Establish, implement, and maintain supply chain due diligence requirements.


CONTROL ID: 08853
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain supply chain due diligence standards., CC ID: 08846

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The PRA expects firms to have regard to all applicable criteria in Table 5 below, both individually and in conjunction, when assessing the materiality of an outsourcing or third party arrangement not otherwise covered by paragraphs 5.8 and 5.9. Although in practice many material outsourcing and thir… (§ 5.13, SS2/21 Outsourcing and third party risk management, March 2021)
  • Select suppliers according to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimised with input from potential suppliers. (AI5.3 Supplier Selection, CobiT, Version 4.1)
  • The certified audit shall constitute a critical component of due diligence for establishing the source and chain of custody for conflict minerals. (§ 1502(b)(p)(1)(B), PUBLIC LAW 111-203, July 21 2010)
  • Some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight … (Bullet 4: Vendor Management, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing: (§ 500.11 Third Party Service Provider Security Policy (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to third-party service providers including to the extent applicable guidelines addressing: (§ 500.11 Third-Party Service Provider Security Policy (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)