ID.RA-08.173
Does your organization have a formal process for sharing vulnerability information with suppliers as specified in contractual agreements?
Explanation
This question assesses whether your organization has established protocols for exchanging vulnerability information with suppliers in accordance with contractual requirements. Effective vulnerability information sharing helps both parties address security issues promptly, reducing the risk window and potential impact of vulnerabilities in the supply chain. This includes sharing details about newly discovered vulnerabilities, mitigation strategies, and coordinated response actions. Evidence could include documented vulnerability sharing procedures, supplier contract clauses specifying information sharing requirements, communication logs demonstrating vulnerability information exchange, or a secure portal/platform used for sharing vulnerability information with suppliers.
Implementation Example
Conduct vulnerability information sharing between the organization and its suppliers following the rules and protocols defined in contracts
ID: ID.RA-08.173
Context
- Function
- ID: IDENTIFY
- Category
- ID.RA: Risk Assessment
- Sub-Category
- Processes for receiving, analyzing, and responding to vulnerability disclosures are established
