GV.SC-05.091

Does your organization require suppliers to implement employee vetting procedures and insider threat controls in contractual agreements?

Explanation

This question assesses whether your organization formally requires suppliers to screen their employees and implement safeguards against malicious insider activities through contractual obligations. Supplier employees often have access to your sensitive data or systems, and inadequate vetting by suppliers creates security vulnerabilities that could impact your organization. Evidence of compliance could include sample contract language with security requirements, supplier security addendums that specifically address employee vetting and insider threat controls, or a supplier security policy that mandates these requirements in all supplier agreements.

Implementation Example

Contractually require suppliers to vet their employees and guard against insider threats

ID: GV.SC-05.091

Context

Function: GV: GOVERN
Category: GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub