Has your organization established formal processes for terminating critical third-party relationships under both normal and adverse circumstances?
Explanation
Critical relationships with vendors, partners, and service providers require clear termination procedures to minimize security risks when these relationships end. Without proper termination processes, organizations risk data breaches, service disruptions, or compliance violations during transitions.
This includes procedures for revoking access rights, retrieving assets, transferring data, and ensuring contractual obligations are fulfilled under both planned and emergency scenarios.
Evidence could include documented termination procedures for critical relationships, offboarding checklists specific to third parties, contract clauses addressing termination conditions, and records of previous relationship terminations that demonstrate the process in action.
Implementation Example
Establish processes for terminating critical relationships under both normal and adverse circumstances
ID: GV.SC-10.113
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

