Review and update all contracts, as necessary.


CONTROL ID
11612
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts., CC ID: 00796

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should regularly (e.g. annually) review their outsourcing agreements. They should assess whether the agreements should be renegotiated and renewed to bring them in line with current market standards and to cope with changes in their business strategies. (2.4.2, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • App 2-1 Item Number VI.5.4(1): The organization must assess the consistencies between the actual operations and the operations described in the subcontracting contract. This is a control item that constitutes a greater risk to financial information. This is an IT general control. App 2-1 Item Number… (App 2-1 Item Number VI.5.4(1), App 2-1 Item Number VI.5.5(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Since it also can be expected that the wording of contracts would need to be revised depending on the results of continuous risk assessment, it is recommended to establish regular opportunities for exchange of information among parties including the security sections and legal sections of both parti… (C21.1. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Upon doing so, the financial institution should consider the scope of operations to be outsourced, the nature of services provided by the contractor, and the role division of the financial institution and contractor in terms of use pattern, and then evaluate the contractor based on the information o… (C20.3. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Contractual terms and conditions governing relationships, obligations, responsibilities, rights and expectations of the contracting parties in the outsourcing arrangement should be carefully and properly defined in written agreements. They should also be vetted by a competent authority (e.g., the in… (5.5.1, Guidelines on Outsourcing)
  • An institution should ensure that every outsourcing agreement addresses the risks identified at the risk evaluation and due diligence stages. Each outsourcing agreement should allow for timely renegotiation and renewal to enable the institution to retain an appropriate level of control over the outs… (5.5.2, Guidelines on Outsourcing)
  • Security requirements associated with the confidentiality, integrity and availability of data are documented in contractual arrangements with service providers and reviewed on a regular and ongoing basis to ensure they remain fit for purpose. (Control: ISM-0072; Revision: 9, Australian Government Information Security Manual, June 2023)
  • Security requirements associated with the confidentiality, integrity and availability of data are documented in contractual arrangements with service providers and reviewed on a regular and ongoing basis to ensure they remain fit for purpose. (Control: ISM-0072; Revision: 9, Australian Government Information Security Manual, September 2023)
  • customer requirements and existing contracts, (§ 7.1 Subsection 2 ¶ 2 Bullet 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Compliance with contractual agreements is verified. (6.1.1 Requirements (must) Bullet 4, Information Security Assessment, Version 5.1)
  • The entity's internal personnel or advisers review contracts for consistency with privacy policies and procedures and address any inconsistencies. (M1.2 Consistency of commitments with privacy policies and procedures, Privacy Management Framework, Updated March 1, 2020)
  • Set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organisational, documentary, performance, security, intellectual property, and termination responsibilities and liabilities (including penalty claus… (AI5.2 Supplier Contract Management, CobiT, Version 4.1)
  • Regularly review SLAs and underpinning contracts (UCs) with internal and external service providers to ensure that they are effective and up to date and that changes in requirements have been taken into account. (DS1.6 Review of Service Level Agreements and Contracts, CobiT, Version 4.1)
  • Contracts regarding customer access to the organization's business applications should be assessed by an Information Security specialist. (CF.05.02.01a, The Standard of Good Practice for Information Security)
  • Contracts regarding customer access to the organization's business applications should be reviewed on a regular basis (e.g., annually). (CF.05.02.01c, The Standard of Good Practice for Information Security)
  • Contracts should be established with all outsource providers (including cloud service providers), which are reviewed independently (e.g., by a legal representative, lawyer, or equivalent). (CF.16.03.04a, The Standard of Good Practice for Information Security)
  • Contracts should be established with all outsource providers (including cloud service providers), which are kept up-to-date. (CF.16.03.04d, The Standard of Good Practice for Information Security)
  • Contracts (including those for generic, 'off-the-shelf' cloud services) should be reviewed by a legal representative (e.g., a lawyer or equivalent) and an Information Security specialist. (CF.16.05.02a, The Standard of Good Practice for Information Security)
  • Contracts with specialist business continuity arrangements providers (or equivalent) should be reviewed independently (e.g., by a legal representative, lawyer, or equivalent), approved by executive management, agreed and signed by each party, and kept up-to-date. (CF.20.06.09, The Standard of Good Practice for Information Security)
