The following compliance controls are associated with this Policy definition: 'Monitor third-party provider compliance' (f8ded0c6-a668-9371-6bb6-661d58787198).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | PS-7 | FedRAMP_High_R4_PS-7 | FedRAMP High PS-7 | Personnel Security | Third-Party Personnel Security | Shared | n/a | The organization:<br>a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;<br>b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;<br>c. Documents personnel security requirements;<br>d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and<br>e. Monitors provider compliance.<br>Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.<br>Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21.<br>Control Enhancements: None.<br>References: NIST Special Publication 800-35. | link | 5 |
| FedRAMP_Moderate_R4 | PS-7 | FedRAMP_Moderate_R4_PS-7 | FedRAMP Moderate PS-7 | Personnel Security | Third-Party Personnel Security | Shared | n/a | The organization:<br>a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;<br>b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;<br>c. Documents personnel security requirements;<br>d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and<br>e. Monitors provider compliance.<br>Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.<br>Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21.<br>Control Enhancements: None.<br>References: NIST Special Publication 800-35. | link | 5 |
| hipaa | 0105.02a2Organizational.1-02.a | hipaa-0105.02a2Organizational.1-02.a | 0105.02a2Organizational.1-02.a | 01 Information Protection Program | 0105.02a2Organizational.1-02.a 02.01 Prior to Employment | Shared | n/a | Risk designations are assigned for all positions within the organization as appropriate, with commensurate screening criteria, and reviewed/revised every 365 days. | | 6 |
| hipaa | 0111.02d2Organizational.2-02.d | hipaa-0111.02d2Organizational.2-02.d | 0111.02d2Organizational.2-02.d | 01 Information Protection Program | 0111.02d2Organizational.2-02.d 02.03 During Employment | Shared | n/a | Non-employees are provided the organization's data privacy and security policy requirements prior to accessing system resources and data. | | 9 |
| hipaa | 1407.05k2Organizational.1-05.k | hipaa-1407.05k2Organizational.1-05.k | 1407.05k2Organizational.1-05.k | 14 Third Party Assurance | 1407.05k2Organizational.1-05.k 05.02 External Parties | Shared | n/a | The specific limitations of access, arrangements for compliance auditing, penalties, and the requirement for notification of third-party personnel transfers and terminations are identified in the agreement with the third-party. | | 5 |
| hipaa | 1409.09e2System.1-09.e | hipaa-1409.09e2System.1-09.e | 1409.09e2System.1-09.e | 14 Third Party Assurance | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Shared | n/a | The organization develops, disseminates and annually reviews/updates a list of current service providers, which includes a description of services provided. | | 15 |
| hipaa | 1429.05k1Organizational.34-05.k | hipaa-1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k | 14 Third Party Assurance | 1429.05k1Organizational.34-05.k 05.02 External Parties | Shared | n/a | The organization maintains written agreements (contracts) that include: (i) an acknowledgement that the third-party (e.g., a service provider) is responsible for the security of the data and requirements to address the associated information security risks; and, (ii) requirements to address the information security risks associated with information and communications technology services (e.g., cloud computing services) and product supply chain. | | 14 |
| hipaa | 1431.05k1Organizational.7-05.k | hipaa-1431.05k1Organizational.7-05.k | 1431.05k1Organizational.7-05.k | 14 Third Party Assurance | 1431.05k1Organizational.7-05.k 05.02 External Parties | Shared | n/a | The organization establishes personnel security requirements, including security roles and responsibilities, for third-party providers that are coordinated and aligned with internal security roles and responsibilities. | | 5 |
| hipaa | 1432.05k1Organizational.89-05.k | hipaa-1432.05k1Organizational.89-05.k | 1432.05k1Organizational.89-05.k | 14 Third Party Assurance | 1432.05k1Organizational.89-05.k 05.02 External Parties | Shared | n/a | The organization ensures a screening process is carried out for contractors and third-party users, and, where contractors are provided through an organization, the contract with the organization clearly specifies (i) the organization's responsibilities for screening and the notification procedures they need to follow if screening has not been completed, or if the results give cause for doubt or concern; and, (ii) all responsibilities and notification procedures for screening. | | 7 |
