SA-09-727 External Information System Services

External Information System Services

Control ID

SA-09-727

Control Name

External Information System Services

Control Category

Security Assessment and Authorization

Functional Areas

Identify

Sub-Areas

Cloud Usage and Security, External Vendors and Third Party Providers

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

Information resource owners procuring third-party information services (e.g., cloud service providers) shall ensure the provider adheres to industry accepted security baselines, such as Cloud Security Alliance's Cloud Controls Matrix, and demonstrated adherence to standards through auditing such as SSAE 16 SOC II. In cases where additional compliance requirements exist, additional security baselines such as FedRAMP accrediation may be used to determine the provider's suitability to operate information resources on behalf of the Agency.

Risk Statement

Services, reports and records provided by a third party are not consistently monitored and reviewed by management.

Control Description

The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Control Example

The organization explicitly defines usage of external systems.

State Implementation

The state organization requires that providers of external information system services employ adequate security controls in accordance with these standards and monitors security control compliance.

Testing Procedures

Obtain system and services acquisition policy; procedures addressing external information system services; acquisition contracts and service level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; other relevant documents or records and ascertain if: (I)the organization requires that providers of external information system services employ adequate security controls in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, guidance, and established service-level agreements. (ii)the organization monitors security control compliance.