Establish, implement, and maintain a supply chain management policy.


CONTROL ID
08808
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a supply chain management program., CC ID: 11742

This Control has the following implementation support Control(s):
  • Require supply chain members to accept and sign the organization's code of conduct., CC ID: 12397
  • Require third parties to employ a Chief Information Security Officer., CC ID: 12057
  • Include supplier assessment principles in the supply chain management policy., CC ID: 08809
  • Include the third party selection process in the supply chain management policy., CC ID: 13132
  • Include refraining from depending on any individual third party in the supply chain management policy., CC ID: 13133
  • Include a clear management process in the supply chain management policy., CC ID: 08810
  • Include roles and responsibilities in the supply chain management policy., CC ID: 15499
  • Include third party due diligence standards in the supply chain management policy., CC ID: 08812
  • Disseminate and communicate the supply chain management policy to all interested personnel and affected parties., CC ID: 15493
  • Require suppliers to commit to the supply chain management policy., CC ID: 08813
  • Support third parties in building their capabilities., CC ID: 08814
  • Implement measurable improvement plans with all third parties., CC ID: 08815
  • Post a list of compliant third parties on the organization's website., CC ID: 08817
  • Use third parties that are compliant with the applicable requirements., CC ID: 08818
  • Establish, implement, and maintain a conflict minerals policy., CC ID: 08943
  • Establish and maintain a conflict materials report., CC ID: 08823


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • App 2-1 Item Number IV.8(6): The organization must develop organizational policies for services provided by network operators. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. App 2-1 Item Number VI.5.1(1): Entrustment or consig… (App 2-1 Item Number IV.8(6), App 2-1 Item Number VI.5.1(1), App 2-1 Item Number VI.5.1(2), App 2-1 Item Number VI.5.1(3), App 2-1 Item Number VI.5.4(1), App 2-1 Item Number VI.5.5(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Practice Standard § I.5(1): Management should ensure a structure is developed for collecting material information from external organizations. Practice Standard § III.4(2)[2].B.d: External auditors should evaluate if the organization is effectively managing all outsourcing contracts. Practice Stan… (Practice Standard § I.5(1), Practice Standard § III.4(2)[2].B.d, Practice Standard § III.4(2)[3], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization shall specify the management responsibilities of third parties when it outsources the maintenance and operation of facility-related equipment and provide the third party with safety guidance. (O76.3(7), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • From the perspective of facilitating the proper operation of the outsourced duties, the financial institution needs to establish an outsourcing management system, as well as verify the state of performance of the outsourced operations based on the service contract, according to the content of the ou… (C23.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • A VDPD operator may outsource the installation and operation of visual data processing devices to a third party: Provided, That the public institutions shall comply with the procedures and requirements prescribed by Presidential Decree when outsourcing the installation and operation of visual data p… (Article 25(8), Personal Information Protection Act)
  • A supplier relationship management policy is developed, implemented and maintained. (Control: ISM-1785; Revision: 1, Australian Government Information Security Manual, June 2023)
  • A supplier relationship management policy is developed, implemented and maintained. (Control: ISM-1785; Revision: 1, Australian Government Information Security Manual, September 2023)
  • The organization should develop an Information Security industry engagement plan for managing the approved service providers that provide the Information Technology services and functions. (Control: 1052, Australian Government Information Security Manual: Controls)
  • The policy framework should include monitoring and managing service providers. (¶ 27(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should manage the risks of a service provider commensurate with the criticality and sensitivity of the Information Technology assets. (Attach C ¶ 1, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolid… (4.7 41, Final Report on EBA Guidelines on outsourcing arrangements)
  • the implementation, monitoring and management of outsourcing arrangements, including: (4.7 42(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • approve and periodically review the financial entity's policy on arrangements regarding the use of ICT services provided by ICT third-party service providers; (Art. 5.2. ¶ 2(h), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider's ability to effectively provide the ICT services supporting critical or impor… (Art. 30.3. ¶ 1(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • When providing the resources for information security, implementers should utilize external resources if necessary. (3.5 Bullet 4, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • The definition of the requirements is integrated into the risk management of the cloud provider. According to requirements OIS-07, they are checked at regular intervals for their appropriateness. (Section 5.12 DLL-01 Basic requirement ¶ 2, Cloud Computing Compliance Controls Catalogue (C5))
