T6.2.2 - MONITORING AND REVIEW OF THIRD PARTY SERVICES Implementation Guidance
The entity shall monitor and review the services, reports and records provided by the third party.
Monitoring and review of third party services should involve a service management relationship and process between the entity and the third party to:
- A. Monitor service performance levels to check adherence to the agreements;
- B. Review service reports produced by the third party and arrange regular progress meetings as required by the agreements;
- C. Provide information about information security incidents, and have this information reviewed by the third party and the entity, as required by the agreements and any supporting guidelines and procedures;
- D. Review third party audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered;
- E. Resolve and manage any identified problems.
The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team. In addition, the entity should ensure that the third party assigns responsibilities for checking for compliance and enforcing the requirements of the agreements. Sufficient technical skills and resources should be made available to monitor that the requirements of the agreement, in particular the information security requirements, are being met. Appropriate action should be taken when deficiencies in the service delivery are observed.
The entity should maintain sufficient overall control and visibility into all security aspects for sensitive or critical information or information systems accessed, processed or managed by a third party. The entity should ensure it retains visibility into security activities such as change management, identification of vulnerabilities, and information security incident reporting/response through a clearly defined reporting process, format and structure.