodic reports from the third party. Some example reports are service availability, performance efficiency, security incidents, vendor stability, and quality assurance. [Pg 24, FFIEC IT Examination Handbook – E-Banking, August 2003]
The organization should have controls in place to ensure the third party is meeting its responsibilities. [Pg 7, Pg 21, Pg 93, FFIEC IT Examination Handbook – Information Security]
The organization should monitor the activities of third parties on a regular basis. [¶ 40, BIS Sound Practices for the Management and Supervision of Operational Risk]
US Federal Security Guidance
Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities. [DCIT-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
US Internal Revenue Guidance
Third-party providers who process, store, or transmit Federal Tax Information must use security controls that are consistent with the organization's security requirements. [§ 5.6.14, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
US State Laws and Protectorates Guidance
Monitor and enforce third-party compliance with your privacy and security policies and procedures. [Part I ¶ 8, California OPP Recommended Practices on Notification of Security Breach, May 2008]
ISO Guidance
The organization should monitor adherence to third party agreements to ensure the information security agreements contained within are being followed and security incidents are properly handled. This responsibility should be assigned to an individual or a service management team. [§ 10.2.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
The organization should ensure that all requirements in the service delivery agreement are implemented and being used by the third party. [Annex A.10.2.1, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
The organization should monitor adherence to third party agreements to ensure the information security agreements contained within are being followed and security incidents are properly handled. This responsibility should be assigned to an individual or a service management team. [§ 10.2.2, ISO/IEC 27002 Code of practice for information security management, 2005]
General Guidance
The organization should take appropriate action if personal information transferred to a third party is misused. [ID 7.2.4, AICPA/CICA Privacy Framework]
The organization should establish a process to monitor service delivery to ensure the supplier is meeting current business requirements and is continuing to adhere to the contract agreements and service level agreements, and that performance is competitive with alternative suppliers and market conditions. [DS2.4, CobiT, Version 4.1]
EU Guidance
[§ II.36, OECD / World Bank Technology Risk Checklist, Version 7.3]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of known information security risks that are related to third-party relationships. [UCF Control ID 02044]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
