Establish and maintain an information security requirements metrics program for strategic partners and other third-parties.

UCF ID: 02043
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

    Report on the percentage of known information security risks that are related to third-party relationships. [UCF Control ID 02044]
    Report on the percentage of critical information assets or functions for which access by third-party personnel is not allowed. [UCF Control ID 02045]
    Report on the percentage of third-party personnel who have current information access privileges. [UCF Control ID 02046]
    Report on the percentage of systems with critical information assets or functions for which electronic connection by third-party systems is not allowed. [UCF Control ID 02047]
    Report on the percentage of security incidents that involved third-party personnel. [UCF Control ID 02048]
    Report on the percentage of third-party agreements that include/demonstrate a requirement for external verification of policies and procedures. [UCF Control ID 02049]
    Report on the percentage of third-party relationships that have been reviewed for compliance with information security requirements. [UCF Control ID 02050]
    Report on the percentage of out-of-compliance review findings that have been corrected since the last review. [UCF Control ID 02051]

Authority documents complied with:

CISWG Information Security Program Elements, January 10, 2005, ISPE11; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.4(2)

US Federal Security Guidance

The organization must measure and report on the following. For the security of its own information, an organization often depends on third parties (e.g., strategic partners, consulting, outsourcing, and other parties) to whom it gives access to its information assets, or to whom it allows electronic connection with its networks. To mitigate the risks associated with these relationships, it should include information security requirements in the agreements it has with these parties, and require demonstration of compliance. [ISPE11, CISWG Information Security Program Elements, January 10, 2005]

ISO Guidance

Personnel. An organization should implement safeguards to reduce the security risks resulting from errors or intentional or unintentional breaking of security rules by personnel (permanent or contracted). Safeguards in this area are listed below.
2. Safeguards for Contracted Personnel
Contracted personnel (e.g. cleaning or maintenance staff) should be controlled, as well as any other visitor. Contracted, certainly long-term, personnel should sign a confidentiality agreement before having access (physical or logical) to the organization's IT facilities.
[¶ 8.1.4(2), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.