Determine third party compliance with third party contracts.


CONTROL ID: 08866
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Conduct all parts of the supply chain due diligence process., CC ID: 08854

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • contract performance; (2.6.2 Bullet 1, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • In the event of data pertaining to Indian operations being stored and/or processed abroad, for example, by foreign banks, there needs to be suitable controls like segregation of data and strict access controls based on 'need to know' and robust change controls. The bank should be in a position to ad… (Critical components of information security 11) c.29., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • ensuring that there is independent review and audit for compliance with outsourcing policies and procedures; (5.2.3 (f), Guidelines on Outsourcing)
  • ability to comply with applicable laws and regulations and track record in relation to its compliance with applicable laws and regulations. (5.4.3 (j), Guidelines on Outsourcing)
  • Compliance will be determined by the audit review committee based on the testimony, information, and conclusions of the auditor. (Auditee and Auditor must provide the following after the audit period: (15), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The audit result is compliant if adequate documentation is available and reasonably shows all sources of purchase or receipt during the audit period as being conflict-free minerals. (Summary results of the audit (1), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The audit result is non-compliant if the auditee refuses to participate or does not provide adequate information or access to conduct the audit. (Summary results of the audit (2), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The audit result is non-compliant if there is insufficient documentation to determine the origin of all materials. (Summary results of the audit (3), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The audit result is non-compliant if material from a level 3 country that was exported absent an Organization for Economic Cooperation and Development guidance compliant scheme was found in the auditee records. (Summary results of the audit (4), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The audit result is compliant if additional documentation is furnished to the auditor inside of 2 months to address the documentation deficiencies and a follow-up assessment is conducted inside of 1 month and determines the documentation shows the source of the minerals. (Summary results of the audit (5), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The audit result is non-compliant if additional documentation is not furnished to the auditor when inadequate documentation exists. (Summary results of the audit (5), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The audit review committee will determine if the auditee is compliant or if additional actions are required after reviewing the information from the second audit. (Continuous Improvement Plans ¶ 3(6), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • A company will be removed from the compliant smelter list if a re-audit is not requested inside of 1 month of the compliance expiration date and conducted inside of 2 months of the compliance expiration date. (§ A(I) Audit period and re-audit frequency ¶ 2, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • Audits conducted on smelters that are removed from the compliance list will cover the entire period of noncompliance, up to 2 years. (§ A(I) Audit period and re-audit frequency ¶ 2, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • Smelters must show that they have implemented the Organization for Economic Cooperation and Development "due diligence guidance for responsible supply chains on minerals from conflict-affected and high-risk areas". (§ B(III)(2) Level 3 Country Documentation Expectations ¶ 2, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • The audit result is non-compliant if the refinery refuses to participate or does not provide adequate information or access to conduct the audit. (§ D(1)(A), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • The audit result is non-compliant if conflict material was received or bought during the audit period. (§ D(1)(B), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • The audit result is non-compliant if there is not enough documentation to substantiate the gold origin of all gold-bearing materials and the refinery cannot or does not agree to furnish further information. (§ D(1)(C), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • The audit result is compliant if additional documentation is furnished to the auditor inside of 2 months to address the documentation deficiencies and a follow-up assessment is conducted inside of 1 month and determines the documentation shows the source of the minerals. (§ D(1)(D), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • The audit result is non-compliant if additional documentation is not furnished to the auditor when inadequate documentation exists. (§ D(1)(D), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • The audit result is compliant if adequate documentation is available and reasonably shows all sources of purchase or receipt during the audit period as being from non-conflict sources. (§ D(1)(E), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • The audit review committee must determine if the refinery is compliant or if additional actions are required after reviewing the information from the second audit. (§ D ¶ 3(2), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • A refinery is non-compliant if it has the same noncompliance issue identified for a second time. (§ D ¶ 3(3), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • Protect and enforce the organisation's interests in all acquisition contractual agreements, including the rights and obligations of all parties in the contractual terms for the acquisition of software, development resources, infrastructure and services. (AI5.4 IT Resources Acquisition, CobiT, Version 4.1)
