We recommend that the Chief Information Security Officer identify qualitative and quantitative metrics on service level agreements held with third parties, then perform an analysis with monthly reporting received from those third parties to identify metrics that can be measured and documented, on either a monthly or quarterly basis, to ensure that EAC is receiving all contracted services.