The information resource owner, or designee, is responsible for ensuring that all requirements of this Control are satisfied for any high or moderate impact information resource that is hosted by an external information system service.

The information resource owner, or designee, is responsible for:

• 1.1

  Requiring that providers of external information system services comply with university information security controls, and applicable federal laws, state laws, Executive Orders, directives, policies, regulations, standards, and guidance;

• 1.2

  Defining and documenting oversight and user roles and responsibilities with regard to external information system services; and

• 1.3

  Employing processes and procedures to monitor security control compliance by external service providers on an ongoing basis (i.e., annual risk assessment process).

  Related Resource

  IT Risk Management