Monitor third parties for performance and effectiveness, as necessary.
CONTROL ID
00799
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Assess the effectiveness of third party services provided to the organization., CC ID: 13142

This Control has the following implementation support Control(s):
  • Monitor third parties' financial conditions., CC ID: 13170
  • Review the supply chain's service delivery on a regular basis., CC ID: 12010


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should have controls in place (e.g. comparison with target service level) to monitor the performance of service providers on a continuous basis. (2.3.2, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • Management of IT functions should ideally formulate a service level agreement with business units to cover system availability and performance requirements, capacity for growth, and the level of support provided to users. The responsible IT functions should ensure that adequate procedures are in pla… (5.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The licensed corporation should conduct proper initial due diligence on the EDSP and its controls relating to its infrastructure, personnel and processes for delivering its data storage services, as well as regular monitoring of the EDSP's service delivery, in each case commensurate with the critica… (12., Circular to Licensed Corporations - Use of external electronic data storage)
  • App 2-1 Item Number VI.5.4(3): The organization must monitor the progress of subcontracted operations and implement measures to properly avoid or deal with risks. This is a control item that constitutes a greater risk to financial information. This is an IT general control. App 2-1 Item Number VI.5.… (App 2-1 Item Number VI.5.4(3), App 2-1 Item Number VI.5.4(4), App 2-1 Item Number VI.5.5(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O60.1(2): When operations are outsourced, the organization should arrange to have periodic and/or timely reporting of unusual conditions or fraud. O88.1: The organization shall check the execution of outsourcing contracts on a regular basis for adherence to the contract. O88.6: The organization shou… (O60.1(2), O88.1, O88.6, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • It is effective to conclude an SLA between the financial institution and the contractor as a benchmark to measure the results of the operations and as a part of the service contract, and to also perform periodic evaluations. Refer to [C21] for information on the conclusion of an SLA. (C23.2. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • monitoring and control; (5.5.2 (e), Guidelines on Outsourcing)
  • Establish outsourcing management control groups to monitor and control the outsourced service on an ongoing basis. There should be policies and procedures to monitor service delivery and the confidentiality and security of customer information, for the purpose of gauging ongoing compliance with agre… (5.8.2 (c), Guidelines on Outsourcing)
  • The service agreement should include reporting mechanisms for overseeing the service provider's information technology security Risk Management. (Attach C ¶ 4, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • IT security risks need to be appropriately managed regardless of whether activities and associated IT assets are under the direct control of a regulated institution or have been outsourced to a service provider. Where a service provider (including a software vendor) has been engaged, the due diligen… (Attachment C ¶ 1, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • management and monitoring of service providers that defines the framework for overseeing the management of IT security risks by third parties; (¶ 27(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The service agreement would include reporting mechanisms that ensure adequate oversight of IT security risk management by the service provider. Oversight would typically involve the assessment of the following items against a regulated institution's IT security requirements: (Attachment C ¶ 4, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • where those institutions or payment institutions outsource the operational tasks of internal control functions to a service provider within the group or the institutional protection scheme, for the monitoring and auditing of outsourcing arrangements, institutions should ensure that, also for these o… (4.2 22(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the se… (4.2 23(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangeme… (4.5 33, Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. (4.14 101, Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangemen… (4.13.1 80, Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availabilit… (4.14 100, Final Report on EBA Guidelines on outsourcing arrangements)
  • the implementation, monitoring and management of outsourcing arrangements, including: (4.7 42(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • the appropriate monitoring and management of outsourcing arrangements. (4.10 51(e), Final Report on EBA Guidelines on outsourcing arrangements)
  • identify, monitor and manage all risks; (4.4 31(c)(i), Final Report on EBA Guidelines on outsourcing arrangements)
  • The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical … (4.6 35, Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should appropriately document the assessments made under Title IV and the results of their ongoing monitoring (e.g. performance of the service provider, compliance with agreed service levels, other contractual and regulatory requirements, updates to the risk ass… (4.11 60, Final Report on EBA Guidelines on outsourcing arrangements)
