Third-Party Management Controls
Purpose
Bramble ensures that security and privacy risks associated with third-parties are minimized and enable measures to sustain operations should a third-party become defunct and operates so that only trustworthy third-parties are used.
Scope
This control applies to all third party providers that interact with data within the Bramble production environment, or any third party providers that a Bramble production system relies upon.
Ownership
The control owner is Security Compliance
Controls
| Control Number | Control Title | Control Statement | Goal | TOD | TOE |
|---|---|---|---|---|---|
| TPM-01 | Third-Party Management | Bramble Group Corp. has implemented mechanisms for third-party management security controls. | Does the organization facilitate the implementation of third-party management controls? | 1. Identify policies, procedures, or other relevant documentation responsible for the implementation of third-party management security controls. 2. Examine policies and procedures for: Purpose; Scope; Roles and responsibilities; Management commitment; Coordination among organizational entities; Compliance; and Implementation requirements. |
1. Examine relevant policies, procedures and other documentation that support the security for managing third-parties. 2. Interview key organizational personnel within Bramble to discuss high level workflows that support the implementation of confidentiality and integrity of information with the implementation of third-parties. |
| TPM-02 | Third-Party Criticality Assessments | Bramble Group Corp. has implemented mechanisms to identify, prioritize and assess suppliers and partners of critical systems, components and services using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services. | Does the organization identify, prioritize and assess suppliers and partners of critical systems, components and services using a supply chain risk assessment process? | 1. Identify policies, procedures, or other relevant documentation responsible for the implementation of third-party management security controls. 2. Interview key organizational personnel within Bramble to discuss high level workflows that support the assessment of third-party vendors to deliver high-value services. |
1. Examine relevant policies, procedures and other documentation that support the security for vetting third-parties. 2. Examine security control risk assessments for evidence of documented and planned remedial activities as outlined in the ToD. |
| TPM-03 | Supply Chain Protection | Bramble Group Corp. has implemented security safeguard mechanisms when evaluating security risks and addressing identified weaknesses or deficiencies in the security associated with the services and product supply chain and to limit harm from potential adversaries who identify and target the organization’s supply chain by utilizing tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services. | Does the organization evaluate security risks associated with the services and product supply chain? | 1. Identify industry-recognized cybersecurity and privacy practices utilized for threat awareness addressing security risks and identifying weaknesses or deficiencies via third-party services. 2. Identify the policies, procedures and related documents outlining the organization-wide implementation and management of baseline secure procurement processes. |
1. Examine the procurement processes for evidence they follow the industry-recognized cybersecurity and privacy standards. 2. Interview key organizational personnel within Bramble conducting discussions for evidence that mechanisms exist to reduce the likelihood of unauthorized modifications and protect systems and components and document in accordance to TOD. |
| TPM-04 | Third-Party Services | Bramble Group Corp. has implemented mechanisms to mitigate the risks associated with third-party access to the organization’s systems and data and to ensure that the interests of third-party service providers are consistent with and reflect organizational interests. | Does the organization mitigate the risks associated with third-party access to the organization’s systems and data? | 1. Establish personnel security requirements including security roles and responsibilities for third-party providers. 2. Identify the policies, procedures and related documents outlining the organization-wide security requirements third-parties must comply with. |
1. Examine formal policies, procedures or other relevant documentation to appropriately identify the security requirements for third-party providers. 2. If any change in third-party personnel roles such as transfers/terminations reference testing plan for HRS-08 and HRS-09. 3. Interview key organizational personnel within Bramble conducting discussions for evidence that mechanisms exist to conduct third-party personnel security controls and document in accordance to TOD. |
| TPM-05 | Third-Party Contract Requirements | Bramble Group Corp. has implemented mechanisms to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization’s needs to protect systems and data. | Does the organization identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization’s needs to protect systems and data? | Reference HRS-06 - Access Agreements | Reference HRS-06 - Access Agreements |
| TPM-06 | Third-Party Personnel Security | Bramble Group Corp. has implemented mechanisms to control personnel security requirements including security roles and responsibilities for third-party providers. | Does the organization control personnel security requirements including security roles and responsibilities for third-party providers? | Reference HRS-10 - Third-Party Personnel Security. | Reference HRS-10 - Third-Party Personnel Security. |
| TPM-07 | Monitoring for Third-Party Information Disclosure | Bramble Group Corp. has implemented mechanisms to monitor for evidence of unauthorized exfiltration or disclosure of organizational information. | Does the organization monitor for evidence of unauthorized exfiltration or disclosure of organizational information? | Reference HRS-06 - Access Agreements | Reference HRS-06 - Access Agreements |
| TPM-08 | Review of Third-Party Services | Bramble Group Corp. has implemented mechanisms to monitor, regularly review and audit supplier service delivery for compliance with established contract agreements. | Does the organization monitor, regularly review and audit supplier service delivery for compliance with established contract agreements? | Reference CPL-04 - Audit Activities and MON-16 - Anomalous Behavior. | Reference CPL-04 - Audit Activities and MON-16 - Anomalous Behavior. |
| TPM-09 | Third-Party Deficiency Remediation | Bramble Group Corp. has implemented mechanisms to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements. | Does the organization address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements? | Reference IRO-04 - Incident Response Plan (IRP) | Reference IRO-04 - Incident Response Plan (IRP) |
| TPM-10 | Managing Changes To Third-Party Services | Bramble Group Corp. has implemented mechanisms to control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party. | Does the organization control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party? | 1. Identify the policies, procedures and related documents outlining the organization-wide security requirements third-parties must comply with and the communication requirements to stakeholders outlining the impact and approval of proposed changes prior to initiating a change. | 1. Examine formal policies, procedures or other relevant documentation to appropriately identify the security requirements for third-party providers. 2. Identify if any changes have occurred via third-party services. 3. Interview key organizational personnel within Bramble conducting discussions for evidence that mechanisms exist to communicate with third-party personnel regarding signed contracts and document in accordance to TOD. 4. Confirm potential security and business impacts were identified, assessed and approved prior to initiating the change of service via the third-party provider. |
| TPM-11 | Third-Party Incident Response & Recovery Capabilities | Bramble Group Corp. has implemented mechanisms to ensure response/recovery planning and testing are conducted with critical suppliers/providers. | Does the organization ensure response/recovery planning and testing are conducted with critical suppliers/providers? | Reference IRO-10 - Incident Stakeholder Reporting | Reference IRO-10 - Incident Stakeholder Reporting |
- Test of Design - (TOD) – verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
- Test of Operating Effectiveness - (TOE) - used for verifying that the control is in place and it operates as it was designed.
Policy Reference
- Contract types
- Legal Handbook page
- PCI-DSS SAQ-A 12.8.4 - Monitor Service Providers' PCI DSS Compliance Status
- Process for modifying sales contracts
- Process for negotiating terms
- Procure to Pay process
- Procure to Pay section of the handbook
- Third Party Risk Management Procedure
- Vendor compliance monitoring process in the Compliance repo runbook