Establish, implement, and maintain a supply chain management program.
CONTROL ID
11742
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Third Party and supply chain oversight, CC ID: 08807

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts., CC ID: 00796
  • Terminate supplier relationships, as necessary., CC ID: 13489
  • Document and maintain supply chain processes., CC ID: 08816
  • Establish, implement, and maintain an exit plan., CC ID: 15492
  • Include contingency plans in the third party management plan., CC ID: 10030
  • Formalize client and third party relationships with contracts or nondisclosure agreements., CC ID: 00794
  • Document the organization's supply chain in the supply chain management program., CC ID: 09958
  • Establish, implement, and maintain Operational Level Agreements., CC ID: 13637
  • Establish, implement, and maintain Service Level Agreements with the organization's supply chain., CC ID: 00838
  • Categorize all suppliers in the supply chain management program., CC ID: 00792
  • Include risk management procedures in the supply chain management policy., CC ID: 08811
  • Establish, implement, and maintain a supply chain management policy., CC ID: 08808
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The other relevant controls include service level management, vendor management, capacity management and configuration management which are described in later chapters. Decommissioning and destruction controls need to be used to ensure that information security is not compromised as IT assets reach … (Critical components of information security 6) (iv), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A person who has commissioned a third party to transmit advertising information for profit on his or her behalf shall control and oversee the person to whom the transmission was commissioned to ensure that the person does not violate Article 50. (Article 50-3(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. (Article 25(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • In supervising an institution, MAS will review its implementation of these Guidelines, the quality of its board and senior management oversight and governance, internal controls and risk management with regard to managing outsourcing risks. (5.1.1, Guidelines on Outsourcing)
  • undertaking regular reviews of these outsourcing strategies and arrangements for their continued relevance, and safety and soundness. (5.2.2 (f), Guidelines on Outsourcing)
  • management and monitoring of service providers that defines the framework for overseeing the management of IT security risks by third parties; (¶ 27(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Competent authorities should assess whether the institution's outsourcing strategy, in line with the requirements of the CEBS outsourcing Guidelines (2006) and further to the requirement in paragraph 85 (d) of the EBA SREP Guidelines, adequately applies to ICT outsourcing, including intra-group outs… (Title 3 3.3.4(e) 59., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the appropriate monitoring and management of outsourcing arrangements. (4.10 51(e), Final Report on EBA Guidelines on outsourcing arrangements)
  • they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; (4.6 40(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • outsourcing and cloud computing. (§ 8.1 Subsection 5 ¶ 2 Bullet 15, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • If you have outsourced processes, are they appropriately controlled? (Operation ¶ 5, ISO 22301: Self-assessment questionnaire)
  • Other external procurement of IT services shall be managed in line with the strategies, taking account of the institution's risk assessment. The rendering of the service owed by the service provider shall be monitored in line with the risk assessment. (II.8.54, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Intragroup outsourcing is subject to the same requirements and expectations as outsourcing to service providers outside a firm's group and should not be treated as being inherently less risky. (§ 3.3, SS2/21 Outsourcing and third party risk management, March 2021)
  • The PRA recognises that new and growing firms frequently tend to rely more extensively on outsourcing and third party products and services given the benefits they can bring in terms of lower barriers to entry, cost savings, and in some cases increased operational resilience. However, to meet the Th… (§ 3.11, SS2/21 Outsourcing and third party risk management, March 2021)
  • Outsourcing arrangements by UK branches of third-country firms (third-country branches) are subject to the requirements in Chapter 7 of the Internal Governance of Third Country Branches Part of the PRA Rulebook (banks) and Conditions Governing Business Chapter 7 (insurers). (§ 3.15, SS2/21 Outsourcing and third party risk management, March 2021)
  • their overall reliance on third parties; and (§ 5.24 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • Firms should ensure that written agreements for non-material outsourcing arrangements include appropriate contractual safeguards to manage and monitor relevant risks. Moreover, regardless of materiality, firms should ensure that outsourcing agreements do not impede or limit the PRA's ability to effe… (§ 6.3, SS2/21 Outsourcing and third party risk management, March 2021)
  • appropriate monitoring and oversight of their intragroup outsourcing arrangements, including appropriate visibility of the whole firm's or parent's material sub-outsourced service providers and supply chain by internal control functions and, if applicable, other areas such as technology; (§ 3.18 Bullet 3, SS2/21 Outsourcing and third party risk management, March 2021)
