SA-9: External System Services
NIST Baseline: Low
Privacy Baseline: Yes
DIR Required By: 07/20/2023
Review Date: 08/08/2024
- The information resource owner, or designee, is responsible for:
- Requiring that providers of external information system services comply with university information security controls, and applicable federal laws, state laws, executive orders, directives, policies, regulations, standards, and guidance;
- In accordance with Texas Department of Information Resources (DIR) Security Control Catalog requirements, information resources assigned from or shared between one state agency to another or from/between a state agency to a contractor or other third party shall be protected in accordance with the conditions imposed by the providing state agency at a minimum.
- Defining and documenting oversight and user roles and responsibilities with regard to external information system services; and
- Employing processes and procedures to monitor security control compliance by external service providers on an ongoing basis.
- Requiring that providers of external information system services comply with university information security controls, and applicable federal laws, state laws, executive orders, directives, policies, regulations, standards, and guidance;