Ensure third-party outsourcing providers meet organizational standards and employ adequate compliance controls.

UCF ID: 01134
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Development and Acquisition, Pg 42, Pg 43; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 10; Clinger-Cohen Act (Information Technology Management Reform Act), § 5312(c)(6); FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.14, Exhibit 4 SA-9, Exhibit 7; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.4.3.3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, § 2.4, App F § SA-9; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, SA-9; CobiT, Version 4.1, AI5.3; The Standard of Good Practice for Information Security, SM6.7.3; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 10.2.3; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.10.2.3; ISO/IEC 27002 Code of practice for information security management, 2005, § 10.2.3; Australian Government ICT Security Manual (ACSI 33), § 3.3.17; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 29; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCDS-1

Sarbanes Oxley Guidance

If the organization uses a third party for any services, the organization may perform tests at the third party's site or require that the third party provide a copy of its auditor's report describing the tests performed and the results regarding the operating effectiveness of controls. [Pg 29, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

The organization should review all bids to ensure the third party meets the organizational requirements and should compare the bids against each other. [Pg 42, Pg 43, FFIEC IT Examination Handbook – Development and Acquisition]

The organization should develop a Request for Proposal (RFP) to solicit responses from service providers. The RFP should describe the organization's objectives; the scope and nature of the work to be performed; the expected levels of service; the timelines for delivery of service; the measurement requirements; the control measures; and the organization's policies for security, continuity, and change control. [Pg 10, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

US Federal Security Guidance

[§ 5312(c)(6), Clinger-Cohen Act (Information Technology Management Reform Act)]

System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

Acquisition or outsourcing of dedicated IA services such as incident monitoring, analysis and response; operation of IA devices, such as firewalls; or key management services are supported by a formal risk analysis and approved by the DoD Component CIO. [DCDS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

US Internal Revenue Guidance

Third-party providers that process, store, or transmit Federal Tax Information must employ security controls consistent with these security requirements.
Exhibit 7 provides sample contract language for use with contractors who may have access to Federal Tax Information.
[§ 5.6.14, Exhibit 4 SA-9, Exhibit 7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

[§ 3.4.3.3, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

§ 2.4 The organization must ensure that third-party providers conform to and comply with organizational information system security policies. The organization should document all services provided by third-party providers and obtain assurances, by contract or agreement, that security controls are implemented to achieve an acceptable level of risk. All third-party information services must be approved by the organization's authorizing official. Where an external provider's services do not meet the organization's security requirements or its acceptable degree of risk, the organization must implement additional security controls.
App F § SA-9 The organization must ensure that third-party providers comply with organizational information security requirements and employ appropriate security controls. The organization should define and document government oversight and user roles and responsibilities with regard to outsourced information services, and monitor security control compliance by third-party providers.
[§ 2.4, App F § SA-9, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records and documents should be examined to verify that third-party providers employ security controls in accordance with applicable laws, regulations, standards, directives, and agreements; that outsourced services are regularly reviewed and analyzed for inappropriate or unusual usage; that suspected violations and suspicious activities are investigated; that findings are reported to appropriate personnel; that any necessary remedial actions are taken; and that specific responsibilities and actions are defined for implementing the outsourced information system services control. Any problems discovered while implementing the control should be documented and used to improve it.
Interviews should be conducted with personnel who manage, review, and analyze third-party contracts.
[SA-9, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

Changes to the provision of services should be managed. The change process should consider changes made by the organization, changes made by the third party, changes of vendor, the use of new technologies, new product versions or releases, and changes to the physical location of service facilities. [§ 10.2.3, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

Changes to the provision of services should be managed. Changes should take into account the re-assessment of risks, the criticality of the business systems involved, and the processes that make up the system's daily operations. [Annex A.10.2.3, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

Changes to the provision of services should be managed. The change process should consider changes made by the organization, changes made by the third party, changes of vendor, the use of new technologies, new product versions or releases, and changes to the physical location of service facilities. [§ 10.2.3, ISO/IEC 27002 Code of practice for information security management, 2005]

General Guidance

The organization should select suppliers according to a fair and formal practice that ensures a viable best fit, based on requirements developed with input from the potential suppliers and agreed between the customer and the supplier(s). [AI5.3, CobiT, Version 4.1]

Information security controls should be agreed upon by the two parties and implemented prior to the management of the environment being transferred to the outsource provider. [SM6.7.3, The Standard of Good Practice for Information Security]

Asia and Pacific Rim Guidance

Leasing agreements should include procedures to follow when the equipment needs maintenance, instructions on how to sanitize the equipment before returning it, and procedures for destroying the equipment if it cannot be sanitized. [§ 3.3.17, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of third-party relationships that have been reviewed for compliance with information security requirements. [UCF Control ID 02050]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.