GV.SC-01.067
Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
Explanation
A cybersecurity supply chain risk management program helps identify, assess, and mitigate risks from third-party vendors, suppliers, and service providers that may have access to your systems or data. This program should include formal policies defining roles and responsibilities, procedures for vendor assessment and monitoring, and a roadmap for continuous improvement with clear milestones. Evidence could include: a formal supply chain risk management policy document, implementation roadmap with milestones, vendor assessment procedures, stakeholder communication plan, and documentation showing the program has been shared with relevant internal and external stakeholders.
Implementation Example
Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the policies and procedures with the organizational stakeholders
ID: GV.SC-01.067
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