  • Firms' boards should approve, regularly review, and implement a written outsourcing policy. As noted in Chapter 2 of this SS, firms may apply this policy or parts thereof to all third party arrangements. This policy should align to and draw upon other relevant firm policies and strategies. For insta… (§ 4.10, SS2/21 Outsourcing and third party risk management, March 2021)
  • There is no 'one-size-fits-all' template for firms' outsourcing policies, and the policy does not have to be contained in a single document. Firms and groups are responsible for developing and maintaining a policy that is appropriate to their complexity, organisational structure, and size (see Chapt… (§ 4.13, SS2/21 Outsourcing and third party risk management, March 2021)
  • The outsourcing policy should be principles-based and may be supported by detailed procedures developed, approved, and maintained below board level. However, it should be sufficiently detailed to provide adequate guidance for firms' staff on how to apply its requirements in practice. At a minimum, i… (§ 4.14, SS2/21 Outsourcing and third party risk management, March 2021)
  • intragroup outsourcing vs outsourcing to external service providers; (Table 4 Column 2 Row 1 Bullet 7 Sub-Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • outsourcing to service providers in specific jurisdictions outside the UK. (Table 4 Column 2 Row 1 Bullet 7 Sub-Bullet 4, SS2/21 Outsourcing and third party risk management, March 2021)
  • outsourcing to service providers regulated or overseen by the Bank, PRA, or FCA vs unregulated service providers; and (Table 4 Column 2 Row 1 Bullet 7 Sub-Bullet 3, SS2/21 Outsourcing and third party risk management, March 2021)
  • material vs non-material outsourcing; (Table 4 Column 2 Row 1 Bullet 7 Sub-Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • For contractors, the organization must regularly monitor their compliance to the contract; ensure they use employees who meet legal requirements; verify they are part of a recognized professional association for accrediting standards, if appropriate; use a joint system that involves passes, photo ID… (Part I ¶ 27, HMG BASELINE PERSONNEL SECURITY STANDARD, GUIDANCE ON THE PRE-EMPLOYMENT SCREENING OF CIVIL SERVANTS, MEMBERS OF THE ARMED FORCES, TEMPORARY STAFF AND GOVERNMENT CONTRACTORS, Version 3, February 2001)
  • List X companies must maintain a minimum of 50% British nationals on their board of directors in order to prevent the possibility of Foreign Ownership Control or Influence by an overseas government or contractor. During the due diligence clearance process, the contracting authorities must ensure thi… (¶ 4, Industrial Security - Departmental Responsibilities, Version 5.0 October 2010)
  • ¶ 21: Security arrangements for work on departmental premises are best managed by the contracting authority and must be clearly identified in the contract. ¶ 68: For defense subcontractors, once competency and security aspects are confirmed and the main contractor has authority to begin work, the … (¶ 21, ¶ 68, ¶ 80, The Contractual process, Version 5.0 October 2010)
  • Contract and notice periods should be set to 1 year or less. If a longer period is required for recruiting an outside director, the period should be reduced to 1 year or less after the initial period has passed. (§ B.1.6, Financial Reporting Council, Combined Code on Corporate Governance, June 2008)
  • A person who provides goods, services, or facilities to a section of the public or the public must not require the other person or third party to supply him/her with relevant records or produce relevant records for him/her as a condition for providing the goods, services, or facilities. Table 56(6) … (§ 56(2), UK Data Protection Act of 1998)
  • The Board of Directors and senior management should ensure the third party operates in a safe and sound manner and complies with all applicable laws. (¶ 39, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • The organization should develop a supply chain policy for minerals that originates from a conflict-affected and high-risk area. (Annex I ¶ 1(A), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should establish and maintain a supply chain policy for minerals that originate from conflict-affected and high-risk areas. (Supplement on Tin, Tantalum, and Tungsten Step 1: A, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should establish and maintain a supply chain policy for identifying and managing risks for gold potentially from conflict-affected and high-risk areas. (Supplement on Gold Step 1: § I.A, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Do external partners implement the 13 layer security model? (Table Row I.25, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Policies, procedures, and standards that govern security requirements for outsourced service providers, customers, and business associates should address the due diligence requirements. (Table Row II.42.a, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The organization enters into written agreements with contractors that require that services be performed in accordance with the organization's requirements and URAC standards. (CORE - 8(b), URAC Health Utilization Management Standards, Version 6)
  • Prior to delegating functions to another entity, the organization should outline and follow criteria and processes for approving contractors. (CORE - 7(b), URAC Health Utilization Management Standards, Version 6)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (§ 12.8, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.1)
  • Observe personnel, review policies and procedures, and review supporting documentation to verify that processes are implemented for managing service providers with whom cardholder data is being shared and who could affect the security of cardholder data. (Testing Procedures § 12.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure the service provider policies and procedures includes a list of all service providers, how the organization will monitor the compliance of the service provider with the PCI DSS requirements, and due diligence. (§ 12.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • For a sample of system components, examine the following and verify that PINs and encrypted PIN blocks are not stored under any circumstance. (§ 3.2.3 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Policies and procedures for managing service providers with whom cardholder data is shared or could affect cardholder data security must be maintained and implemented. (PCI DSS Requirements § 12.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine policies and procedures to verify that processes are defined for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • When choosing an Acquirer to accept Visa cards, the services they offer should be reviewed for expertise in security measures, risk management tools, and solutions that meet the unique Internet business needs of the organization, and to ensure they support Visa's Cardholder Information Security Prog… (Pg 23, Pg 24, Pg 60, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The organization needs to consider certain factors when purchasing continuity services from an outside source, including the following: syndication management (the risk of one event causing multiple, simultaneous activations); syndication ratios (how many clients are allowed to concurrently subscrib… (§ 11, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Outsourced relationships should be effectively managed to ensure the integrity of the computing environment. (§ 3.1, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • As part of the outsourced data services review, auditors need to determine whether or not the service provider has the capacity to host the outsourced services; the service provider has segregated each client's data and systems to ensure integrity and confidentiality; and the service provider has th… (§ 3 (Data Center Management), § 4.1 ¶ 2, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • If the organization is going to contract out the guard duties, it should develop a Request for Proposal (RFP). The RFP should detail exactly what is required. See the "Revised Protection of Assets Manual," Volume 1, Chapter 7, Part 1, Pages 7-I-44 through 7-I-46 for recommended RFP headings. (Revised Volume 1 Pg 7-I-44 thru Revised Volume 1 Pg 7-I-47, Protection of Assets Manual, ASIS International)
  • Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safegua… (CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy, CIS Controls, V8)
  • Personnel. An organization should implement safeguards to reduce the security risks resulting from errors or intentional or unintentional breaking of security rules by personnel (permanent or contracted). Safeguards in this area are listed below. 2. Safeguards for Contracted Personnel Contracted per… (¶ 8.1.4(2), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The service management policy shall be communicated and understood by the service provider's personnel. (§ 4.1.2 ¶ 1(e), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Top management shall ensure the service management authorities and responsibilities have been defined and maintained. (§ 4.1.3 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall establish and maintain documents, to include the service management plan. (§ 4.3.1 ¶ 1(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Service providers should have procedures to ensure the quality and integrity of vendor staff that are directly involved in supporting the recovery services. These procedures should include personnel that are supplied by a vendor to maintain and repair equipment and facilities, both on and off site a… (§ 5.5.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • All employees, contractors, and third parties should sign and agree to the terms of their employment contract, which should state the security responsibilities for both the employee and organization. The contract should state and clarify the following: Personnel are required to sign a confidentialit… (§ 8.1.3, ISO 27002 Code of practice for information security management, 2005)
  • Third parties should ensure the services they implement, operate, and maintain include the security controls and levels included in the agreement. (§ 10.2.1, ISO 27002 Code of practice for information security management, 2005)
  • The organization controls planned changes and reviews the consequences of unintended changes, and ensures that outsourced processes are identified, defined and controlled. (§ 8.1 Required activity ¶ 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization should be responsible for the practices of its suppliers. (§ E, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • In the event the organization engages a service provider to perform an activity in connection with one or more covered accounts, the organization will take steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, an… (§ V.B., AICPA Red Flag Rule Identity Theft Prevention Program, November 1, 2009)
  • For cloud computing services, is there a client management portal which allows distributed business accounts (business units/departments) to be managed under a single central corporate account? (§ V.1.40, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • A transmittal letter must be written to request approval of warehousing and distribution agreements. The letter must contain the applicant's Directorate of Defense Trade Controls registration number, the name of the foreign party, the defense articles that are being distributed, a statement that no … (§ 124.14(e), US The International Traffic in Arms Regulations, April 1, 2008)
  • The CMS business partner System Security Profile shall be maintained and include the following: a description of the Medicare operations, records, and resources necessary to process Medicare claims; risk assessments; security plans; self-assessments; certifications; contingency plans; security revie… (CSR 1.9.9, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The Director of the Office of Management and Budget must oversee agency information security policies and practices, including requiring agencies to identify and provide information security protections that are commensurate with the magnitude and risk of harm resulting from unauthorized access to o… (§ 3543(a)(2), § 3543(b), § 3543(c), § 3544(a)(1)(A), § 3547(1), Federal Information Security Management Act of 2002, Deprecated)
  • Measures appropriate for the sensitivity of the data and the size, scope, and complexity of the business entity's activities must be developed to ensure third parties or customers are not authorized to acquire or access sensitive personally identifiable information without the business entity perfor… (§ 302(a)(4)(B)(vi), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • All contractors must include the abbreviation "ctr", all foreign nationals must include their two character country code, and contractors who are foreign nationals must include both in Department of Defense e-mail addresses, Department of Defense e-mail display names, and automated signature blocks … (ECAD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Prime contractors must determine the security requirements and clearance level for each of their subcontractors and allow sufficient time for the Facility Clearance process to be completed in order to release or disclose classified information to the subcontractor. (§ 7-101, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • A covered entity is not in compliance with the standards in § 164.502(e) and § 164.314(a) if it knows of a business associate's pattern of activity or practice that is a material breach or violation of their obligation under the contract or other arrangement, unless the covered entity takes reasona… (§ 164.314(a)(1)(ii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A covered entity does not comply with the standards of § 164.514(e), if it knew of a practice or pattern of the limited data set recipient that was a material breach or violation of the data use agreement, unless it took steps to correct the breach or end the violation and if the steps were unsucce… (§ 164.514(e)(4)(iii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The agency coordinator shall understand the needs, communications, and records capabilities of each contractor that accesses federal and state records through the relationship with the contracting government agency. (§ 3.2.7(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The institution has policies commensurate with its risk and complexity that address the concepts of external dependency or third-party management. (Domain 1: Assessment Factor: Governance, STRATEGY/POLICIES Baseline 2 ¶ 5, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Third-party risk management. (App A Objective 12:4 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Board oversight and senior management development and implementation of enterprise-wide policies to govern the third-party management program. (App A Objective 12:14 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • If an organization outsources the internal audit function, management should ensure there are no conflicts of interest and the use of the outsource provider does not compromise the independence of the auditing function. (Pg 20, Exam Tier I Obj 11.9, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should periodically evaluate the third party arrangement to ensure it meets the current needs and the anticipated future needs. (Pg 23, Obj 1.4, Obj 3.3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should develop policies and procedures for outsourcing. The policies and procedures should include the objectives of the program, how to select a provider, how to negotiate a contract, and how to monitor the relationship. The oversight of outsourcing agreements should be the respons… (Pg 32, Exam Obj 1.3, FFIEC IT Examination Handbook - Management)
  • The organization should receive performance, capacity, availability, and other metrics reports from the third party provider if the organization outsources the management of the telecommunications services. (Pg 29, Exam Tier I Obj 1.3, FFIEC IT Examination Handbook - Operations, July 2004)
  • Policies should exist for managing outsourcing agreements and should include establishing servicing requirements and strategies; selecting a service provider; negotiating a contract; and monitoring, changing, and discontinuing outsourced agreements. (Pg 3, Exam Tier I Obj 1.3, Exam Tier I Obj 3.1, Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Obtain and review the financial institution's policies and procedures for RDC. Assess whether they define the function, responsibilities, operational controls, vendor management, customer due diligence, BSA/AML compliance monitoring, and reporting functions, etc. Identify the date they were last rev… (App A Tier 2 Objectives and Procedures N.9 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Describe any service-level agreements between the financial institution and its service providers, and determine whether management of these relationships conforms to the Outsourcing Technology Services booklet. (App A Tier 2 Objectives and Procedures N.4 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Exam Tier I Obj 1.3 Determine if the quality of management and staff, and the staffing levels are adequate for the specific retail payment products and processes the institution provides. • Obtain and review the following: o Reports showing staffing levels, turnover, and trends. o Biographies of m… (Exam Tier I Obj 1.3, Exam Tier I Obj 2.2, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should have appropriate monitoring procedures, contract provisions, and due diligence processes when dealing with third party providers. (Pg 34, Exam Tier I Obj 1.3, Exam Tier I Obj 2.2, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization should oversee all service providers. (§ 314.4(d), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule)
