Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements.


CONTROL ID
00359
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Conduct all parts of the supply chain due diligence process., CC ID: 08854

This Control has the following implementation support Control(s):
  • Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information., CC ID: 13353


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization, when entrusting personal data to an outside organization, must guarantee through the conclusion of a contract or other legal measure that its manager's instructions are followed, personal data confidentiality is maintained, redisclosure is prohibited, and responsibility is assigned… (Art 19, Japan Handbook Concerning Protection Of Personal Data, February 1998)
  • Art 22: When business operators that handle personal information entrust a business operator or an individual to handle personal information in whole or in part, they must supervise the trustee to ensure the security control of the personal data. Art 41: A target business operator of authorized pers… (Art 22, Art 41, Japan Act on the Protection of Personal Information Protection (Law No. 57 of 2003))
  • Financial institutions must verify the state of compliance with the above rules. For that purpose, financial institutions must audit the state of performance of the operations by the contractor, receive reports on operations from the contractor, or take other measures in line with the content of out… (C22.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • takes reasonable steps to ensure compliance with those measures. (Part II Division 1 9. (2) (b), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • Accountability for security is increased through clear job descriptions, employment agreements and policy awareness acknowledgements. It is important to communicate the general and specific security roles and responsibilities for all employees within their job descriptions. The job descriptions for … (Critical components of information security 1) 3), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • security and internal controls, audit coverage, reporting and monitoring environment; (5.4.3 (d), Guidelines on Outsourcing)
  • An institution should assess all relevant aspects of the service provider, including its capability to employ a high standard of care in the performance of the outsourcing arrangement as if the service is performed by the institution to meet its obligations as a regulated entity. The due diligence s… (5.4.2, Guidelines on Outsourcing)
  • confidentiality and security; (5.5.2 (c), Guidelines on Outsourcing)
  • Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains. (Security Control: 1632; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Service providers, including any subcontractors, provide an appropriate level of protection for any data entrusted to them or their services. (Control: ISM-1395; Revision: 7, Australian Government Information Security Manual, June 2023)
  • Security requirements associated with the confidentiality, integrity and availability of data are documented in contractual arrangements with service providers and reviewed on a regular and ongoing basis to ensure they remain fit for purpose. (Control: ISM-0072; Revision: 9, Australian Government Information Security Manual, June 2023)
  • Service providers, including any subcontractors, provide an appropriate level of protection for any data entrusted to them or their services. (Control: ISM-1395; Revision: 7, Australian Government Information Security Manual, September 2023)
  • Security requirements associated with the confidentiality, integrity and availability of data are documented in contractual arrangements with service providers and reviewed on a regular and ongoing basis to ensure they remain fit for purpose. (Control: ISM-0072; Revision: 9, Australian Government Information Security Manual, September 2023)
  • Oversight of the service agreement should assess the service provider's audit testing results, information technology security testing results, and compliance testing results and follow-up actions. (Attach C ¶ 4(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Effective service agreements normally embody a regulated institution's IT security principles and associated requirements. A regulated institution would normally reflect relevant areas of its IT security framework in the agreement, thereby ensuring that its IT security stance is not compromised or w… (Attachment C ¶ 3, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • service provider (including vendor) management controls to ensure that a regulated institution's IT security requirements are met by service providers. (¶ 54(g), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The data controller must have an agreement, in writing, with the processor about the processing of personal data. The agreement must explicitly state the scope, purpose, and time period for when the processing will be concluded and guarantee that the processor will implement technical and organizati… (Art 6, Czech Republic Personal Data Protection Act, April 4, 2000)
  • appropriate and proportionate information security-related objectives and measures including requirements such as minimum cybersecurity requirements; specifications of the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring pr… (3.2.3 8(a), Final Report EBA Guidelines on ICT and security risk management)
  • where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and (4.13.4 98(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue ad… (4.12.2 64, Final Report on EBA Guidelines on outsourcing arrangements)
  • supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; (Article 21 2(d), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • If processing is carried out on the data controller's behalf, the data controller must choose a processor who provides guarantees that it has technical security and organizational measures for the processing and is in compliance with those measures. (Art 17.2, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Unofficial Translation)
  • requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framew… (Art. 30.3. ¶ 1(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangeme… (Art. 28.5., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • External service providers and suppliers of the cloud provider, who contribute to the development or operation of the cloud service, are obliged by contract to make their employees and subcontractors aware of the specific security requirements of the cloud provider and train their employees generall… (Section 5.3 HR-03 Basic requirement ¶ 2, Cloud Computing Compliance Controls Catalogue (C5))
  • Requirements for a secure software development process (especially design, development and testing) (Section 5.11 BEI-02 Basic requirement ¶ 1 Bullet 1, Cloud Computing Compliance Controls Catalogue (C5))
  • When using another body to process, collect, or use personal data, it must be selected carefully with particular attention to the technical and organizational measures implemented by it. A commission must be in writing and states the collecting, processing, and use of the data, the technical and org… (§ 11(2), German Federal Data Protection Act, September 14, 1994)
  • External IT services are not used without explicit assessment and implementation of the information security requirements: (1.3.3 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • An appropriate level of information security is ensured by contractual agreements with contractors and cooperation partners. (6.1.1 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • The data processor must have guarantees in place to ensure the security and confidentiality measures stated in Article 34 have been implemented. This requirement does not exempt the data controller from his/her obligation of supervising the observance of these measures to ensure they have been imple… (Art 35, France Data Processing, Data Files and Individual Liberties)
  • If data processing is carried out on behalf of a controller, the data controller must choose a processor that provides guarantees that the technical and organizational security measures that pertain to data processing are executed. (Art 22(2), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • A data controller responsible for the data processing is allowed to contract with a third party for processing the data, in whole or in part, contingent on if the data controller can verify beforehand that the processor is able to implement the required security measures and conduct internal audits … (Art 13, Iceland Protection of Privacy as regards the Processing of Personal Data)
  • When a data controller uses an external entity to implement the minimum security measures, he/she must, prior to implementation, require the installing technician(s) to supply a written description of what activities were performed to certify that the implemented measures are compliant with the prov… (Annex B.25, Italy Personal Data Protection Code)
  • When a processor is in charge of the data processing, the data controller must ensure the processor can implement organizational and technical security measures to protect personal data against loss or alteration; unauthorized disclosure, abuse, or other processing; and unlawful or accidental destru… (§ 42, Denmark, The Act on Processing of Personal Data)
  • The contract with a third party must lay out the security measures that the processor is obliged to implement, as referred to in Article 9. (Art 12.2, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data)
  • If the personal data controller uses an assistant, the controller must ensure the assistant is able to implement the appropriate security measures and then ensure the assistant has actually implemented the security measures. (§ 31 ¶ 2, Sweden Personal Data Act (1998:204))
  • Responsible parties must ensure that their processor provides guarantees for its technical and organizational security measures for processing. The responsible parties must ensure these security measures are complied with by the processor. The two parties must have an agreement in place, and the par… (Art 14, Netherlands Personal Data Protection Act, Session 1999-2000 Nr.92, REVISED BILL (as approved by the Lower House on 23 November 1999), Unofficial Translation)
  • When processing is being conducted on behalf of the data controller, the data controller must choose a processor that guarantees the technical security and organizational measures governing the data processing are carried out and ensures compliance with these measures. A contract must exist, in writ… (Art 14.2 thru Art 14.4, Portuguese Act on the Protection of Personal Data 67/98)
  • Processors may be employed by data controllers, if they warrant the secure and legitimate use of data. Agreements must exist between the data controller and the processor and the data controller must be satisfied that the processor is complying with the agreements by determining the actual measures … (§ 10(1), Austria Data Protection Act)
  • Value added service providers and telecommunications operators are responsible for ensuring that third parties who provide a communication service, value added service, or network service, in whole or part, have information security practices implemented. (§ 19(2), Finland Act on the Protection of Privacy in Electronic Communications, Unofficial Translation)
  • Organizations that operate on behalf of a data controller must provide the data controller with commitments and guarantees of data security before the processing of data may begin. (§ 32(2), Finland Personal Data Protection Act (523/1999))
  • The subject, authorized by the controller to process data must provide security measures to protect the data filing system in accordance with Articles 36 - 39 and must meet the requirements referred to in Article 39A. The requirements of Articles 14 - 19 will apply to supervising the data processing… (Art 31.3, Art 31.5, Poland Protection of Personal Data Act)
  • If personal data is processed jointly by Federal authorities with other Federal authorities, private persons, or cantonal authorities, the Federal council may regulate the specific responsibilities for protection of the personal data. (Art 16.2, Switzerland Federal Act of 19 June 1992 on Data Protection (FADP))
  • When an individual transfers from one organization to another, the receiving organization must ensure the baseline personnel security standard (BPSS) requirements have been met. The receiving organization may request copies of the BPSS verification record and any associated documentation to help det… (Part IV ¶ 4, HMG BASELINE PERSONNEL SECURITY STANDARD, GUIDANCE ON THE PRE-EMPLOYMENT SCREENING OF CIVIL SERVANTS, MEMBERS OF THE ARMED FORCES, TEMPORARY STAFF AND GOVERNMENT CONTRACTORS, Version 3, February 2001)
  • The organization must verify it and its main delivery partners are compliant with this framework and the extent they are required to comply. (Mandatory Requirement 2, HMG Security Policy Framework, Version 6.0 May 2011)
  • ¶ 1: Departments and agencies are required to ensure contractors and delivery partners implement an acceptable level of protective security and are compliant with the security policy framework requirements. ¶ 8: Departments and agencies that are separate from the Ministry of Defense must ensure co… (¶ 1, ¶ 8, Industrial Security - Departmental Responsibilities, Version 5.0 October 2010)
  • ¶ 4: The contracting authority must verify that the Office of Government Commerce Model Contract terms and conditions are included in contracts for work that involves access to personal data at the contractor's facilities or when personal data is provided to the contractor and the contractor is not… (¶ 4, App 2 ¶ 25, The Contractual process, Version 5.0 October 2010)
  • The service provider should ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement. (8. ¶ 1, Cloud Security Guidance, 1.0)
  • The service provider should ensure that its supply chain supports all of the security principles which the service claims to implement. (8: ¶ 1, Cloud Security Guidance, 1.0)
  • Third party supply chains should support all of the security principles which the service claims to implement. (8. ¶ 1, Cloud Security Guidance, 2)
  • When a data processor carries out the processing on behalf of a data controller, the data controller must choose a data processor who provides sufficient guarantees to the organizational and technical security measures for the processing and take reasonable steps to ensure compliance with these meas… (Sched 1 Part II.11, Sched 1 Part II.12, UK Data Protection Act of 1998)
  • An internal auditor can help an organization meet privacy objectives and contribute to good governance and accountability by conducting assessments of a service provider, to include reviews of procedures and controls for providers who manage sensitive data or personally identifiable information. (§ 2.2 (Privacy Controls) ¶ 3, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards. (STA-12, Cloud Controls Matrix, v4.0)
  • Third party service providers shall demonstrate compliance with Information Security and information confidentiality, service definitions and delivery level agreements included in third party contracts. (CO-03, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be co… (CIS Control 15: Safeguard 15.4 Ensure Service Provider Contracts Include Security Requirements, CIS Controls, V8)
  • Commitment. Management should be committed to ICT security if appropriate protection of corporate assets is to be realized. Any actual or perceived lack of such commitment will undermine the position of corporate ICT security officer and considerably weaken corporate defenses to threats. Visible sup… (§ 5.2.1, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Approval of IT Systems. Organizations should ensure that approval takes place for all or selected IT systems that they meet the requirements of the IT system security policy and the IT security plan. This approval process should be based on techniques such as security compliance checking, security t… (¶ 10.4, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • Personnel. An organization should implement safeguards to reduce the security risks resulting from errors or intentional or unintentional breaking of security rules by personnel (permanent or contracted). Safeguards in this area are listed below. 2. Safeguards for Contracted Personnel Contracted per… (¶ 8.1.4(2), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • If a third party requires access to the organization's data, a risk assessment should be conducted to identify risks associated with the third party's access. The third party should meet the same information security requirements as the organization. (§ 6.2.1, ISO 27002 Code of practice for information security management, 2005)
  • The cloud service customer should verify that the set of cryptographic controls that apply to the use of a cloud service comply with relevant agreements, legislation and regulations. (§ 18.1.5 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being proc… (Schedule 1 4.1.3, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • Contractual or other means must be used by the organization to provide comparable levels of protection while a third party is processing the information. (Sched 1 Clause 4.1.3, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • Dependency management processes may allow the organization to adopt the security program(s) of its "affiliate(s)" as long as such program provides an appropriate level of control and assurance. (DM.ED-2.4, CRI Profile, v1.2)
  • The organization's contracts require third-parties to implement minimum cybersecurity requirements and to maintain those practices for the life of the relationship. (DM.ED-6.2, CRI Profile, v1.2)
  • The organization's contracts require third-parties to implement minimum cybersecurity requirements and to maintain those practices for the life of the relationship. (DM.ED-6.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, including return or destruction of data during cloud or virtualization use and upon relationship termination. (DM.ED-6.7, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Dependency management processes may allow the organization to adopt the security program(s) of its "affiliate(s)" as long as such program provides an appropriate level of control and assurance. (DM.ED-2.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should take action if personal information is misused by any third party. (ID 7.2.4, AICPA/CICA Privacy Framework)
