Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements.


CONTROL ID: 08870
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain supply chain due diligence standards., CC ID: 08846

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; (4.7 42(c)(v), Final Report on EBA Guidelines on outsourcing arrangements)
  • identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. (4.12 61(e), Final Report on EBA Guidelines on outsourcing arrangements)
  • A smelter may be non-compliant if the supplying smelter refuses the audit, does not cooperate, or fails the audit. (§ A(I) Applicable to ¶ 3, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • A company receives an overall noncompliance result for audits past the initial audit where there are findings of not-conflict free minerals or materials that cannot be validated as being from conflict-free sources linked to level 3 countries. (§ A(I) Non-conforming material detection, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • A company that receives a noncompliance result will be exempted from participating in the conflict-free smelter program for 6 months and be removed from the conflict-free compliant smelters list. (§ A(I) Non-conforming material detection, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • Develop and manage procedures for vetting and auditing vendors for compliance with the privacy and data security policies and legal requirements (T0908, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and manage procedures for vetting and auditing vendors for compliance with the privacy and data security policies and legal requirements (T0908, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)