Notes from the Field: CIS Control 15 – Service Provider Management 

by Greg Halpin / March 7th, 2024

The client I was conducting a gap analysis for had an incredibly detailed Service Provider Management Policy. It required the company compliance team to conduct due diligence on all prospective service providers, including a risk analysis of each. The policy required the compliance team to review the prospective vendor’s SOC 2 audit report and research the vendor’s financial stability and reputation. The compliance team was to conduct annual reviews of each vendor that included many of the same steps. Great stuff. 

When I asked them to provide evidence of due diligence on the service providers they had added in the past year, and evidence of the reviews of current vendors, they produced a couple of emails listing questions about the service and references to a completed demo of the service. They had no completed risk analyses and no documentation showing that they had reviewed audit reports or performed any of the other work required by their policy and by industry standards. Why? They had found a template policy on the internet and adopted it as their own. They didn’t actually do much in support of service provider management or think it was important. Like many clients, they thought simply having a policy was sufficient.

What is Service Provider Management? 

After this discovery, I referred my client to the Center for Internet Security Control 15 – Service Provider Management. We discussed some of the activities they could perform in support of Service Provider Management so they would have assurance that they had done their due diligence and could be confident working with their vendors.

The overview for Control 15 is: “Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.”

Control 15 includes 7 sub-controls, or safeguards:

15.1 Establish and Maintain an Inventory of Service Providers

15.2 Establish and Maintain a Service Provider Management Policy

15.3 Classify Service Providers

15.4 Ensure Service Provider Contracts Include Security Requirements

15.5 Assess Service Providers

15.6 Monitor Service Providers

15.7 Securely Decommission Service Providers

Why is service provider management critical?  

Companies rely on service providers for many services, such as data center hosting, cloud services, and third-party management of technology and security solutions. There have been many cases where service providers have been breached or have experienced service outages that impacted the companies depending on them. It’s important that your company has practices in place to vet vendors before engaging them and to review them annually.

I recommend that clients who don’t have anything in place begin with a list.

Let’s take a look at some of the safeguards: 

15.1 – Establish and Maintain an Inventory of Service Providers  

Safeguard 15.1 is the logical place to start. Just as CIS Controls 1 and 2 require inventories of systems and software, you need to know what you have in order to protect it. It’s the same with service providers. Often the clients I work with don’t have a list of the service providers they use. Procurement may be decentralized, with the department that needs the service responsible for the due diligence and review activities, so no one else in the company is aware the provider is used. The easiest way to start is with a spreadsheet listing each vendor and the service they provide. Include on the list what data they store, process, or transmit on your company’s behalf.

15.2 Establish and Maintain a Service Provider Management Policy  

Safeguard 15.2 is pretty straightforward. As in many areas of information security, a policy is required that states the mandate: maintaining an inventory of service providers, conducting due diligence on new vendors, and performing annual reviews of them. The policy should also outline the activities that support it – who is responsible for each activity, how often the policy itself is reviewed, and so on.

15.5. Assess Service Providers  

Safeguard 15.5 is essentially conducting due diligence on service providers before engaging them. This entails reviewing their SOC 2 audit report or PCI DSS Attestation of Compliance to understand their security controls. For large providers such as AWS and Azure, that is about as much as you can do, since they will not allow your company to audit them directly, nor would it be practical.

For smaller companies that have not undergone a SOC 2 or other audit, you can ask them to complete a due diligence questionnaire (DDQ) that addresses their security controls. Keep in mind that their answers to your questions are not evidence that the controls are actually in place and operating effectively. You may additionally request evidence, such as completed vulnerability scans, penetration test reports, reports on patching of systems, and their information security policy.

15.7 Securely Decommission Service Providers 

Safeguard 15.7 is a crucial process for protecting your company. Service providers often store critical data, such as PII, ePHI, or cardholder data. What happens to your data after you stop using a provider? Is it retained by the service provider or securely deleted? The clients I work with that operate a Software as a Service platform often store their customer data forever unless the customer specifically requests deletion. Some don’t even have a method to purge an individual customer’s records from their databases when asked.

You want to make sure you see evidence that your service providers have deleted all of your sensitive data after you stop using their service. There is no good reason for them to keep it. If the vendor is compromised years later, the attackers gain access to sensitive data that should never have remained with a former service provider in the first place.

Additionally, you want to revoke the service provider’s access to your network at the end of the contract. Companies often give managed service providers accounts on their networks to manage systems. Remember to disable and then delete those accounts after you stop using the provider’s services. You don’t want a rogue employee of the service provider, or an automated scheduled task still running under their account, to impact your systems.
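The inventory spreadsheet from Safeguard 15.1, together with the evidence and decommissioning checks from 15.5 and 15.7, can be turned into a simple review script. The example below is added here and is not code from the original post or from CIS; the inventory rows, vendor names, and dates are constructed, and the column names are assumptions about how such a spreadsheet might be laid out.

```python
"""Flag service-provider gaps from an inventory (added example, not from the post).

Checks each vendor for missing due-diligence evidence (15.5), an annual review
older than 365 days (15.5/15.6), and accounts still enabled after the contract
end date (15.7).
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory; vendor names and dates are illustrative only.
INVENTORY_CSV = """\
vendor,service,data_handled,dd_evidence,last_review,contract_end,accounts_enabled
CloudHostCo,IaaS hosting,PII;ePHI,SOC2 reviewed 2023-11-02,2023-11-02,,0
PayGateway,payment processing,cardholder data,PCI AoC reviewed 2022-01-15,2022-01-15,,0
OldMSP,managed services,admin access,,2021-06-30,2023-12-31,2
NewSaaS,HR platform,PII,,,,0
"""

AS_OF = date(2024, 3, 7)          # review date used for the sample run
REVIEW_MAX_AGE = timedelta(days=365)


def parse_inventory(text):
    """Parse the CSV into a list of dicts; blank dates become None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("last_review", "contract_end"):
            row[key] = date.fromisoformat(row[key]) if row[key] else None
        row["accounts_enabled"] = int(row["accounts_enabled"])
        rows.append(row)
    return rows


def find_findings(rows, today):
    """Return (vendor, finding) pairs a reviewer needs to chase."""
    findings = []
    for r in rows:
        v = r["vendor"]
        if not r["dd_evidence"]:
            findings.append((v, "no due-diligence evidence on file (15.5)"))
        if r["last_review"] is None or today - r["last_review"] > REVIEW_MAX_AGE:
            findings.append((v, "annual review missing or overdue (15.5/15.6)"))
        if r["contract_end"] and r["contract_end"] < today and r["accounts_enabled"]:
            findings.append((v, f"{r['accounts_enabled']} account(s) enabled after contract end (15.7)"))
    return findings


if __name__ == "__main__":
    for vendor, finding in find_findings(parse_inventory(INVENTORY_CSV), AS_OF):
        print(f"{vendor}: {finding}")
```

Run against a real export, the vendors with no findings are the ones with evidence on file; the rest are the gaps an auditor will ask about.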

Partner with KirkpatrickPrice to Help Implement Service Provider Management in Your Organization 

Service provider management can feel overwhelming, whether you’ve been working with service providers for years or you’re new to the process. For more information on the Service Provider Management safeguards that protect your company’s networks and data, see the Center for Internet Security Controls document. If you have questions about proper implementation of service provider management, connect with a KirkpatrickPrice expert today. We’d be happy to help.

About the Author

Greg Halpin

Greg Halpin has 25 years of experience in information technology and security. He has a Master’s in Information Sciences – Cybersecurity and Information Assurance from Penn State University, and he has earned the CISSP, CISA, and CCSP certifications. He has experience and additional certifications in Amazon Web Services, Azure Cloud Services, Linux and Windows systems administration, vulnerability scanning, intrusion detection/prevention, and project management. He enjoys working with people and organizations to help them secure their networks and systems.