compliance controls are associated with this Policy definition 'Document security assurance requirements in acquisition contracts' (13efd2d7-3980-a2a4-39d0-527180c009e8)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
SA-4 |
FedRAMP_High_R4_SA-4 |
FedRAMP High SA-4 |
System And Services Acquisition |
Acquisition Process |
Shared |
n/a |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12.
References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. |
link |
11 |
FedRAMP_Moderate_R4 |
SA-4 |
FedRAMP_Moderate_R4_SA-4 |
FedRAMP Moderate SA-4 |
System And Services Acquisition |
Acquisition Process |
Shared |
n/a |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12.
References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. |
link |
11 |
hipaa |
0640.10k2Organizational.1012-10.k |
hipaa-0640.10k2Organizational.1012-10.k |
0640.10k2Organizational.1012-10.k |
06 Configuration Management |
0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles. |
|
22 |
hipaa |
0837.09.n2Organizational.2-09.n |
hipaa-0837.09.n2Organizational.2-09.n |
0837.09.n2Organizational.2-09.n |
08 Network Protection |
0837.09.n2Organizational.2-09.n 09.06 Network Security Management |
Shared |
n/a |
Formal agreements with external information system providers include specific obligations for security and privacy. |
|
20 |
hipaa |
0888.09n2Organizational.6-09.n |
hipaa-0888.09n2Organizational.6-09.n |
0888.09n2Organizational.6-09.n |
08 Network Protection |
0888.09n2Organizational.6-09.n 09.06 Network Security Management |
Shared |
n/a |
The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared. |
|
17 |
hipaa |
1406.05k1Organizational.110-05.k |
hipaa-1406.05k1Organizational.110-05.k |
1406.05k1Organizational.110-05.k |
14 Third Party Assurance |
1406.05k1Organizational.110-05.k 05.02 External Parties |
Shared |
n/a |
A standard agreement with third-parties is defined and includes the required security controls in accordance with the organization's security policies. |
|
11 |
hipaa |
1409.09e2System.1-09.e |
hipaa-1409.09e2System.1-09.e |
1409.09e2System.1-09.e |
14 Third Party Assurance |
1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The organization develops, disseminates and annually reviews/updates a list of current service providers, which includes a description of services provided. |
|
15 |
hipaa |
1410.09e2System.23-09.e |
hipaa-1410.09e2System.23-09.e |
1410.09e2System.23-09.e |
14 Third Party Assurance |
1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The organization addresses information security and other business considerations when acquiring systems or services; including maintaining security during transitions and continuity following a failure or disaster. |
|
11 |
hipaa |
1416.10l1Organizational.1-10.l |
hipaa-1416.10l1Organizational.1-10.l |
1416.10l1Organizational.1-10.l |
14 Third Party Assurance |
1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes |
Shared |
n/a |
Where software development is outsourced, formal contracts are in place to address the ownership and security of the code and application. |
|
11 |
hipaa |
1417.10l2Organizational.1-10.l |
hipaa-1417.10l2Organizational.1-10.l |
1417.10l2Organizational.1-10.l |
14 Third Party Assurance |
1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes |
Shared |
n/a |
Where software development is outsourced, the development process is monitored by the organization and includes independent security and code reviews. |
|
12 |
hipaa |
1419.05j1Organizational.12-05.j |
hipaa-1419.05j1Organizational.12-05.j |
1419.05j1Organizational.12-05.j |
14 Third Party Assurance |
1419.05j1Organizational.12-05.j 05.02 External Parties |
Shared |
n/a |
The organization ensures that customers are aware of their obligations and rights, and accept the responsibilities and liabilities prior to accessing, processing, communicating, or managing the organization's information and information assets. |
|
11 |
hipaa |
1421.05j2Organizational.12-05.j |
hipaa-1421.05j2Organizational.12-05.j |
1421.05j2Organizational.12-05.j |
14 Third Party Assurance |
1421.05j2Organizational.12-05.j 05.02 External Parties |
Shared |
n/a |
Access by customers to the organization's information is not provided until the appropriate controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement, including specific terms around asset protection, access control policy, arrangements for the resolution of inaccuracies, a description of each service provided, service levels, benefits to the customer, legal responsibilities of the organization and the customer, and any intellectual property rights. |
|
10 |
hipaa |
1429.05k1Organizational.34-05.k |
hipaa-1429.05k1Organizational.34-05.k |
1429.05k1Organizational.34-05.k |
14 Third Party Assurance |
1429.05k1Organizational.34-05.k 05.02 External Parties |
Shared |
n/a |
The organization maintains written agreements (contracts) that include: (i) an acknowledgement that the third-party (e.g., a service provider) is responsible for the security of the data and requirements to address the associated information security risks; and, (ii) requirements to address the information security risks associated with information and communications technology services (e.g., cloud computing services) and product supply chain. |
|
14 |
hipaa |
1430.05k1Organizational.56-05.k |
hipaa-1430.05k1Organizational.56-05.k |
1430.05k1Organizational.56-05.k |
14 Third Party Assurance |
1430.05k1Organizational.56-05.k 05.02 External Parties |
Shared |
n/a |
The agreement ensures that there is no misunderstanding between the organization and the third-party and satisfies the organization as to the indemnity of the third-party. |
|
13 |
hipaa |
1438.09e2System.4-09.e |
hipaa-1438.09e2System.4-09.e |
1438.09e2System.4-09.e |
14 Third Party Assurance |
1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The service provider protects the company's data with reasonable controls (e.g., policies and procedures) designed to detect, prevent, and mitigate risk. |
|
14 |
hipaa |
17100.10a3Organizational.5 |
hipaa-17100.10a3Organizational.5 |
17100.10a3Organizational.5 |
17 Risk Management |
17100.10a3Organizational.5 10.01 Security Requirements of Information Systems |
Shared |
n/a |
The organization includes specific security-related requirements in information system acquisition contracts based on applicable laws, policies, standards, guidelines and business needs. |
|
8 |
hipaa |
17120.10a3Organizational.5-10.a |
hipaa-17120.10a3Organizational.5-10.a |
17120.10a3Organizational.5-10.a |
17 Risk Management |
17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
The organization documents all existing outsourced information services and conducts an organizational assessment of risk prior to the acquisition or outsourcing of information services. |
|
10 |
hipaa |
1783.10a1Organizational.56-10.a |
hipaa-1783.10a1Organizational.56-10.a |
1783.10a1Organizational.56-10.a |
17 Risk Management |
1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
A formal acquisition process is followed for purchased commercial products, and supplier contracts include the identified security requirements. |
|
8 |
ISO27001-2013 |
A.14.1.1 |
ISO27001-2013_A.14.1.1 |
ISO 27001:2013 A.14.1.1 |
System Acquisition, Development And Maintenance |
Information security requirements analysis and specification |
Shared |
n/a |
The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. |
link |
24 |
ISO27001-2013 |
A.14.2.7 |
ISO27001-2013_A.14.2.7 |
ISO 27001:2013 A.14.2.7 |
System Acquisition, Development And Maintenance |
Outsourced development |
Shared |
n/a |
The organization shall supervise and monitor the activity of outsourced system development. |
link |
28 |
ISO27001-2013 |
A.14.2.9 |
ISO27001-2013_A.14.2.9 |
ISO 27001:2013 A.14.2.9 |
System Acquisition, Development And Maintenance |
System acceptance testing |
Shared |
n/a |
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. |
link |
14 |
ISO27001-2013 |
A.15.1.2 |
ISO27001-2013_A.15.1.2 |
ISO 27001:2013 A.15.1.2 |
Supplier Relationships |
Addressing security within supplier agreement |
Shared |
n/a |
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. |
link |
24 |
ISO27001-2013 |
A.15.2.2 |
ISO27001-2013_A.15.2.2 |
ISO 27001:2013 A.15.2.2 |
Supplier Relationships |
Managing changes to supplier services |
Shared |
n/a |
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. |
link |
15 |
ISO27001-2013 |
A.5.1.1 |
ISO27001-2013_A.5.1.1 |
ISO 27001:2013 A.5.1.1 |
Information Security Policies |
Policies for information security |
Shared |
n/a |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
link |
42 |
ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
ISO27001-2013 |
A.6.1.5 |
ISO27001-2013_A.6.1.5 |
ISO 27001:2013 A.6.1.5 |
Organization of Information Security |
Information security in project management |
Shared |
n/a |
Information security shall be addressed in project management, regardless of the type of the project. |
link |
25 |
ISO27001-2013 |
A.7.1.2 |
ISO27001-2013_A.7.1.2 |
ISO 27001:2013 A.7.1.2 |
Human Resources Security |
Terms and conditions of employment |
Shared |
n/a |
The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. |
link |
24 |
ISO27001-2013 |
A.7.2.1 |
ISO27001-2013_A.7.2.1 |
ISO 27001:2013 A.7.2.1 |
Human Resources Security |
Management responsibilities |
Shared |
n/a |
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. |
link |
26 |
ISO27001-2013 |
C.4.3.c |
ISO27001-2013_C.4.3.c |
ISO 27001:2013 C.4.3.c |
Context of the organization |
Determining the scope of the information security management system |
Shared |
n/a |
The organization shall determine the boundaries and applicability of the information security
management system to establish its scope.
