Conduct all parts of the supply chain due diligence process.


CONTROL ID
08854
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Third Party and supply chain oversight, CC ID: 08807

This Control has the following implementation support Control(s):
  • Identify all service providers in the supply chain., CC ID: 12213
  • Establish, implement, and maintain deduplication procedures for third party services., CC ID: 13915
  • Assess third parties' relevant experience during due diligence., CC ID: 12070
  • Assess third parties' legal risks to the organization during due diligence., CC ID: 12078
  • Assess third parties' business continuity capabilities during due diligence., CC ID: 12077
  • Assess third parties' breach remediation status, as necessary, during due diligence., CC ID: 12076
  • Assess third parties' abilities to provide services during due diligence., CC ID: 12074
  • Assess third parties' financial stability during due diligence., CC ID: 12066
  • Assess third parties' use of subcontractors during due diligence., CC ID: 12073
  • Assess third parties' insurance coverage during due diligence., CC ID: 12072
  • Assess the third parties' reputation during due diligence., CC ID: 12068
  • Disallow engaging service providers that are restricted from performing their duties., CC ID: 12214
  • Collect evidence of each supplier's supply chain due diligence processes., CC ID: 08855
  • Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements., CC ID: 00359
  • Assess third parties' compliance environment during due diligence., CC ID: 13134
  • Determine third party compliance with third party contracts., CC ID: 08866
  • Quarantine non-compliant material., CC ID: 08867
  • Review the information collected about each supplier for the supply chain due diligence report., CC ID: 08856