  • Establish a process to monitor service delivery to ensure that the supplier is meeting current business requirements and continuing to adhere to the contract agreements and SLAs, and that performance is competitive with alternative suppliers and market conditions. (DS2.4 Supplier Performance Monitoring, CobiT, Version 4.1)
  • Suspect or confirmed fraudulent or counterfeit parts shall be controlled to prevent their use or reentry into the supply chain by placing them in quarantine. (§ 4.1.8.b, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The documented material control processes shall control suspect or confirmed fraudulent or counterfeit parts to prevent their use or reentry into the supply chain by physically segregating them and putting them in quarantine. (§ 4.2.8 ¶ 1.c, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity's privacy commitments and requirements and takes corrective action as necessary. (CC9.2 ¶ 5 Bullet 2 Assesses Compliance with Privacy Commitments of Vendors and Business Partners, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • During planning, the service auditor should determine whether the subservice organization will provide a written assertion and representation letter. In addition, the service auditor should determine whether it will be possible to obtain evidence that supports the portion of the opinion that address… (¶ 2.99, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity's privacy commitments and requirements and takes corrective action as necessary. (CC9.2 Assesses Compliance with Privacy Commitments of Vendors and Business Partners, Trust Services Criteria)
  • On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity's privacy commitments and requirements and takes corrective action as necessary. (CC9.2 ¶ 4 Bullet 2 Assesses Compliance with Privacy Commitments of Vendors and Business Partners, Trust Services Criteria, (includes March 2020 updates))
  • Verifies that the third-party providers can continue to support current contract requirements and future changes (e.g., that the third party has a satisfactory financial condition). (App A Objective 4:7 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Management's determination of the service provider's compliance with applicable financial institution and consumer regulations and with third-party requirements (e.g., NACHA, GLBA, bankcard company, and interchange). (App A Tier 1 Objectives and Procedures Objective 3:2 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • If the institution has bilateral clearing arrangements with other institutions, review the underlying contracts and determine how the institution monitors compliance with the contracts. (App A Tier 1 Objectives and Procedures Objective 8:3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • If the institution uses a technology service provider, determine whether it performed appropriate due diligence prior to engagement and has appropriate contractual agreements governing the relationship. Determine whether the institution monitors compliance with the governing contract. Determine if t… (App A Tier 1 Objectives and Procedures Objective 8:4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • If the financial institution accepts RCCs from retail business customers or payment processing customers, assess the appropriateness of, and adherence to, policies and procedures regarding customer due diligence, customer contracts, third-party service provider's due diligence, and activity/transact… (App A Tier 2 Objectives and Procedures M.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Oversight and monitoring of cloud service provider-managed controls. Management should evaluate and monitor the cloud service provider's technical, administrative, and physical security controls that support the financial institution's systems and information assets that reside in the cloud environm… (Risk Management Audit and Controls Assessment Bullet 2, FFIEC Security in a Cloud Computing Environment)
  • Participate in the implementation and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure all privacy concerns, requirements and responsibilities are addressed (T0909, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Participate in the implementation and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure all privacy concerns, requirements and responsibilities are addressed (T0909, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • A controller that uses de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data are subject and shall take appropriate steps to address any breaches of contractual commitments. (§ 6-1-1307 (2), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • A controller that discloses pseudonymous data, deidentified data, or aggregate consumer information shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the data or information is subject and shall take appropriate steps to address any breach of the con… (§ 501.714(4), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual… (IC 24-15-7-3 ¶ 1, Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • Controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual c… (§ 715D.6.4., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • A controller that discloses pseudonymous data or deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data is subject and shall take appropriate steps to address any breaches of those contractual c… (§ Section 10. (5), Montana Consumer Data Privacy Act 2023)
  • A controller that discloses deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject and shall take appropriate steps to address any breaches of the contractual commitments. (Section 7 (1)(b), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address breaches of those contractual commitm… (§ 47-18-3207.(d), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)