Has your organization implemented a formal supplier termination process that addresses data security and system access risks?
Explanation
When supplier relationships end, there are significant risks if access to systems and data isn't properly revoked, or if data transfer/destruction isn't managed securely. This question assesses whether your organization has formalized procedures to mitigate these risks during supplier offboarding.
Evidence could include a documented supplier termination procedure that covers: system access revocation timelines, data return/destruction requirements, final security assessments, and contractual obligations enforcement. This might be part of your vendor management policy or a standalone process document with associated checklists.
Implementation Example
Mitigate risks to data and systems created by supplier termination
ID: GV.SC-10.118
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

