Establish, implement, and maintain outsourcing contracts.


CONTROL ID: 13124
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Third Party and supply chain oversight, CC ID: 08807

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain contracts with asset disposition vendors, as necessary., CC ID: 14826
  • Specify asset ownership in outsourcing contracts., CC ID: 13141
  • Include performance standards in outsourcing contracts., CC ID: 13140
  • Include the organization approving subcontractors in the outsourcing contract., CC ID: 13131
  • Include a provision that third parties are responsible for their subcontractors in the outsourcing contract., CC ID: 13130


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is effective to conclude an SLA between the financial institution and the contractor as a benchmark to measure the results of the operations and as a part of the service contract, and to also perform periodic evaluations. Refer to [C21] for information on the conclusion of an SLA. (C23.2. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When outsourcing (including the use of shared data center and/or cloud service), it is necessary to identify the purpose and scope beforehand. However, some outsourcing may have a significant impact on the relevant financial institution as a whole, such as sharing the core banking system. In such a … (C20.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Financial institutions should clarify the rules, including the security policy, to be followed by the contractor's staff in accordance with the content of the outsourced operations and the scope of the tasks during their course of performing the outsourced operations, and ensure their compliance wit… (C22.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Upon doing so, the financial institution should consider the scope of operations to be outsourced, the nature of services provided by the contractor, and the role division of the financial institution and contractor in terms of use pattern, and then evaluate the contractor based on the information o… (C20.3. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • developing sound and prudent outsourcing policies and procedures that are commensurate with the nature, scope and complexity of the outsourcing arrangements as well as ensuring that such policies and procedures are implemented effectively; (5.2.3 (b), Guidelines on Outsourcing)
  • Contractual terms and conditions governing relationships, obligations, responsibilities, rights and expectations of the contracting parties in the outsourcing arrangement should be carefully and properly defined in written agreements. They should also be vetted by a competent authority (e.g., the in… (5.5.1, Guidelines on Outsourcing)
  • having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same ICT third-party service provider or with closely connected ICT third-party service providers. (Art. 29.1. ¶ 1(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • full service level descriptions, including updates and revisions thereof with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without… (Art. 30.3. ¶ 1(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important. (Art. 28.3. ¶ 5, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The decision referred to in the second subparagraph shall be adopted and notified to the ICT third-party service provider within 6 months of receipt of the application. (Art. 31.11. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • If an organisation opts for involvement of external service providers, both the contractual framework conditions and the prerequisites for implementation of the requirements of IT-Grundschutz must be met. In general, modelling of the modules must be performed separately with regard to the own organi… (§ 8.3.7 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In line with Article 31(3) of MODR (banks) and 274(3)(c) of the Solvency II Delegated Regulation (insurers), all outsourcing arrangements must be set out in a written agreement. (§ 6.1, SS2/21 Outsourcing and third party risk management, March 2021)
  • Identify all supplier services, and categorise them according to supplier type, significance and criticality. Maintain formal documentation of technical and organisational relationships covering the roles and responsibilities, goals, expected deliverables, and credentials of representatives of these… (DS2.1 Identification of All Supplier Relationships, CobiT, Version 4.1)
  • the processes and activities that are to be outsourced (including the scope and boundaries of the outsourced processes and activities and their interfaces with the organization's own processes and activities); (Section 8.7 ¶ 3(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • manage changes to the supplier services as necessary. (§ 8.1 Guidance ¶ 4(u), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The entity shall discuss its policies for engagement in zero-rating. (TC-TL-520a.3. 3, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • Vendor and customer contracts are in effect and detail the responsibilities of all parties to the agreement; (TIER II OBJECTIVES AND PROCEDURES E.2. Bullet 8, FFIEC IT Examination Handbook - Audit, April 2012)
  • Whether outsourcing arrangements are governed by contracts and service level agreements. (App A Tier 1 Objectives and Procedures Objective 1:5 Bullet 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Adequacy of contract provisions including service level, performance agreements, responsibilities, liabilities, and management monitoring. (App A Tier 1 Objectives and Procedures Objective 3:2 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Agent bank programs (where the financial institution performs merchant processing for other institutions), and the level of liability assumed by the acquiring financial institution. (App A Tier 1 Objectives and Procedures Objective 6:9 Bullet 7, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • A critical first step is to ensure that there is a current and accurate inventory of the enterprise's supplier relationships, contracts, and any products or services those suppliers provide. This information allows for a mapping of these suppliers into strategically relevant groupings as determined … (3.1.1. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • If feasible, disconnect modems when not in use or consider automating this disconnection process by having modems disconnect after being on for a given amount of time. It should be noted that sometimes modem connections are part of the legal support service agreement with the vendor (e.g., 24x7 supp… (§ 6.2.1.4 ICS-specific Recommendations and Guidance Bullet 5, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Offload [Assignment: organization-defined non-essential functions or services] to other systems, system components, or an external provider. (PM-7(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Offload [Assignment: organization-defined non-essential functions or services] to other systems, system components, or an external provider. (PM-7(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)