Establish, implement, and maintain a critical third party list.


CONTROL ID
06815
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

This Control has the following implementation support Control(s):
  • Disseminate and communicate critical third party dependencies to interested personnel and affected parties., CC ID: 06816


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualit… (3.7.1 78, Final Report EBA Guidelines on ICT and security risk management)
  • If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in th… (4.13.1 77, Final Report on EBA Guidelines on outsourcing arrangements)
  • Member States shall ensure that their competent authorities under this Directive and their competent authorities under Directive (EU) 2022/2557 cooperate and exchange information on a regular basis with regard to the identification of critical entities, on risks, cyber threats, and incidents as well… (Article 13 5., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • identify key dependencies on ICT third-party service providers; (Art. 16.1. ¶ 2(e), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial serv… (Art. 28.1.(b)(ii), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Is a list of service providers maintained? (§ 12.8.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.1)
  • A list of all service providers must be maintained. (PCI DSS Requirements § 12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Maintain a list of service providers. (12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Maintain a list of service providers including a description of the service provided. (12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Maintain a list of service providers including a description of the service provided. (12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Verify that a list of service providers is maintained and includes a description of the service provided. (12.8.1, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire A and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including arrangements with external parties (e.g., outsource providers, cloud service providers, and customers). (CF.20.01.04g, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including arrangements with external parties (e.g., outsource providers, cloud service providers, and customers). (CF.20.01.04g, The Standard of Good Practice for Information Security, 2013)
  • Develop and maintain an inventory of all supply chain relationships. (STA-07, Cloud Controls Matrix, v4.0)
  • a list of key personnel and aid agencies, including contact details, e.g. fire department and spillage clean-up services; (8.2 ¶ 4 Bullet 10, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • the interested parties that are relevant to the BCMS, and (§ 4.2.1 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization has prioritized external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector. (DM.ED-5.4, CRI Profile, v1.2)
  • The organization has prioritized external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector. (DM.ED-5.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • For cloud computing services, are any critical vendors necessary to provide the scoped services to clients? (§ V.1.57, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are all critical technology service providers described on an architecture diagram that includes physical systems and facilities? (§ V.1.67, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Backups stored with a different provider reduce the risk of data loss/corruption in the case of a CSO ceasing operations or catastrophic event that affects a CSP's entire infrastructure. Maintenance of such backups may also mitigate the risk of data loss sustained from a data spillage response. M… (Section 5.12 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the financial institution and service provider have made advance arrangements for both third-party computer forensics and incident management services in advance of a wide-scale cyber security event. (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Key suppliers/business partners; and (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Third-party service providers and software vendor listings. (App A Objective 1:3e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the BCP lists alternatives for core operations, facilities, infrastructure systems, suppliers, utilities, interdependent business partners, and key personnel. (App A Objective 8:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The development of internal pilot programs and partnerships with technology service providers introducing new retail payment systems and delivery channels. (App A Tier 1 Objectives and Procedures Objective 9:1 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Names and contact information of vendors, including alternate and offsite vendor POCs; (§ 3.6 ¶ 2 Bullet 6, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Notifications also should be sent to POCs of external organizations or interconnected system partners that may be adversely affected if they are unaware of the situation. Depending on the type of outage or disruption, the POC may have recovery responsibilities. For each system interconnection with a… (§ 4.2.2 ¶ 6, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Document systems configurations and vendors. Document the server architecture and the configurations of its various components. In addition, the contingency plan should identify vendors and model specifications to facilitate rapid equipment replacement after a disruption. (§ 5.2.1 ¶ 3 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Document system configurations and vendor information. Well-documented system configurations ease recovery. Similarly, vendor names and emergency contact information for vendors that supply essential hardware, software, and other components should be listed in the contingency plan so that replacemen… (§ 5.2.1 ¶ 1 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Document system configurations and vendors. Maintaining detailed records of system configurations enhances system recovery capabilities. In addition, vendors that supply essential hardware, software, and other components should be identified in the contingency plan. (§ 5.4.1 ¶ 1 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • System configuration and vendor information documentation. Document configurations of network connective devices that facilitate telecommunication (e.g., circuits, switches, bridges, and hubs) to ease recovery. Vendors and their contact information should be documented in the contingency plan to pro… (§ 5.3.1 ¶ 1 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • identify third parties that are necessary to the continued operations of the covered entity's information systems. (§ 500.16 Incident Response and Business Continuity Management (a)(2)(vi), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)