  • Procedures for the regular monitoring and review of agreed services and security requirements of third parties (e.g. service providers and/or suppliers of the cloud provider) who contribute essential parts to the development or operation of the cloud service are established. The safeguards include a… (Section 5.12 DLL-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Other external procurement of IT services shall be managed in line with the strategies, taking account of the institution's risk assessment. The rendering of the service owed by the service provider shall be monitored in line with the risk assessment. (II.8.54, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • monitor the arrangement. (§ 8.3 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • the ongoing monitoring of the effectiveness of the service provider's controls, including through the exercise of access and audit rights (see Chapter 8); (§ 7.11 Bullet 11, SS2/21 Outsourcing and third party risk management, March 2021)
  • Procedures for the ongoing assessment of service providers' performance, including where appropriate: (Table 4 Column 2 Row 3 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • appropriate monitoring and oversight of their intragroup outsourcing arrangements, including appropriate visibility of the whole firm's or parent's material sub-outsourced service providers and supply chain by internal control functions and, if applicable, other areas such as technology; (§ 3.18 Bullet 3, SS2/21 Outsourcing and third party risk management, March 2021)
  • The contract manager should be responsible for monitoring performance against the contract. If necessary, the organization should use a separate employee to be responsible in personnel terms for contract and agency employees. (Part I ¶ 28, HMG BASELINE PERSONNEL SECURITY STANDARD, GUIDANCE ON THE PRE-EMPLOYMENT SCREENING OF CIVIL SERVANTS, MEMBERS OF THE ARMED FORCES, TEMPORARY STAFF AND GOVERNMENT CONTRACTORS, Version 3, February 2001)
  • ¶ 11: The security controller must notify the contracting authority or MOD DE&S DHSY/PSYA, for MOD contracts, when a contract that contains security measures is completed or when the List X site no longer works on contracts that includes security measures. ¶ 79: The main contractor should be respo… (¶ 11, ¶ 79, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • ¶ 34: The contracting authority may exercise security oversight or ask MOD DE&S DHSY/PSyA to take that responsibility. If the contracting authority performs the monitoring function, the DSO should provide the contractor details to MOD DE&S DHSY/PSyA. The List X database must be updated to include t… (¶ 34, ¶ 40, The Contractual process, Version 5.0 October 2010)
  • The purpose of the supplier management practice is to ensure that the organization's suppliers and their performances are managed appropriately to support the seamless provision of quality products and services. This includes creating closer, more collaborative relationships with key suppliers to un… (5.1.13 ¶ 1, ITIL Foundation, 4 Edition)
  • The organization should monitor the activities of third parties on a regular basis. (¶ 40, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • (§ II.36, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Establish a process to monitor service delivery to ensure that the supplier is meeting current business requirements and continuing to adhere to the contract agreements and SLAs, and that performance is competitive with alternative suppliers and market conditions. (DS2.4 Supplier Performance Monitoring, CobiT, Version 4.1)
  • Verify the organization maintains a program for monitoring the service providers' compliance status for the Payment Card Industry Data Security Standard on at least an annual basis. (Testing Procedures § 12.8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • A program must be maintained for monitoring a service provider's compliance status to the Payment Card Industry Data Security Standard on at least an annual basis. (PCI DSS Requirements § 12.8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • When doing evaluations, internal auditors need to determine if the service provider is in compliance with the outsourcing contract and if their activities are transparent, unbiased, and robust. Internal auditors need to identify if a well-structured business case exists that clearly outlines busines… (§ 4.7 (Internal Audit Considerations), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Arrangements should be made to obtain independent confirmation of the security controls applied by the service provider. (CF.07.07.05b, The Standard of Good Practice for Information Security)
  • A process should be established that ensures that the use of cloud services (including generic cloud services) is reviewed on a regular basis (e.g., by business representatives or Information Protection champions). (CF.16.04.07d, The Standard of Good Practice for Information Security)
  • Contracts should require cloud service providers to provide advance notification prior to any changes being made to the way the service is delivered to the organization, including processing or storage of information in a new geographical or legal jurisdiction. (CF.16.05.07c, The Standard of Good Practice for Information Security)
  • Arrangements should be made to obtain independent confirmation of the security controls applied by the service provider. (CF.07.07.05b, The Standard of Good Practice for Information Security, 2013)
  • A process should be established that ensures that the use of cloud services (including generic cloud services) is reviewed on a regular basis (e.g., by business representatives or Information Protection champions). (CF.16.04.07d, The Standard of Good Practice for Information Security, 2013)
  • Contracts should require cloud service providers to provide advance notification prior to any changes being made to the way the service is delivered to the organization, including processing or storage of information in a new geographical or legal jurisdiction. (CF.16.05.08c, The Standard of Good Practice for Information Security, 2013)
  • Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. (CIS Control 15: Safeguard 15.6 Monitor Service Providers, CIS Controls, V8)
  • Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safegua… (CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy, CIS Controls, V8)
  • Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party ve… (CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling, CIS Controls, V8)
