Establish, implement, and maintain a system of transparency and controls over the entire supply chain.


CONTROL ID: 08879
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain., CC ID: 08878

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • For the avoidance of doubt, controls similar to the above should be implemented by an AI if it partners with another institution offering AAS similar to that in subsection 6.3.1(ii). (§ 6.3.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Each party shall make the procedures for enforcing intellectual property rights, the names of the competent authorities responsible for enforcing the procedures, and the point of contact for assistance available to the public. (Art 30 ¶ 1(a), Anti-Counterfeiting Trade Agreement)
  • Each party shall make relevant laws, regulations, administrative rulings, and judicial decisions available to the public. (Art 30 ¶ 1(b), Anti-Counterfeiting Trade Agreement)
  • Each party shall make its efforts for an effective system of enforcement and protection of intellectual property rights available to the public. (Art 30 ¶ 1(c), Anti-Counterfeiting Trade Agreement)
  • the risk that long and complex chains of sub-outsourcing reduce the ability of institutions or payment institutions to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them. (4.12.2 67(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measur… (4.12.2 68(e), Final Report on EBA Guidelines on outsourcing arrangements)
  • The organization should establish a system of controls and transparency over the mineral supply chain. (Supplement on Tin, Tantalum, and Tungsten Step 1: C, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Downstream companies should implement a supply chain transparency system that identifies the smelters and refiners in the mineral supply chain and collects the identification of all countries of origin and the transporting and transiting for minerals in each smelter's or refiner's supply chain. (Supplement on Tin, Tantalum, and Tungsten Step 1: C.5(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Companies in the supply chain should establish a system of controls, transparency, and information collection over the gold supply chain. (Supplement on Gold Step 1: § I.C, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Downstream companies should enhance the internal transparency system, information collection, and control over the gold supply chain by including disaggregated information and regularly updated information that tracks refiners' identities and the due diligence findings. (Supplement on Gold Step 3: § II.B, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Formalise the supplier relationship management process for each supplier. The relationship owners should liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through SLAs). (DS2.2 Supplier Relationship Management, CobiT, Version 4.1)
  • The organization shall require suppliers to revise the written quotation and provide an updated risk assessment, whenever the supply source changes. (§ 4.2.2 ¶ 1.e, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Changes to the supply source or traceability shall be approved by the customer and made before the parts are shipped. (§ 4.2.3.3, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The documented material control processes shall not alter, redact, or obliterate any information from the original manufacturer's labeling relevant to supply chain traceability. (§ 4.2.8 ¶ 1.a, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • As applicable, the organization should consider how external providers and outsourced processes can affect its ability to manage its environmental aspects and fulfil its compliance obligations. An organization should establish operational controls that are needed, such as documented procedures, cont… (8.1.2 ¶ 6, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output; (8.4.2 ¶ 2(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall ensure that outsourced processes are controlled (see 8.4). (8.1 ¶ 4, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization has established and applies appropriate policies and controls to address the inherent risk of external dependencies to the enterprise and the sector, if appropriate. (DM.ED-4.2, CRI Profile, v1.2)
  • The organization ensures appropriate oversight and compliance with the external dependency strategy implementation. (DM.ED-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization has established and applies appropriate policies and controls to address the inherent risk of external dependencies to the enterprise and the sector, if appropriate. (DM.ED-4.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization must make all counterfeit product information available to all levels of the supply chain to prevent further counterfeiting. (§ 3.d, DoD Instruction 4140.67, DoD Counterfeit Prevention Policy)
  • For financial institutions directly involved in, or outsource, bankcard acquiring (merchant processing) services, determine the appropriateness of controls over merchant services and ISO/MSP relationships. Consider the adequacy of: (App A Tier 1 Objectives and Procedures Objective 6:9, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Evaluate whether card issuance processing is outsourced to a third party. If yes, evaluate the vendor management controls in place to govern the activities listed in steps 3 and 4. (App A Tier 1 Objectives and Procedures Objective 6:2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Credit approval and monitoring procedures for all new and established merchant accounts. Consider use of Dun & Bradstreet reports, bank statements and credit reports. (App A Tier 1 Objectives and Procedures Objective 6:9 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Evaluating complementary user entity controls included in the SOC 1 report to determine that the appropriate controls are in place to support the activities of the service provider (Section III (B1) ¶ 1 Bullet 4 Sub-bullet 5, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)