ID.DE-P3: Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization’s privacy program.
Related Controls
NIST Special Publication 800-53 Revision 5
SA-4: Acquisition Process
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Assignment (one or more): standardized contract language, [Assignment: organization-defined contract language] ] in the acquisition contract for the system, system component, or system service: Security and privacy functional requirements; Strength of mechanism requirements; Security and privacy assurance requirements; Controls needed to satisfy the…
SA-9: External System Services
Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; Define and document organizational oversight and user roles and responsibilities with regard to external system services; and Employ the following processes, methods, and techniques to monitor control compliance by external service providers on…
SR-2: Supply Chain Risk Management Plan
Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services]; Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as…
SR-3: Supply Chain Controls and Processes
Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit…
SR-5: Acquisition Strategies, Tools, and Methods
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].
SR-8: Notification Agreements
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Assignment (one or more): notification of supply chain compromises, results of assessments or audits, [Assignment: organization-defined information] ].
Cloud Controls Matrix v3.0.1
CCC-01: New Development / Acquisition
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network, and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization’s business leadership or other accountable business role or function.
CCC-02: Outsourced Development
External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
STA-05: Supply Chain Agreements
Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms: Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities…
Critical Security Controls Version 8
15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
NIST Special Publication 800-53 Revision 4
SA-4: Acquisition Process
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements; Security strength requirements; Security assurance requirements; Security-related documentation…
SA-9: External Information System Services
The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and Employs…
Critical Security Controls Version 7.1
18: Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.