GV.SC-09.110
Does your organization have a documented process for ensuring that software patches, updates, and upgrades are acquired only from authenticated and trustworthy sources?
Explanation
This question assesses whether your organization has formal procedures to verify the authenticity and integrity of software sources before a patch, update, or upgrade is installed. Without such verification, an attacker who can tamper with a download site, mirror, CDN, or update channel can deliver compromised software carrying malware or backdoors, which can lead to data breaches or system compromise. Note that a checksum published on the same page as the download only detects corruption, not tampering; authenticity comes from verifying the vendor's digital signature against a key obtained and pinned through an independent channel. Evidence could include a documented software update policy, vendor verification procedures, digital signature verification protocols (which keys are trusted, how they are obtained, and what happens on a verification failure), or change management documentation that specifically addresses source verification steps before software updates are approved for installation.
Implementation Example
Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers.
ID: GV.SC-09.110
Context
- Function: GV (GOVERN)
- Category: GV.SC (Cybersecurity Supply Chain Risk Management)
- Sub-Category: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

