GV.SC-05.087

Does your organization include security requirements in agreements with vendors and partners based on the criticality of the data or systems involved?

Explanation

Including security requirements in agreements helps ensure that third parties that handle your data or access your systems maintain appropriate security controls. The requirements should be proportional to the criticality of the data or systems involved and to the potential impact if they are compromised, so a tiered approach that maps the organization's risk classification to a defined set of contractual clauses works better than a single standard clause for every vendor. For example, a vendor processing sensitive customer data would be held to stricter requirements than one supplying office supplies. Evidence could include a vendor security assessment framework, contract templates with security clauses that vary by risk tier, or a documented process for determining which security requirements to include in different types of agreements based on the risk classification of the data or systems involved.

Implementation Example

Manage risk by including security requirements in agreements that are based on the criticality of the data or systems involved and the potential impact if they are compromised.

ID: GV.SC-05.087

Context

Function
GV: GOVERN
Category
GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category
Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub