Control Summary
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

Why is it needed?
In today's interconnected environment, enterprises depend heavily on vendors and partners for data management, and they often rely on third-party infrastructure to support critical applications and operations.
Over the years, breaches affecting third-party entities have repeatedly had significant repercussions for enterprises. For instance, as far back as the late 2000s, attackers infiltrated smaller third-party vendors in the retail sector, leading to the compromise of payment card data. More recent examples include ransomware attacks that affect an enterprise indirectly because one of its service providers is locked down, resulting in business disruption. In the worst case, where the provider is directly connected, the ransomware can spread and encrypt data on the enterprise's own systems.
Implementing Control
You cannot manage what you are unaware of, so implementing this control starts with creating and maintaining an inventory of all service providers. Every business should have this inventory.
Implementation Group 1 requires a single safeguard:
15.1 Establish and Maintain an Inventory of Service Providers
Create and maintain a comprehensive list of service providers. The inventory should include every identified service provider, categorise each one appropriately, and assign an enterprise contact for each. Review and update the inventory annually, or whenever significant enterprise changes occur that could affect this safeguard.
Implementation Groups 2 and 3 add the following safeguards:
15.2 Establish and Maintain a Service Provider Management Policy
15.3 Classify Service Providers
15.4 Ensure Service Provider Contracts Include Security Requirements
15.5 Assess Service Providers
15.6 Monitor Service Providers
15.7 Securely Decommission Service Providers
