DS2.4: Supplier Performance Monitoring
Control Objective:
Establish a process to monitor service delivery to ensure the supplier is meeting current business requirements and is continuing to adhere to the contract agreements and service level agreements, and that performance is competitive with alternative suppliers and market conditions.
Applicability:
- Sarbanes-Oxley
- HIPAA
- GLBA
- PCI
- FISMA
- NIST SP 800-66
- DITSCAP
- Control Exception
- User Defined
Risk Association Control Activities:
- 1. Risk: Third-party service providers may not meet the business, compliance and regulatory needs of the organization, thereby inducing risk.
  - a. SOX.1.5 A designated individual is responsible for regular monitoring and reporting on the achievement of the third-party service-level performance criteria.
Implementation Guide:
Process Narrative
Insert a description of the process narration that is applicable to the existing control statement this narrative refers to.
Process Illustration
Insert a process diagram, flowchart or other visual representation here to illustrate the process narrative.
Control Commentary
Insert a description of the control that is applicable to the existing control statement this commentary refers to.
Control Exception Commentary
Insert a description of the control exception that is applicable to the existing control statement this commentary refers to.
Evidence Archive Location
Insert Evidence Description Here.
Control Status and Auditors Commentary
Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.
Remediation Plan
Insert remediation plan, applicability, or any information that indicates what needs to be done.
Supplemental Information:
1. ISO 17799 6.2.1: The risks to the organization’s information and information processing facilities from business processes involving external parties should be identified and appropriate controls implemented before granting access.
Implementation guidance
Where there is a need to allow an external party access to the information processing facilities or information of an organization, a risk assessment (see also Section 4) should be carried out to identify any requirements for specific controls. The identification of risks related to external party access should take into account the following issues:
- the information processing facilities an external party is required to access;
- the type of access the external party will have to the information and information processing facilities, e.g.:
  - 1. physical access, e.g. to offices, computer rooms, filing cabinets;
  - 2. logical access, e.g. to an organization’s databases, information systems;
  - 3. network connectivity between the organization’s and the external party’s network(s), e.g. permanent connection, remote access;
  - 4. whether the access is taking place on-site or off-site;
- a. the value and sensitivity of the information involved, and its criticality for business operations;
- b. the controls necessary to protect information that is not intended to be accessible by external parties;
- c. the external party personnel involved in handling the organization’s information;
- d. how the organization or personnel authorized to have access can be identified, the authorization verified, and how often this needs to be reconfirmed;
- e. the different means and controls employed by the external party when storing, processing, communicating, sharing and exchanging information;
- f. the impact of access not being available to the external party when required, and of the external party entering or receiving inaccurate or misleading information;
- g. practices and procedures to deal with information security incidents and potential damages, and the terms and conditions for the continuation of external party access in the case of an information security incident;
- h. legal and regulatory requirements and other contractual obligations relevant to the external party that should be taken into account;
- i. how the interests of any other stakeholders may be affected by the arrangements.
Access by external parties to the organization’s information should not be provided until the appropriate controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement. Generally, all security requirements resulting from work with external parties or internal controls should be reflected by the agreement with the external party (see also 6.2.2 and 6.2.3).
It should be ensured that the external party is aware of their obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating, or managing the organization’s information and information processing facilities.
Other information
Information might be put at risk by external parties with inadequate security management. Controls should be identified and applied to administer external party access to information processing facilities. For example, if there is a special need for confidentiality of the information, non-disclosure agreements might be used.
Organizations may face risks associated with inter-organizational processes, management, and communication if a high degree of outsourcing is applied, or where there are several external parties involved.
The controls 6.2.2 and 6.2.3 cover different external party arrangements, e.g. including:
- service providers, such as ISPs, network providers, telephone services, maintenance, and support services;
- managed security services;
- customers;
- outsourcing of facilities and/or operations, e.g. IT systems, data collection services, call center operations;
- management and business consultants, and auditors;
- developers and suppliers, e.g. of software products and IT systems;
- cleaning, catering, and other outsourced support services;
- temporary personnel, student placement, and other casual short-term appointments.
Such agreements can help to reduce the risks associated with external parties.
2. ISO 17799 6.2.2 All identified security requirements should be addressed before giving customers access to the organization’s information or assets.
