SA-09-727 External Information System Services

Security Assessment and Authorization
Identify
Cloud Usage and Security, External Vendors and Third Party Providers
LOW, MOD, HIGH
P1
Yes
May 20, 2016

Information resource owners procuring third-party information services (e.g., cloud service providers) shall ensure the provider adheres to industry-accepted security baselines, such as the Cloud Security Alliance's Cloud Controls Matrix, and has demonstrated adherence to standards through auditing such as SSAE 16 SOC II. In cases where additional compliance requirements exist, additional security baselines such as FedRAMP accreditation may be used to determine the provider's suitability to operate information resources on behalf of the Agency.

Services, reports and records provided by a third party are not consistently monitored and reviewed by management.
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
The organization explicitly defines usage of external systems.
The state organization requires that providers of external information system services employ adequate security controls in accordance with these standards and monitors security control compliance.
Obtain the system and services acquisition policy; procedures addressing external information system services; acquisition contracts and service level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; and other relevant documents or records, and ascertain if:
(i) the organization requires that providers of external information system services employ adequate security controls in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, guidance, and established service-level agreements; and
(ii) the organization monitors security control compliance.