AR-03-727 Privacy Requirements for Contractors and Service Providers

Privacy Requirements for Contractors and Service Providers

Control ID

AR-03-727

Control Name

Privacy Requirements for Contractors and Service Providers

Control Category

Accountability, Audit and Risk Management

Functional Areas

Identify

Sub-Areas

External Vendors and Third Party Providers, Information Security Risk Management, Privacy and Confidentiality

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Agency Last Implemented Date

Risk Statement

Customer information is improperly disclosed when transmitted to a third party.

Control Description

The organization: a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and b. Includes privacy requirements in contracts and other acquisition-related documents.

Control Example

Service providers are subject to agency privacy requirements and held accountable for such.

State Implementation

No statewide control

Testing Procedures

Obtain contracts and service agreements with third parties and service providers; other relevant documents or records and ascertain if: (I) the organization establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and (ii) the organization includes privacy related requirements in contracts and other acquisition-related documents.