II.C.20 Oversight of Third-Party Service Providers
Management should oversee outsourced operations through the following:
Management should conduct appropriate due diligence in selecting
and monitoring third-party service providers. Management should be
responsible for ensuring that such third parties use suitable
information security controls when providing services to the
institution. When indicated by the institution's risk assessment,
management should monitor third-party service providers to confirm
that they are maintaining appropriate controls. If the third-party
service provider stores, transmits, processes, or disposes of
customer information, management should require third-party service
providers by contract to implement appropriate measures designed to
meet the Information Security Standards.
Management should evaluate information security considerations
of potential third-party service providers during initial due
diligence. Refer to the IT Handbook's "Outsourcing
Technology Services" booklet for more information.
Management should verify that third-party service providers
implement and maintain controls sufficient to appropriately
mitigate risks. The institution's contracts should do the
Refer to the "Third-Party Reviews of Technology Service
Providers" section of the IT Handbook's "Audit" booklet
for more information.
Additionally, as part of the oversight of third-party service
providers, management should determine whether cyber risks are
identified, measured, mitigated, monitored, and reported by such
third parties, because third-party cyber threats can have an impact on
the institution. Information security reporting by the institution
should incorporate an assessment of these third-party risks to
facilitate a comprehensive understanding of the institution's
exposure to third-party cyber threats.