When determining this scope, the organization shall consider:
c) interfaces and dependencies between activities performed by the organization, and those that are
performed by other organizations.
The scope shall be available as documented information. |
link |
18 |
|
mp.per.1 Job characterization |
mp.per.1 Job characterization |
404 not found |
|
|
|
n/a |
n/a |
|
41 |
|
mp.per.2 Duties and obligations |
mp.per.2 Duties and obligations |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.s.1 E-mail protection |
mp.s.1 E-mail protection |
404 not found |
|
|
|
n/a |
n/a |
|
48 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
|
mp.sw.1 IT Aplications development |
mp.sw.1 IT Aplications development |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.sw.2 Acceptance and commissioning |
mp.sw.2 Acceptance and commissioning |
404 not found |
|
|
|
n/a |
n/a |
|
60 |
NIST_SP_800-53_R4 |
SA-4 |
NIST_SP_800-53_R4_SA-4 |
NIST SP 800-53 Rev. 4 SA-4 |
System And Services Acquisition |
Acquisition Process |
Shared |
n/a |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12.
References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. |
link |
11 |
NIST_SP_800-53_R5 |
SA-4 |
NIST_SP_800-53_R5_SA-4 |
NIST SP 800-53 Rev. 5 SA-4 |
System and Services Acquisition |
Acquisition Process |
Shared |
n/a |
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (OneOrMore): standardized contract language; [Assignment: organization-defined contract language] ] in the acquisition contract for the system, system component, or system service:
a. Security and privacy functional requirements;
b. Strength of mechanism requirements;
c. Security and privacy assurance requirements;
d. Controls needed to satisfy the security and privacy requirements.
e. Security and privacy documentation requirements;
f. Requirements for protecting security and privacy documentation;
g. Description of the system development environment and environment in which the system is intended to operate;
h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
i. Acceptance criteria. |
link |
11 |
|
op.ext.1 Contracting and service level agreements |
op.ext.1 Contracting and service level agreements |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
op.ext.2 Daily management |
op.ext.2 Daily management |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
|
op.nub.1 Cloud service protection |
op.nub.1 Cloud service protection |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
op.pl.5 Certified components |
op.pl.5 Certified components |
404 not found |
|
|
|
n/a |
n/a |
|
26 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |
PCI_DSS_v4.0 |
12.8.2 |
PCI_DSS_v4.0_12.8.2 |
PCI DSS v4.0 12.8.2 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
Written agreements with TPSPs are maintained as follows:
• Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE. |
link |
15 |
PCI_DSS_v4.0 |
12.8.5 |
PCI_DSS_v4.0_12.8.5 |
PCI DSS v4.0 12.8.5 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity. |
link |
13 |
SOC_2 |
CC5.2 |
SOC_2_CC5.2 |
SOC 2 Type 2 CC5.2 |
Control Activities |
COSO Principle 11 |
Shared |
The customer is responsible for implementing this recommendation. |
• Determines Dependency Between the Use of Technology in Business Processes and
Technology General Controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and
technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities — Management
selects and develops control activities over the technology infrastructure, which are
designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Controls Activities — Management selects and develops control activities that are designed and implemented
to restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities — Management selects and develops control activities over the acquisition, development and maintenance of technology and its infrastructure to achieve management's objectives. |
|
18 |
SOC_2 |
CC9.2 |
SOC_2_CC9.2 |
SOC 2 Type 2 CC9.2 |
Risk Mitigation |
Vendors and business partners risk management |
Shared |
The customer is responsible for implementing this recommendation. |
Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement
that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.
• Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic
basis, the risks that vendors and business partners (and those entities’ vendors and
business partners) represent to the achievement of the entity's objectives.
• Assigns Responsibility and Accountability for Managing Vendors and Business
Partners — The entity assigns responsibility and accountability for the management
of risks associated with vendors and business partners.
• Establishes Communication Protocols for Vendors and Business Partners — The
entity establishes communication and resolution protocols for service or product issues related to vendors and business partners.
• Establishes Exception Handling Procedures From Vendors and Business Partners
— The entity establishes exception handling procedures for service or product issues related to vendors and business partners.
• Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners.
• Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships.
• Implements Procedures for Terminating Vendor and Business Partner Relationships
— The entity implements procedures for terminating vendor and business partner
relationships.
Additional points of focus that apply only to an engagement using the trust services criteria for
confidentiality:
• Obtains Confidentiality Commitments from Vendors and Business Partners — The
entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who
have access to confidential information.
• Assesses Compliance With Confidentiality Commitments of Vendors and Business
Partners — On a periodic and as-needed basis, the entity assesses compliance by
vendors and business partners with the entity’s confidentiality commitments and requirements.
Additional points of focus that apply only to an engagement using the trust services criteria for
privacy:
• Obtains Privacy Commitments from Vendors and Business Partners — The entity
obtains privacy commitments, consistent with the entity’s privacy commitments and
requirements, from vendors and business partners who have access to personal information.
• Assesses Compliance with Privacy Commitments of Vendors and Business Partners
— On a periodic and as-needed basis, the entity assesses compliance by vendors
and business partners with the entity’s privacy commitments and requirements and
takes corrective action as necessary |
|
20 |
SOC_2 |
P6.1 |
SOC_2_P6.1 |
SOC 2 Type 2 P6.1 |
Additional Criteria For Privacy |
Personal information third party disclosure |
Shared |
The customer is responsible for implementing this recommendation. |
• Communicates Privacy Policies to Third Parties — Privacy policies or other specific
instructions or requirements for handling personal information are communicated
to third parties to whom personal information is disclosed.
• Discloses Personal Information Only When Appropriate — Personal information is
disclosed to third parties only for the purposes for which it was collected or created
and only when implicit or explicit consent has been obtained from the data subject,
unless a law or regulation specifically requires otherwise.
• Discloses Personal Information Only to Appropriate Third Parties — Personal information
is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the
entity’s privacy notice or other specific instructions or requirements. The entity has
procedures in place to evaluate that the third parties have effective controls to meet
the terms of the agreement, instructions, or requirements.
• Discloses Information to Third Parties for New Purposes and Uses — Personal information
is disclosed to third parties for new purposes or uses only with the prior
implicit or explicit consent of data subjects. |
|
15 |
SOC_2 |
P6.5 |
SOC_2_P6.5 |
SOC 2 Type 2 P6.5 |
Additional Criteria For Privacy |
Third party unauthorized disclosure notification |
Shared |
The customer is responsible for implementing this recommendation. |
• Remediates Misuse of Personal Information by a Third Party — The entity takes
remedial action in response to misuse of personal information by a third party to
whom the entity has transferred such information.
• Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining
commitments from vendors and other third parties to report to the entity actual
or suspected unauthorized disclosures of personal information. |
|
12 |
SWIFT_CSCF_v2022 |
2.8A |
SWIFT_CSCF_v2022_2.8A |
SWIFT CSCF v2022 2.8A |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. |
Shared |
n/a |
Critical outsourced activities are protected, at a minimum, to the same standard of care as if operated within the originating organisation. |
link |
11 |