GV.SC-09.112

Does your organization have documented policies and procedures for verifying critical hardware upgrades against unauthorized changes before implementation?

Explanation

This control ensures that hardware upgrades are thoroughly inspected for potential tampering, unauthorized modifications, or supply chain compromises before being deployed in your environment. For example, firmware updates for network devices, server components, or security appliances should be verified for integrity and authenticity to prevent the introduction of backdoors or malicious code. Evidence could include a formal hardware change management procedure document that specifically addresses verification steps for detecting unauthorized changes, such as digital signature verification processes, hash comparison records, or vendor verification checklists used during recent critical hardware upgrades.

Implementation Example

Policies and procedure require checking upgrades to critical hardware for unauthorized changes

ID: GV.SC-09.112

Context

Function: GV: GOVERN
Category: GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub