Categorize all suppliers in the supply chain management program.


CONTROL ID
00792
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a supply chain management program., CC ID: 11742

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • External auditors should review system specifications to ensure that master data on customers, suppliers, and others are maintained and managed. (Practice Standard § III.4(2)[2].C.b, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • Establish multi-disciplinary outsourcing management groups with members from different risk and internal control functions including legal, compliance and finance, to ensure that all relevant technical issues and legal and regulatory requirements are met. The institution should allocate sufficient r… (5.8.2 (b), Guidelines on Outsourcing)
  • intragroup outsourcing arrangements, outsourcing arrangements within the same institutional protection scheme (including entities fully owned individually or collectively by institutions within the institutional protection scheme) and outsourcing to entities outside the group; and (4.7 43(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • outsourcing to service providers located within a Member State and third countries. (4.7 43(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should establish whether an arrangement with a third party falls under the definition of outsourcing. Within this assessment, consideration should be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a rec… (4.3 26, Final Report on EBA Guidelines on outsourcing arrangements)
  • When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact… (4.1 19, Final Report on EBA Guidelines on outsourcing arrangements)
  • As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriatel… (4.11 52, Final Report on EBA Guidelines on outsourcing arrangements)
  • the institutions, payment institutions and other firms within the scope of the prudential consolidation or institutional protection scheme, where applicable, that make use of the outsourcing; (4.11 55(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • whether or not the service provider or sub-service provider is part of the group or a member of the institutional protection scheme or is owned by institutions or payment institutions within the group or is owned by members of an institutional protection scheme; (4.11 55(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • a category assigned by the institution or payment institution that reflects the nature of the function as described under point (c) (e.g. information technology (IT), control function), which should facilitate the identification of different types of arrangements; (4.11 54(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • entire 'regulated activity', e.g. portfolio management; or (§ 5.12 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • 'internal control' or 'key function', unless the firm is satisfied that a defect or failure in performance would not adversely affect the relevant function. (§ 5.12 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization may consider identifying and verifying the identity of all customers, business partners, and suppliers as part of its risk mitigation measures. (Annex III - Table Supply Chain Policy - Money Laundering Bullet 2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The downstream company should identify the smelters and refiners in its supply chain. (Supplement on Tin, Tantalum, and Tungsten Step 2: II.A, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include the ownership and corporate structure. (Supplement on Gold Step 2: § I.C.3(h)(i), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include any related businesses, affiliates, parents, and subsidiaries. (Supplement on Gold Step 2: § I.C.3(h)(ii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include the use of reliable and independent information, data, or source documents to verify the company's identity. (Supplement on Gold Step 2: § I.C.3(h)(iii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include checking government watchlist information. (Supplement on Gold Step 2: § I.C.3(h)(iv), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include any affiliations with the government, military, political parties, criminal networks, and non-state armed groups. (Supplement on Gold Step 2: § I.C.3(h)(v), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include the ownership and corporate structure. (Supplement on Gold Step 2: § I.C.4(f)(i), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include any related businesses, affiliates, parents, and subsidiaries. (Supplement on Gold Step 2: § I.C.4(f)(ii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include the use of reliable and independent information, data, or source documents to verify the company's identity. (Supplement on Gold Step 2: § I.C.4(f)(iii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include checking government watchlist information. (Supplement on Gold Step 2: § I.C.4(f)(iv), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include any affiliations with the government, military, political parties, criminal networks, and non-state armed groups. (Supplement on Gold Step 2: § I.C.4(f)(v), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include the ownership and corporate structure. (Supplement on Gold Step 2: § II.C.3(a)(vii)(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include any related businesses, affiliates, parents, and subsidiaries. (Supplement on Gold Step 2: § II.C.3(a)(vii)(2), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include the use of reliable and independent information, data, or source documents to verify the company's identity. (Supplement on Gold Step 2: § II.C.3(a)(vii)(3), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include checking government watchlist information. (Supplement on Gold Step 2: § II.C.3(a)(vii)(4), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include any affiliations with the government, military, political parties, criminal networks, and non-state armed groups. (Supplement on Gold Step 2: § II.C.3(a)(vii)(5), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include the ownership and corporate structure. (Supplement on Gold Step 2: § II.C.3(b)(vi)(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include any related businesses, affiliates, parents, and subsidiaries. (Supplement on Gold Step 2: § II.C.3(b)(vi)(2), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include the use of reliable and independent information, data, or source documents to verify the company's identity. (Supplement on Gold Step 2: § II.C.3(b)(vi)(3), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include checking government watchlist information. (Supplement on Gold Step 2: § II.C.3(b)(vi)(4), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The identification of third party service providers that handle the gold or provide security at the mine sites and transportation routes should include any affiliations with the government, military, political parties, criminal networks, and non-state armed groups. (Supplement on Gold Step 2: § II.C.3(b)(vi)(5), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Verify that a list of service providers is maintained. (§ 12.8.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data, Version 2.0)
  • Verify that a list of service providers is maintained. (§ 12.8.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 2.0)
  • Verify that a list of service providers is maintained. (§ 12.8.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • Verify that a list of service providers is maintained. (§ 12.8.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Review policies and procedures and supporting documentation to verify a list of service providers is being maintained. (Testing Procedures § 12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Maintain a list of service providers. (§ 12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that a list of service providers is maintained. (§ 12.8.1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • A list of all service providers must be maintained. (PCI DSS Requirements § 12.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The organization should clearly identify the transaction role the supplier provides when the authorized supplier provides services which are not authorized by original manufacturer. (App B § B.2, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The security profile shall contain important details about business processes and information, including external suppliers used to support the local environment (e.g., outsource providers or cloud service providers). (CF.12.01.04d, The Standard of Good Practice for Information Security)
  • The external supplier security management process should include identifying and categorising all types of external supplier used by the organization, enterprise-wide. (CF.16.01.01a, The Standard of Good Practice for Information Security)
  • All external suppliers working with the organization should be identified (typically by business owners) and recorded in a register (or equivalent). (CF.16.01.02a, The Standard of Good Practice for Information Security)
  • All external suppliers working with the organization should be categorized from an Information Security perspective (e.g., as critical, important, or standard). (CF.16.01.02b, The Standard of Good Practice for Information Security)
  • Hardware / software should be acquired (e.g., purchased or leased) from approved suppliers (i.e., those with a proven record of providing robust and resilient equipment). (CF.16.02.04a, The Standard of Good Practice for Information Security)
  • The security profile shall contain important details about business processes and information, including external suppliers used to support the local environment (e.g., outsource providers or cloud service providers). (CF.12.01.04d, The Standard of Good Practice for Information Security, 2013)
  • Hardware / software should be acquired (e.g., purchased or leased) from approved suppliers (i.e., those with a proven record of providing robust and resilient equipment). (CF.16.02.04a, The Standard of Good Practice for Information Security, 2013)
  • The process for managing the information risks associated with external suppliers should include providing alternative arrangements in the event one or more external suppliers become unavailable. (CF.16.01.01i, The Standard of Good Practice for Information Security, 2013)
  • The external supplier security management process should include identifying and categorising all types of external supplier used by the organization, enterprise-wide. (CF.16.01.01b, The Standard of Good Practice for Information Security, 2013)
  • All external suppliers working with the organization should be identified (typically by business owners) and recorded in a register (or equivalent). (CF.16.01.03a, The Standard of Good Practice for Information Security, 2013)
  • All external suppliers working with the organization should be categorized from an Information Security perspective (e.g., as critical, important, or standard). (CF.16.01.03b, The Standard of Good Practice for Information Security, 2013)
  • Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could … (CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers, CIS Controls, V8)
  • Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise ch… (CIS Control 15: Safeguard 15.3 Classify Service Providers, CIS Controls, V8)
  • Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safegua… (CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy, CIS Controls, V8)
  • Most entities, including service organizations, outsource various functions to other organizations (vendors). The functions provided by these vendors may affect the delivery of services to user entities. When controls at the vendors are necessary in combination with the service organization's contro… (¶ 2.06, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Controls at the vendor are necessary, in combination with the service organization's controls, to provide reasonable assurance that the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria. (¶ 2.07 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The services provided by the vendor are likely to be relevant to report users' understanding of the service organization's system as it relates to the applicable trust services criteria. (¶ 2.07 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If services are provided to the service organization by other entities, evaluating the effect of those services on the service organization's achievement of its service commitments and system requirements and concluding whether those other entities are subservice organizations (paragraph 2.06) (¶ 2.04 Bullet 1 Sub-Bullet 7, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If services are provided to the service organization by other entities, evaluating the effect of those services on the service organization's achievement of its service commitments and system requirements and concluding whether those other entities are subservice organizations (paragraph 2.07) (¶ 2.05 Bullet 1 Sub-Bullet 8, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The services provided by the vendor are likely to be relevant to report users' understanding of the service organization's system as it relates to the applicable trust services criteria. (¶ 2.08 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Controls at the vendor are necessary, in combination with the service organization's controls, to provide reasonable assurance that the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria. (¶ 2.08 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If the service organization's controls alone provide reasonable assurance that its service commitments and system requirements are achieved, or if the service organization's monitoring of the vendor's services and controls is sufficient to provide reasonable assurance that its service commitments an… (¶ 2.09, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed earlier, a vendor is considered a subservice organization when controls performed by the subservice organization are necessary, in combination with the service organization's controls, to provide reasonable assurance that the service organization's service commitments and system require… (¶ 2.20, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Most entities, including service organizations, outsource various functions to other organizations (vendors). The functions provided by these vendors may affect the delivery of services to user entities. Although management can delegate responsibility for these functions, management retains responsi… (¶ 2.07, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Title IX of the Public Health Service Act (42 U.S.C. 299b-24), § 924(b)(1)(E)(i), is amended to state that a patient safety organization must certify that the entity shall fully disclose any financial, reporting, or contractual relationship between the entity and any provider that contracts with th… (§ 2(a)(5), Patient Safety And Quality Improvement Act Of 2005, Public Law 109-41, 109th Congress)
  • A medical device manufacturer shall establish and maintain requirements for contractors, consultants, and suppliers and maintain a record of acceptable contractors, consultants, and suppliers. (§ 820.50(a)(3), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Importers must ensure its business partners have developed security procedures to ensure the integrity of all shipments at the point of origin. Periodic reviews by importers of partners' facilities and processes should be conducted to ensure partners are maintaining the security requirements of the … (Point of Origin, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria)
  • The process to rank third-party service providers based on criticality, risk, and testing scope. (App A Objective 10:21a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The organization should be aware of and approve all third party service providers and should prohibit the assignment of contracts with third parties without the organization's consent. The organization should be notified if the service provider makes any subcontractor changes. The service provider c… (Pg 15, Pg 16, Exam Tier II Obj D.4, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The Agencies use the Risk-Based Examination Priority Ranking Program (RB-EPRP) in determining the overall level of risk a TSP presents to its client financial institutions. The Agencies also use the RB-EPRP to prioritize and establish the frequency of TSP examinations. The RB-EPRP ranks TSPs based on… (Risk-Based-Examination Priority Ranking ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • The service provider must document all security services that are currently outsourced. (Column F: SA-9(1), FedRAMP Baseline Security Controls)
  • Use third party experts to assist the internal policy evaluation team where additional skills and expertise is reasonable and appropriate. (§ 4.8.2 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The organization should use a diverse set of suppliers for smart grid services, components, systems, and technology products. (SG.SA-11 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use a diverse set of suppliers for Information Systems, components, products, and services. (App F § SA-12(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services. (PM-30(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services. (PM-30(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Suppliers are known and prioritized by criticality (GV.SC-04, The NIST Cybersecurity Framework, v2.0)