When beginning the process of evaluating supplier relationships, the following information and material will be needed:
Identify and document the various suppliers and the types of information that they access or manipulate. Use the Comparison of Service Organization Control (SOC) Reports table below to better understand the different types of SOC reports.
Identify current policies and standards that describe or include third-party responsibilities and any compliance requirements associated with external providers (e.g., HIPAA, PCI DSS).
Review data classification standards (see the Supplier Service Delivery Management section) and how these relate to the suppliers and the information that they handle. Where applicable, work with your institution's risk manager and/or general counsel to ensure that information security and data protection are included in any supplier contracts.
Review or develop a supplier lifecycle process, including initial reviews, monitoring, validation, and ongoing assessments. Reference the Risk Management chapter for assistance in modeling a supplier lifecycle process.
Organizations with more mature programs will have some or all of this information previously aggregated.
External suppliers are a vital component of business operations. Suppliers may have access to a wide range of information from the supported organization. Once shared with a supplier, direct control of this information is lost, regardless of its sensitivity or value. As a result, appropriate technical and contractual controls and mitigation processes must be established with all external suppliers. One essential control is to ensure the existence of a data sharing agreement that clearly delineates roles and responsibilities. Some data privacy regulations may have specific data sharing requirements that must be met. As an example, FERPA (34 CFR §99.31(a)(3)) requires the execution of a written agreement containing certain data protection elements. A data sharing checklist can be found on the U.S. Department of Education's Privacy Technical Assistance Center (PTAC) website.
The contracting organization should understand that the management of external providers is a lifecycle. Part of this cycle is a process to monitor and continuously assess provider performance and compliance. A variety of tools may be used to assess and validate external supplier data protection practices. In almost all cases, some mitigation will be contractual and requires extensive documentation.
In addition to protecting information handled and used by external suppliers, the organization must also assess service availability. If business-critical data or functions are supported by an external entity, then the provider's disaster recovery processes are integral to the recovery processes of the hiring entity. Agreements regarding the return of data in the event of contract termination or unexpected closure should also be considered within the lifecycle.
Additional important elements to consider:
Information Classification
Incident Management
Objective: Institutions should ensure that third parties adequately secure the information and technology resources that they access, process, and manage. This includes information sharing, defining legal obligations, and ensuring non-disclosure agreements are executed to protect confidential information.
Institutions should identify and require, in a policy, information security controls that specifically address external parties (contractors, service providers) gaining authorized access to the organization's information. The controls should also specify the processes and procedures to be followed, either when third-party contractors work within the organization or when there are service provider/hosting arrangements.
Suppliers should be managed throughout the lifecycle of the relationship with them, from initially reviewing their contracts and security methods to monitoring their SLAs and performance agreements once they are engaged to perform services and/or provide solutions.
Access control, especially for sensitive information, must be accurately defined, managed, and monitored. Awareness training for both the organization's staff and supplier staff that handle or interact with this data must be addressed. Finally, service transitions should be documented and include procedures for secure data transfers and availability as the relationship changes during the lifecycle.
For additional guidance, see ISO/IEC 27036:2013+ — IT Security — Security techniques — Information security for supplier relationships, and Praxiom's Third Party Service Provider Audit Tool. Materials related to NIST SP 800-171 for higher education are also available in the Resources section below.
Many (but not all) supplier relationships will involve cloud computing services and processes, which should be carefully considered as a part of Supplier Relationship Management. One essential control that the institution can implement is the development of a checklist to assess contractual cloud service providers. If regulated and/or sensitive data is being put in the cloud, then the institution should consider obtaining formal written assurances from cloud service providers, including the regular submission of independent assessments and/or audits. The institution should always consider asking these cloud service providers for a copy of a SOC 2 report, which focuses strictly on reviewing controls related to the confidentiality, integrity, and availability of information and systems. Key findings cited in the 2015 ECAR IT Service Delivery in Higher Education study reinforce the importance of this trend, including:
| | SOC 1 Reports | SOC 2 Reports | SOC 3 Reports |
|---|---|---|---|
| Also known as | Statement on Standards for Attestation Engagements (SSAE) 16, formerly known as a SAS 70 report | | |
| Type 1 | Type 1 SSAE 16 assessments determine whether security controls are designed to meet control objectives and if the controls were in place at a point in time | Type 1 reports assess the service organization's control environment and the suitability of the control design | |
| Intended users of the reports | Auditors, management of the service organization, and management of the service organization's users | Parties knowledgeable about the service provided by the service organization and evaluating the effectiveness of internal controls; often requires signing of an NDA | Anyone |
| Governing standard | SSAE 16: Reporting on Controls at a Service Organization | Attestation Standards Section 101: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy | Same as a SOC 2 |
Useful Resources
Supplier agreements should be established and documented to ensure there is no misunderstanding regarding both parties' obligations to fulfill relevant security, legal, and/or regulatory requirements. Institutions of higher education are increasingly using outsourced services. While sensitive data processes and services might be outsourced, responsibility for the associated risk remains with the institution. Supplier agreements should include (as appropriate) clear and concise information regarding:
It is important to address the risk early in the procurement phase of the relationship with external parties so that roles, responsibilities, and expectations can be clearly defined in agreements or contracts. The following EDUCAUSE resources may provide help with contract language and legal issues:
Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chains.
This section is largely physical in nature and defines additional points to include in supplier agreements, specifically related to their use of technology, both hardware and software. There should be a process to identify a product or service that is a critical capability and to require increased scrutiny for it. This is especially true for components built outside the supplier organization. The ability to trace origins and compliance with security requirements is integral to ensuring both integrity and availability. Finally, the organization should address the risks of a component or service becoming unavailable or no longer supported.
Objective: Supplier agreements should be established and documented to ensure there is no misunderstanding regarding both parties' obligations to fulfill relevant security requirements.
Once operations of service providers have started, it is important to ensure that the services delivered conform to the specifications of third-party contracts. This can include everything from availability levels of the service to something more granular, such as examining the security controls the service provider agreed to in the contract. If there is a great level of dependency upon third-party service providers, checking into service capabilities, plans for handling information security incidents or service disruptions, and business continuity testing may be warranted. Systematic monitoring and reviews of services and controls are also recommended, including scrutinizing service reports provided by the third party to ensure the information is sufficient and relevant. As business or information technology requirements are modified, this may also require a change in the provision of third-party services, and procedures should be in place to handle any new requirements. Additionally, modifications may also call for a review of existing information security controls to ensure they are adequate.
Organizations should regularly monitor, review, and audit supplier service delivery. Institutions cannot overlook the need to manage the risk to their information assets that are accessed, processed, communicated to, or managed by external parties (partners, vendors, contractors, etc.). The service provider should be continuously monitored to assure that the services provided are meeting the terms of the contract and that security is maintained. There should be ongoing review of service reports, a process to address concerns and issues, and periodic audits. This section also encompasses documentation and procedures for handling security incidents, including incident reporting, mitigation, and subsequent reviews. Finally, service capability levels must be monitored to ensure that the service provider continues to meet the contract terms and the needs of the business. In addition to regular review and monitoring of the services provided, the contracting organization should:
Some external parties provide independent audits based on the Statement on Standards for Attestation Engagements (SSAE) No. 16 (formerly SAS 70), which focuses on the design of controls and their operating effectiveness. When independent audit opinions are not available, institutions might choose to evaluate the risk themselves.
Monitoring can mean different things to different people. It can simply mean to assess, to watch, to keep track of, or to check, usually with a special purpose. It does not mean or imply to verify or even to test. Actually, monitoring is more of a spectrum that ranges from just "keeping an eye" at the low end to requiring a site audit at the high end. Given the availability of resources at institutions of higher education, verification could be an impractical and significantly costly requirement if applied to all or most suppliers.
Effective monitoring of suppliers requires a process or methodology in place that defines the approach to take based on the risk of the supplier or engagement; activities should be more stringent and closer to the high end of the spectrum as risk increases or when exceptional situations warrant them. Institutional policy may refer to instances in which the sharing of sensitive data will result in a significant risk. Again, "significant" can mean a number of things but, ultimately, depends on the institution's risk management practices and risk tolerance (i.e., what is acceptable risk). Only in cases of very high risk, or when exceptional situations warrant it, should supplier monitoring include a requirement to perform a site audit, or to obtain the results of a Statement on Standards for Attestation Engagements (SSAE) No. 16 (formerly SAS 70) audit, or the results of an audit performed by an independent auditor.
What should an institution do to monitor compliance with agreement requirements in most cases? Define the incremental risk to the institution when engaging a supplier, as well as a due diligence process for mitigating those risks: third-party risk from remote access, data transmission, and offsite storage.
Consider the following as an outline for a contract monitoring process:
During System / Application / Process Implementation
Identify the individual(s) responsible for monitoring the relationship with the supplier.
During project status meetings:
Assess and review status reports regarding progress made in the implementation of the security requirements included in the contract and/or statement of work.
Identify new areas or security requirements that may arise from changes in scope.
If applicable, perform or request an audit of vendor security practices and procedures and/or perform a penetration test. It may be necessary to include a legal review by general counsel, as well.
During final test and prior to sign-off
Test the system/application/process security functionality required in the contract.
Review progress reports and determine if all security requirements included in the contract and/or statement of work were completed.
If applicable, perform an application scan.
Post Implementation
Follow up with the system/application/process owner.
Require the owner to perform a risk assessment based on policy (annual if high risk or mission critical and bi-annual for the rest).
Review the risk assessment results with the owner. Any concerns? Any problems? Any unknowns that need to be addressed with the vendor?
Follow up with the supplier. Are access logs available? Have any pending items been resolved? Are things on their end as expected? Any owner concerns? Did the risk assessment identify deficiencies?
Based on risk (annually or bi-annually), resubmit the third-party information security risk assessment to assess what has changed or needs closer scrutiny, or to identify inconsistencies with previous assessments.
Establish a working relationship with your supplier.
Participate in the supplier's product improvement committee. What changes are being considered? How would they impact the institution's risk and security postures?
Review security incidents involving the system/application/process. Are these due to non-compliance?
For currently established suppliers, assess their risk (if it has not already been done), and start with the steps listed in the Post Implementation section above as needed.
It is important to keep in mind that supplier monitoring is the last step of a cascading progression. The initial identification of the process and data impacted, as well as the initial security requirements, are used to formulate purchasing requirements. The answers to the requirements are used to evaluate potential suppliers and refine the security requirements. The evaluation and risk assessment of finalists refine the security requirements that will, in turn, be added as language to the contract or statement of work. And, finally, it is the final contract and corresponding risk level that determine the appropriate supplier monitoring approach.
All technology systems undergo continuous upgrade, change, and repair. Changes to service provisions by suppliers should be managed and documented, taking into account the sensitivity of the information and services involved and the re-assessment of risks. The contracting organization should determine how to integrate its change management process with that of the supplier. Items to consider include:
Where possible, supplier changes should be integrated with the contracting organization's change management processes.
EDUCAUSE Resources
Initiatives, Collaborations, & Other Resources
| ISO | NIST | COBIT | PCI DSS | NIST CSF | HIPAA |
|---|---|---|---|---|---|
| 27002:2013 Information Security Management | 800-53: Recommended Security Controls for Federal Information | DS2 | Req 6.4 | ID.AM-6 | 45 CFR 160.103 |
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).