  • Contracts regarding customer access to the organization's business applications should be assessed by an Information Security specialist. (CF.05.02.01a, The Standard of Good Practice for Information Security, 2013)
  • Contracts regarding customer access to the organization's business applications should be reviewed on a regular basis (e.g., annually). (CF.05.02.01c, The Standard of Good Practice for Information Security, 2013)
  • Contracts should be established with all outsource providers (including cloud service providers), which are reviewed independently (e.g., by a legal representative, lawyer, or equivalent). (CF.16.03.04a, The Standard of Good Practice for Information Security, 2013)
  • Contracts should be established with all outsource providers (including cloud service providers), which are kept up-to-date. (CF.16.03.04d, The Standard of Good Practice for Information Security, 2013)
  • Contracts (including those for generic, 'off-the-shelf' cloud services) should be reviewed by a legal representative (e.g., a lawyer or equivalent) and an Information Security specialist. (CF.16.05.02a, The Standard of Good Practice for Information Security, 2013)
  • Contracts with specialist business continuity arrangements providers (or equivalent) should be reviewed independently (e.g., by a legal representative, lawyer, or equivalent), approved by executive management, agreed and signed by each party, and kept up-to-date. (CF.20.06.09, The Standard of Good Practice for Information Security, 2013)
  • The organization shall ensure that contract or order requirements differing from those previously defined are resolved. (8.2.3.1 ¶ 2, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • How the use of AI, especially AI systems using continuous learning, can affect the ability of the organization to meet contractual obligations and guarantees. Consequently, organizations should carefully consider the scope of relevant contracts. (§ 5.4.1 Table 2 Column 2 Row 5 Bullet 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • At planned intervals, the organization shall review the contract against current service requirements. Changes identified for the contract shall be assessed for the impact of the change on the SMS and the services before the change is approved. (§ 8.3.4.1 ¶ 6, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Internal personnel and advisers review contracts to ensure they are consistent with the organization's privacy policies and procedures. (Generally Accepted Privacy Principles and Criteria § 1.2.5, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization identifies and addresses the effect of changes to Service Level Agreements and contracts on privacy requirements. (Generally Accepted Privacy Principles and Criteria § 1.2.11 Bullet 2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should review and document its compliance with privacy policies, laws, regulations, standards, contracts, and Service Level Agreements, and report the results to management. (Generally Accepted Privacy Principles and Criteria § 10.2.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and relevant to the service organization's achievement of its service commitments and system requirements based on the applicable trust services criteria. When making this evalua… (¶ 3.41, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Reading sample contracts with subservice organizations and vendors (for example, contract templates or a selection of contracts) and associated performance or service level agreements and other documentation to understand (¶ 3.59 Bullet 11, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Reading contracts with user entities and business partners (such as performance or service level agreements), marketing materials distributed to user entities and business partners or posted on the service organization's website, and other available documentation to (¶ 3.59 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Reading contracts and other communications with the subservice organization to determine whether they identify the types of controls expected to be implemented at the subservice organization (¶ 3.99 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Reading contracts with customers and business partners, such as performance or service-level agreements, marketing materials distributed to customers and business partners or posted on the service organization's website, and other available documentation to evaluate whether the controls the service … (¶ 3.50 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As it relates to CUECs, the description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and necessary as discussed in paragraph 3.53. When making this evaluation, the service auditor may review system documentation and contracts with user ent… (¶ 3.54, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If the service organization uses the carve-out method for a subservice organization, the service auditor would also need to evaluate whether the types of controls expected to be implemented at the subservice organization would, if operating effectively in combination with the controls at the service… (¶ 3.113, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Reading contracts with customers and business partners (such as performance or service-level agreements), marketing materials distributed to customers and business partners or posted on the service organization's website, and other