Third-Party Management
The primary objective of this activity set is to help maintain the security of the organization's information systems and data when entering into any arrangement with a third-party supplier or vendor, and to identify the elements of managing vendors: due diligence, risk assessments, and contract management.
Category | Sub-Category | Name | Activity |
---|---|---|---|
Third Party Management | Vendor Assessments | Third Party Assurance | [In accordance with the organization-defined frequency], management reviews the controls described in third-party assurance reports to ensure that they meet organizational requirements; if control gaps are identified in the assurance reports, management takes action to address the impact the disclosed gaps have on the organization. |
Third Party Management | Vendor Assessments | Vendor Risk Management | [The organization] performs a risk assessment to determine the data types that can be shared with a managed service provider. |
Third Party Management | Vendor Assessments | Forensic Investigations | [The organization] has established procedures to conduct a forensic investigation in the event that a hosted merchant or service provider is compromised. |
Third Party Management | Vendor Agreements | Network Access | Third party entities which gain access to [the organization's] network sign a network access agreement. |
Third Party Management | Vendor Agreements | Vendor Non-disclosure Agreements | [Workforce personnel as defined by the organization] consent to a non-disclosure clause. |
Third Party Management | Vendor Agreements | Cardholder Data Security Agreement | [The organization's] managed service providers that manage, store, or transmit cardholder data on behalf of customers must provide written acknowledgement to those customers of their responsibility to protect cardholder data and the cardholder data environment. |
Third Party Management | Vendor Agreements | Network Service | Vendors providing networking services to [the organization] are contractually bound to provide secure and available services as documented in SLAs. |
Third Party Management | Vendor Procurement | Approved Service Provider Listing | [The organization] maintains a list of approved managed service providers and the services they provide to [the organization]. |
Third Party Management | Vendor Agreements | HIPAA Business Associate Subcontractor Agreement | [The organization] requires a Business Associate Subcontractor Agreement with Business Associates from which it receives, or to which it transmits, protected health information (PHI); Business Associates under contract are required to provide assurance that they adhere to [the organization's] security standards, which include the security of PHI and the reporting of security events that potentially expose PHI. |
Third Party Management | Vendor Agreements | Vendor Information Security Standard | [The organization] has documented a Vendor Information Security Standard that defines the responsibilities and governance requirements for vendor information security engagements. Contractual agreements are entered into with vendors who process or store [the organization's] data; these agreements define information security terms and service level agreements. |