Assess the effectiveness of third party services provided to the organization.


CONTROL ID: 13142
CONTROL TYPE: Business Processes
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Third Party and supply chain oversight, CC ID: 08807

This Control has the following implementation support Control(s):
  • Monitor third parties for performance and effectiveness, as necessary., CC ID: 00799
  • Identify red flags in the supply chain., CC ID: 08873


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • When enterprises use third parties, they can become a key component in an enterprise's controls and its achievement of related control objectives. Management should evaluate the role that the third party performs in relation to the IT environment, related controls and control objectives. (Critical components of information security 23) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • audit and inspection; (5.5.2 (f), Guidelines on Outsourcing)
  • An outsourced cloud services register is maintained and regularly audited. (Security Control: 1637; Revision: 0, Australian Government Information Security Manual)
  • Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months. (Security Control: 0100; Revision: 10, Australian Government Information Security Manual)
  • Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months. (Security Control: 1570; Revision: 0, Australian Government Information Security Manual)
  • Third parties and related party agreements often take advantage of sub-contracting/on-sourcing arrangements, whether at the start of the arrangement or over time. Consequently, in order to effectively evaluate the design of information security controls, an APRA-regulated entity would consider what … (64., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Where an APRA-regulated entity's information assets are managed by a related party or third party, the APRA-regulated entity must evaluate the design of that party's information security controls that protects the information assets of the APRA-regulated entity. (22., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • the ongoing assessment of the service provider's performance in line with Section 14; (4.7 42(d)(i), Final Report on EBA Guidelines on outsourcing arrangements)
  • evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and (4.14 104(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: (4.14 104, Final Report on EBA Guidelines on outsourcing arrangements)
  • The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. (4.10 50, Final Report on EBA Guidelines on outsourcing arrangements)
  • the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: (4.4 31(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • The PRA expects firms to exercise their access, audit, and information rights in respect of material outsourcing arrangements in an outcomes-focused way, to assess whether the service provider is providing the relevant service effectively and in compliance with the firm's legal and regulatory obliga… (§ 8.6, SS2/21 Outsourcing and third party risk management, March 2021)
  • day-to-day oversight, including incident reporting, periodic performance assessment against service level agreements, and periodic strategic assessments; (Table 4 Column 2 Row 3 Bullet 1 Sub-Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization shall ensure that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process(es) shall be defined within the environmental management system. (§ 8.1 ¶ 3, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall ensure that externally provided processes, products or services, that are relevant to the compliance management system, are controlled. (§ 8.1 ¶ 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented inform… (8.4.1 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the performance of external providers; (9.1.3 ¶ 2(f), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted. (DM.ED-7, CRI Profile, v1.2)
  • Holding periodic discussions with the subservice organization personnel and evaluating subservice organization performance against established service level objectives and agreements (¶ 2.53 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the IT internal audit function, or any portion of it, is outsourced to external vendors, determine its effectiveness and whether the institution can appropriately rely on it. (TIER I OBJECTIVES AND PROCEDURES Objective 11, FFIEC IT Examination Handbook - Audit, April 2012)
  • Management has assessed the impact of external and internal trends and other factors on the ability of the vendor to support continued servicing of client financial institutions, (TIER II OBJECTIVES AND PROCEDURES F.2. Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)
  • Suppliers and third-party partners are routinely assessed to confirm that they are meeting their contractual obligations. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted (ID.SC-4, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services. (PM-30(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)