7.10.2 8.10.2 (MONITORING AND REVIEW OF THIRD-PARTY SERVICES (This…
MONITORING AND REVIEW OF THIRD-PARTY
Monitoring and review of third-party services should ensure ,
INFORMATION SECURITY TERMS AND CONDITIONS of the agreements are being adhered to
INFORMATION SECURITY INCIDENTS AND PROBLEMS
are managed properly.
This should involve a service management relationship and process between the organization and the third party to accomplish the following:
SERVICE PERFORMANCE LEVELS to check adherence to the agreements
Review service reports
produced by the third party and
arrange regular progress meetings
as required by the agreements.
information about information security incidents and review of this information by the third party and the organization,
as required by the agreements and any supporting guidelines and procedures.
• Review third-party
audit trails and records of security events,
tracing of faults, and
disruptions related to the service delivered.
• Resolve and manage any identified problems.
Service Improvement and User Satisfaction
SLAs set the baseline by which outsourcers perform the IT function.
Service improvements should be agreed on by users and IT with the
goals of improving user satisfaction and attaining business objectives.
User satisfaction should be monitored by interviewing and surveying users.
organizations can set service improvement expectations into the contracts with associated penalties and rewards. Examples of service improvements include:
• Reductions in the number of help desk calls
• Reductions in the number of system errors
• Improvements to system availability
MANAGING CHANGES TO THIRD-PARTY
The process of managing changes to a third-party service needs to consider
Changes made by the organization to implement:
– Enhancements to the current services offered
– Development of any new applications and systems
– Modifications or updates of the organization’s policies and procedures
– New controls to resolve information security incidents and improve security
– Updates to policies, including the IT security policy
Changes in third-party services to implement:
– Changes and enhancements to networks
– Use of new technologies
– Adoption of new products or newer versions/releases
– New development tools and environments
:• Changes to physical location of service facilities
• Change of vendors or subcontractors