CIS Critical Security Controls v8 (The 18 CIS CSC)
15.1 Establish and Maintain an Inventory of Service Providers
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.
Required for Implementation Groups 1, 2 and 3.
15.2 Establish and Maintain a Service Provider Management Policy
Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard.
Required for Implementation Groups 2 and 3.
15.3 Classify Service Providers
Classify service providers. Classification considerations may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Review and update classifications annually, or when significant enterprise changes occur that could impact this Safeguard.
Required for Implementation Groups 2 and 3.
15.4 Ensure Service Provider Contracts Include Security Requirements
Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements.
Required for Implementation Groups 2 and 3.
15.5 Assess Service Providers
Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) reports and Payment Card Industry (PCI) Attestations of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.
Required for Implementation Group 3.
15.6 Monitor Service Providers
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.
Required for Implementation Group 3.