  • The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. (§ 8.1 ¶ 3, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The service provider shall monitor the supplier's performance and measure it against contractual obligations and service goals. (§ 7.2 ¶ 6, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Organizations shall regularly monitor, review and audit supplier service delivery. (A.15.2.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization should monitor adherence to third party agreements to ensure the information security agreements contained within are being followed and security incidents are properly handled. This responsibility should be assigned to an individual or a service management team. (§ 10.2.2, ISO 27002 Code of practice for information security management, 2005)
  • The organization shall ensure that third-party processes are controlled and monitored. (§ 8.1 ¶ 5, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the performance of external providers; (9.3.2 ¶ 1(c)(7), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall ensure that outsourced processes are controlled and monitored. (§ 8.1 ¶ 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall ensure that third-party processes are controlled and monitored. (§ 8.1 ¶ 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the performance of the outsourced activities is monitored in accordance with 9.1. (Section 8.7 ¶ 4 bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • ensuring there is control of other parties involved in the service lifecycle; (§ 5.1 ¶ 1(e), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. (§ 8.3.4.1 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • At planned intervals, the organization shall monitor the performance of the external supplier. Where service level targets or other contractual obligations are not met, the organization shall ensure that opportunities for improvement are identified. (§ 8.3.4.1 ¶ 5, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • performance of other parties involved in the delivery of the services; (§ 9.3 ¶ 2(i), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Organizations should regularly monitor, review and audit supplier service delivery. (§ 15.2.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • monitor and review the supplier services to ensure that they are operated as intended and associated information security risks meet the risk acceptance criteria of the organization; and (§ 8.1 Guidance ¶ 4(t), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The entity assesses the performance of vendors and business partners, as frequently as warranted, based on the risk associated with the vendor or business partner. (CC9.2 ¶ 3 Bullet 7 Assesses Vendor and Business Partner Performance, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization has a formal program for third-party due diligence and monitoring. (DM.ED-7.1, CRI Profile, v1.2)
  • External service provider activity is monitored to detect potential cybersecurity events. (DE.CM-6, CRI Profile, v1.2)
  • The organization has identified and monitors the organizational ecosystem of external dependencies for assets/systems that are critical to the enterprise and the financial services sector. (DM.ED-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization has a formal program for third-party due diligence and monitoring. (DM.ED-7.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization should take appropriate action if personal information transferred to a third party is misused. (ID 7.2.4, AICPA/CICA Privacy Framework)
  • Assessing the performance of vendors and business partners (¶ 3.150 Bullet 6, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Interactions with third parties. Materiality considerations are based on factors such as the likelihood and magnitude of risks arising from interactions with user entities, business partners, subservice organizations, vendors, or others (referred to collectively as third parties) with access to the … (¶ 3.163 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Additionally, regardless of the method used, service organization management is responsible for designing, implementing, and operating controls and other activities to monitor the effectiveness of controls performed by the subservice organization; such monitoring should be described in the system de… (¶ 3.67, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Identifying and assessing risks and addressing such risks through effective internal control is one of the critical roles of management. When a service organization outsources tasks or functions to a subservice organization, it shifts some of the risks associated with performing those tasks or funct… (¶ 3.102, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Although a subservice organization may perform certain functions for a service organization, management of the service organization remains responsible to its user entities for performing the services it has agreed to provide, including the outsourced functions. As a result, management is responsibl… (¶ 3.168, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Assessing the performance of vendors and business partners as frequently as warranted based on the risk associated with the vendors or business partners. (¶ 3.164 Bullet 7, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Monitoring activities usually include some combination of (a) ongoing monitoring to determine that potential issues are identified timely and (b) separate evaluations to determine that subservice organization controls are effective over time. Examples of monitoring activities include reviewing and r… (¶ 3.68, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The entity periodically assesses the performance of vendors and business partners. (CC9.2 Assesses Vendor and Business Partner Performance, Trust Services Criteria)
  • The entity periodically assesses the performance of vendors and business partners. (CC9.2 ¶ 2 Bullet 6 Assesses Vendor and Business Partner Performance, Trust Services Criteria, (includes March 2020 updates))