| hipaa | 1455.05kCSPOrganizational.4-05.k | hipaa-1455.05kCSPOrganizational.4-05.k | 1455.05kCSPOrganizational.4-05.k | 14 Third Party Assurance | 1455.05kCSPOrganizational.4-05.k 05.02 External Parties | Shared | n/a | Third-party service providers demonstrate compliance with information security and confidentiality, access control, service definitions, and service-level agreements included in third-party contracts. Third-party reports, records, and services undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements. | | 9 |
| hipaa | 1801.08b1Organizational.124-08.b | hipaa-1801.08b1Organizational.124-08.b | 1801.08b1Organizational.124-08.b | 18 Physical & Environmental Security | 1801.08b1Organizational.124-08.b 08.01 Secure Areas | Shared | n/a | Visitor and third-party support access is recorded and supervised unless previously approved. | | 3 |
| ISO27001-2013 | A.6.1.1 | ISO27001-2013_A.6.1.1 | ISO 27001:2013 A.6.1.1 | Organization of Information Security | Information security roles and responsibilities | Shared | n/a | All information security responsibilities shall be clearly defined and allocated. | link | 73 |
| ISO27001-2013 | A.7.2.1 | ISO27001-2013_A.7.2.1 | ISO 27001:2013 A.7.2.1 | Human Resources Security | Management responsibilities | Shared | n/a | Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. | link | 26 |
| NIST_SP_800-53_R4 | PS-7 | NIST_SP_800-53_R4_PS-7 | NIST SP 800-53 Rev. 4 PS-7 | Personnel Security | Third-Party Personnel Security | Shared | n/a | The organization:<br>a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;<br>b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;<br>c. Documents personnel security requirements;<br>d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and<br>e. Monitors provider compliance.<br>Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.<br>Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21.<br>Control Enhancements: None.<br>References: NIST Special Publication 800-35. | link | 5 |
| NIST_SP_800-53_R5 | PS-7 | NIST_SP_800-53_R5_PS-7 | NIST SP 800-53 Rev. 5 PS-7 | Personnel Security | External Personnel Security | Shared | n/a | a. Establish personnel security requirements, including security roles and responsibilities for external providers;<br>b. Require external providers to comply with personnel security policies and procedures established by the organization;<br>c. Document personnel security requirements;<br>d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and<br>e. Monitor provider compliance with personnel security requirements. | link | 5 |
| | org.1 Security policy | org.1 Security policy | 404 not found | | | | n/a | n/a | | 94 |
| | org.4 Authorization process | org.4 Authorization process | 404 not found | | | | n/a | n/a | | 126 |
| SOC_2 | CC9.2 | SOC_2_CC9.2 | SOC 2 Type 2 CC9.2 | Risk Mitigation | Vendors and business partners risk management | Shared | The customer is responsible for implementing this recommendation. | • Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.<br>• Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities' vendors and business partners) represent to the achievement of the entity's objectives.<br>• Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners.<br>• Establishes Communication Protocols for Vendors and Business Partners — The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners.<br>• Establishes Exception Handling Procedures From Vendors and Business Partners — The entity establishes exception handling procedures for service or product issues related to vendors and business partners.<br>• Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners.<br>• Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships.<br>• Implements Procedures for Terminating Vendor and Business Partner Relationships — The entity implements procedures for terminating vendor and business partner relationships.<br>Additional points of focus that apply only to an engagement using the trust services criteria for confidentiality:<br>• Obtains Confidentiality Commitments from Vendors and Business Partners — The entity obtains confidentiality commitments that are consistent with the entity's confidentiality commitments and requirements from vendors and business partners who have access to confidential information.<br>• Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity's confidentiality commitments and requirements.<br>Additional points of focus that apply only to an engagement using the trust services criteria for privacy:<br>• Obtains Privacy Commitments from Vendors and Business Partners — The entity obtains privacy commitments, consistent with the entity's privacy commitments and requirements, from vendors and business partners who have access to personal information.<br>• Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity's privacy commitments and requirements and takes corrective action as necessary. | | 20 |