GV.SC-09.111

Does your organization have policies requiring that only approved supplier personnel perform maintenance on supplier products?

Explanation

This question assesses whether your organization has formal policies that restrict maintenance activities on supplier products to only those personnel who have been explicitly approved by the supplier. Such policies help prevent unauthorized modifications, reduce the risk of introducing vulnerabilities, and maintain warranty compliance. Evidence could include documented maintenance policies that explicitly state this requirement, supplier agreements that specify authorized maintenance personnel, or maintenance logs showing verification of approved personnel credentials before maintenance activities are performed.

Implementation Example

Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products

ID: GV.SC-09.111

Context

Function: GV: GOVERN
Category: GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub