Formalize client and third party relationships with contracts or nondisclosure agreements.


CONTROL ID
00794
CONTROL TYPE
Process or Activity
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a supply chain management program., CC ID: 11742

This Control has the following implementation support Control(s):
  • Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist., CC ID: 06505
  • Establish, implement, and maintain software exchange agreements with all third parties., CC ID: 11615
  • Include a description of the product or service to be provided in third party contracts., CC ID: 06509
  • Establish, implement, and maintain rules of engagement with third parties., CC ID: 13994
  • Establish, implement, and maintain information flow agreements with all third parties., CC ID: 04543
  • Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts., CC ID: 06528
  • Include a description of the data or information to be covered in third party contracts., CC ID: 06510
  • Include text about trade secrets and intellectual property in third party contracts., CC ID: 06503
  • Include text about participation in the organization's testing programs in third party contracts., CC ID: 14402
  • Include the contract duration in third party contracts., CC ID: 16221
  • Include roles and responsibilities in third party contracts., CC ID: 13487
  • Include cryptographic keys in third party contracts., CC ID: 16179
  • Include bankruptcy provisions in third party contracts., CC ID: 16519
  • Include cybersecurity supply chain risk management requirements in third party contracts., CC ID: 15646
  • Include text that organizations must meet organizational compliance requirements in third party contracts., CC ID: 06506
  • Include a reporting structure in third party contracts., CC ID: 06532
  • Include the right of the organization to conduct compliance audits in third party contracts., CC ID: 06514
  • Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts., CC ID: 06516
  • Include training requirements in third party contracts., CC ID: 16367
  • Include an indemnification and liability clause in third party contracts., CC ID: 06517
  • Include a third party delegation clause and subcontractor to third party clause in third party contracts., CC ID: 06521
  • Include change control clauses in third party contracts, as necessary., CC ID: 06523
  • Include a choice of venue clause in third party contracts., CC ID: 06520
  • Include a dispute resolution clause in third party contracts., CC ID: 06519
  • Include a termination provision clause in third party contracts., CC ID: 01367
  • Include text about obtaining adequate insurance in third party contracts., CC ID: 06880
  • Include incident management procedures and incident reporting procedures in third party contracts., CC ID: 01214
  • Include a usage limitation of restricted data clause in third party contracts., CC ID: 13026
  • Include end-of-life information in third party contracts., CC ID: 15265
  • Include third party requirements for personnel security in third party contracts., CC ID: 00790
  • Include third party acknowledgment of their data protection responsibilities in third party contracts., CC ID: 01364
  • Include disclosure requirements in third party contracts., CC ID: 08825
  • Include requirements for alternate processing facilities in third party contracts., CC ID: 13059


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Legal requirements shall still be enforceable upon agreements that were concluded partly or wholly by a data message. (§ 15(1), The Electronic Communications and Transactions Act, 2002)
  • Where the service provider is a wholly-owned subsidiary of an AI or the head office or another branch of a foreign AI, a memorandum of understanding may be acceptable. (2.4.3, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • In any outsourcing arrangement, AIs should ensure that they have effective procedures for monitoring the performance of, and managing the relationship with, the service provider and the risks associated with the outsourced activity. (2.6.1, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • AIs should seek to protect the interests of all types of customers when offering e-banking services to them. In particular, AIs should respect the spirit of the Code and the Treat Customers Fairly Charter (TCF) when offering e-banking services to their personal customers. For instance, AIs should se… (§ 4.5.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should seek to protect the interests of all types of customers when offering e-banking services to them. In particular, AIs should respect the spirit of the Treat Customers Fairly Charter (TCF) and comply with the Code when offering e-banking services to their personal customers. This includes, … (§ 4.4.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • AIs should avoid placing excessive reliance on external vendors in providing BCP support, particularly where a number of institutions are using the services of the same vendor (e.g. to provide back-up facilities or additional hardware). AIs should satisfy themselves that such vendors do actually hav… (5.3.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • If a licensed or registered person has any arrangement to outsource any activities associated with its internet trading to a third-party service provider, it should enter into a formal service-level agreement with the service provider which specifies the terms of service and the responsibilities of … (2.10. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • The organization, when entrusting personal data to an outside organization, must guarantee through the conclusion of a contract or other legal measure that its manager's instructions are followed, personal data confidentiality is maintained, redisclosure is prohibited, and responsibility is assigned… (Art 19, Japan Handbook Concerning Protection Of Personal Data, February 1998)
  • App 2-1 Item Number VI.5.3(2): When concluding a contract, measures must be taken to prevent misconduct and protect confidential information. This is a control item that constitutes a greater risk to financial information. This is an IT general control. App 2-1 Item Number VI.5.3(3): To prevent prob… (App 2-1 Item Number VI.5.3(2) thru App 2-1 Item Number VI.5.3(6), App 2-1 Item Number VI.5.3(8), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O88: The organization shall include, in a written outsourcing contract, the items relating to protecting safe operation and corporate secrets. O88.1: The organization shall include requirements for protecting corporate secrets, performing operations safely, and other provisions in outsourcing contra… (O88, O88.1, O88.4, O89.1(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Salary deposit (P33.2. ¶ 1(5) 1), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Stock dividend (P33.2. ¶ 1(5) 5), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For conclusion of any contracts for data transmission through line connections, it is essential to fully understand the conditions of contracts and eliminate possible erroneous connection. This requires implementation of written confirmation of requirements for connections and other standardization. (P33.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In the case of transferring data through line connections, it is necessary to establish a method to identify the connect-to party, and terminals based on contracts and established regulations to perform the appropriate management. (P34.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Upon doing so, the financial institution should consider the scope of operations to be outsourced, the nature of services provided by the contractor, and the role division of the financial institution and contractor in terms of use pattern, and then evaluate the contractor based on the information o… (C20.3. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The relationship between the enterprise and a third-party provider should be documented in the form of an executed contract. The various details and requirements on the matter are covered under chapter on "IT outsourcing". (Critical components of information security 23) vi., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and … (Article 50-7(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • An institution should, in principle, enter into outsourcing arrangements only with service providers operating in jurisdictions that generally uphold confidentiality clauses and agreements. (5.10.2 (a), Guidelines on Outsourcing)
  • The FI should ensure that contractual terms and conditions governing the roles, relationships, obligations and responsibilities of all contracting parties are set out fully in written agreements. The requirements and conditions covered in the agreements would usually include performance targets, ser… (§ 5.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements. (Security Control: 1575; Revision: 0, Australian Government Information Security Manual, March 2021)
  • A formal agreement must exist between the organization and the third party when a third party provides, installs, integrates, maintains, configures, modifies, or retains a computerized system or for Data Processing. (¶ 3.1, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of pers… (Art. 28.3., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract shall include the service level agreements and be documented in one written document which shall be available to the parties on paper, o… (Art. 30.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance… (Art. 30.2.(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Mechanisms for shared responsibilities are specified and implemented. (1.2.4 Requirements (must) Bullet 4, Information Security Assessment, Version 5.1)
  • contractual arrangements between third parties outside their group and the whole firm or group (see Chapter 6); (§ 3.19 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • Contracts or invitations to tender must include appropriate security measures and have an attached detailed security aspects letter. (¶ 15, Industrial Security - Departmental Responsibilities, Version 5.0 October 2010)
  • ¶ 4: The contracting authority must verify that the Office of Government Commerce Model Contract terms and conditions are included in contracts for work that involves access to personal data at the contractor's facilities or when personal data is provided to the contractor and the contractor is not… (¶ 4, ¶ 20, ¶ 22, ¶ 67, The Contractual process, Version 5.0 October 2010)
  • Supply chain companies should establish long-term relationships with their suppliers. (Supplement on Tin, Tantalum, and Tungsten Step 1: D.1, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Companies in the supply chain should establish long-term relationships with their suppliers. (Supplement on Gold Step 1: § I.D.1, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization enters into written agreements with contractors that specify those responsibilities delegated to the contractor and those retained by the organization. (CORE - 8(a), URAC Health Utilization Management Standards, Version 6)
  • Formalise the supplier relationship management process for each supplier. The relationship owners should liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through SLAs). (DS2.2 Supplier Relationship Management, CobiT, Version 4.1)
  • Verify that policies and procedures are documented and were followed including proper due diligence prior to engaging any service provider. (§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 2.0)
  • Verify that policies and procedures are documented and were followed including proper due diligence prior to engaging any service provider. (§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 2.0)
