15.7 Securely Decommission Service Providers
Implementation Group: IG3
Asset Type: Data
Security Function: Protect

Description

Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Inventory all third-party service providers
7. Classify third parties by risk level
8. Conduct security assessments of critical vendors
9. Include security requirements in contracts

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Former Provider Retains Active Access to Enterprise Systems

Confidentiality

After contract termination, a former service provider's service accounts and VPN credentials remain active, providing continued access to enterprise systems because no decommissioning process revoked access.

Sensitive Data Persists in Former Provider's Environment

Confidentiality

Enterprise data including customer records and intellectual property remains in a decommissioned provider's systems indefinitely because no secure disposal was performed during offboarding.

Data Flow Continues to Decommissioned Provider

Confidentiality

Automated data feeds continue sending sensitive information to a former provider's systems after contract termination because data flows were not terminated as part of a decommissioning process.

Vulnerabilities (When Safeguard Absent)

No Formal Service Provider Decommissioning Process

Without a decommissioning process, user accounts, service accounts, API keys, data feeds, and network connections associated with former providers are not systematically revoked or terminated.

No Verification of Enterprise Data Disposal by Former Providers

Absence of a decommissioning process means the organization cannot verify that former providers have securely destroyed all enterprise data from their systems after the relationship ends.
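The Description and the vulnerabilities above list what a decommissioning process must cover: user and service accounts, API keys, VPN credentials, data feeds, and disposal of enterprise data. The following is an added example (not part of this safeguard's text) of an offboarding verification check over a constructed provider record; the `ProviderOffboarding` structure, field names and sample values are assumptions, and each open finding is tagged with the threat scenario it corresponds to.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class ProviderOffboarding:
    """Constructed offboarding record for one former service provider (hypothetical structure)."""
    provider: str
    contract_end: date
    accounts: dict[str, bool]         # user/service account -> still enabled?
    api_keys: dict[str, bool]         # key id -> revoked?
    vpn_credentials: dict[str, bool]  # credential id -> still active?
    data_flows: dict[str, bool]       # outbound feed -> still sending?
    disposal_attestation: bool        # provider confirmed enterprise data destroyed

def decommissioning_findings(rec: ProviderOffboarding) -> list[str]:
    """One finding per item not revoked, terminated or attested, tagged with its threat scenario."""
    findings = []
    for name, enabled in rec.accounts.items():
        if enabled:
            findings.append(f"retained-access: account '{name}' still enabled")
    for key_id, revoked in rec.api_keys.items():
        if not revoked:
            findings.append(f"retained-access: API key '{key_id}' not revoked")
    for cred, active in rec.vpn_credentials.items():
        if active:
            findings.append(f"retained-access: VPN credential '{cred}' still active")
    for feed, sending in rec.data_flows.items():
        if sending:
            findings.append(f"continuing-data-flow: feed '{feed}' still sending")
    if not rec.disposal_attestation:
        findings.append("persisting-data: no data disposal attestation on file")
    return findings

def days_overdue(rec: ProviderOffboarding, today: date) -> int:
    """Days past contract end with open findings; 0 once fully decommissioned."""
    if not decommissioning_findings(rec):
        return 0
    return max(0, (today - rec.contract_end).days)

# Constructed sample: VPN access and one nightly feed were never cut, and no attestation exists.
SAMPLE = ProviderOffboarding(
    provider="example-msp",
    contract_end=date(2024, 3, 31),
    accounts={"svc-backup": False, "jdoe@example-msp": False},
    api_keys={"key-01": True},
    vpn_credentials={"vpn-msp-01": True},
    data_flows={"nightly-customer-export": True, "ticket-sync": False},
    disposal_attestation=False,
)
```

Run `decommissioning_findings(SAMPLE)` against each provider record at contract end and again at the quarterly evidence capture; a non-empty result is the offboarding gap to close, and `days_overdue` gives how long it has been open.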

Evidence Requirements

Type      | Evidence Item                                                            | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document  | Procedure documentation for protection measures                          | Reviewed annually
Record    | Third-party risk assessment reports and scorecards                       | Annually per vendor
Document  | Vendor contracts with security requirements                              | Per contract cycle
Document  | Governing policy document (current, approved, communicated)              | Reviewed annually