  • The entity has procedures for obtaining representation or assurance from the third party that the information is being transferred to that it complies with the entity's confidentiality and related security policies and is in compliance with its own policies. (Confidentiality Prin. and Criteria Table § 3.6, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • how the service organization's contracting process addresses security-related matters; (¶ 3.59 Bullet 11 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If your organization uses a clearing firm or other service providers in connection with its covered accounts, it must ensure that the providers comply with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft. (§ VII., FTC FACT Act Red Flags Rule Template, July 1, 2009)
  • Is a controls assessment performed on third parties? (§ C.2.3, Shared Assessments Standardized Information Gathering Questionnaire - C. Organizational Security, 7.0)
  • Are there appropriate contractual provisions and control mechanisms to ensure that privacy and security obligations of the organization extend to its suppliers, vendors, or subcontractors? (§ P.2.3, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • § 412.616(b): Information that can identify a patient to an agent may be released only in accordance with a written contract under which the agent agrees not to use or disclose the information, except for purposes stated in the contract and only to the extent that the facility is allowed to disclos… (§ 412.616(b), § 422.202(c), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • The Director of the Office of Management and Budget must oversee agency information security policies and practices, including requiring agencies to identify and provide information security protections that are commensurate with the magnitude and risk of harm resulting from unauthorized access to o… (§ 3543(a)(2), § 3543(b), § 3543(c), § 3544(a)(1)(A), § 3547(1), Federal Information Security Management Act of 2002, Deprecated)
  • Measures appropriate for the sensitivity of the data and the size, scope, and complexity of the business entity's activities must be developed to ensure third parties or customers are not authorized to acquire or access sensitive personally identifiable information without the business entity perfor… (§ 302(a)(4)(B)(vi), § 302(d)(2), § 401(c)(2)(C), § 403(b)(3)(B)(iii), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • The Information Assurance Officer, for vendor computers that access the Military Treatment Facility from remote and on-site locations, will ensure that vendors comply with DoD IA standards. (§ 5.2 (MED0520: CAT II), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonab… (§ II.3.b., EU-U.S. Privacy Shield Framework Principles)
  • Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate… (§ 252.204-7012(b)(3), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • Except as provided in paragraph (b)(2)(ii) of this clause, the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal … (§ 252.204-7012(b)(2)(i), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • A covered entity may disclose protected health information to business associates and allow business associates to create or receive information on its behalf, if it receives satisfactory assurances the information will be appropriately safeguarded. This does not apply to disclosures to health care … (§ 164.502(e)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Group health plan documents shall incorporate provisions requiring plan sponsors to ensure any agent or subcontractor that information is provided to agrees to implement reasonable and appropriate security measures to protect the information. (§ 164.314(b)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Contracts will ensure the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law. (§ 164.504(e)(2)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Contracts will ensure the business associate will use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract. (§ 164.504(e)(2)(ii)(B), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Contracts will ensure the business associate will report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware. (§ 164.504(e)(2)(ii)(C), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Contracts will ensure the business associate will ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that ap… (§ 164.504(e)(2)(ii)(D), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • If necessary, the group health plan must be corrected to incorporate the following: protected health information will be disclosed to the plan sponsor upon certification that the plan documents include the following and the plan sponsor agrees to them: ensure agents and subcontractors that receive t… (§ 164.504(f)(2)(ii)(B), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (§ 164.504(e)(2)(ii)(B), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • § 552a(m)(1): When an agency contracts with another organization to operate by or operate on their behalf a system of records for accomplishing an agency function, the agency shall ensure the requirements of this section are applied to the system. § 552a(q)(2): Unless the nonfederal or recipient a… (§ 552a(m)(1), § 552a(q)(2), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • Security. (§ 5.1.1.3 ¶ 1 7., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Users' email accounts and Internet browsers are common access points used by threat actors to gain unauthorized access, obtain or compromise sensitive data, or initiate fraud. These attacks frequently take advantage of misconfigured applications, operating systems, and unpatched vulnerabilities by u… (Section 7 ¶ 1, Authentication and Access to Financial Institution Services and Systems)
  • Third-party service providers that facilitate operational activities (e.g., core processing, mobile financial services, cloud storage and computing, and managed security services). (App A Objective 6.31.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • If the institution outsources activities to a third-party service provider, determine whether management integrates those activities with the information security program. Verify that the third-party management program evidences expectations that align with the institution's information security pro… (App A Objective 3.3, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Third-party integration (e.g., managed security services and incident detection services). (App A Objective 8.1.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources (e.g., staff and technology). (App A Objective 8, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management establishes defined processes and appropriate governance to facilitate the performance of security operations. Determine whether management coordinates security operations activities with the institution's lines of business and with the institution's third-party service … (App A Objective 8.2, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should design policies and procedures to effectively manage security operations with the following characteristics: - Broadly scoped to address all ongoing security-related functions. - Guided by defined processes. - Integrated with lines of business and third parties. - Appropriately… (III Security Operations, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Other originator obligations such as security and audit requirements. (App A Tier 2 Objectives and Procedures H.1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Management of the virtual infrastructure. The ability to create secure virtual infrastructures is managed through cloud security tools, such as the hypervisor, and should be closely controlled by the cloud service provider. The cloud service provider should be able to provide assurance that it has a… (Risk Management Audit and Controls Assessment Bullet 3 Sub-bullet 1, FFIEC Security in a Cloud Computing Environment)
  • Financial institutions must require their service providers, by contract, to implement measures for protecting against unauthorized access to or use of customer information that could lead to inconvenience or substantial harm to any of their customers. (Supplement A.I Service Providers, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice)
  • Require the service provider or affiliate to maintain an information security program that protects you in accordance with the requirements of this part. (§ 314.4 ¶ 1(a)(3), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Financial institutions or creditors that are required to implement an Identity Theft Prevention Program must ensure effective and appropriate oversight is maintained over all service provider arrangements. The financial institution or creditor should also ensure the service provider conducts its act… (§ 41.90(e)(4), § 222.90(e)(4), § 334.90(e)(4), § 571.90(e)(4), § 681.2(e)(4), § 717.90(e)(4), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [FedRAMP Assignment: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] in accordance with applicable f… (SA-9a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [FedRAMP Assignment: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] in accordance with applicable f… (SA-9a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [FedRAMP Assignment: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] in accordance with applicable f… (SA-9a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [FedRAMP Assignment: Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system]; (SA-9a., FedRAMP Security Controls High Baseline, Version 5)
  • Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [FedRAMP Assignment: Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system]; (SA-9a., FedRAMP Security Controls Low Baseline, Version 5)
  • Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [FedRAMP Assignment: Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system]; (SA-9a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines; and (§ 748 Appendix A. III.D.2., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Did the Credit Union obtain adequate information that details the implemented security procedures for protecting the facility, member data, etc.? (IT - Vendor Oversight Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; (SA-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; (SA-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; (SA-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; (SA-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • During the 'plan procurement' step, the need for and the criticality of the good or service to be procured needs to be identified, along with a description of the factors driving the determination of the need and level of criticality as this informs how much risk may be tolerated, who should be invo… (3.1.2. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The satisfaction of applicable security requirements in contracts and mechanisms as a qualifying condition for award; (3.1.2. ¶ 11 Bullet 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The periodic revalidation of supplier adherence to security requirements to ensure continual compliance; (3.1.2. ¶ 11 Bullet 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Integrate C-SCRM considerations into every aspect of the system and product life cycle, and implement consistent, well-documented, repeatable processes for systems engineering, cybersecurity practices, and acquisition. (3.4.2. ¶ 1 Bullet 8, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan. (ID.SC-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Suppliers and third-party partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan. (ID.SC-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The security requirements of an organization outsourcing the management and control of all or some of its information systems, networks, and desktop environments should be addressed in a contract agreed between the parties. External suppliers that have an impact on the security of the organization m… (§ 6.2.15 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals. (T0277, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop contract language to ensure supply chain, system, network, and operational security are met. (T0302, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization's privacy program. (ID.DE-P3, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Alternate sites may be owned and operated by the organization (internal recovery), or commercial sites may be available under contract. If contracting for the site with a commercial vendor, adequate testing time, work space, security requirements, hardware requirements, telecommunications requiremen… (§ 3.4.3 ¶ 7, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Security requirements, including special security needs; (§ 3.4.3 ¶ 9 Bullet 14, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Organizations may use third-party vendors to recover data from failed storage devices. Organizations should consider the security risk of having their data handled by an outside company and ensure that proper security vetting of the service provider is conducted before turning over equipment. The se… (§ 5.1.3 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must enforce the security requirements it has for third parties and contractors. (SG.PS-7 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • An organization must ensure that third-party providers conform to and are in compliance with organizational information system security policies. The organization should document all services provided by third-party providers and obtain assurances, by contract or agreement, that security controls ar… (§ 2.4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Develop contract language to ensure supply chain, system, network, and operational security are met. (T0302, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals. (T0277, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; (SA-9a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; (SA-9a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and… (SA-9a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • If the organization uses a third party and discloses personal information to that third party, a written contract must exist ensuring the third party implements security measures to protect the information against unauthorized disclosure, use, access, modification, or destruction and that the measur… (§ 14-3503(b), Maryland Commercial Law, Subtitle 35, Maryland Personal Information Protection Act, Sections 14-3501 thru 14-3508)
  • If the organization uses a third party and discloses personal information to that third party, a written contract must exist ensuring the third party implements security measures to protect the personal information against unauthorized access, acquisition, disclosure, use, modification, or destructi… (§ 603A.210(2), Nevada Revised Statutes, Chapter 603A, Security of Personal Information)
  • require the Third Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this Part. (§ 500.04 Chief Information Security Officer (a)(3), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity; (§ 500.11 Third Party Service Provider Security Policy (a)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity t… (§ 500.11 Third Party Service Provider Security Policy (c), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • require the third-party service provider or affiliate to maintain a cybersecurity program that protects the covered entity in accordance with the requirements of this Part. (§ 500.4 Cybersecurity Governance (a)(3), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • minimum cybersecurity practices required to be met by such third-party service providers in order for them to do business with the covered entity; (§ 500.11 Third-Party Service Provider Security Policy (a)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Businesses may use another party to destroy personal information, if, after due diligence, they enter into a written contract and monitor the other party's compliance. Due diligence includes one or more of the following: reviewing an independent audit of the disposal business' compliance with this… (§ 75-64(c), North Carolina Statutes, Chapter 75, Article 2A, Identity Theft Protection Act, Sections 75-60 thru 75-66)
  • Selecting service providers that are capable of maintaining appropriate safeguards, and requiring the service providers by contract to maintain the safeguards; and (§ 646A.622(2)(d)(A)(v), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • If the organization discloses unencrypted personal information to a third party, it must ensure a contract is in place with the third party to require the third party to have appropriate security procedures in place to protect the personal information from unauthorized access, use, disclosure, modif… (§ 11-49.2-2(3), Rhode Island General Law, Chapter 11-49.2, Identity Theft Protection, Sections 11-49.2-1 thru 11-49.2-4, 2008 General Laws)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [TX-RAMP Assignment: TX-RAMP Security Controls Baseline(s) if State information is processed or stored within the external system] in accordance with applicable fed… (SA-9a., TX-RAMP Security Controls Baseline Level 1)
  • Requires that providers of external information system services comply with organizational information security requirements and employ [TX-RAMP Assignment: TX-RAMP Security Controls Baseline(s) if State information is processed or stored within the external system] in accordance with applicable fed… (SA-9a., TX-RAMP Security Controls Baseline Level 2)
  • The recipient of personal data is subject to the same legal and regulatory obligations as the person who is responsible for the data file. The person responsible for the data file must respond jointly and distinctly to the observance of these obligations before the relevant information owner and the… (§ 11.4, Argentina Personal Data Protection Act)