available documentation to better understand the specific services p… (¶ 3.25 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Reading sample contracts with users (for example, contract templates or a selection of contracts) and associated performance or service-level agreements and other documentation to understand the nature of the inputs provided by users (¶ 3.36 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Reading sample contracts with subservice organizations and associated performance or service-level agreements and other documentation to understand how the service organization's contracting process addresses security-related matters; the interrelationship between the service organization and its su… (¶ 3.50 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Reading contracts and other communications with the subservice organization to determine whether they identify the types of controls expected to be implemented at the subservice organization (¶ 3.114 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Principle: Firms should manage cybersecurity risk that can arise across the lifecycle of vendor relationships using a risk-based approach to vendor management. Effective practices to manage vendor risk include: - performing pre-contract due diligence on prospective service providers; - establishing … (Vendor Management, Report on Cybersecurity Practices)
  • Contractual arrangements addressing infrastructure, if applicable. (V Action Summary ¶ 2 Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The adequacy of contracts and management's ability to monitor relationships with technology service providers; (TIER II OBJECTIVES AND PROCEDURES A.1 Bullet 8, FFIEC IT Examination Handbook - Audit, April 2012)
  • The adequacy of contracts and the ability to monitor relationships with service providers. (TIER II OBJECTIVES AND PROCEDURES C.1. Bullet 5, FFIEC IT Examination Handbook - Audit, April 2012)
  • There are contracts with all customers (affiliated and nonaffiliated) and whether the institution's legal staff has approved them; (TIER II OBJECTIVES AND PROCEDURES F.1. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • There are contracts in place that have been approved by the institution's legal staff, (TIER II OBJECTIVES AND PROCEDURES F.2. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • The institution's processing architecture, including processing outsourcing arrangements. (App A Tier 1 Objectives and Procedures Objective 2:2 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Review a sample of contracts authorizing the institution to originate ACH items for customers and determine whether they adequately set forth the responsibilities of the institution and customer. Determine: (App A Tier 1 Objectives and Procedures Objective 8:11, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • If the financial institution accepts RCCs from retail business customers or payment processing customers, assess the appropriateness of, and adherence to, policies and procedures regarding customer due diligence, customer contracts, third-party service provider's due diligence, and activity/transact… (App A Tier 2 Objectives and Procedures M.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether legal counsel was involved in drafting any RDC-related contracts or agreements with technology service providers or customers. (App A Tier 2 Objectives and Procedures N.5 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Obtain and review a sample contract or agreement between the financial institution and the RDC customer and technology service provider, where applicable. Consider whether contracts or agreements address the following: (App A Tier 2 Objectives and Procedures N.5 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Have the vendor contracts been reviewed by corporate legal personnel, when vendors have access to the firewall? (IT - Firewalls Q 34, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Was the internet banking contract with the third party reviewed by legal counsel? (IT - Member Online Services Q 2, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Was the bill pay contract reviewed by legal counsel? (IT - Member Online Services Q 27, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Was the vendor contract for outsourcing the e-statement service reviewed by legal counsel? (IT - Member Online Services Q 37, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the Credit Union have legal counsel review the account aggregator contract? (IT - Member Online Services Q 46, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the Credit Union submit the third party contract to legal counsel for reviewing before it was signed? (IT - Vendor Oversight Q 29, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Was the contract with the third party web host reviewed by legal counsel? (IT - Web Site Review Q 4, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Evaluate contracts to ensure compliance with funding, legal, and program requirements. (T0098, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Evaluate contracts to ensure compliance with funding, legal, and program requirements. (T0098, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • A bank should periodically review existing contracts. ("Contract Negotiation" ¶ 1, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management must review and approve third party contracts. ("Senior Bank Management" Bullet 5, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)