Include a provision that third parties are responsible for their subcontractors in the outsourcing contract.


CONTROL ID: 13130
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain outsourcing contracts., CC ID: 13124

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • While AIs are expected to take into account the general guidance specified in SA-2 “Outsourcing” when managing technology outsourcing, they should also have regard to the following controls: - technology service providers should have sufficient resources and expertise to comply with the substanc… (7.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • An institution should retain the ability to monitor and control its outsourcing arrangements when a service provider uses a sub-contractor. An outsourcing agreement should contain clauses setting out the rules and limitations on sub-contracting. An institution should include clauses making the servi… (5.5.2 (j) ¶ 1, Guidelines on Outsourcing)
  • specify that the service provider is obliged to oversee those services that it has subcontracted to ensure that all contractual obligations between the service provider and the institution or payment institution are continuously met; (4.13.1 78(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • Subcontractors of the cloud provider are contractually obliged to grant the cloud provider auditing rights regarding the effectiveness of the service-related internal control system as well as with respect to the compliance of the security requirements agreed upon. The subcontractor can also demonst… (Section 5.12 DLL-01 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Firms should ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm's relevant policy or policies. This includes establishing that the service provider has in place robust testing, monitoring, and … (§ 9.6, SS2/21 Outsourcing and third party risk management, March 2021)
  • establish the conditions to be complied with in the case of permissible sub-outsourcing, including specifying that the service provider is obliged to oversee those services that it has sub-contracted to ensure that all contractual obligations between the service provider and the firm are continuousl… (§ 9.9 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • Provisions for the use of sub-contractors to process PII should be transparent in the contract between the public cloud PII processor and the cloud service customer. The contract should specify that sub-contractors can only be commissioned on the basis of a consent that can generally be given by the… (§ A.8.1 ¶ 4, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • TSP accountability for actions/inactions of subcontractors should the subcontractor fail to provide necessary service(s) for business recovery capabilities; (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Flow-down control requirements to subcontractors, if and when applicable, including C-SCRM performance objectives linked to the method of inspection in a Quality Assurance Surveillance Plan or equivalent method for monitoring performance; (3.1.2. ¶ 11 Bullet 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)