II.C.20 Oversight of Third-Party Service Providers

Action Summary

Management should oversee outsourced operations through the following:

  • Appropriate due diligence in third-party research, selection, and relationship management.
  • Contractual assurances for security responsibilities, controls, and reporting.
  • Nondisclosure agreements regarding the institution's systems and data.
  • Independent review of the third party's security through appropriate reports from audits and tests.
  • Coordination of incident response policies and contractual notification requirements.
  • Verification that information and cybersecurity risks are appropriately identified, measured, mitigated, monitored, and reported.

Management should conduct appropriate due diligence in selecting and monitoring third-party service providers. Management should be responsible for ensuring that such third parties use suitable information security controls when providing services to the institution. When indicated by the institution's risk assessment, management should monitor third-party service providers to confirm that they are maintaining appropriate controls. If the third-party service provider stores, transmits, processes, or disposes of customer information, management should require third-party service providers by contract to implement appropriate measures designed to meet the Information Security Standards.

Management should evaluate information security considerations of potential third-party service providers during initial due diligence. Refer to the IT Handbook's "Outsourcing Technology Services" booklet for more information.

Management should verify that third-party service providers implement and maintain controls sufficient to appropriately mitigate risks. The institution's contracts should do the following:

  • Include minimum control and reporting standards.
  • Provide for the right to require changes to standards as external and internal environments change.
  • Specify that the institution or an independent auditor has access to the service provider to perform evaluations of the service provider's performance against the Information Security Standards.

Refer to the "Third-Party Reviews of Technology Service Providers" section of the IT Handbook's "Audit" booklet for more information.

Additionally, as part of the oversight of third-party service providers, management should determine whether cyber risks are identified, measured, mitigated, monitored, and reported by such third parties, because third-party cyber threats can have an impact on the institution. Information security reporting by the institution should incorporate an assessment of these third-party risks so that management has a comprehensive understanding of the institution's exposure to third-party cyber threats.
