Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts.


CONTROL ID
00796
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a supply chain management program., CC ID: 11742

This Control has the following implementation support Control(s):
  • Review and update all contracts, as necessary., CC ID: 11612


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • A licensed corporation should have in place an exit strategy to ensure that the external data storage or processing services can be terminated without material disruption to the continuity of any operations critical to the conduct of regulated activities, including in the case of the insolvency of t… (20., Circular to Licensed Corporations - Use of external electronic data storage)
  • The organization, when entrusting personal data to an outside organization, must guarantee through the conclusion of a contract or other legal measure that its manager's instructions are followed, personal data confidentiality is maintained, redisclosure is prohibited, and responsibility is assigned… (Art 19, Japan Handbook Concerning Protection Of Personal Data, February 1998)
  • The contents of a contract must be reexamined, if there is a change in or addition to the contents of any subcontracted operation after a contract has concluded. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. (App 2-1 Item Number VI.5.3(7), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Depending on the nature and extent of operations being outsourced, the organization should consider including contract revision procedures. (O88.4(16), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances, as the case may be, are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the groun… (§ III.10A ¶ 1, India Information Technology Act 2008, 2008)
  • If transmission or reception of advertising information hinders or is likely to hinder rendering the services; (Article 50-4(1)(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Any provider of information and communications services or similar shall not conclude an international contract with any term or condition in violation of this Act with respect to personal information of users. (Article 63(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). (Article 56(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • In supervising an institution, MAS will review its implementation of these Guidelines, the quality of its board and senior management oversight and governance, internal controls and risk management with regard to managing outsourcing risks. (5.1.1, Guidelines on Outsourcing)
  • developing sound and prudent outsourcing policies and procedures that are commensurate with the nature, scope and complexity of the outsourcing arrangements as well as ensuring that such policies and procedures are implemented effectively; (5.2.3 (b), Guidelines on Outsourcing)
  • The minimum period to execute a termination provision should be specified in the outsourcing agreement. Other provisions should also be put in place to ensure a smooth transition when the agreement is terminated or being amended. Such provisions may facilitate transferability of the outsourced servi… (5.5.2 (i) ¶ 2, Guidelines on Outsourcing)
  • Reports on the monitoring and control activities of the institution should be reviewed by its senior management and provided to the board for information. The institution should ensure that monitoring metrics and performance data are not aggregated with those belonging to other customers of the serv… (5.8.2 (e), Guidelines on Outsourcing)
  • Periodic reviews, at least on an annual basis, on all material outsourcing arrangements. This is to ensure that the institution's outsourcing risk management policies and procedures, and these Guidelines, are effectively implemented. Such reviews should ascertain the adequacy of internal risk manage… (5.8.2 (d), Guidelines on Outsourcing)
  • the institution's ability to effectively monitor the service provider, and execute its business continuity management plans and exit strategy. (5.10.1 ¶ 1 (d), Guidelines on Outsourcing)
  • In the event of contract termination with the service provider, either on expiry or prematurely, the FI should have the contractual power and means to promptly remove or destroy data stored at the service provider’s systems and backups. (§ 5.2.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The data controller must have an agreement, in writing, with the processor about the processing of personal data. The agreement must explicitly state the scope, purpose, and time period for when the processing will be concluded and guarantee that the processor will implement technical and organizati… (Art 6, Czech Republic Personal Data Protection Act, April 4, 2000)
  • where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and … (4.2 23(e), Final Report on EBA Guidelines on outsourcing arrangements)
  • the approval process of new outsourcing arrangements; (4.7 42(c)(vii), Final Report on EBA Guidelines on outsourcing arrangements)
  • the renewal processes; (4.7 42(d)(iv), Final Report on EBA Guidelines on outsourcing arrangements)
  • the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agre… (4.7 42(f), Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangemen… (4.13.1 80, Final Report on EBA Guidelines on outsourcing arrangements)
  • taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangeme… (4.6 38(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: (4.7 42, Final Report on EBA Guidelines on outsourcing arrangements)
  • the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so ('substitutability'); (4.4 31(h), Final Report on EBA Guidelines on outsourcing arrangements)
  • the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; (4.13 75(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • Processing personal data with a processor must be governed by a legal act or contract that binds the processor to the data controller and must stipulate the processor acts only on instructions from the data controller and that the processor implements appropriate technical and organizational securit… (Art 17.3, Art 17.4, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Unofficial Translation)
  • Financial entities shall identify and document all processes that are dependent on ICT third-party service providers, and shall identify interconnections with ICT third-party service providers that provide services that support critical or important functions. (Art. 8.5., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial serv… (Art. 28.1.(b)(ii), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The contractual arrangements referred to in the first subparagraph shall be appropriately documented, distinguishing between those that cover ICT services supporting critical or important functions and those that do not. (Art. 28.3. ¶ 2, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provide… (Art. 28.7.(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed by public authorities for specific services. (Art. 30.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The decision referred to in the second subparagraph shall be adopted and notified to the ICT third-party service provider within 6 months of receipt of the application. (Art. 31.11. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The data processor and the data controller must have a contract, and the contract must specify the processor's obligations regarding the protection of the confidentiality and security of the data and state that the processor may only act on instructions from the data controller. (Art 35, France Data Processing, Data Files and Individual Liberties)
  • Processing on another's behalf must be governed by a written contract that binds the processor to the data controller, providing the processor acts only on instructions from the controller. (Art 22(3), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • All contracts for technical data processing must be concluded in writing. (Art 4/A(4), Hungary Protection of Personal Data and Disclosure of Data of Public Interest)
  • A data controller responsible for the data processing is allowed to contract with a third party for processing the data, in whole or in part, contingent on if the data controller can verify beforehand that the processor is able to implement the required security measures and conduct internal audits … (Art 13, Iceland Protection of Privacy as regards the Processing of Personal Data)
  • Processing on behalf of a third party must be regulated by a written contract in or a form that allows the content and performance to be assessed. The contract must state that the processor may only process data in accordance with instructions from the data controller, may not use the data for other… (Art 12.2, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data)
  • Processors are obligated with the following responsibilities when processing data for a data controller: use data only in ways instructed by the data controller; ensure all required safety measures are implemented; to only hire another processor with permission of the data controller; to implement t… (§ 11, Austria Data Protection Act)
  • renewal processes. (Table 4 Column 2 Row 3 Bullet 1 Sub-Bullet 4, SS2/21 Outsourcing and third party risk management, March 2021)
  • Exit strategies and termination processes, including a requirement for a documented exit plan for material outsourcing arrangements where such an exit is considered possible, explicitly catering for the unexpected termination of an outsourcing agreement (a stressed or unplanned exit), and taking int… (Table 4 Column 2 Row 4 ¶ 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • The PRA expects all firms to keep appropriate records of their outsourcing arrangements. The PRA considers that a firm, in complying with 2.3(1)(e) of the Notifications Part of the PRA Rulebook, would likely already have records of its material outsourcing arrangements for this purpose. The records … (§ 4.15, SS2/21 Outsourcing and third party risk management, March 2021)
  • The security division of the Cabinet Office and MOD DE&S DHSY/PSyA must be notified when a contract is terminated due to the contractor violating security conditions. (¶ 48, The Contractual process, Version 5.0 October 2010)
  • Outsourcing contracts should be robust and clearly allocate each party's responsibilities. (¶ 39, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • Downstream companies should take immediate steps to terminate with a refiner who directly or indirectly supports non-state armed groups or has not immediately suspended or terminated with suppliers who have reasonable risks of serious abuses. (Supplement on Gold Step 3: § II.C.2(a), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organisational, documentary, performance, security, intellectual property, and termination responsibilities and liabilities (including penalty claus… (AI5.2 Supplier Contract Management, CobiT, Version 4.1)
  • Written agreements with TPSPs are maintained as follows: (12.8.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine written agreements with TPSPs to verify they are maintained in accordance with all elements as specified in this requirement. (12.8.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine policies and procedures to verify that processes are defined to maintain written agreements with all TPSPs in accordance with all elements specified in this requirement. (12.8.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Written agreements with TPSPs are maintained as follows: (12.8.2, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements with TPSPs are maintained as follows: (12.8.2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements with TPSPs are maintained as follows: (12.8.2, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements with TPSPs are maintained as follows: (12.8.2, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements with TPSPs are maintained as follows: (12.8.2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements with TPSPs are maintained as follows: (12.8.2, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements with TPSPs are maintained as follows: (12.8.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements with TPSPs are maintained as follows: (12.8.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Written agreements with TPSPs are maintained as follows: (12.8.2, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The auditors should review third-party contracts and contacts. At a minimum, the review should include language compliance with applicable laws and regulations. (§ 5.5 (Identify the Controls and Countermeasures), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Outsourcing contracts should be well defined and flexible. They should define rights, boundaries, liabilities, and expectations. The contract must provide clients with tools that manage change and retain leverage; manage new and in-scope services; monitor and manage service quality; deliver cost sav… (§ 4.6, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization shall communicate and document contract provisions that establish purchasing controls to avoid fraudulent or counterfeit products. (§ 4.2.3.1, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The external supplier security management process should include handling termination of a relationship with a supplier. (CF.16.01.01d, The Standard of Good Practice for Information Security)
  • A consistent method for securely handling the termination of relationships with external suppliers should be established, which includes designating individuals responsible for managing the termination. (CF.16.01.08a, The Standard of Good Practice for Information Security)
  • A consistent method for securely handling the termination of relationships with external suppliers should be established, which includes rehearsal and refinement of termination activities. (CF.16.01.08e, The Standard of Good Practice for Information Security)
  • The external supplier security management process should include handling termination of a relationship with a supplier. (CF.16.01.01h, The Standard of Good Practice for Information Security, 2013)
  • A consistent method for securely handling the termination of relationships with external suppliers should be established, which includes designating individuals responsible for managing the termination. (CF.16.01.10a, The Standard of Good Practice for Information Security, 2013)
  • A consistent method for securely handling the termination of relationships with external suppliers should be established, which includes rehearsal and refinement of termination activities. (CF.16.01.10f, The Standard of Good Practice for Information Security, 2013)
  • A consistent method for exiting, terminating, renewing, and renegotiating contracts with external suppliers should be established, which includes establishing a method to determine whether to exit, terminate, renew, or renegotiate a contract (e.g., based on whether the impact of any major incident(s… (CF.16.01.10b, The Standard of Good Practice for Information Security, 2013)
  • Renewal or renegotiation of contracts with external suppliers should include verifying information security arrangements and proposing revised information security terms and conditions. (CF.16.01.12, The Standard of Good Practice for Information Security, 2013)
  • Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be co… (CIS Control 15: Safeguard 15.4 Ensure Service Provider Contracts Include Security Requirements, CIS Controls, V8)
  • The service management policy shall provide a framework to establish and review the service management objectives. (§ 4.1.2 ¶ 1(d), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Service providers could have outsourcing arrangements with vendors on a temporary or permanent basis and they may have a lesser degree of control, so greater emphasis should be placed on selecting and managing outsourced vendors. This emphasis includes ensuring vendor awareness of the service provid… (§ 5.6.1, § 5.6.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • approach to be taken for working with other parties involved in the service lifecycle; (§ 6.3 ¶ 2(f), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. (§ 8.3.4.1 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The public cloud PII processor should be transparent about its capabilities during the process of entering into a contract. However, it is ultimately the cloud service customer’s responsibility to ensure that the measures implemented by the public cloud PII processor meet its obligations. (§ A.11.11 ¶ 6, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • Provisions for the use of sub-contractors to process PII should be transparent in the contract between the public cloud PII processor and the cloud service customer. The contract should specify that sub-contractors can only be commissioned on the basis of a consent that can generally be given by the… (§ A.8.1 ¶ 4, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. (CC9.2 ¶ 3 Bullet 1 Establishes Requirements for Vendor and Business Partner Engagements, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • All contracts should be reviewed periodically to ensure they are consistent with the privacy policies. If inconsistencies are found, they should be addressed. (ID 1.2.3, ID 10.2.3, AICPA/CICA Privacy Framework)
  • With respect to the acceptance and continuance of client relationships and specific engagements, paragraph .27 of QC section 10, A Firm's System of Quality Control, states that the firm should establish policies and procedures for the acceptance and continuance of client relationships and specific e… (¶ 2.31, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Implementing procedures for addressing issues identified with vendor and business partner relationships (¶ 3.150 Bullet 7, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • With respect to the acceptance and continuance of client relationships and specific engagements, paragraph .27 of QM section 10A, A Firm's System of Quality Control, states that the firm should establish policies and procedures for the acceptance and continuance of client relationships and specific … (¶ 2.37, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Appropriate procedures being performed regarding the acceptance and continuance of client relationships and engagements (¶ 2.50 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Implementing procedures for addressing issues identified with vendor and business partner relationships. (¶ 3.164 Bullet 8, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. (CC9.2 Establishes Requirements for Vendor and Business Partner Engagements, Trust Services Criteria)
  • The entity implements procedures for addressing issues identified with vendor and business partner relationships. (CC9.2 Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments, Trust Services Criteria)
