CIS Control 15: Service Provider
CIS Control 15: Service Provider Management outlines a process for evaluating service providers that handle sensitive data or are responsible for an enterprise's critical IT platforms or processes. The evaluation confirms that these vendors have adequate measures in place to protect the data and infrastructure entrusted to them, and it supports compliance with the data security and privacy regulations that apply to the enterprise. By understanding the relevant industry standards, enterprises can also assess third-party vendors consistently and appropriately.
15.1 Establish and Maintain an Inventory of Service Providers
Control 15.1 of the Controls Assessment Specification states that organizations must establish and maintain an inventory of service providers. For each provider, the inventory should record the enterprise contact as well as classification attributes such as level of access, criticality, contractually required cybersecurity posture, and spend.
15.2 Establish and Maintain a Service Provider Management Policy
An effective service provider management policy is essential. The policy should address how service providers are classified, inventoried, assessed, monitored, and decommissioned. Review and update the policy annually, or whenever major changes occur in the enterprise that could affect this Safeguard.
15.3 Classify Service Providers
The classification of service providers should be reviewed and updated at least once a year, or when major changes to the enterprise occur that could affect this Safeguard. Classification should take into account factors such as the sensitivity of the data, the volume of data, the availability requirements, the relevant regulations, the inherent risk, and the mitigated risk.
15.4 Ensure Service Provider Contracts Include Security Requirements
All service provider contracts should include security requirements that are aligned with the enterprise's service provider management policy. At a minimum, these requirements should cover a minimum security program, security incident and data breach notification and response, data encryption, and data disposal commitments. Contracts should be reviewed annually to confirm that all required security terms are present. Doing so helps protect sensitive data and reduces the overall risk of a data breach.
15.5 Assess Service Providers
All service providers must be assessed consistently according to the enterprise's service provider management policy. The depth of the assessment may vary with the provider's classification, but it can include reviewing standardized reports such as SOC 2 reports and PCI DSS Attestations of Compliance (AoC), completing customized questionnaires, or going through other more rigorous processes. Every service provider should be reassessed at least once a year or when its contract is renewed.
15.6 Monitor Service Providers
Organizations must monitor service providers in accordance with their service provider management policy. Monitoring can cover a range of activities, such as periodic and continuous review of the provider's compliance with applicable regulations, review of the provider's release notes, and dark web scanning to detect threats involving the provider. Together, these activities provide ongoing assurance that service providers remain secure and can be trusted to keep enterprise data and information secure.
15.7 Securely Decommission Service Providers
When decommissioning a service provider, ensure that all user and service accounts are deactivated, that data flows to and from the provider are terminated, and that enterprise data held in the provider's systems is securely disposed of. These steps protect sensitive data from unauthorized access once the relationship ends. Before decommissioning, also review any contractual obligations associated with the service provider, such as the data disposal commitments described under Safeguard 15.4.