Establish and maintain a supply chain due diligence report.
CONTROL ID 08824
CONTROL TYPE Business Processes
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Third Party and supply chain oversight, CC ID: 08807
This Control has the following implementation support Control(s):
Follow reliable due diligence processes when creating the annual supply chain due diligence report., CC ID: 08826
Disseminate and communicate supply chain due diligence report information to the public., CC ID: 08827
Submit the supply chain due diligence report., CC ID: 08828
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Due diligence undertaken during the assessment process should be documented and re-performed periodically as part of the monitoring and control processes of outsourcing arrangements. The due diligence process may vary depending on the nature, and extent of risk of the arrangement and impact to the i… (5.4.5, Guidelines on Outsourcing)
The programme takes different profiles into account and includes further information for posts and employees who have extensive authorisations or access to sensitive data. External employees of service providers and suppliers of the cloud provider, who contribute to the development or operation of t… (Section 5.3 HR-03 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
The organization may consider having upstream companies cooperate in building the capabilities of suppliers to conduct due diligence for mineral supply chains from conflict-affected and high-risk areas as part of its risk mitigation measures. (Annex III - Table Supply Chain Policy - Bribery and Fraudulent Misrepresentation on Mineral Origin, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
When reviewing information provided by the institution's third-party providers, determine the adequacy of third-party provider audit reports in terms of scope, independence, expertise, frequency, and corrective actions taken on identified issues. Work with the examiner reviewing the third-party mana… (App A Objective 12:17, FFIEC Information Technology Examination Handbook - Management, November 2015)