  • Is there an annual security review of third party vendors? (§ G.4.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are there risk assessments or reviews of third party vendors? (§ G.4.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does the cloud computing audit program allow onsite assessments by clients? (§ V.1.18.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The organization must define performance expectations, identify remedies and response requirements for non-compliance, and describe measurable outcomes in service level agreements. (CSR 1.11.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Acquisition or outsourcing of IT services explicitly addresses government, service provider, and end user IA roles and responsibilities. (DCIT-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Unless a written agreement exists that allows the comptroller general to have access to all records the comptroller general considers necessary to verify or monitor compliance with the agreement, records in a system of records may not be disclosed to a nonfederal or recipient agency for computer mat… (§ 552a(o)(1)(K), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • The records, services, and reports that are furnished by a service provider shall be monitored and reviewed on a regular basis. (§ 5.1.2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • As specified in the interagency agreements, MCAs, and contractual agreements with private contractors, the services, reports and records provided by the service provider shall be regularly monitored and reviewed. The CJA, authorized agency, or FBI shall maintain sufficient overall control and visibi… (§ 5.1.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • As specified in the interagency agreements, MCAs, and contractual agreements with private contractors, the services, reports and records provided by the service provider shall be regularly monitored and reviewed. The CJA, authorized agency, or FBI shall maintain sufficient overall control and visibi… (§ 5.1.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Determine if management has taken sufficient steps to ensure third-party technology service providers (TSPs) employ the most recent techniques and technologies (or identify where gaps exist) to mitigate against: (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Evaluate the financial institution's third-party ongoing monitoring program, including the adequacy of information reviewed to determine that the service provider can continue to meet its obligations to provide financial services and support the institution's business resilience. Consider: (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Monitoring relationships with telecommunications providers to manage risks. (App A Objective 6:6g, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that management reports to the board on the effectiveness of any AIO activities performed by third-party service providers. Assess whether the reporting included any issues uncovered through the entity's third-party risk management processes. (App A Objective 7:5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Receives reports that include effectiveness of security controls, performance metrics, resolved versus outstanding issues, and root causes of problems in reports from third-party service providers. (App A Objective 17:1d Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Oversight of third parties when they supplement an institution's technical and managerial capabilities. (App A Objective 2.9.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management appropriately oversees the effectiveness of information security controls over outsourced operations and is accountable for the mitigation of risks involved with the use of third-party service providers. Review the due diligence involved, security controls to mitigate ri… (App A Objective 6.31, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • As part of a financial institution's third-party management program, management should ensure that third-party providers effectively provide support by doing the following: - Negotiating clear and comprehensive contracts with appropriate terms that meet the institution's requirements. - Ensuring rec… (III.C.8 Third-Party Management, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Has an effective ongoing monitoring process of its third-party providers. (App A Objective 4:7 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • A framework for management to identify, measure, mitigate, and monitor the risks associated with third-party relationships. (App A Objective 12:14 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • When reviewing information provided by the institution's third-party providers, determine the adequacy of third-party provider audit reports in terms of scope, independence, expertise, frequency, and corrective actions taken on identified issues. Work with the examiner reviewing the third-party mana… (App A Objective 12:17, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management effectively oversees and monitors any significant data processing services provided by technology service providers: (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 13, FFIEC IT Examination Handbook - Audit, April 2012)
  • The ability of management to monitor the services delivered and to measure the institution's progress toward identified goals in an effective and efficient manner; (TIER II OBJECTIVES AND PROCEDURES A.1 Bullet 7, FFIEC IT Examination Handbook - Audit, April 2012)
