15.6
IG3

Monitor Service Providers

Asset Type: Data
Security Function: Detect

Description

Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths
6. Draft policy/procedure document
7. Obtain stakeholder review and approval
8. Communicate to affected personnel
9. Schedule periodic review and updates
10. Inventory all third-party service providers
11. Classify third parties by risk level
12. Conduct security assessments of critical vendors
13. Include security requirements in contracts

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Provider Breach Detected Months After Occurrence

Confidentiality

A monitored service provider suffers a breach that is not discovered for months because the organization has no ongoing monitoring program to track provider security posture changes or dark web exposure.

Critical Provider Vulnerability Left Unpatched Without Enterprise Knowledge

Integrity

A key service provider delays patching a critical vulnerability in their platform, and the organization is unaware because it does not monitor provider release notes or security advisories.

Enterprise Credentials Found on Dark Web Linked to Provider Breach

Confidentiality

Enterprise user credentials appear on dark web markets following a provider compromise, but the organization has no monitoring capability to detect this exposure and trigger credential rotation.

Vulnerabilities (When Safeguard Absent)

No Ongoing Monitoring of Service Provider Security

Without continuous monitoring, the organization cannot detect changes in a provider's security posture, compliance status, or exposure to breaches between periodic assessments.

No Dark Web or Threat Intelligence Monitoring for Provider Exposure

Absence of dark web monitoring means the organization cannot detect when provider-related credentials, data, or access are being traded or exploited by threat actors.

Evidence Requirements

Type | Evidence Item | Collection Frequency
Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly
Technical | Sample alert/detection output demonstrating capability | Captured quarterly
Record | Third-party risk assessment reports and scorecards | Annually per vendor
Document | Vendor contracts with security requirements | Per contract cycle
Document | Governing policy document (current, approved, communicated) | Reviewed annually