“Relationships with IT TPS (Third Party Service) providers” covers all relationships in which external parties provide IT services to Company, either directly or indirectly. Direct involvement means third party staff working within Company IT environments; indirect involvement means third party IT staff working in their own IT environment while receiving, processing, storing or transmitting information to and from Company IT.
Minimum control objectives specified for internal Company IT must be attained in relationships with IT TPS providers where the contracted service impacts Company IT services or requires access to Company information or IT assets. This does not imply that the IT TPS provider must have the same (set of) controls as Company has internally, nor that control specifications in all contracts need to be identical. However, an acceptable level of consistency with the security objectives stipulated in Company policies, standards and architecture is expected.
The Managing IS Risks in IT Services Provided by Third Parties Standard requires the use of risk management techniques to stipulate the controls necessary for managing the relationship with IT third parties and those controls required in formal agreements with them. It also requires the measurement of control effectiveness (through testing and reporting), to be implemented by the IT TPS provider and the Company TPS relationship manager.
This standard covers all key aspects of IT TPS provider relationships, which include:
a. Setup of the relationship (initial idea, request for proposal, contract and detailed agreements)
b. Operational relationship until termination (deployment, periodic and continuous monitoring, improvements, changes and termination)
c. Any post-termination activities, such as return or secure deletion of confidential information
CONTENT
1. OVERVIEW
1.1 PROCEDURE OWNER
1.2 CLASSIFICATION
1.3 APPLICABLE REGULATIONS
1.4 RELATED [COMPANY] NORMS AND PROCEDURES
1.5 OBJECTIVES
1.6 AUDIENCE AND SCOPE
1.7 DOCUMENT SUPPORT
2. DEFINITIONS & ABBREVIATIONS
3. ROLES AND RESPONSIBILITIES
3.1 GENERAL
3.2 COMPANY THIRD PARTY SERVICE RELATIONSHIP MANAGER
3.3 IT RISK FUNCTION
3.4 LEGAL AND COMPLIANCE FUNCTION
3.5 THIRD PARTY SERVICE OWNER
3.6 THIRD PARTY SERVICE USER MANAGERS
4. COMPANY POLICIES AND STANDARDS
5. INFORMATION SECURITY RISK MANAGEMENT REQUIREMENTS
5.1 RISK ASSESSMENT
5.2 DUE DILIGENCE
5.3 CONTROLS
5.4 SUB-CONTRACTING BY THE THIRD PARTY SERVICE PROVIDER
5.5 MONITORING & IMPROVEMENT
5.6 THIRD PARTY SERVICE PROVIDER NON-COMPLIANCE
6. THIRD PARTY SERVICE PROVIDER EMPLOYEES
6.1 BACKGROUND CHECKS
6.2 CONFIDENTIALITY AGREEMENTS
7. CONTROL & OVERSIGHT
8. COMPLIANCE WITH THIS STANDARD
9. EXCEPTIONS
10. FINAL CONSIDERATIONS
10.1 DISCIPLINARY ACTIONS AGAINST PROCEDURE VIOLATION
10.2 DOCUMENT REVISION
11. APPENDIX A – CONTROL AREAS OF SUPERVISION BY COMPANY TPS RELATIONSHIP MANAGERS
Pages: 16