  • Management monitors vendor performance of contracted services and the financial condition of the vendor, (TIER II OBJECTIVES AND PROCEDURES F.2. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether audit procedures for outsourced activities are adequate. Evaluate whether ▪ There are contracts in place that have been approved by the institution's legal staff, ▪ Management monitors vendor performance of contracted services and the financial condition of the vendor, ▪ Appl… (Exam Tier II Obj F.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should monitor the third party in order to identify and control any risks. This monitoring is accomplished by receiving periodic reports from the third party. Some example reports are service availability, performance efficiency, security incidents, vendor stability, and quality ass… (Pg 24, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Evaluate the institution's periodic monitoring of the service provider relationship(s), including: (App A Tier 2 Objectives and Procedures O.6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Timeliness of review, given the risk from the relationship; (App A Tier 2 Objectives and Procedures O.6 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The Agencies coordinate the interagency programs for the supervision of TSPs through the FFIEC. The programs establish responsibilities and requirements for the collaborative efforts of the Agencies to ensure effective supervision while making efficient use of examiner resources and reducing burden … (Supervisory Programs ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Oversight and monitoring of cloud service provider-managed controls. Management should evaluate and monitor the cloud service provider's technical, administrative, and physical security controls that support the financial institution's systems and information assets that reside in the cloud environm… (Risk Management Audit and Controls Assessment Bullet 2, FFIEC Security in a Cloud Computing Environment)
  • Designate a senior member of your personnel responsible for direction and oversight of the Qualified Individual; and (§ 314.4 ¶ 1(a)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Third-party providers who process, store, or transmit Federal Tax Information must use security controls that are consistent with the organization's security requirements. (§ 5.6.14, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Where indicated by the credit union's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a credit union should review audits, summaries of test results, or other equivalent evaluations of its … (§ 748 Appendix A. III.D.3., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Does the third party contract identify the monthly, quarterly, and annual reports which will be furnished to the Credit Union in order to evaluate the third parties' adherence to the service levels identified in the contract? (IT - Vendor Oversight Q 22, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Establish contract performance metrics. (§ 4.9.3 Bullet 3, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • During the planning phase, the enterprise should develop and define requirements to address cybersecurity risks throughout the supply chain in addition to specifying performance, schedule, and cost objectives. This process is typically initiated by the acquirer mission and business process owner or … (3.1.2. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Establish formal processes and intervals for continuous monitoring and reassessment of suppliers, supplied products and services, and the supply chain itself for potential changes to the risk profile. (3.4.2. ¶ 1 Bullet 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • External service provider activity is monitored to detect potential cybersecurity events (DE.CM-6, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • External service provider activity is monitored to detect potential cybersecurity events (DE.CM-6, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • External service provider activity is monitored to detect potential cybersecurity events. (DE.CM-6, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Maintain situational awareness of partner capabilities and activities. (T0742, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Maintain situational awareness of partner capabilities and activities. (T0742, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle (GV.SC-09, The NIST Cybersecurity Framework, v2.0)
  • External service provider activities and services are monitored to find potentially adverse events (DE.CM-06, The NIST Cybersecurity Framework, v2.0)
  • Agencies must have a process for monitoring the service organization's performance in relation to various metrics, as typically defined in a service-level agreement. Most of these metrics must be tailored to specific operations. For example, agencies regularly review the security, availability, and … (Section III (B1) ¶ 1 Bullet 2 Sub-bullet 2 Performance Monitoring, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • A bank should conduct ongoing monitoring of the third party relationship, as part of the third party Risk Management process. ("Risk Management Life Cycle" ¶ "Ongoing monitoring:", Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • The third party contract should include the bank's right to audit the third party, monitor their performance, and require them to remediate issues that are identified. ("Contract Negotiation" ¶ 2 "The Right to Audit and Require Remediation", Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Bank management should dedicate enough staff who have the necessary authority, expertise, and accountability to monitor and oversee the third party after entering a contract with a third party. ("Ongoing Monitoring" ¶ 2, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Management should verify that the third party's activities and performance are being monitored by the employees managing the third party relationship. ("Ongoing Monitoring" ¶ 2, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management must provide ongoing monitoring of third parties, respond to identified issues, and escalate significant issues to the Board of Directors. ("Senior Bank Management" Bullet 6, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Employees who directly manage third-party relationships must conduct ongoing monitoring of third parties. ("Bank Employees Who Directly Manage Third-Party Relationships" Bullet 3, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Monitor and enforce third-party compliance with your privacy and security policies and procedures. (Part I ¶ 8, California OPP Recommended Practices on Notification of Security Breach, May 2008)