  • Financial institutions or creditors that are required to implement an Identity Theft Prevention Program must ensure effective and appropriate oversight is maintained over all service provider arrangements. The financial institution or creditor should also ensure the service provider conducts its act… (§ 41.90(e)(4), § 222.90(e)(4), § 334.90(e)(4), § 571.90(e)(4), § 681.2(e)(4), § 717.90(e)(4), App J to Part 41.VI(c), App J to Part 222.VI(c), App J to Part 334.VI(c), App J to Part 571.VI(c), App A to Part 681.VI(c), App J to Part 717.VI(c), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007)
  • The organization must ensure personnel security requirements are developed for third-party providers. (§ 5.6.11, Exhibit 4 PS-7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the written audit plan include reviewing the vendor management process? (IT - Audit Program Q 3d, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include vendor management? (IT - Policy Checklist Q 17, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has the Board of Directors approved a vendor oversight policy? (IT - Vendor Oversight Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Identify the individual or department responsible for coordinating business associate agreement execution. (§ 4.9.1 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • During the planning phase, the enterprise should develop and define requirements to address cybersecurity risks throughout the supply chain in addition to specifying performance, schedule, and cost objectives. This process is typically initiated by the acquirer mission and business process owner or … (3.1.2. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The Authorizing Official is ultimately responsible for mitigating unacceptable risks posed by using external information system services. A chain of trust is required between the organization and external service providers for information system security issues. If a sufficient level of trust cannot… (§ 2.4 ¶ 6, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization employs {organizationally documented security safeguards} to limit harm from potential adversaries identifying and targeting the organizational supply chain. (SA-12(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight … (Bullet 4: Vendor Management, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • Management remains responsible for the performance and actions of its vendors while the vendors are performing work for the bank. Without adequate controls, the use of vendors to design or support new bank technologies and systems could increase a bank's exposure to risk. (¶ 22, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • A bank should implement more rigorous and comprehensive Risk Management and oversight of third party relationships that involve critical activities. ("Risk Management Life Cycle" ¶ 1, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • A bank should develop a plan for managing third party relationships, as part of the third party Risk Management process. ("Risk Management Life Cycle" ¶ "Planning:", Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • A bank should clearly assign the roles and responsibilities for managing third party relationships throughout the relationship for continuous oversight and accountability. ("Risk Management Life Cycle" ¶ "Oversight and accountability:", Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • A bank should include documentation and reporting on the accountability, oversight, monitoring, and Risk Management of third parties as part of the continuous third party Risk Management process. ("Risk Management Life Cycle" ¶ "Documentation and reporting:", Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management should develop a plan for managing third party relationships before entering the relationship. ("Planning" ¶ 1, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management must establish and maintain the third party Risk Management process. ("Senior Bank Management" Bullet 1, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management must establish the risk-based policies for managing the third party Risk Management process. ("Senior Bank Management" Bullet 2, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management must document and report throughout the lifecycle of the third party relationship. ("Senior Bank Management" Bullet 7, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management must oversee the Risk Management and reporting of third party relationships. ("Senior Bank Management" Bullet 11, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Auditors should assess the bank's ability to manage and oversee third party relationships. ("Supervisory Reviews of Third-Party Relationships" ¶ 2 Bullet 1, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Require service providers and business partners who handle personal information on behalf of your organization to follow your security policies and procedures. (Part I ¶ 8, California OPP Recommended Practices on Notification of Security Breach, May 2008)