Organizational controls with different types of contractors

Vendor Contractor (Agency)

This is a vendor that provides qualified individuals to perform specific work for a period of time. The vendor contractor may handle all, or only some, of the applicable organizational controls for the individuals it provides. The manager or personnel responsible for engaging the vendor contractor is also responsible for ensuring that all of the proper controls are followed, whether that is access provisioning, endpoint requirements, training, or policy acceptance.

Because this is a business decision that allows access to sensitive data, auditors will typically request thorough documentation of the process a vendor contractor follows to gain access to that data and how that process is applied. An example of requested evidence would be the master services agreement (MSA) stating that all contractors provided to your company undergo a background check.

However similar the process may be to access provisioning for employees, it is important that your company specifically documents how this vendor access was provisioned and granted.

Contractor

This is an individual whom your company pays directly, and your company is responsible for operating the organizational controls for this individual. Typically, any contractors in scope are subject to the same security controls as employees. For example, your company would perform the background checks and provide security training.

However, there are certain controls you can "scope out" for contractors, as long as the exclusions are clearly outlined within the policies. For example, many companies scope out performance reviews for contractors.

Professional Services Firm

This is a vendor from whom you purchase discrete services. If the firm has access to your in-scope systems, that access is in scope for the audit. Organizational controls for the firm fall under the due diligence performed as part of the vendor risk assessment.