Implementation guidance
The following terms should be considered to address security prior to giving customers access to any of the organization’s assets (depending on the type and extent of access given, not all of them might apply):
- a. asset protection, including:
  - 1. procedures to protect the organization’s assets, including information and software, and management of known vulnerabilities;
  - 2. procedures to determine whether any compromise of the assets, e.g. loss or modification of data, has occurred;
  - 3. integrity;
  - 4. restrictions on copying and disclosing information;
- a. description of the product or service to be provided;
- b. the different reasons, requirements, and benefits for customer access;
- c. access control policy, covering:
  - 1) permitted access methods, and the control and use of unique identifiers such as user IDs and passwords;
  - 2) an authorization process for user access and privileges;
  - 3) a statement that all access that is not explicitly authorized is forbidden;
  - 4) a process for revoking access rights or interrupting the connection between systems;
- d. arrangements for reporting, notification, and investigation of information inaccuracies (e.g. of personal details), information security incidents and security breaches;
- e. a description of each service to be made available;
- f. the target level of service and unacceptable levels of service;
- g. the right to monitor, and revoke, any activity related to the organization’s assets;
- h. the respective liabilities of the organization and the customer;
- i. responsibilities with respect to legal matters and how it is ensured that the legal requirements are met, e.g. data protection legislation, especially taking into account different national legal systems if the agreement involves co-operation with customers in other countries (see also 15.1);
- j. intellectual property rights (IPRs) and copyright assignment (see 15.1.2) and protection of any collaborative work (see also 6.1.5).
Other information
The security requirements related to customers accessing organizational assets can vary considerably depending on the information processing facilities and information being accessed. These security requirements can be addressed using customer agreements, which contain all identified risks and security requirements (see 6.2.1).
Agreements with external parties may also involve other parties. Agreements granting external party access should include allowance for designation of other eligible parties and conditions for their access and involvement.
3. ISO 17799 6.2.3 Addressing security in third party agreements
Control
Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities should cover all relevant security requirements.
Implementation guidance
The agreement should ensure that there is no misunderstanding between the organization and the third party. Organizations should satisfy themselves as to the indemnity of the third party.
The following terms should be considered for inclusion in the agreement in order to satisfy the identified security requirements (see 6.2.1):
- 1. the information security policy;
- 2. controls to ensure asset protection, including:
  - a. procedures to protect organizational assets, including information, software and hardware;
  - b. any required physical protection controls and mechanisms;
  - c. controls to ensure protection against malicious software (see 10.4.1);
  - d. procedures to determine whether any compromise of the assets, e.g. loss or modification of information, software and hardware, has occurred;
  - e. controls to ensure the return or destruction of information and assets at the end of, or at an agreed point in time during, the agreement;
  - f. confidentiality, integrity, availability, and any other relevant property (see 2.1.5) of the assets;
  - g. restrictions on copying and disclosing information, and using confidentiality agreements (see 6.1.5);
- 3. user and administrator training in methods, procedures, and security;
- 4. ensuring user awareness for information security responsibilities and issues;
- 5. provision for the transfer of personnel, where appropriate;
- 6. responsibilities regarding hardware and software installation and maintenance;
- 7. a clear reporting structure and agreed reporting formats;
- 8. a clear and specified process of change management;
- 9. access control policy, covering:
  - a. the different reasons, requirements, and benefits that make the access by the third party necessary;
  - b. permitted access methods, and the control and use of unique identifiers such as user IDs and passwords;
  - c. an authorization process for user access and privileges;
  - d. a requirement to maintain a list of individuals authorized to use the services being made available, and what their rights and privileges are with respect to such use;
  - e. a statement that all access that is not explicitly authorized is forbidden;
  - f. a process for revoking access rights or interrupting the connection between systems;
- 10. arrangements for reporting, notification, and investigation of information security incidents and security breaches, as well as violations of the requirements stated in the agreement;
- 11. a description of the product or service to be provided, and a description of the information to be made available along with its security classification (see 7.2.1);
- 12. the target level of service and unacceptable levels of service;
- 13. the definition of verifiable performance criteria, their monitoring and reporting;
- 14. the right to monitor, and revoke, any activity related to the organization’s assets;
- 15. the right to audit responsibilities defined in the agreement, to have those audits carried out by a third party, and to enumerate the statutory rights of auditors;
- 16. the establishment of an escalation process for problem resolution;
- 17. service continuity requirements, including measures for availability and reliability, in accordance with an organization’s business priorities;
- 18. the respective liabilities of the parties to the agreement;
- 19. responsibilities with respect to legal matters and how it is ensured that the legal requirements are met, e.g. data protection legislation, especially taking into account different national legal systems if the agreement involves co-operation with organizations in other countries (see also 15.1);
- 20. intellectual property rights (IPRs) and copyright assignment (see 15.1.2) and protection of any collaborative work (see also 6.1.5);
- 21. involvement of the third party with subcontractors, and the security controls these subcontractors need to implement;
- 22. conditions for renegotiation/termination of agreements:
  - a. a contingency plan should be in place in case either party wishes to terminate the relation before the end of the agreements;
  - b. renegotiation of agreements if the security requirements of the organization change;
  - c. current documentation of asset lists, licenses, agreements or rights relating to them.
