CIS15 Service Provider Implementation Groups

The CIS 15 Service Provider Control by the Center for Internet Security sets standards for managing service providers to control 3^rd party cybersecurity risk. The controls are organized by 3 implementation groups.

CIS 15 Service Provider Implementation Group 1

Implementation group 1 covers fundamental and essential capabilities necessary for any company to remain secure.  The controls in this group represent a standard for essential cyber hygiene. Implementation group 1 includes the control 15.1 Establish and Maintain an inventory of Service Providers.

This control can be difficult to achieve especially if vendor data is distributed throughout the organization. Users frequently disclose corporate data on unapproved cloud apps. At a minimum, a business should have good control over AD credentials assigned to 3^rd parties.

Banyan can lead discovery efforts through stakeholder interviews, documentation and AD review, and by leveraging tools like Microsoft Defender for Cloud Apps. There are several Vendor Management tools that may help organize this data (Venminder and Gatekeeper). Banyan can consult on the selection of these systems.

CIS 15 Service Provider Implementation Group 2

The second Implementation Group is appropriate for any organization of substantial size. It includes

• 15.2 Establish and Maintain a Service Provider management Policy
• 15.3 Classify Service Providers
• 15.4 Ensure Service Provider Contracts Include Security Requirements

In the second implementation group, companies develop policies that support good vendor management and classification of vendors based on data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. It also ensures vendor contracts include appropriate language requiring an appropriate cybersecurity posture.

Vendor Management Systems, Contract Lifecycle Management Systems, and Vendor Risk Management systems all support this requirement.

CIS 15 Service Provider Implementation Group 3

Implementation Group 3 include advanced requirements for companies with mature cybersecurity practices. There are 2 CIS 15 Service Provider Controls in IG3:

• 15.5 Assess Service Providers
• 15.6 Monitor Service Providers
• 15.7 Securely Decommission Service Providers

Regular assessment of service providers to ensure their compliance with contractual cybersecurity terms and industry best standards helps to control 3^rd party cybersecurity risk. Companies meeting this control have processes and systems in place to monitor providers. Securely decommissioning former service providers by disabling remote access, terminating data flows, and requiring the disposal of corporate data.