Define, implement and evaluate processes, procedures and technical and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets.
The organization should perform due diligence before granting third party access to the organization's data or establishing connectivity (and periodically thereafter, commensurate with the risk level of the third-party relationship). Written agreements (contracts) should be maintained and include an acknowledgment that the third party is responsible for the security of the data the third party possesses or otherwise stores, processes, or transmits on the organization’s behalf. In addition, agreements should include requirements to address the information security risks associated with information and communications technology services (e.g., cloud computing services) and the product supply chain. These requirements are subsequently applicable to relevant, third-party (i.e., fourth parties) subcontractors (and so on) throughout the supply chain. Personnel security requirements should be established and documented—including security roles and responsibilities for third-party providers coordinated and aligned with internal security roles and responsibilities. Monitor providers for compliance. Additionally, the organization should have a screening process for contractors and third-party users. When organizations provide contractors, the contract should specify the organization's responsibilities for screening and relevant notification procedures if screening has not been completed (or if the results cause doubts or concerns). Similarly, third-party agreements should specify all responsibilities and notification procedures for screening. Third-party providers should notify a designated individual or role (e.g., a member of the contracting or supply chain function) of any personnel transfers or terminations of third-party personnel who possess organizational credentials, badges, or have information system privileges. Formal contracts should be employed that, at a minimum, specify:
- The covered information’s confidential nature and value.
- The security measures to be implemented and/or complied with. These include the organization's information security requirements and appropriate controls required by applicable federal laws, executive orders, directives, policies, regulations, standards and guidance, and third-party access limitations.
- The service levels to be achieved in the services provided.
- The format and frequency of reporting to the organization's information security management forum.
- The arrangement for representation of the third party in appropriate organizational meetings and working groups.
- The arrangements for third-party compliance auditing.
- The penalties exacted if any of the preceding specifications fail.
Mutually agreed-upon provisions and/or terms should be established to satisfy customer (tenant) requirements for service-to-service application (API), information processing interoperability, portability for application development and information exchange, usage, and integrity persistence.
- Examine procedures for adequacy, currency, communication, and effectiveness.
- Determine the organization's definition of third-party endpoints.
- Determine the extent and applicability of the processes, procedures, and technical measures over third-party endpoints.
- Examine policy and procedures for evidence of review, with respect to effectiveness.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.