GV.SC-09.109

Does your organization provide regular risk reporting to leadership regarding the authenticity and integrity of acquired components?

Explanation

This question assesses whether your organization has a formal process to verify the authenticity and integrity of components (hardware, software, services) acquired from third parties, and whether it reports the results of that verification to leadership. Supply chain attacks often reach organizations through compromised or counterfeit components, so both the verification itself and leadership's awareness of its results are critical security controls. Evidence could include quarterly or monthly reports to leadership that document component verification activities, findings from integrity checks, summaries of vendor security assessments, or dashboards showing supply chain risk metrics that include authenticity verification results.

Implementation Example

Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic

ID: GV.SC-09.109

Context

Function
GV: GOVERN
Category
GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category
Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: three at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub