Report on the percentage of third-party relationships that have been reviewed for compliance with information security requirements.

UCF ID: 02050
Control Type: Actionable Reports or measurements
Status: Live
Metric guidance

Calculation: This metric is computed as the number of third-party relationships that have been reviewed for compliance with information security requirements / the number of third-party relationships.

Calculation source: No authority document source of information exists. The following formula was used: the number of third parties whose information security requirements have been reviewed for compliance by the organization, divided by the number of signed third-party agreements for each business unit (or the organization as a whole).

The Common Control IDs associated with this metric are as follows:

    Formalize all third party relationships with written contracts. [UCF Control ID 00794]
    Ensure third parties acknowledge their responsibilities for data in their possession and control. [UCF Control ID 01364]
    Ensure third-party outsourcing providers meet organizational standards and employ adequate compliance controls. [UCF Control ID 01134]
    Ensure third parties comply with organizational security requirements. [UCF Control ID 00359]
    Comply with all policies, standards, and procedures. [UCF Control ID 00818]

Supporting and supported controls

This control directly supports:

    Establish and maintain an information security requirements metrics program for strategic partners and other third-parties. [UCF Control ID 02043]

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10, 2005, ISPE11.7; Performance Measurement Guide for Information Security, NIST 800-55, Revision 1, App A Measure 17; Guide for Developing Performance Metrics for Information Security, NIST SP 800-80, Table 19; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.2

US Federal Security Guidance

The organization must measure and report on the percentage of third-party relationships that have been reviewed for compliance with information security requirements. [ISPE11.7, CISWG Information Security Program Elements, January 10, 2005]

NIST Guidance

The calculation for this metric should be stated as the number of system and service acquisition contracts that include security requirements / the number of system and service acquisition contracts. Use the number of system and service acquisition contracts for each business unit (or the organization as a whole) as the base number (the denominator), and divide by it the number of those contracts that list information security requirements in the contract. [App A Measure 17, Performance Measurement Guide for Information Security, NIST 800-55, Revision 1]

This metric must be calculated as the number of third-party relationships that have been reviewed for compliance with information security requirements / the number of third-party relationships. [Table 19, Guide for Developing Performance Metrics for Information Security, NIST SP 800-80]

General Guidance

The purpose of this measurement is to report the percentage of third-party relationships that have been reviewed for compliance with information security requirements. [§ 18.2, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.