Other information
The agreements can vary considerably for different organizations and among the different types of third parties. Therefore, care should be taken to include all identified risks and security requirements (see also 6.2.1) in the agreements. Where necessary, the required controls and procedures can be expanded in a security management plan.
If information security management is outsourced, the agreements should address how the third party will guarantee that adequate security, as defined by the risk assessment, will be maintained, and how security will be adapted to identify and deal with changes to risks.
Some of the differences between outsourcing and the other forms of third party service provision include the question of liability, planning the transition period and potential disruption of operations during this period, contingency planning arrangements and due diligence reviews, and collection and management of information on security incidents. Therefore, it is important that the organization plans and manages the transition to an outsourced arrangement and has suitable processes in place to manage changes and the renegotiation/termination of agreements.
The procedures for continuing processing in the event that the third party becomes unable to supply its services need to be considered in the agreement to avoid any delay in arranging replacement services.
Agreements with third parties may also involve other parties. Agreements granting third party access should include allowance for designation of other eligible parties and conditions for their access and involvement.
Generally, agreements are developed primarily by the organization. In some circumstances an agreement may be developed and imposed upon an organization by a third party. The organization needs to ensure that its own security is not unnecessarily impacted by third-party requirements stipulated in imposed agreements.
ISO 17799 10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed with the third party.
ISO 17799 10.2.1 Service delivery
Control
It should be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.
Implementation guidance
Service delivery by a third party should include the agreed security arrangements, service definitions, and aspects of service management. In case of outsourcing arrangements, the organization should plan the necessary transitions (of information, information processing facilities, and anything else that needs to be moved), and should ensure that security is maintained throughout the transition period.
The organization should ensure that the third party maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster (see 14.1).
ISO 17799 10.2.2 Monitoring and review of third party services
Control
The services, reports and records provided by the third party should be regularly monitored and reviewed, and audits should be carried out regularly.
Implementation guidance
Monitoring and review of third party services should ensure that the information security terms and conditions of the agreements are being adhered to, and that information security incidents and problems are managed properly. This should involve a service management relationship and process between the organization and the third party to:
- 1. monitor service performance levels to check adherence to the agreements;
- 2. review service reports produced by the third party and arrange regular progress meetings as required by the agreements;
- 3. provide information about information security incidents and review of this information by the third party and the organization as required by the agreements and any supporting guidelines and procedures;
- 4. review third party audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered;
- 5. resolve and manage any identified problems.
The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team. In addition, the organization should ensure that the third party assigns responsibilities for checking for compliance and enforcing the requirements of the agreements. Sufficient technical skills and resources should be made available to monitor that requirements of the agreement (see 6.2.3), in particular the information security requirements, are being met. Appropriate action should be taken when deficiencies in the service delivery are observed.
The organization should maintain sufficient overall control and visibility into all security aspects for sensitive or critical information or information processing facilities accessed, processed or managed by a third party. The organization should ensure they retain visibility into security activities such as change management, identification of vulnerabilities, and information security incident reporting / response through a clearly defined reporting process, format and structure.
Other information
In case of outsourcing, the organization needs to be aware that the ultimate responsibility for information processed by an outsourcing party remains with the organization.
ISO 17799 10.2.3 Managing changes to third party services
Control
Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.
Implementation guidance
The process of managing changes to a third party service needs to take account of:
- 1. changes made by the organization to implement:
  - a. enhancements to the current services offered;
  - b. development of any new applications and systems;
  - c. modifications or updates of the organization’s policies and procedures;
  - d. new controls to resolve information security incidents and to improve security;
- 2. changes in third party services to implement:
  - a. changes and enhancements to networks;
  - b. use of new technologies;
  - c. adoption of new products or newer versions/releases;
  - d. new development tools and environments;
  - e. changes to physical location of service facilities;
  - f. change of vendors.
Related references:
- ITIL Service Delivery, Service Level Management
- ITIL 4.4.7 Establish monitoring capabilities
- ITIL The Business Perspective, Supplier Relationship Management
- ITIL 7.4 Contract management
- ISO 4.3 Outsourcing
- ISO 6.1 Security in job definition and resources
- ISO 10.5 Security in development and support processes