PS-07 Third-Party Personnel Security

Control: The organization establishes personnel security requirements including security roles and responsibilities for third-party providers and monitors provider compliance.

Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. The organization explicitly includes personnel security requirements in acquisition-related documents. NIST Special Publication 800-35 provides guidance on information technology security services.

Control Enhancements: (0) None.

Baseline: LOW: PS-7; MOD: PS-7; HIGH: PS-7

Family: Personnel Security

Class: Operational

ISO 17799 mapping: 6.2.1, 6.2.3, 8.1.1, 8.1.2, 8.1.3, 8.2.1, 8.2.2, 11.2.1

COBIT 4.1 mapping: PO4.14, DS2.2

PCI-DSS v2 mapping: 8.5.6, 7.2.2