Establish, implement, and maintain a critical third party list.

CONTROL ID: 06815
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

This Control has the following implementation support Control(s):
  • Disseminate and communicate critical third party dependencies to interested personnel and affected parties., CC ID: 06816
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualit… (3.7.1 78, Final Report EBA Guidelines on ICT and security risk management)
  • If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in th… (4.13.1 77, Final Report on EBA Guidelines on outsourcing arrangements)
  • Is a list of service providers maintained? (§ 12.8.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.1)
  • A list of all service providers must be maintained. (PCI DSS Requirements § 12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Maintain a list of service providers. (12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Maintain a list of service providers including a description of the service provided. (12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Maintain a list of service providers including a description of the service provided. (12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is a list of service providers maintained? (12.8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Verify that a list of service providers is maintained and includes a description of the service provided. (12.8.1, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire A and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data by maintaining a list of service providers? (PCI DSS Question 12.8.1, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including arrangements with external parties (e.g., outsource providers, cloud service providers, and customers). (CF.20.01.04g, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including arrangements with external parties (e.g., outsource providers, cloud service providers, and customers). (CF.20.01.04g, The Standard of Good Practice for Information Security, 2013)
  • Develop and maintain an inventory of all supply chain relationships. (STA-07, Cloud Controls Matrix, v4.0)
  • a list of key personnel and aid agencies, including contact details, e.g. fire department and spillage clean-up services; (8.2 ¶ 4 Bullet 10, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • the interested parties that are relevant to the BCMS, and (§ 4.2.1 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization has prioritized external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector. (DM.ED-5.4, CRI Profile, v1.2)
  • The organization has prioritized external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector. (DM.ED-5.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • For cloud computing services, are any critical vendors necessary to provide the scoped services to clients? (§ V.1.57, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are all critical technology service providers described on an architecture diagram that includes physical systems and facilities? (§ V.1.67, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Backups stored with a different provider reduce the risk of data loss/corruption in the case of a CSO ceasing operations or catastrophic event that affects a CSP's entire infrastructure. Maintenance of such backups may also mitigate the risk of data loss sustained from a data spillage response. M… (Section 5.12 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 4 Sub-Bullet 8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether a process exists to rank third parties based on criticality, risk, and testing scope. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the financial institution and service provider have made advance arrangements for both third-party computer forensics and incident management services in advance of a wide-scale cyber security event. (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Key suppliers/business partners; and (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Third-party service providers and software vendor listings. (App A Objective 1:3e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the BCP lists alternatives for core operations, facilities, infrastructure systems, suppliers, utilities, interdependent business partners, and key personnel. (App A Objective 8:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The development of internal pilot programs and partnerships with technology service providers introducing new retail payment systems and delivery channels. (App A Tier 1 Objectives and Procedures Objective 9:1 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)