ITM Tech Cybersecurity Essentials Booklet - Flipbook - Page 34
CONTROL 15
15 - Service Provider Management
Safeguards Total: 7
IG1: 1/7
IG2: 4/7
IG3: 7/7
Develop a process to evaluate service providers who hold sensitive data,
or are responsible for an enterprise’s critical IT platforms or processes,
to ensure these providers are protecting those platforms and data
appropriately.
THE SAFEGUARDS
15.1 Establish and Maintain an Inventory of Service Providers (Asset Type: N/A; Security Function: Identify)
15.2 Establish and Maintain a Service Provider Management Policy (Asset Type: N/A; Security Function: Identify)
15.3 Classify Service Providers (Asset Type: N/A; Security Function: Identify)
15.4 Ensure Service Provider Contracts Include Security Requirements (Asset Type: N/A; Security Function: Protect)
15.5 Assess Service Providers (Asset Type: N/A; Security Function: Identify)
15.6 Monitor Service Providers (Asset Type: Data; Security Function: Detect)
15.7 Securely Decommission Service Providers (Asset Type: Data; Security Function: Protect)
Why Is This CIS Control Critical?
In our modern, connected world, enterprises rely on vendors and partners to help manage their data or rely on third-party infrastructure for core applications or functions.
There have been numerous examples where third-party breaches have significantly impacted an enterprise; for example, as early as the late 2000s, payment cards were compromised after attackers infiltrated smaller third-party vendors in the retail industry. More recent examples include ransomware attacks that impact an enterprise indirectly, due to one of their service providers being locked down, causing disruption to business. Or worse, if directly connected, a ransomware attack could encrypt data on the main enterprise.
Did You Know?
Many Cyber Attacks originate through 3rd-party Vendors and Software, so it’s important to make
sure you do Due Diligence whenever you pick a new vendor to work with. We can help you through
the vetting process when selecting new Vendors so you know what security questions to ask.
Table key:
1 = Asset Type
2 = Security Function
3 = Implementation Group 1
4 = Implementation Group 2
5 = Implementation Group 3