Does your organization have documented procedures for managing data leakage risks when terminating supplier relationships?
Explanation
When supplier relationships end, there's a risk that sensitive data may be retained by the supplier or improperly handled during the transition.
This question assesses whether your organization has formal processes to ensure data is either returned, securely destroyed, or properly transferred when a supplier relationship ends.
These procedures should include data identification, access revocation, contractual obligations enforcement, and verification of data removal.
Evidence could include a supplier offboarding policy document, termination clauses from supplier contracts addressing data handling, checklists used during supplier termination, or documentation of completed supplier termination processes showing data protection measures.
Implementation Example
Manage data leakage risks associated with supplier termination
ID: GV.SC-10.119
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

