Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-9(4)

external information system services  | consistent  interests of consumers and providers

assessment objective:

Determine if the organization:

sa-9(4)[1]

defines external service providers whose interests are to be consistent with and reflect organizational interests;

sa-9(4)[2]

defines security safeguards to be employed to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests; and

sa-9(4)[3]

employs organization-defined security safeguards to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing external information system services; acquisition contracts for the information system, system component, or information system service; solicitation documentation; acquisition documentation; service-level agreements; organizational security requirements/safeguards for external service providers; personnel security policies for external service providers; assessments performed on external service providers; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; external providers of information system services].

Test: [select from: Organizational processes for defining and employing safeguards to ensure consistent interests with external service providers; automated mechanisms supporting and/or implementing safeguards to ensure consistent interests with external service providers].