CIS Control 15: Service Provider Management
Enterprises today rely on partners and vendors to help manage their data. Some companies depend on third-party infrastructure for day-to-day operations, so it is important to understand the regulations and protection standards that a service provider promises to uphold.
Key Takeaways from Control 15
Identify your business needs and create a set of standards that can be used to grade proposed service providers. Every company is different, so no single set of standards will fit every sector.
Organize and monitor all service providers that are associated with your business. Keeping an inventory of all service providers lets you track them in case they update their policies. When a policy is updated, you can assess whether the service provider still meets the standards set in your service provider management policy.
Safeguards for Control 15
15.1) Establish and Maintain an Inventory of Service Providers
Description: Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually or when significant enterprise changes that could impact this Safeguard occur.
Notes: The security function associated with this Safeguard is Identify. The objective of this control is to keep an organized inventory of service providers and to identify a point of contact with each service provider.
15.2) Establish and Maintain a Service Provider Management Policy
Description: Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually or when significant enterprise changes that could impact this Safeguard occur.
Notes: The security function associated with this Safeguard is Govern. When developing a service provider management policy, keep in mind that not all businesses are the same. No single set of standards applies to every industry sector. For example, a business in the financial sector will have different standards to follow than a business in the education sector. Establish the needs of your business and then create a checklist that helps you narrow down the frameworks and/or industry standards you intend to follow.
15.3) Classify Service Providers
Description: Classify service providers. Classification consideration may include one or more characteristics such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually or when significant enterprise changes that could impact this Safeguard occur.
Notes: The security function associated with this Safeguard is Govern. Classifying service providers depends on Safeguards 15.1 and 15.2. Once you’ve identified potential service providers that meet the established policy, classification can begin. This gives a more granular view of the service providers.
15.4) Ensure Service Provider Contracts Include Security Requirements
Description: Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incidents and/or data breach notification and response, data encryption mandates, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements.
Notes: The security function associated with this Safeguard is Govern. Security should be built in from the earliest stages of developing a service provider management policy, because neglecting it at the start can become costly in the long term. Ensure that the service providers being considered incorporate industry standards for security, such as ISO 27001.
15.5) Assess Service Providers
Description: Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s) and may include a review of standardized assessment reports such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.
Notes: The security function associated with this Safeguard is Govern. Ensure that service providers are in line with the scope set forth in your service provider management policy.
15.6) Monitor Service Providers
Description: Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.
Notes: The security function associated with this Safeguard is Govern. Monitor service providers to ensure they are consistent with your service provider management policy. Review release notes on updates provided by service providers to ensure they are still in line with the scope of your service provider management policy. React if they fall outside of the scope of the policy.
15.7) Securely Decommission Service Providers
Description: Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.
Notes: The security function associated with this Safeguard is Protect. When you decommission a service provider, always make sure that user and service accounts are deactivated to prevent unauthorized access. Decommissioning also means securely disposing of enterprise data that has been stored on service provider systems.
Read more about the 18 CIS Controls here:
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skill Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security