3.3.5 Select and Manage Sub-Providers Control Objectives
Using cloud services implies the coordinated involvement of multiple providers. Each provider in the provisioning chain carries a share of the responsibility for meeting the obligations that are the objects of accountability. These control objectives address the associated requirements. A coordinated program is essential to managing sub-providers.
| Identifier | Control Objective | Lifecycle Phase |
|---|---|---|
| 1.11 | Ensure that all service and provisioning contracts are compliant with relevant obligations. Define appropriate standards and practices with regard to engagement with third parties. Maintain and update a registry of third-party engagements and their relationship with obligations. Ensure third-party providers are regularly reviewed and that non-compliance is dealt with. | 1+2 - Governance |
| 3.04 | Identify assets handled by the third parties, the related obligations and associated accountability requirements. Ensure continuous interoperability of policies, reporting, and incident management with the third party. Identify the certifications and other levels of guarantees that must be offered by the provider. Ensure the proper contractual clauses are in place. Ensure the provider exploits the data only as intended. | 3 - Analyse and Design |
| 6.02 | Audit third parties, either directly as provisioned by contract or through the reports they provide. Validate functionality and compliance with obligations, at a frequency based on risks and sensitivity (normally yearly). | 6 - Audit and Validate |

Download the preliminary release of the Cloud Accountability Reference Architecture and the relevant A4Cloud Toolkit.



