Assign the appropriate individuals or groups to oversee and support supply chain due diligence.


CONTROL ID
08861
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain supply chain due diligence standards., CC ID: 08846

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Responsibility for monitoring the service provider and the outsourced activity should be assigned to staff with appropriate expertise. (2.6.3, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • An institution should assess all relevant aspects of the service provider, including its capability to employ a high standard of care in the performance of the outsourcing arrangement as if the service is performed by the institution to meet its obligations as a regulated entity. The due diligence s… (5.4.2, Guidelines on Outsourcing)
  • All businesses in the supply chain may consider implementing a department to oversee and support the due diligence for responsible supply chains of minerals from conflict-affected and high-risk areas. (Supplement on Tin, Tantalum, and Tungsten Step 4: B.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The service provider shall have a designated individual assigned for each supplier to be responsible for managing the relationship, the contract, and supplier performance. (§ 7.2 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall have one or more designated individuals responsible for managing the relationship, contracts and performance of external suppliers. (§ 8.3.4.1 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The entity assigns responsibility and accountability for the management of risks and changes to services associated with vendors and business partners. (CC9.2 ¶ 3 Bullet 4 Assigns Responsibility and Accountability for Managing Vendors and Business Partners, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Roles and responsibilities for external dependency management are defined and assigned. (DM.ED-3, CRI Profile, v1.2)
  • Roles and responsibilities for external dependency management are defined and assigned. (DM.ED-3.1, CRI Profile, v1.2)
  • Roles and responsibilities for external dependency management are defined and assigned. (DM.ED-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Assigning responsibility and accountability for the management of risks associated with vendors and business partners (¶ 3.150 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. (CC9.2 Assigns Responsibility and Accountability for Managing Vendors and Business Partners, Trust Services Criteria)
  • The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. (CC9.2 ¶ 2 Bullet 3 Assigns Responsibility and Accountability for Managing Vendors and Business Partners, Trust Services Criteria, (includes March 2020 updates))
  • The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the inform… (SA-12(11) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ [Selection (one or more): organizational analysis, independent third-party analysis, organizational testing, independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organizatio… (SR-6(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ [Selection (one or more): organizational analysis, independent third-party analysis, organizational testing, independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organizatio… (SR-6(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the inform… (SA-12(11) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • designate a senior member of the Covered Entity's personnel responsible for direction and oversight of the Third Party Service Provider; and (§ 500.04 Chief Information Security Officer (a)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • designate a senior member of the covered entity's personnel responsible for direction and oversight of the third-party service provider; and (§ 500.4 Cybersecurity Governance (a)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)