  • The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. (CC9.2 ¶ 2 Bullet 1 Establishes Requirements for Vendor and Business Partner Engagements, Trust Services Criteria, (includes March 2020 updates))
  • The entity implements procedures for addressing issues identified with vendor and business partner relationships. (CC9.2 ¶ 2 Bullet 7 Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments, Trust Services Criteria, (includes March 2020 updates))
  • The lead (or coordinating) audit partner (having primary responsibility for the audit) may not act in that capacity for more than five (5) consecutive years. The person shall be disqualified from acting in that or a similar capacity for the same company or its insurance subsidiaries or affiliates fo… (Section 7.D.(1), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • A Medicare Advantage (MA) organization must follow a documented process regarding suppliers and providers who have signed participation agreements or contracts. Regarding providers, the contract/agreement must require determination and redetermination at specified intervals, ensure the provider is l… (§ 422.204(b), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • With respect to a security-based swap, copies of the security-based swap trade acknowledgment and verification made in compliance with § 240.15Fi-2. (§ 240.17a-3 (a)(8)(ii), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • Copies of all Forms X-17F-1A filed pursuant to § 240.17f-1, all agreements between reporting institutions regarding registration or other aspects of § 240.17f-1, and all confirmations or other information received from the Commission or its designee as a result of inquiry. (§ 240.17a-3 (a)(14), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • Of all agreements pertaining to the relationship between each associated person and the member, broker or dealer including a summary of each associated person's compensation arrangement or plan with the member, broker or dealer, including commission and concession schedules and, to the extent that c… (§ 240.17a-3 (a)(19)(ii), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • A record for each account indicating that each customer or owner was furnished with a copy of each written agreement entered into on or after the effective date of this paragraph pertaining to that account and that, if requested by the customer or owner, the customer or owner was furnished with a fu… (§ 240.17a-3 (a)(17)(iii), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • If the records required to be maintained and preserved by a registered transfer agent pursuant to the requirements of §§ 240.17Ad-6 and 240.17Ad-7 are maintained and preserved on behalf of the registered transfer agent by an outside service bureau, other recordkeeping service or the issuer, the re… (§ 240.17Ad-7(g), 17 CFR Part 240.17Ad-7 - Record retention)
  • When a business entity subject to Subtitle A of Title III of this Act uses a service provider that is not subject to Subtitle A of Title III of this Act, it must contractually require that the service provider implement and maintain security measures that meet the objectives and requirements of Sect… (§ 302(d)(2), § 401(a), § 401(b), § 403(b), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • The prime contractor must ensure a "Contract Security Classification Specification" is input into every classified subcontract. (§ 7-102, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • A covered entity is not in compliance with § 164.502(e) and § 164.504(e) if it knew of a business associate's pattern of activity or practice that was a material breach or violation of the associate's obligation under the contract, unless it took steps to correct the breach or end the violation an… (§ 164.504(e)(1)(ii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate. (§ 164.504(e)(3)(iii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A covered entity is not in compliance with the standards in §164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other ar… (§ 164.504(e)(1)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Exam Tier II Obj C.1 Determine whether audit procedures for operations consider ▪ The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. ▪ The adequacy of data controls over preparation, input, processing, a… (Exam Tier II Obj C.1, Exam Tier II Obj F.1, Exam Tier II Obj F.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • The outsourcing contract should include the third party's responsibilities for maintaining and testing the continuity plan. The organization should consider the following questions when contracting with third-party recovery services: How much system time is available for processing? How many third-p… (Pg E-7, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should have contracts with all outsource providers. The contracts should include assurances for performance, confidentiality, security, reliability, and reporting. (Pg 37, FFIEC IT Examination Handbook - Management)
  • Before signing a contract, the organization should ensure the contract clearly defines the rights and responsibilities of both parties; includes adequate and measurable service level agreements; includes the pricing method; does not contain provisions that have an adverse impact on the organization;… (Pg 12, Exam Tier I Obj 3.4, Exam Tier II Obj C.1, Exam Tier II Obj C.2, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Conformance with the contract, including the service level agreement; and (App A Tier 2 Objectives and Procedures O.6 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Inadequate performance is met with appropriate sanctions, such as reduction in contract fees or contract termination. (App A Tier 2 Objectives and Procedures O.5 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization should ensure third party contracts have provisions that enable operations to be conducted appropriately. The provisions should also define acceptable access to the organization's system and state what the potential liabilities are for fraud or processing errors. (Pg 35, Pg 36, Exam Tier I Obj 3.5, Exam Tier I Obj 4.4, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • This exhibit is a sample contract for contractors who might have access to Federal Tax Information. (Exhibit 7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the third party contract include the parties' rights to modify the existing services performed under the contract? (IT - Vendor Oversight Q 27, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Lead and oversee budget, staffing, and contracting. (T0493, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Lead and oversee budget, staffing, and contracting. (T0493, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • A bank should develop a contingency plan to terminate third party relationships, as part of the third party Risk Management process. ("Risk Management Life Cycle" ¶ "Termination:", Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • The termination plan or contract default plan should include the resources, capabilities, and timeframes required for the transition. ("Termination" ¶ 2 Bullet 1, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • The termination plan or contract default plan should cover the risks that are associated with Information System connections and access control issues, data destruction and data retention, or other concerns which require additional Risk Management and monitoring during and after the end of the third… ("Termination" ¶ Bullet 2, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • The termination plan or the contract default plan should include how to handle joint intellectual property that was developed during the relationship. ("Termination" ¶ 2 Bullet 3, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • The termination plan or contract default plan should cover any reputation risk to the bank due to the third party's inability to meet expectations. ("Termination" ¶ 2 Bullet 4, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management must terminate third party contracts that do not meet expectations or align with organizational objectives, goals, or risk appetite. ("Senior Bank Management" Bullet 10, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Employees who directly manage third party relationships should recommend that third party arrangements that do not meet the organizational expectations or align with the strategic goals, objectives, or risk appetite be terminated. ("Bank Employees Who Directly Manage Third-Party Relationships" Bullet 11, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract; (§ 6-1-1304 (3)(a)(VIII), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty; (§ 10 (a)(6), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • take steps at the request of a consumer prior to entering into a contract; (§ 10 (a)(7), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • Take steps at the request of a consumer prior to entering into a contract. (§ 12D-110.(a)(7), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • Perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty. (§ 12D-110.(a)(6), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • Provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer before entering into a contract. (§ 501.716(1)(d), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • Provide a product or service specifically requested by a consumer, perform a contract to which the consumer, or a parent of a child, is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer or parent before entering into a contract. (IC 24-15-8-1(a)(5), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • Provide a product or service specifically requested by a consumer or parent or guardian of a child, perform a contract to which the consumer or parent or guardian of a child is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer or parent or gu… (§ 715D.7.1.e., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • If a person knows or has reason to know that said person experienced an incident that requires notice pursuant to section 3 and such breach of security includes a social security number, the person shall contract with a third party to offer to each resident whose social security number was disclosed… (Section 3A (a), Massachusetts General Law Title XV Chapter 93H, Security Breaches)
  • take steps at the request of a consumer prior to entering a contract; (§ Section 11. (1)(g), Montana Consumer Data Privacy Act)
  • perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty; (§ Section 11. (1)(f), Montana Consumer Data Privacy Act)
  • perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty; (§ Section 11. (1)(f), Montana Consumer Data Privacy Act 2023)
  • take steps at the request of a consumer prior to entering a contract; (§ Section 11. (1)(g), Montana Consumer Data Privacy Act 2023)
  • Perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty; (§ 507-H:10 I.(f), New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • Take steps at the request of a consumer prior to entering into a contract; (§ 507-H:10 I.(g), New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • Businesses may use another party to destroy personal information, if, after due diligence, they enter into a written contract and monitor the other party's compliance. Due diligence includes one or more of the following: reviewing an independent audit of the disposal business' compliance with this… (§ 75-64(c), North Carolina Statutes, Chapter 75, Article 2A, Identity Theft Protection Act, Sections 75-60 thru 75-66)
  • Negotiating, entering into or performing a contract with a consumer, including fulfilling the terms of a written warranty; (Section 2 (3)(h), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Provide a product or service specifically requested by a consumer or the parent or legal guardian of a known child, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contrac… (§ 47-18-3208.(a)(5), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer before entering into a contract; (§ 541.201 (a)(4), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • perform a contract to which the consumer or the parent or legal guardian of a child is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer or parent or legal guardian before entering into the contract with the consumer; (13-61-304 (1)(f), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract; (§ 59.1-582.A.5., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract; (§ 59.1-582.A.5., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)