Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
Why Is This Control Critical?
In our modern, connected world, enterprises rely on vendors and partners to help manage their data or rely on third-party infrastructure for core applications or functions. There have been numerous examples where third-party breaches have significantly impacted an enterprise; for example, as early as the late 2000s, payment card compromises were tied to third-party, point-of-sale vendors. More recently, a healthcare enterprise found that data for millions of patients was exposed because a billing services vendor had been compromised. This is not only a technology problem -- legal and regulatory operations within an enterprise must establish and maintain standards for any and all third parties.
Related Policy Templates
Safeguards (7)
| ID | Title | Asset Type | Function | Implementation Groups |
|---|---|---|---|---|
| 15.1 | Establish and Maintain an Inventory of Service Providers | N/A | Identify |
IG1
IG2
IG3
|
| 15.2 | Establish and Maintain a Service Provider Management Policy | N/A | Identify |
IG2
IG3
|
| 15.3 | Classify Service Providers | N/A | Identify |
IG2
IG3
|
| 15.4 | Ensure Service Provider Contracts Include Security Requirements | N/A | Protect |
IG2
IG3
|
| 15.5 | Assess Service Providers | N/A | Identify |
IG3
|
| 15.6 | Monitor Service Providers | Data | Detect |
IG3
|
| 15.7 | Securely Decommission Service Providers | Data | Protect |
IG3
|