  • Verify that policies and procedures are documented and were followed including proper due diligence prior to engaging any service provider. (§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • Verify that policies and procedures are documented and were followed including proper due diligence prior to engaging any service provider. (§ 12.8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Establish processes and procedures for engaging service providers, including proper due diligence prior to engagement. (§ 12.8.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that policies and procedures are documented and were followed including proper due diligence prior to engaging any service provider. (§ 12.8.3 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • A written agreement must be maintained that includes an acknowledgment that the service provider is responsible for the security of cardholder data it stores, processes, or transmits for a customer, or to the extent it could impact the security of the customer's cardholder data environment. (PCI DSS Requirements § 12.8.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. (12.8.2 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine policies and procedures to verify that processes are defined to maintain a list of TPSPs, including a description for each of the services provided, for all TPSPs with whom account data is shared or that could affect the security of account data. (12.8.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service provider possesses or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of… (PCI DSS Question 12.8.2, PCI DSS Self-Assessment Questionnaire A and Attestation of Compliance, Version 3.0)
  • Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service provider possesses or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of… (PCI DSS Question 12.8.2, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service provider possesses or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of… (PCI DSS Question 12.8.2, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service provider possesses or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of… (PCI DSS Question 12.8.2, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service provider possesses or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of… (PCI DSS Question 12.8.2, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service provider possesses or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of… (PCI DSS Question 12.8.2, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service provider possesses or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of… (PCI DSS Question 12.8.2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service provider possesses or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of… (PCI DSS Question 12.8.2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service provider possesses or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of… (PCI DSS Question 12.8.2, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. (12.8.2 Bullet 1, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. (12.8.2 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. (12.8.2 Bullet 1, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. (12.8.2 Bullet 1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. (12.8.2 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. (12.8.2 Bullet 1, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. (12.8.2 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. (12.8.2 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. (12.8.2 Bullet 1, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Before signing a contract with a service provider, the organization should research the service provider to see if it can keep the cardholder data safe and minimize losses due to fraud and read and understand all contracts before signing. The contract should state who is liable for fraudulent transa… (Pg 17, Pg 24, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • A well-written contract should address the following legal and contractual issues: service levels and incentives; vendor personnel; data protection, privacy, and intellectual property; price protections; third-party assignments; ownership of assets; legal system conflicts; contingency management and… (§ 4.3 (Legal and Contractual Considerations When Contracting with Service Providers), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The clauses in Section D.1.1, or substantially similar language, should be included in all contracts or purchase orders for electronic parts. (App D § D.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Dealings with other organizations should not be conducted in vague and unclear methods. Agreements between companies should be in writing whenever possible, and oral agreements should be avoided; it should be noted in writing that written agreements cannot be changed by oral statements; and the cont… (Pg 21-I-8, Pg 21-I-9, Protection of Assets Manual, ASIS International)
  • Critical suppliers should be subject to a relationship assessment (sometimes referred to as a due diligence review), which covers contract requirements (e.g., non-disclosure agreements, sub-contracting, roles and responsibilities, and termination clauses). (CF.16.01.03b, The Standard of Good Practice for Information Security)
  • Additional, specialized controls should be agreed and signed by all parties (i.e., the organization and the external supplier). (CF.16.01.05b, The Standard of Good Practice for Information Security)
  • A contract should be established with each external supplier, which includes agreed security arrangements (baseline and additional), such as the 'right to audit' and contract termination / exit activities. (CF.16.01.06, The Standard of Good Practice for Information Security)
  • Contracts should be established with all outsource providers (including cloud service providers), which are approved by executive management. (CF.16.03.04b, The Standard of Good Practice for Information Security)
  • Contracts should be established with all outsource providers (including cloud service providers), which are agreed and signed by both parties. (CF.16.03.04c, The Standard of Good Practice for Information Security)
  • A process should be established that ensures that the use of cloud services (including generic cloud services) is supported by a contract. (CF.16.04.07c, The Standard of Good Practice for Information Security)
  • Each use of cloud computing services should be supported by a contract (including Terms and Conditions or equivalent), which covers all clauses that apply to standard external supplier contracts and include special provisions related to the use of cloud services. (CF.16.05.01, The Standard of Good Practice for Information Security)
  • Contracts (including those for generic, 'off-the-shelf' cloud services) should be approved and signed by a senior business representative. (CF.16.05.02b, The Standard of Good Practice for Information Security)
  • Contracts should be established with all outsource providers (including cloud service providers), which are approved by executive management. (CF.16.03.04b, The Standard of Good Practice for Information Security, 2013)
  • Contracts should be established with all outsource providers (including cloud service providers), which are agreed and signed by both parties. (CF.16.03.04c, The Standard of Good Practice for Information Security, 2013)
  • A process should be established that ensures that the use of cloud services (including generic cloud services) is supported by a contract. (CF.16.04.07c, The Standard of Good Practice for Information Security, 2013)
  • Each use of cloud computing services should be supported by a contract (including Terms and Conditions or equivalent), which covers all clauses that apply to standard external supplier contracts and include special provisions related to the use of cloud services. (CF.16.05.01, The Standard of Good Practice for Information Security, 2013)
  • Contracts (including those for generic, 'off-the-shelf' cloud services) should be approved and signed by a senior business representative. (CF.16.05.02b, The Standard of Good Practice for Information Security, 2013)
  • Critical suppliers should be subject to a relationship assessment (sometimes referred to as a due diligence review), which covers contract requirements (e.g., non-disclosure agreements, sub-contracting, roles and responsibilities, and termination clauses). (CF.16.01.04b, The Standard of Good Practice for Information Security, 2013)
  • Additional, specialized controls should be agreed and signed by all parties (i.e., the organization and the external supplier). (CF.16.01.06a, The Standard of Good Practice for Information Security, 2013)
  • A contract should be established with each external supplier, which includes agreed security arrangements (baseline and additional), such as the 'right to audit' and contract termination / exit activities. (CF.16.01.07, The Standard of Good Practice for Information Security, 2013)
  • The agreement shall include the person who is responsible for Risk Management. (§ 4.3.4 ¶ 3(a), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The agreement shall state who is responsible for requesting cooperation, if additional cooperation is needed, in addition to the supplied documents, between the manufacturers, suppliers, and other organizations. (§ 4.3.4 ¶ 3(h) Bullet 1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The agreement shall state who is responsible for responding to cooperation requests, if additional cooperation is needed, in addition to the supplied documents, between the manufacturers, suppliers, and other organizations. (§ 4.3.4 ¶ 3(h) Bullet 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The agreement shall state the criteria to judge the cooperation request response, if additional cooperation is needed, in addition to the supplied documents, between the manufacturers, suppliers, and other organizations. (§ 4.3.4 ¶ 3(h) Bullet 3, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall develop a written agreement or verbal understanding with the supplier, to include requirements, milestones, change control procedures, exception handling, verification procedures, and payments. (§ 6.1.1.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The supplier shall make an agreement or oral understanding with the organization, confirming it can meet all requirements and milestones. (§ 6.1.2.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • An agreement should be formally established between the transferring party and the custodian when records are transferred to an external storage provider or an external archives authority to document the continuing obligation to maintain and manage the records appropriately, safeguard their retentio… (§ 4.3.9.2 ¶ 8, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The service provider and the supplier shall have a documented contract for their relationship. (§ 7.2 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The responsibilities and liabilities for outsourced vendors, including their subcontractors, should be formally defined by the service provider in a contractual agreement. Prior agreements should be established between the service provider and organization, be documented, and communicated to all rel… (§ 5.6.3, § 5.8.2, § 5.8.3, § 5.8.4, § 5.8.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. (A.15.1.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • An agreement should be made with all third parties who access, manage, and/or process the organization's data. The agreement should be clear so that there are no misunderstandings between the two parties. To satisfy security requirements, the following should be included in the agreement: the inform… (§ 6.2.3, ISO 27002 Code of practice for information security management, 2005)
  • contracts with external suppliers; (§ 7.5.4 ¶ 1(i), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • For each internal supplier or customer acting as a supplier, the organization shall develop, agree and maintain a documented agreement to define the service level targets, other commitments, activities and interfaces between the parties. (§ 8.3.4.2 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • For each external supplier, the organization shall agree a documented contract. The contract shall include or contain a reference to: (§ 8.3.4.1 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • new or changed SLAs, contracts and other documented agreements that support the services; (§ 8.5.2.2 ¶ 1(d), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. (§ 15.1.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • The information security policies should be augmented by a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed between the public cloud PII processor and its clients (cloud service customers). (§ 5.1.1 ¶ 3, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The information security policies should be augmented by a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed between the public cloud PII processor and its clients (cloud service customers). (§ 5.1.1 ¶ 3, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The parties should consider entering into nonwaiver agreements, which states the procedures to follow to protect against a waiver of privileges or work product protection due to the inadvertent production of data and documents and provides for the return, sequestering, and/or deletion of this inform… (Comment 10.a ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • A person may enter into an undertaking at any time. (Section 21(1), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • The organization should ensure that a consumer or business is fully informed before entering into an agreement. The agreement should include which services or products are being offered, the total price for the product or service, the payment terms, the third parties' commitment and obligation in conti… (§ I14.1, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • The organization should not disclose personal information to any third party, unless an agreement exists stating that the third party will protect the personal information from loss, misuse, disclosure, unauthorized access, destruction, and alteration. (ID 7.2.2, AICPA/CICA Privacy Framework)
  • Establishing specific requirements for vendor and business partner arrangements that include (¶ 3.150 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Establishing specific requirements for vendor and business partner arrangements that include scope of services and product specifications, roles and responsibilities, compliance requirements, and service levels. (¶ 3.164 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Principle: Firms should manage cybersecurity risk that can arise across the lifecycle of vendor relationships using a risk-based approach to vendor management. Effective practices to manage vendor risk include: - performing pre-contract due diligence on prospective service providers; - establishing … (Vendor Management, Report on Cybersecurity Practices)
  • Does management require the use of confidentiality agreements or nondisclosure agreements for all third parties? (§ C.2.5, § C.2.6.1, Shared Assessments Standardized Information Gathering Questionnaire - C. Organizational Security, 7.0)
  • Are there contracts with third parties who have access to scoped systems and data? (§ C.2.6, Shared Assessments Standardized Information Gathering Questionnaire - C. Organizational Security, 7.0)
  • Warehousing and distribution agreements of unclassified defense articles between U.S. persons and foreign persons must be approved by the Directorate of Defense Trade Controls. The agreements must include a description of the defense articles, the duration of the agreement, the terms and conditions … (§ 124.14, US The International Traffic in Arms Regulations, April 1, 2008)
  • § 412.616(b): Information that can identify a patient to an agent may be released only in accordance with a written contract under which the agent agrees not to use or disclose the information, except for purposes stated in the contract and only to the extent that the facility is allowed to disclos… (§ 412.616(b), § 495.348(g), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • The organization must require the CMS Core Security Requirements to be included in written contracts or other arrangements to protect the confidentiality, integrity, and availability of electronically exchanged data. (CSR 1.11.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Measures appropriate for the sensitivity of the data and the size, scope, and complexity of the business entity's activities must be developed to ensure third parties or customers are not authorized to acquire or access sensitive personally identifiable information without the business entity perfor… (§ 302(a)(4)(B)(vi), § 302(d)(1), § 401(c)(2)(C), § 403(b)(3)(B)(iii), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • The Information Assurance Officer/Network Security Officer will ensure that all vendor connections have an associated up-to-date Business Associate Agreement. (§ 5.3 (MED0570: CAT I), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agen… (II.2.b., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agen… (§ II.2.b., EU-U.S. Privacy Shield Framework Principles)
  • By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agen… (ii.2.b., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agen… (II.2.b., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • In addition to the above requirements, the FedRAMP Control Specific Contract Clauses v278, also states the following: "Agencies leveraging FedRAMP Provisional Authorizations will be responsible for conducting their own Background Investigations and or accepting reciprocity from other agencies that h… (Section 5.6.2.3 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Engaging and funding the services of organizations performing MCD Actions to provide for the defense of the Mission Owner's systems, applications, and virtual networks in any CSP's IaaS/PaaS infrastructure (whether DoD operated or operated by a commercial/non-DoD entity). (Section 6.4 ¶ 1 Bullet 5, sub-bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The security requirements must be incorporated into classified contracts, request for proposals, and other solicitations. (§ 4-103, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • A medical device manufacturer shall establish and maintain data describing or referencing the requirements, including requirements for quality, for purchased or other received services and products. The purchasing documents shall include an agreement that contractors, consultants, and suppliers will… (§ 820.50(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • The assurances required by § 164.502(e)(1) must be documented in a written contract or agreement that meets the requirements of § 164.504(e). (§ 164.502(e)(2), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The required satisfactory assurances of § 164.308(b)(1) shall be documented in a written contract or other arrangement with the business associate who meets the requirements of § 164.314(a). (§ 164.308(b)(4), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The required contract shall meet the requirements of § 164.314(a)(2)(i) or § 164.314(a)(2)(ii). (§ 164.314(a)(1)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Contracts shall require the business associate to implement physical, technical, and administrative safeguards to reasonably and appropriately protect the availability, integrity, and confidentiality of electronic protected health information it creates, maintains, transmits, or receives on behalf o… (§ 164.314(a)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • When the covered entity and business associate are both governmental agencies, the covered entity is in compliance with section 164.314(a)(1) if it has a memorandum of understanding containing terms to accomplish the objectives of section 164.314(a)(2)(i) or if another law contains requirements to a… (§ 164.314(a)(2)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A contract must meet the requirements of § 164.504(e)(2) or § 164.504(e)(3). (§ 164.504(e)(1)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314… (§ 164.308(b)(3), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of §164.504(e). (§ 164.502(e)(2), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covere… (§ 164.504(e)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The covered entity may comply with this paragraph and §164.314(a)(1), if applicable, by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section and §164.314(a)(2), if applicable. (§ 164.504(e)(3)(i)(A), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if suc… (§ 164.504(e)(2)(ii)(J), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Standard: Business associate contracts or other arrangements. The contract or other arrangement required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (§ 164.314(a)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Importers must have documented and verifiable processes for the selection of any business partners (manufacturers, vendors, and suppliers). (Business Partner Requirement, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria)
  • § 552a(q)(2): Unless the nonfederal or recipient agency has certified that it complied with the agreement's provisions, and the source agency does not have a reason to believe otherwise, a source agency may not renew matching agreements. § 552a(u)(4): Except as stated in § 552a(4)(B) and § 552a(… (§ 552a(q)(2), § 552a(u)(4), § 552a(u)(5)(B), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • A criminal justice agency that receives access to criminal justice information shall have a signed written agreement with the appropriate signatory authority of the agency that is providing the access. (§ 5.1.1.3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The noncriminal justice agency shall sign a management control agreement with the criminal justice agency that states that the management control of the criminal justice function remains solely with the criminal justice agency. (§ 5.1.1.4, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Channelers that access criminal justice information shall be subject to the terms and conditions contained in the compact council security and management control outsourcing standard. (§ 5.1.1.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Any CJA receiving access to CJI shall enter into a signed written agreement with the appropriate signatory authority of the CSA providing the access. The written agreement shall specify the FBI CJIS systems and services to which the agency will have access, and the FBI CJIS Division policies to whic… (§ 5.1.1.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Timeliness. (§ 5.1.1.3 ¶ 1(8), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Each CSA head or SIB Chief shall execute a signed written user agreement with the FBI CJIS Division stating their willingness to demonstrate conformity with this Policy before accessing and participating in CJIS records information programs. This agreement shall include the standards and sanctions g… (§ 5.1.1.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Information exchange agreements shall be supported by documentation committing both parties to the terms of information exchange. As described in subsequent sections, different agreements and policies apply, depending on whether the parties involved are CJAs or NCJAs. See Appendix D for examples of … (§ 5.1.1 ¶ 3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • A NCJA (private) designated to request civil fingerprint-based background checks, with the full consent of the individual to whom a background check is taking place, for noncriminal justice functions, shall be eligible for access to CJI. Access shall be permitted when such designation is authorized … (§ 5.1.1.6 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • A NCJA (public) designated to request civil fingerprint-based background checks, with the full consent of the individual to whom a background check is taking place, for noncriminal justice functions, shall be eligible for access to CJI. Access shall be permitted when such designation is authorized p… (§ 5.1.1.6 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Channelers designated to request civil fingerprint-based background checks or noncriminal justice ancillary functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice functions shall be eligible for access to CJI. Access shall be permitted when such designation is authorized pu… (§ 5.1.1.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Any CJA receiving access to CJI shall enter into a signed written agreement with the appropriate signatory authority of the CSA providing the access. The written agreement shall specify the FBI CJIS systems and services to which the agency will have access, and the FBI CJIS Division policies to whic… (§ 5.1.1.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Information exchange agreements shall be supported by documentation committing both parties to the terms of information exchange. As described in subsequent sections, different agreements and policies apply, depending on whether the parties involved are CJAs or NCJAs. See Appendix D for examples of … (§ 5.1.1 ¶ 3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • A NCJA (public) designated to request civil fingerprint-based background checks, with the full consent of the individual to whom a background check is taking place, for noncriminal justice functions, shall be eligible for access to CJI. Access shall be permitted when such designation is authorized p… (§ 5.1.1.6 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • A NCJA (private) designated to request civil fingerprint-based background checks, with the full consent of the individual to whom a background check is taking place, for noncriminal justice functions, shall be eligible for access to CJI. Access shall be permitted when such designation is authorized … (§ 5.1.1.6 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Channelers designated to request civil fingerprint-based background checks or noncriminal justice ancillary functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice functions shall be eligible for access to CJI. Access shall be permitted when such designation is authorized pu… (§ 5.1.1.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Formal contracts that address relevant security and privacy requirements are in place for all third parties that process, store, or transmit confidential data or provide critical services. (Domain 4: Assessment Factor: Relationship Management, CONTRACTS Baseline 2 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Services offered and SLA, OLA, or contractual provisions. (App A Objective 16:1a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • There are contracts with all customers (affiliated and nonaffiliated) and whether the institution's legal staff has approved them; (TIER II OBJECTIVES AND PROCEDURES F.1. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Formal contracts with each wire servicer exist (i.e., Federal Reserve Bank (FRB), correspondent financial institutions, and others); (TIER II OBJECTIVES AND PROCEDURES E.1. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Exam Tier II Obj A.1 Determine whether audit procedures for management adequately consider ▪ The ability of management to plan for and initiate new activities or products in response to information needs and to address risks that may arise from changing business conditions; ▪ The ability of mana… (Exam Tier II Obj A.1, Exam Tier II Obj E.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • A formal contract should be developed that addresses the duties and responsibilities of all involved parties. The contract should be tailored for e-banking. Some e-banking contract issues are: requirements for security controls to protect data; restrictions on the use of nonpublic personal informati… (Pg 23, Pg 24, Obj 3.2, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should receive current financial information from third party providers at least annually. (Pg 37, FFIEC IT Examination Handbook - Management)
  • The service provider contract should clearly define the roles and responsibilities of both parties. The contract should prohibit the service provider from disclosing the organization's information, require the service provider to follow the privacy requirements if it gains access to nonpublic custom… (Pg 13, Exam Tier I Obj 3.4, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • If the institution uses a technology service provider, determine whether it performed appropriate due diligence prior to engagement and has appropriate contractual agreements governing the relationship. Determine whether the institution monitors compliance with the governing contract. Determine if t… (App A Tier 1 Objectives and Procedures Objective 8:4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Roles, responsibilities, and performance standards of the parties, including those related to the sale or lease of equipment needed for RDC at the customer location. (App A Tier 2 Objectives and Procedures N.5 Bullet 2 Sub-Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Contract duration, termination, and assignment; and (App A Tier 2 Objectives and Procedures O.1 Bullet 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Contracts with regional EFT/POS network switch and gateway operators and bankcard processors clearly set forth the rights and responsibilities of all parties, including the integrity and confidentiality of customer information, ownership of data, settlement terms, contingency and business recovery p… (App A Tier 2 Objectives and Procedures A.1 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Other originator obligations such as security and audit requirements. (App A Tier 2 Objectives and Procedures H.1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Written agreements with third parties should define roles and responsibilities, detailed control procedures, and problem-resolution procedures. (Pg 40, Exam Tier II Obj 1.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Obtain any material agreements or contracts concerning funds transfer services between the financial institution and correspondent banks, service providers and operators (e.g., Federal Reserve Bank and CHIPS). Review the agreements to determine if they: ▪ Establish responsibilities and accountabil… (Exam Tier II Obj 6.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization should require service providers to sign a contract stating that they will implement and maintain safeguards to protect customer information. (§ 314.4(d)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule)
  • The joint authorization board must approve and accept the documented agreement on how the service providers will furnish verification of the results. (Column F: AC-8, FedRAMP Baseline Security Controls)
  • Have written agreements been established for significant web linking partners? (IT - Compliance Q 16, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union have a contract with the account aggregation provider? (IT - Member Online Services Q 45, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.9.2 Bullet 1: Document the required satisfactory assurances through a written contract or other arrangement with the business associate. § 4.9.2 Bullet 2: Execute new, or update existing, agreements or arrangements as appropriate. § 4.9.3 Bullet 4: Update the Memorandum of Understanding or ot… (§ 4.9.2 Bullet 1, § 4.9.2 Bullet 2, § 4.9.3 Bullet 4, § 4.9.4 Bullet 1, § 4.9.4 Bullet 2, § 4.19.1 Bullet 1, § 4.19.1 Bullet 2, § 4.19.2 Bullet 1, § 4.19.3 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Develop and enter into a computer matching agreement; (PT-8b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Apply expertise in policy and processes to facilitate the development, negotiation, and internal staffing of plans and/or memorandums of agreement. (T0571, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Participate in the implementation and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure all privacy concerns, requirements and responsibilities are addressed. (T0909, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The Incident Response policies and procedures should state the Personally Identifiable Information that is maintained by the organization. (§ 4.1.1 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Organizations may use third-party vendors to recover data from failed storage devices. Organizations should consider the security risk of having their data handled by an outside company and ensure that proper security vetting of the service provider is conducted before turning over equipment. The se… (§ 5.1.3 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Contracts or other formal agreements must use the risk management framework and associated national institutes of science and technology security standards and guidelines to express security requirements, including security controls for processing, storing, or transmitting federal information, for e… (§ 2.4 ¶ 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop explicit agreements and require the use of security controls stated in Special Publication 800-53, whenever feasible and practical. When the organization cannot require explicit agreements, it must establish explicit assumptions about security. (§ 2.4 ¶ 5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • By using the appropriate contractual vehicles, the organization can require external providers, in collaboration with the organization, to execute the security categorization and security control selection steps. This information can help the organization determine what security controls are in plac… (§ 3.3 ¶ Applying Gap Analyses to External Service Providers, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Participate in the implementation and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure all privacy concerns, requirements and responsibilities are addressed. (T0909, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Apply expertise in policy and processes to facilitate the development, negotiation, and internal staffing of plans and/or memorandums of agreement. (T0571, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop and enter into a computer matching agreement; (PT-8b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop and enter into a computer matching agreement; (PT-8b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Third-party senders should sign an agreement binding them by the NACHA rules. The agreement should state that entries that violate federal laws may not be initiated. (Third-Party Senders, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004)
  • Bank management should ensure necessary controls are in place to manage risks associated with outsourcing and external alliances. Management should ensure that vendors have the necessary expertise, experience, and financial strength to fulfill their obligations. They also should ensure that th… (¶ 40, ¶ 41, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • A bank should develop a third party contract that clearly defines responsibilities and expectations, as part of the third party Risk Management process. ("Risk Management Life Cycle" ¶ "Contract negotiation:", Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management must develop plans for using third parties and identifying the ones that involve critical activities, then presenting the plans to the Board of Directors. ("Senior Bank Management" Bullet 3, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Make privacy and security obligations of third parties enforceable by contract. (Part I ¶ 8, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • Oversight of third parties with which such company enters into contracts or agreements that have or will have access to personal information compiled or maintained by the company, by (§ 38a-999b(b)(2)(H), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to third-party service providers including to the extent applicable guidelines addressing: (§ 500.11 Third-Party Service Provider Security Policy (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)