Does your organization have a documented process for ensuring that software patches, updates, and upgrades are acquired only from authenticated and trustworthy sources?
Explanation
Software supply chain integrity is at issue here: whether you have a documented process to ensure patches, updates, and upgrades come only from authenticated, trustworthy sources. Without proper verification, organizations risk installing compromised software that could contain malware or backdoors, potentially leading to data breaches or system compromise.
Evidence could include a documented software update policy, vendor verification procedures, digital signature verification protocols, or change management documentation that specifically addresses source verification steps before software updates are approved for installation.
Implementation Example
Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers
ID: GV.SC-09.110
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

