GV.SC-02.076

Has your organization clearly communicated the roles and responsibilities for managing cybersecurity supply chain risks related to third parties?

Explanation

This question assesses whether your organization has established and internally communicated who is responsible for managing cybersecurity risks that come from your supply chain and third-party relationships. Clear role definition ensures accountability for tasks such as vendor risk assessments, contract security requirements, ongoing monitoring, and incident response related to third parties. Evidence could include an organizational chart showing supply chain security responsibilities, internal communications about these roles (such as emails or intranet posts), documented RACI matrices for third-party risk management, or formal policies that define these responsibilities across departments like Procurement, Legal, IT, and Security.

Implementation Example

Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties

ID: GV.SC-02.076

Context

Function: GV: GOVERN
Category: GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub