GV.SC-02.071

Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

Explanation

This question assesses whether your organization has clearly defined who is responsible for managing cybersecurity risks associated with your supply chain and vendors. Documenting these roles ensures accountability, prevents gaps in oversight, and establishes clear procedures for addressing supply chain security incidents or vulnerabilities. Evidence could include a formal supply chain risk management policy document that explicitly defines roles and responsibilities for activities such as vendor security assessments, continuous monitoring, supply chain incident response, and remediation processes. The policy should identify the specific positions or teams responsible for each aspect of supply chain security management.

Implementation Example

Document cybersecurity supply chain risk management roles and responsibilities in policy

ID: GV.SC-02.071

Context

Function: GV: GOVERN
Category: GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub