GV.SC-08.103

Has your organization established formal incident response communication protocols with suppliers that define rules for reporting incidents, recovery activities, and status updates?

Explanation

This question assesses whether your organization has clear procedures for communicating with suppliers during security incidents, ensuring timely information sharing and coordinated response efforts. Effective supplier communication protocols help minimize incident impact by establishing when and how suppliers should report incidents that may affect your organization, and how your organization communicates incidents that may impact suppliers. Evidence could include a documented Supplier Incident Communication Plan, communication templates for different incident types, contact matrices for key supplier security personnel, or sections in supplier contracts that specify incident reporting requirements and timeframes.

Implementation Example

Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers

ID: GV.SC-08.103

Context

Function: GV: GOVERN
Category: GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub