PCI-DSS-DOC-12-11 Information Security Policy for Service Provider Relationships

Page 1

Information Security Policy for Service Provider Relationships

PCI DSS Toolkit: Version 6 ©CertiKit


Information Security Policy for Service Provider Relationships [Insert classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document describes how relationships with service providers will be created and managed to ensure effective information security.

Areas of the standard addressed

The following areas of the PCI DSS standard are addressed by this document:

• Requirement 12: Maintain a policy that addresses information security for all personnel
  o 12.8 Maintain and implement policies and procedures to manage service providers

General guidance

This is an important area which is increasing in focus with the growth of cloud computing. You need to make sure you understand what your service providers are doing in terms of their storing, processing or transmitting cardholder data. You may have many service providers of varying types and the key to meeting the requirements of the standard in this area is to categorise them in the way described in this document. The highest degree of effort may then be used appropriately in managing the service providers that are strategic to the organization rather than trying to treat them all equally. Ensure you keep minutes of all service provider meetings and that service provider records are kept up to date with contact details and references to contractual documentation.

Review frequency

We would recommend that this document is reviewed annually.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

Version 1

Page 2 of 12

[Insert date]


1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions, which also contain guidance on working with the toolkit documents on an Apple Mac and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.



You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.




Information Security Policy for Service Provider Relationships

Version 1

DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: PCI-DSS-DOC-12-11
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]




Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE



Contents

1 Introduction ........ 8
2 Information security policy for service provider relationships ........ 9
2.1 General provisions ........ 9
2.2 Cloud services ........ 10
2.3 Due diligence ........ 10
2.4 Addressing security within service provider agreements ........ 10
2.5 Evaluation of existing service providers ........ 10
2.6 Monitoring and review of service provider services ........ 11
2.7 Managing changes to service provider services ........ 11
2.7.1 Changes within contract ........ 11
2.7.2 Contractual disputes ........ 12
2.7.3 End of contract ........ 12

Tables

Table 1: Meeting frequencies by service provider category ........ 11




1 Introduction

[Organization Name] and its core business exist in a wider economic environment in which effective relationships with service providers are critical to its continued success. However, recent information security breaches have shown that a third-party service provider can sometimes represent a significant weakness in the defences of our information assets. It is therefore very important that our relationships with service providers are based on a clear understanding of our expectations and requirements in the area of information security, in particular around the storing, processing and transmitting of Cardholder Data (CHD). These requirements must be documented and agreed in a way that leaves no doubt about the importance we place on the maintenance of effective controls to reduce risk. It is up to [Organization Name] to demonstrate to our stakeholders that the choices we make regarding service providers are made with due diligence and that the ongoing monitoring and review of the service supplied is performed in an effective way.

The purpose of this document is to set out the organization’s information security policy in the area of service provider relationships. The following documents are relevant to this policy:

• Agreement for the Security of Cardholder Data




2 Information security policy for service provider relationships

2.1 General provisions

In general, information security requirements will vary according to the type of contractual relationship that exists with each service provider and the goods or services delivered. However, the following will generally apply:

• The information security requirements and controls must be formally documented in a contractual agreement which may be part of, or an addendum to, the main commercial contract
• Separate Non-Disclosure Agreements must be used where a more specific level of control over confidentiality is required
• Appropriate due diligence must be exercised in the selection and approval of new service providers before contracts are agreed
• The information security provisions in place at existing service providers (where due diligence was not undertaken as part of initial selection) must be clearly understood and improved where necessary
• Remote access by service providers must be via approved methods that comply with our information security policies
• Access to [Organization Name] information must be limited where possible according to clear business need
• Basic information security principles such as least privilege, separation of duties and defence in depth must be applied
• The service provider will be expected to exercise adequate control over the information security policies and procedures used within sub-contractors who play a part in the supply chain of delivery of goods or services to [Organization Name]
• [Organization Name] will have the right to audit the information security practices of the service provider and, where appropriate, sub-contractors
• Incident management and contingency arrangements must be put in place based on the results of a risk assessment
• Awareness training will be carried out by both parties to the agreement, based on the defined processes and procedures
• Where card payment processing occurs, the service provider must be actively PCI DSS compliant

The selection of required controls must be based upon a comprehensive risk assessment considering information security requirements, the product or service to be supplied, its criticality to the organization and the capabilities of the service provider.




2.2 Cloud services

Cloud service providers (CSPs) must be clearly recognized as such so that the risks associated with the CSP’s access to and management of [Organization Name] cloud data may be managed appropriately. When acting as a CSP, [Organization Name] will clearly set out the relevant information security measures it will implement as part of the agreement. [Organization Name] will also ensure that information security objectives are set for third parties who provide components of the cloud service to customers and that they carry out adequate risk assessment in order to achieve an acceptable level of security.

2.3 Due diligence

Before contracting with a service provider, it is incumbent upon [Organization Name] to exercise due diligence in reaching as full an understanding as possible of the information security approach and controls the service provider has in place. This is particularly important where cloud computing services are involved, as legal considerations regarding the location and storage of personal data must be taken into account.

2.4 Addressing security within service provider agreements

Once a potential service provider has been subject to a positive due diligence assessment, the information security requirements of [Organization Name] must be reflected within the written contractual agreement that is entered into. This agreement must take into account the classification of any information that is to be processed by the service provider (including any required mapping between [Organization Name] classifications and those in use within the service provider), legal and regulatory requirements and any additional information security controls that are required. For cloud service contracts, information security roles and responsibilities must be clearly defined in areas such as backups, incident management, vulnerability assessment and cryptographic controls. A template [Organization Name] Protect Cardholder Data Service Provider Agreement may be used as a starting point. Appropriate legal advice must be obtained to ensure that contractual documentation is valid within the country or countries in which it is to be applied.

2.5 Evaluation of existing service providers

For those service providers that were not subject to an information security due diligence assessment prior to an agreement being made, an evaluation process must be subsequently undertaken in order to identify any required improvements.




2.6 Monitoring and review of service provider services

In order to focus resources on the areas of greatest need, service providers will be categorized based on an assessment of their value to the organization. Each service provider will be placed into one of the following four categories:

1. Commodity
2. Operational
3. Tactical
4. Strategic

The recommended frequency of service provider review meetings between [Organization Name] and each service provider will be determined by the service provider’s category according to the following table:

SERVICE PROVIDER CATEGORY    RECOMMENDED MEETING FREQUENCY
Commodity                    None
Operational                  On contract renewal
Tactical                     Annually
Strategic                    Monthly/Quarterly

Table 1: Meeting frequencies by service provider category

Each service provider will have a designated contract manager within [Organization Name] who is responsible for arranging, chairing and documenting the meetings. The performance of strategic service providers will be monitored on a regular basis in line with the recommended meeting frequency. This will take the form of a combination of service provider reports against the contract and internally produced reports. Where possible, a frequent cross-check will be made between the service provider reports and those created internally in order to make sure the two present a consistent picture of service provider performance. Both sets of reports will be reviewed at service provider meetings and any required actions agreed.

2.7 Managing changes to service provider services

2.7.1 Changes within contract

Changes to services delivered by service providers will be subject to the [Organization Name] change management process. This process includes the requirement to assess any information security implications of changes so that the effectiveness of controls is maintained.




2.7.2 Contractual disputes

In the event of a contractual dispute, the following initial guidelines must be followed:

• The Chief Financial Officer must be informed that a dispute exists
• The CFO will then decide on next steps, based on an assessment of the dispute
• Where applicable, legal advice should be obtained via the CFO
• All correspondence with the service provider in dispute must be in writing and with the approval of the CFO
• An assessment of the risk to the organization should be carried out prior to escalating any dispute, and contingency plans put in place

At all times the degree of risk to the business must be managed and if possible minimised.

2.7.3 End of contract

The following process will be followed for scheduled end of contract, early end of contract or transfer of contract to another party:

• The end of contract will be requested in writing within the agreed terms
• Transfer to another party shall be planned as a project and appropriate change control procedures followed
• An assessment of the risk to the organization must be carried out prior to ending or transferring the contract, and contingency plans put in place
• Any budgetary implications shall be incorporated into the financial model

The implications of ending a contract must be carefully considered at initial contract negotiation time.


