compliance controls are associated with this Policy definition 'Ensure external providers consistently meet interests of the customers' (3eabed6d-1912-2d3c-858b-f438d08d0412)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
SA-9(4) |
FedRAMP_High_R4_SA-9(4) |
FedRAMP High SA-9 (4) |
System And Services Acquisition |
Consistent Interests Of Consumers And Providers |
Shared |
n/a |
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.
Supplemental Guidance: As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities. |
link |
1 |
| FedRAMP_Moderate_R4 |
SA-9(4) |
FedRAMP_Moderate_R4_SA-9(4) |
FedRAMP Moderate SA-9 (4) |
System And Services Acquisition |
Consistent Interests Of Consumers And Providers |
Shared |
n/a |
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.
Supplemental Guidance: As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities. |
link |
1 |
| hipaa |
0837.09.n2Organizational.2-09.n |
hipaa-0837.09.n2Organizational.2-09.n |
0837.09.n2Organizational.2-09.n |
08 Network Protection |
0837.09.n2Organizational.2-09.n 09.06 Network Security Management |
Shared |
n/a |
Formal agreements with external information system providers include specific obligations for security and privacy. |
|
20 |
| hipaa |
0888.09n2Organizational.6-09.n |
hipaa-0888.09n2Organizational.6-09.n |
0888.09n2Organizational.6-09.n |
08 Network Protection |
0888.09n2Organizational.6-09.n 09.06 Network Security Management |
Shared |
n/a |
The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared. |
|
17 |
| hipaa |
1422.05j2Organizational.3-05.j |
hipaa-1422.05j2Organizational.3-05.j |
1422.05j2Organizational.3-05.j |
14 Third Party Assurance |
1422.05j2Organizational.3-05.j 05.02 External Parties |
Shared |
n/a |
All security requirements resulting from work with external parties or internal controls are reflected by the agreement with the external party. |
|
6 |
| hipaa |
1423.05j2Organizational.4-05.j |
hipaa-1423.05j2Organizational.4-05.j |
1423.05j2Organizational.4-05.j |
14 Third Party Assurance |
1423.05j2Organizational.4-05.j 05.02 External Parties |
Shared |
n/a |
For all system connections that allow customers to access the organization's computing assets such as websites, kiosks, and public access terminals, the organization provides appropriate text or a link to the organization's privacy policy for data use and protection as well as the customer's responsibilities when accessing the data. |
|
9 |
| hipaa |
1438.09e2System.4-09.e |
hipaa-1438.09e2System.4-09.e |
1438.09e2System.4-09.e |
14 Third Party Assurance |
1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The service provider protects the company's data with reasonable controls (e.g., policies and procedures) designed to detect, prevent, and mitigate risk. |
|
14 |
| hipaa |
1453.05kCSPOrganizational.2-05.k |
hipaa-1453.05kCSPOrganizational.2-05.k |
1453.05kCSPOrganizational.2-05.k |
14 Third Party Assurance |
1453.05kCSPOrganizational.2-05.k 05.02 External Parties |
Shared |
n/a |
Supply chain agreements (e.g., SLAs) between cloud service providers and customers (tenants) incorporate at least the following mutually-agreed upon provisions and/or terms: (i) scope of business relationship and services offered, data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations; (ii) information security requirements, points of contact, and references to detailed supporting and relevant business processes and technical measures implemented; (iii) notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts; (iv) timely notification of a security incident to all customers (tenants) and other business relationships impacted; (v) assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed; (vi) expiration of the business relationship and treatment of customer (tenant) data impacted; and, (vii) customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence. |
|
10 |
| hipaa |
1577.11aCSPOrganizational.1-11.a |
hipaa-1577.11aCSPOrganizational.1-11.a |
1577.11aCSPOrganizational.1-11.a |
15 Incident Management |
1577.11aCSPOrganizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses |
Shared |
n/a |
Cloud service providers make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals). |
|
2 |
| NIST_SP_800-53_R4 |
SA-9(4) |
NIST_SP_800-53_R4_SA-9(4) |
NIST SP 800-53 Rev. 4 SA-9 (4) |
System And Services Acquisition |
Consistent Interests Of Consumers And Providers |
Shared |
n/a |
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.
Supplemental Guidance: As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities. |
link |
1 |
| NIST_SP_800-53_R5 |
SA-9(4) |
NIST_SP_800-53_R5_SA-9(4) |
NIST SP 800-53 Rev. 5 SA-9 (4) |
System and Services Acquisition |
Consistent Interests of Consumers and Providers |
Shared |
n/a |
Take the following actions to verify that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests: [Assignment: organization-defined actions]. |
link |
1 |
| SWIFT_CSCF_v2022 |
1.1 |
SWIFT_CSCF_v2022_1.1 |
SWIFT CSCF v2022 1.1 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. |
Shared |
n/a |
A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. |
link |
22 |