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • legal due diligence is performed if AAS involves personal data privacy concerns (e.g. when a customer's personal data needs to be transmitted to, or stored by, another institution especially if it is outside Hong Kong) so as to identify any need for disclosure or obtaining of customer consent. Moreo… (§ 6.3.3(iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • legal due diligence is undertaken to ascertain that any applicable local or overseas legal or regulatory requirements have been complied with (especially if AIs partner with overseas platforms/portals), including those relating to personal data privacy if customers' personal data would be transmitte… (§ 7.2.2(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • The licensed corporation should conduct proper initial due diligence on the EDSP and its controls relating to its infrastructure, personnel and processes for delivering its data storage services, as well as regular monitoring of the EDSP's service delivery, in each case commensurate with the critica… (12., Circular to Licensed Corporations - Use of external electronic data storage)
  • When entrusting a specified system, the financial institution itself must evaluate the contractor. (C20.3. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Enterprises need to be particular in choosing a provider. Reputation, history and sustainability should all be factors to consider. Sustainability is of particular importance to ensure that services will be available and data can be tracked. (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 2 ¶ 7 a., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Given that control, security, legal issues on cloud computing are still evolving, a bank needs to exercise caution and carry out necessary due diligence and assess the risks comprehensively while considering cloud computing. (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 2 ¶ 9, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Due diligence undertaken during the assessment process should be documented and re-performed periodically as part of the monitoring and control processes of outsourcing arrangements. The due diligence process may vary depending on the nature, and extent of risk of the arrangement and impact to the i… (5.4.5, Guidelines on Outsourcing)
  • Perform comprehensive pre- and post- implementation reviews of new outsourcing arrangements or when amendments are made to the outsourcing arrangements. If an outsourcing arrangement is materially amended, a comprehensive due diligence of the outsourcing arrangement should also be conducted. (5.8.2 (f), Guidelines on Outsourcing)
  • The types of risks in CS that confront institutions are not distinct from that of other forms of outsourcing arrangements. Institutions should perform the necessary due diligence and apply sound governance and risk management practices articulated in this set of guidelines when subscribing to CS. (6.6, Guidelines on Outsourcing)
  • Institutions should be aware of CS' typical characteristics such as multi-tenancy, data commingling and the higher propensity for processing to be carried out in multiple locations. Hence, institutions should take active steps to address the risks associated with data access, confidentiality, integr… (6.7, Guidelines on Outsourcing)
  • The board of directors and senior management should fully understand risks associated with IT outsourcing. Before a service provider is appointed, due diligence should be carried out to determine its viability, capability, reliability, track record and financial position. (§ 5.1.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should establish standards and procedures for vendor evaluation and selection to ensure the selected vendor is qualified and able to meet its project requirements and deliverables. The level of assessment and due diligence performed should be commensurate with the criticality of the project d… (§ 5.3.1, Technology Risk Management Guidelines, January 2021)
  • Understand the features and limitations of the solution (including plugins) processing personal data, before putting it into use. (Annex A1: ICT Outsourcing 62 iv., Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • APRA-regulated entities often place reliance on information security capabilities of third parties and related parties to provide a targeted information security capability, or as part of a wider service-provision arrangement. Accordingly, entities would have a view as to the sufficiency of resource… (17., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Further to section 5.2 of the EBA SREP Guidelines, competent authorities should assess whether the institution's ICT outsourcing policy and strategy considers, where relevant, the impact of ICT outsourcing on the institution's business and business model. (Title 2 2.3 29., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • due diligence checks on prospective service providers, including the measures required under Section 12.3; (4.7 42(c)(iv), Final Report on EBA Guidelines on outsourcing arrangements)
  • undertake appropriate due diligence on the prospective service provider in accordance with Section 12.3; (4.12 61(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • its business model, nature, scale, complexity, financial situation, ownership and group structure; (4.12.3 71(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function; (Art. 28.4.(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • undertake all due diligence on prospective ICT third-party service providers and ensure throughout the selection and assessment processes that the ICT third-party service provider is suitable; (Art. 28.4.(d), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • the lack of real alternatives, even partial, due to the limited number of ICT third-party service providers active on a specific market, or the market share of the relevant ICT third-party service provider, or the technical complexity or sophistication involved, including in relation to any propriet… (Art. 31.2.(d)(i), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • difficulties in relation to partially or fully migrating the relevant data and workloads from the relevant ICT third-party service provider to another ICT third-party service provider, due either to significant financial costs, time or other resources that the migration process may entail, or to incr… (Art. 31.2.(d)(ii), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • assess if supervisory conditions for contracting are met; (Art. 28.4.(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider established in a third country, financial entities shall, in addition to the considerations referred to in the second subparagraph, also conside… (Art. 29.2. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The security requirements relevant to the IT service are determined: (1.2.4 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • The PRA expects firms to conduct appropriate due diligence on the potential service provider before entering into an outsourcing arrangement, and to identify a suitable alternative or back-up providers where available. If no alternative or back-up providers for a material outsourcing arrangement are… (§ 5.18, SS2/21 Outsourcing and third party risk management, March 2021)
  • perform appropriate and proportionate due diligence on all potential service providers; and (§ 5.1 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • safety and soundness, including its: (§ 5.11 Bullet 2 Sub-Bullet 4, SS2/21 Outsourcing and third party risk management, March 2021)
  • business model, complexity, financial situation, nature, ownership structure, and scale; (§ 5.19 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • due diligence, materiality assessments, and risk assessments of third-parties outside their group undertaken by and on behalf of the whole firm provided that they take into account their UK regulatory obligations (see Chapter 5); (§ 3.19 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • The downstream company should assess if the smelters and refiners have conducted all parts of the due diligence process for supply chains of minerals from conflict-affected and high-risk areas. (Supplement on Tin, Tantalum, and Tungsten Step 2: II.C, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Downstream companies should request verification that the refiner conducted due diligence, when the gold refiner is identified. (Supplement on Gold Step 1: § II.E.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The downstream company should assess if refiners have conducted all parts of the due diligence process for supply chains of gold from conflict-affected and high-risk areas. (Supplement on Gold Step 2: § III.C, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine policies and procedures to verify that processes are defined for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine evidence and interview responsible personnel to verify the process for engaging TPSPs includes proper due diligence prior to engagement. (12.8.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. (12.8.3, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of… (CIS Control 15: Safeguard 15.5 Assess Service Providers, CIS Controls, V8)
  • Principle: Firms should manage cybersecurity risk that can arise across the lifecycle of vendor relationships using a risk-based approach to vendor management. Effective practices to manage vendor risk include: - performing pre-contract due diligence on prospective service providers; - establishing … (Vendor Management, Report on Cybersecurity Practices)
  • Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls. (Domain 4: Assessment Factor: Relationship Management, DUE DILIGENCE Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Oversees management processes for approving third-party providers that include an assessment of financial condition and IT security posture of the third party, including on cybersecurity. (App A Objective 2:2 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Has a process to assess whether a third party's actions may negatively affect the institution (e.g., a review of the third-party plans to continue offering the necessary products or services contracted by the institution). (App A Objective 4:7 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Conducting initial due diligence and ongoing monitoring to fully understand the connections and mitigating controls in place between the financial institution and its third-party providers. (App A Objective 12:8 g., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Customer application. (App A Tier 2 Objectives and Procedures N.3 Bullet 1 Sub-Bullet 3, Sub-Sub Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The Agencies' supervisory approach to cross-border outsourcing emphasizes the responsibility of the serviced financial institution to conduct adequate due diligence, manage risks appropriately, comply with applicable U.S. and foreign laws and regulations, and ensure access to critical information wi… (Supervision of Foreign-Based TSP Program ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Financial institutions should oversee their TSPs and perform due diligence in selecting their third-party servicers, including a review of the risk management systems used by the TSPs. Such reviews should include measures taken by the TSPs to protect information about financial institutions' custome… (Risk Management ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Finally, the enterprise will complete the procurement step by releasing a statement of work (SOW), performance work statement (PWS), or statement of objective (SOO) for the release of a request for proposal (RFP) or request for quotes (RFQ). Any bidders responding to the RFP or RFQ should be evaluat… (3.1.2. ¶ 7, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the inform… (SA-12(11) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service. (SA-12(8) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ [Selection (one or more): organizational analysis, independent third-party analysis, organizational testing, independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organizatio… (SR-6(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ [Selection (one or more): organizational analysis, independent third-party analysis, organizational testing, independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organizatio… (SR-6(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service. (SA-12(8) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the inform… (SA-12(11) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships (GV.SC-06, The NIST Cybersecurity Framework, v2.0)
  • Senior management must verify that due diligence is conducted on potential third parties and report the results to the Board of Directors when using third parties that involve critical activities. ("Senior Bank Management" Bullet 4, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Employees who directly manage third party relationships should conduct due diligence on the third parties and report the due diligence results to senior management. ("Bank Employees Who Directly Manage Third-Party Relationships" Bullet 1, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)