Include the organization approving subcontractors in the outsourcing contract.


CONTROL ID: 13131
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain outsourcing contracts., CC ID: 13124

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • While AIs are expected to take into account the general guidance specified in SA-2 “Outsourcing” when managing technology outsourcing, they should also have regard to the following controls: - technology service providers should have sufficient resources and expertise to comply with the substanc… (7.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • It is necessary to obtain the approval of the person in charge when deciding on a contractor. At the time of obtaining an approval for computer systems development or operation, or the use of services, the additional approval for outsourcing should also be obtained from the responsible personnel. (C20.5., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to identify the procedures for selecting contractors. Specifically, procedures for selecting contractors can be established as regulations. If the entrusted operations are to be subcontracted in whole or in part, it is necessary to also identify the procedures to evaluate subcontract… (C20.4., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In addition, if evaluation and verification of the appropriateness of outsourced work can not be sufficiently performed only with the submitted information, it is necessary to verify it on site by auditing/monitoring the outsourcees' offices or data centers. Furthermore, when the specified system is… (A1.5. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • A trustee may re-entrust a third party with affairs entrusted pursuant to paragraph (1) only where the trustee obtains consent from the provider, etc. of information and communications services. (Article 25(7), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • An institution should retain the ability to monitor and control its outsourcing arrangements when a service provider uses a sub-contractor. An outsourcing agreement should contain clauses setting out the rules and limitations on sub-contracting. An institution should include clauses making the servi… (5.5.2 (j) ¶ 1, Guidelines on Outsourcing)
  • require the service provider to obtain prior specific or general written authorisation from the institution or payment institution before sub-outsourcing data; (4.13.1 78(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • ensure, where appropriate, that the institution or payment institution has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required; (4.13.1 78(f), Final Report on EBA Guidelines on outsourcing arrangements)
  • specify any types of activities that are excluded from sub-outsourcing; (4.13.1 78(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • Restrictions on, or prior approval for, subcontractors; (App A Tier 2 Objectives and Procedures O.4 Bullet 14, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Engage a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract in accordance with subsection (5) of this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data. (§ 6-1-1305 (3)(b), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)