T6 Third Party Security

OBJECTIVE

To maintain a third party security policy covering the security of acquired services

PERFORMANCE INDICATOR

Extent of third party security policy deployment and adoption across the entity

AUTOMATION GUIDANCE

Not applicable

RELEVANT THREATS AND VULNERABILITIES

1. Unsuitable third party security policy
2. Unawareness of third party security policy among IT staff

APPLICABLE CONTROLS

Followings are controls applicable for this control family.

• T6.1.1 - P4 - THIRD PARTY SECURITY POLICY

OBJECTIVE:

To ensure third parties implement and maintain the appropriate level of information security and service delivery

PERFORMANCE INDICATOR:

Frequency of information security incidents involving third parties

AUTOMATION GUIDANCE

Not applicable

RELEVANT THREATS AND VULNERABILITIES

1. Abuse of functionality
2. Data from untrustworthy sources

APPLICABLE CONTROLS

Followings are controls applicable for this control family.

• T6.2.1 - P2 - SERVICE DELIVERY
• T6.2.2 - P2 -MONITORING AND REVIEW OF THIRD PARTY SERVICES
• T6.2.3 - P2 - MANAGING CHANGES TO THIRD PARTY SERVICES

OBJECTIVE:

To secure information stored, processed, and retrieved through cloud services

PERFORMANCE INDICATOR:

Percentage of service level agreements capturing all relevant cloud security requirements

AUTOMATION GUIDANCE

Not applicable

RELEVANT THREATS AND VULNERABILITIES

1. Abuse of functionality
2. Accidental leaks / sharing of data
3. Illegal processing of data

APPLICABLE CONTROLS

Followings are controls applicable for this control family.

• T6.3.1 - P2 - INFORMATION SECURITY REQUIREMENTS FOR CLOUD ENVIRONMENTS
• T6.3.2 - P2 - SERVICE DELIVERY AGREEMENTS WITH CLOUD PROVIDERS