IBM Cloud Docs
SA-9 - External System Services

SA-9 - External System Services

Control requirements

SA-9 (a)

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [IBM Assignment: business continuity service level agreements].

SA-9 (b)

Define and document organizational oversight and user roles and responsibilities with regard to external system services.

SA-9 (c)

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [IBM Assignment: Continuous monitoring requirements must be met for external systems where customer information is processed or stored].

Additional IBM Cloud for Financial Services specifications

Requirements for contingency planning and business continuity must be negotiated with third party service providers.

Degradation of performance by the same external vendor to the organization across different regions should be documented.

Authorized individuals include Federal Regulators in the event of insolvency.

Supply chain threats to the information system, system component, or information system service must be protected by employing IBM-defined personnel security requirements, approved HW/SW vendor list/ process, and secure SDLC procedures, as part of a comprehensive, defense-in-breadth information security strategy.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

NIST supplemental guidance

External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.