|SA-9 (1) Risk Assessments / Organizational Approvals || |
Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services.
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
|SA-9 (2) Identification Of Functions / Ports / Protocols / Services ||MODERATE |
Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols.
The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
|SA-9 (3) Establish / Maintain Trust Relationship With Providers || |
The degree of confidence that the risk from using external services is at an acceptable level depends on the trust that organizations place in the external providers, individually or in combination. Trust relationships can help organizations to gain increased levels of confidence that participating service providers are providing adequate protection for the services rendered. Such relationships can be complicated due to the number of potential entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and the types of interactions between the parties. In some cases, the degree of trust is based on the amount of direct control organizations are able to exert on external service providers with regard to employment of security controls necessary for the protection of the service/information and the evidence brought forth as to the effectiveness of those controls. The level of control is typically established by the terms and conditions of the contracts or service-level agreements and can range from extensive control (e.g., negotiating contracts or agreements that specify security requirements for the providers) to very limited control (e.g., using contracts or service-level agreements to obtain commodity services such as commercial telecommunications services). In other cases, levels of trust are based on factors that convince organizations that required security controls have been employed and that determinations of control effectiveness exist. For example, separately authorized external information system services provided to organizations through well-established business relationships may provide degrees of trust in such services within the tolerable risk range of the organizations using the services. External service providers may also outsource selected services to other external entities, making the trust relationship more difficult and complicated to manage.
Depending on the nature of the services, organizations may find it very difficult to place significant trust in external providers. This is not due to any inherent untrustworthiness on the part of providers, but to the intrinsic level of risk in the services.
The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships].
|SA-9 (4) Consistent Interests Of Consumers And Providers || |
As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities.
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.
|SA-9 (5) Processing, Storage, And Service Location || |
The location of information processing, information/data storage, or information system services that are critical to organizations can have a direct impact on the ability of those organizations to successfully execute their missions/business functions. This situation exists when external providers control the location of processing, storage or services. The criteria external providers use for the selection of processing, storage, or service locations may be different from organizational criteria. For example, organizations may want to ensure that data/information storage locations are restricted to certain locations to facilitate incident response activities (e.g., forensic analyses, after-the-fact investigations) in case of information security breaches/compromises. Such incident response activities may be adversely affected by the governing laws or protocols in the locations where processing and storage occur and/or the locations from which information system services emanate.
The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].