Include risk management procedures in the supply chain management policy.
CONTROL ID
08811
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a supply chain management program., CC ID: 11742

This Control has the following implementation support Control(s):
  • Perform risk assessments of third parties, as necessary., CC ID: 06454
  • Re-evaluate risk assessments of third parties, as necessary., CC ID: 12158


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The Board of Directors and management of AIs should ensure that the proposed outsourcing arrangement has been subject to a comprehensive risk assessment (in respect of operational, legal and reputation risks) and that all the risks identified have been adequately addressed before launch. Specificall… (2.2.1, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • In any outsourcing arrangement, AIs should ensure that they have effective procedures for monitoring the performance of, and managing the relationship with, the service provider and the risks associated with the outsourced activity. (2.6.1, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • the EDSP's internal governance for the safeguard of the licensed corporation's Regulatory Records (where Regulatory Records are kept with the EDSP), and may include assessing the physical security of the storage facilities, the type of hosting (ie, whether it is dedicated or shared hardware), securi… (12.(a), Circular to Licensed Corporations - Use of external electronic data storage)
  • The board and senior management of an institution play pivotal roles in ensuring a sound risk management culture and environment. While an institution may delegate day-to-day operational duties to the service provider, the responsibilities for maintaining effective oversight and governance of outsou… (5.2.1, Guidelines on Outsourcing)
  • approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing arrangements and the policies that apply to such arrangements; (5.2.2 (a), Guidelines on Outsourcing)
  • performance, operational, internal control and risk management standards; (5.5.2 (b), Guidelines on Outsourcing)
  • In line with the BCM Guidelines, an institution should take steps to evaluate and satisfy itself that the interdependency risk arising from the outsourcing arrangement can be adequately mitigated such that the institution remains able to conduct its business with integrity and competence in the even… (5.7.2, Guidelines on Outsourcing)
  • An institution should establish a structure for the management and control of its outsourcing arrangements. Such a structure will vary depending on the nature and extent of risks in the outsourcing arrangements. As relationships and interdependencies in respect of outsourcing arrangements increase i… (5.8.1, Guidelines on Outsourcing)
  • Periodic reviews, at least on an annual basis, on all material outsourcing arrangements. This is to ensure that the institution's outsourcing risk management policies and procedures, and these Guidelines, are effectively implemented. Such reviews should ascertain the adequacy of internal risk manage… (5.8.2 (d), Guidelines on Outsourcing)
  • IT security risks need to be appropriately managed regardless of whether activities and associated IT assets are under the direct control of a regulated institution or have been outsourced to a service provider. Where a service provider (including a software vendor) has been engaged, the due diligen… (Attachment C ¶ 1, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • adequate staff, resources and competences to monitor and manage the ICT risks from the outsourced services. (Title 3 3.3.4(e) 60.d, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment ins… (4.5 32, Final Report on EBA Guidelines on outsourcing arrangements)
  • risk identification, assessment and management in accordance with Section 12.2; (4.7 42(c)(iii), Final Report on EBA Guidelines on outsourcing arrangements)
  • where operational tasks of internal control functions are outsourced (e.g. in the case of intragroup outsourcing or outsourcing within institutional protection schemes), exercise appropriate oversight and be able to manage the risks that are generated by the outsourcing of critical or important func… (4.6 39(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • operational risk, including conduct, information and communication technology (ICT) and legal risks; (4.4 31(b)(iii), Final Report on EBA Guidelines on outsourcing arrangements)
  • identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangement may contribute to reinforcing ICT concentration risk as referred to in Article 29; (Art. 28.4.(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • As part of their ICT risk management framework, financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, shall adopt, and regularly review, a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to … (Art. 28.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Policies and instructions for ensuring the protection of information accessed by other third parties (e. g. service providers and/or suppliers of the cloud provider), who contribute significant parts to the development or operation of the cloud service, are documented, communicated and provided acco… (Section 5.12 DLL-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The definition of the requirements is integrated into the risk management of the cloud provider. According to requirements OIS-07, they are checked at regular intervals for their appropriateness. (Section 5.12 DLL-01 Basic requirement ¶ 2, Cloud Computing Compliance Controls Catalogue (C5))
  • The processes for vendor due diligence and for assessing the materiality and risks of outsourcing arrangements (including notification to the PRA where required). (Table 4 Column 2 Row 2 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • The supply chain policy for all companies in the supply chain should ensure risks are adequately managed. (Supplement on Tin, Tantalum, and Tungsten Step 1: A.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Identify and mitigate risks relating to suppliers' ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure that contracts conform to universal business standards in accordance with legal and regulatory requirements. Risk management should further … (DS2.3 Supplier Risk Management, CobiT, Version 4.1)
  • Reviewing a third party’s key attributes, such as those listed above, will help an organization to establish a risk level for each third party involved in the development, operation, or maintenance of their CDE and help to prioritize those that appear to carry the highest level of risk. (§ 5.1 ¶ 4, Information Supplement: PCI DSS Risk Assessment Guidelines, Version 2.0)
  • The anti-counterfeit processes shall require a risk assessment plan and risk mitigation plan are developed for each procurement from other than the manufacturer or authorized supplier. (§ 4.1.3.d, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Risk mitigation methods should be used when supply chain traceability is not known or the documents appear to be suspect. (App C § C.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • risks associated with contractual compliance, including license compliance risk; and (Section 6.1.2 ¶ 1(c)(1)(d), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • If a cloud service provider uses cloud services of peer cloud service providers, the cloud service provider should ensure information security levels to its own cloud service customers are maintained or exceeded. When the cloud service provider provides cloud services based on a supply chain, the cl… (§ 15.1.3 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The entity assesses and manages risks associated with vendors and business partners. (CC9.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Cybersecurity training covers topics designed to minimize risks to or from interconnected parties. (PR.AT-3.3, CRI Profile, v1.2)
  • The organization manages cyber risks associated with external dependencies. (DM.ED-4, CRI Profile, v1.2)
  • Cybersecurity training covers topics designed to minimize risks to or from interconnected parties. (PR.AT-3.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. (SA-12 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The entity assesses and manages risks associated with vendors and business partners. (CC9.2, Trust Services Criteria)
  • The entity assesses and manages risks associated with vendors and business partners. (CC9.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Determine whether management identifies factors that may increase risk from supply chain attacks and responds with appropriate risk mitigation. Review whether management implements the following as appropriate: (App A Objective 6.19, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Incorporates a measurement and assessment of outsourced relationships in the risk identification process. (App A Objective 10:1 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Third-party management program. (App A Objective 10:2 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institutions engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and… (Retail Payment Systems Risk Management, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., FedRAMP Security Controls High Baseline, Version 5)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., FedRAMP Security Controls Low Baseline, Version 5)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Implementing C-SCRM requires enterprises to establish a coordinated team-based approach and a shared responsibility model to effectively manage cybersecurity risks throughout the supply chain. Enterprises should establish and adhere to C-SCRM-related policies, develop and follow processes (often cro… (2.3.1. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Terms and conditions that address the government, supplier, and other applicable third-party roles, responsibilities, and actions for responding to identified supply chain risks or risk incidents in order to mitigate risk exposure, minimize harm, and support timely corrective action or recovery from… (3.1.2. ¶ 11 Bullet 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • A critical first step is to ensure that there is a current and accurate inventory of the enterprise's supplier relationships, contracts, and any products or services those suppliers provide. This information allows for a mapping of these suppliers into strategically relevant groupings as determined … (3.1.1. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. (SA-12 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization protects against supply chain threats to the information system, system component, or information system service by employing {organizationally documented security safeguards} as part of a comprehensive, defense-in-breadth information security strategy. (SA-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service. (SA-12(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizational analysis} of {organizationally documented supply chain elements} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizational penetration testing} of {organizationally documented actors} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {independent third-party penetration testing} of {organizationally documented processes} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {independent third-party penetration testing} of {organizationally documented actors} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {independent third-party analysis} of {organizationally documented supply chain elements} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizational penetration testing} of {organizationally documented supply chain elements} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {independent third-party penetration testing} of {organizationally documented supply chain elements} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizational analysis} of {organizationally documented processes} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizational analysis} of {organizationally documented actors} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {independent third-party analysis} of {organizationally documented processes} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {independent third-party analysis} of {organizationally documented actors} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizational penetration testing} of {organizationally documented processes} associated with the information system, system component, or information system service. (SA-12(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization protects against supply chain threats to the information system, system component, or information system service by employing {organizationally documented security safeguards} as part of a comprehensive, defense-in-breadth information security strategy. (SA-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. (SA-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. (SA-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain. (SA-12(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and (SR-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. (SA-12 Control:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain. (SA-12(5) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight … (Bullet 4: Vendor Management, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • The third party management plan should discuss the inherent risks for all activities. ("Planning" Bullet 1, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)