Description
The organization establishes personnel security requirements including security roles and responsibilities for third-party providers and monitors provider compliance.
Supplemental Guidance
Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. The organization explicitly includes personnel security requirements in acquisition-related documents. NIST Special Publication 800-35 provides guidance on information technology security services.
Enhancements
(0) None.
Compliance Mappings
SOC 2 TSC
CC5.3
ISO 17799 (legacy)
6.2.1, 6.2.3, 8.1.1, 8.1.2, 8.1.3, 8.2.1, 8.2.2, 11.2.1
COBIT 4.1 (legacy)
PO4.14, DS2.2