
CIS Control 15: Service Provider Management
Enterprises today rely on partners and vendors to help manage their data. Some companies depend on third-party infrastructure for day-to-day operations, so it is very important to understand the regulations and protection standards that a service provider promises to uphold.
Key Takeaways from Control 15
Identify your business needs and create a set of standards that can be used to grade proposed service providers. Every company is different, so the standards will differ from sector to sector.
Organize and monitor all service providers that are associated with your business. Keeping an inventory of all service providers will enable you to monitor them in case they update their policies. When a provider updates its policies, you can then assess and decide whether the service provider still meets the standards set in your service provider management policy.
Safeguards for Control 15
15.1 Establish and Maintain an Inventory of Service Providers
Description: Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually or when significant enterprise changes that could impact this Safeguard occur.
Notes: The security function associated with this Safeguard is Identify. The objective of this control is to keep an organized inventory of service providers and to identify a point of contact with each service provider.
15.2 Establish and Maintain a Service Provider Management Policy
Description: Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually or when significant enterprise changes that could impact this Safeguard occur.
Notes: The security function associated with this Safeguard is Identify. When (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Matthew Jerzewski. Read the original post at: https://www.tripwire.com/state-of-security/controls/cis-control-15/