  • The purpose of the supplier management practice is to ensure that the organization's suppliers and their performances are managed appropriately to support the seamless provision of quality products and services. This includes creating closer, more collaborative relationships with key suppliers to un… (5.1.13 ¶ 1, ITIL Foundation, 4 Edition)
  • Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Through observation, review of policies and procedures, and review of supporting documentation, verify that processes are implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data as follows: (12.8, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • The organization shall ensure that outsourced processes are controlled. (§ 8.1 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall ensure that outsourced processes and the supply chain are controlled. (§ 8.1 ¶ 3, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall ensure that outsourced processes are determined and controlled. (§ 8.1 ¶ 4, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall ensure that outsourced functions and processes are controlled. The organization shall ensure that its outsourcing arrangements are consistent with legal requirements and other requirements and with achieving the intended outcomes of the OH&S management system. The type and deg… (§ 8.1.4.3 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • the responsibilities and authorities within the organization for managing the outsourced processes and activities; and (Section 8.7 ¶ 3(c), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the implications of the mixed responsibilities involved (including the associated risks and how the mixed responsibilities can be effectively discharged with accountability for those responsible); (Section 8.7 ¶ 3(b), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • When the organization outsources any activities that can have an impact on the achievement of its IT asset management objectives, it shall assess the associated risks. The organization shall ensure that outsourced processes and activities are controlled. (Section 8.7 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. (§ 8.1 ¶ 4, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Review supply chain control and management system (stockpiling, storage, security, transportation and distribution arrangements) for medical and other essential supplies, including COVID-19 DCP and patient kit reserve in-country (Pillar 8 Step 2 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Review procurement processes (including importation and customs) for medical and other essential supplies, and encourage local sourcing to ensure sustainability (Pillar 8 Step 2 Action 2, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The organization's dependency management policies, plans, and procedures are regularly updated. (DM.ED-2.2, CRI Profile, v1.2)
  • The organization's dependency management policies, plans, and procedures have been reviewed and approved by appropriate organizational stakeholders. (DM.ED-2.3, CRI Profile, v1.2)
  • The organization ensures appropriate oversight and compliance with the external dependency strategy implementation. (DM.ED-1.3, CRI Profile, v1.2)
  • The organization's dependency management policies, plans, and procedures are regularly updated. (DM.ED-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization's dependency management policies, plans, and procedures have been reviewed and approved by appropriate organizational stakeholders. (DM.ED-2.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Regardless of whether the carve-out or inclusive method is selected, the description of the service organization's system and the scope of the service auditor's examination include the controls designed, implemented, and operated at the service organization to monitor the effectiveness of controls a… (¶ 3.50, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtaining an understanding of the procedures in place at the service organization to evaluate and monitor the implementation, suitability of design, and, in a type 2 examination, the operating effectiveness of the controls at the subservice organization (for example, evaluation of a service auditor'… (¶ 3.99 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtaining an understanding of the procedures in place at the service organization to evaluate and monitor the implementation, suitability of design, and in a type 2 examination, the operating effectiveness of the controls at the subservice organization (for example, evaluation of a service auditor's… (¶ 3.114 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Outsourcing of Criminal Justice Functions (§ 3.2.2 ¶ 1 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Board and senior management consideration of the entity's business objectives, including functions performed by affiliates and third-party service providers. (App A Objective 2:2a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management identifies internal and external roles and responsibilities for AIO activities and implements processes to oversee those activities performed by third-party service providers. Assess whether management appropriately assigned and defined the responsibility and oversight o… (App A Objective 7:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management maintains effective oversight of the entity's third-party service providers responsible for activities related to AIO functions. (III.E, "Oversight of Third-Party Service Providers") (App A Objective 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the financial institution's third-party management program to ascertain the extent and effectiveness of the oversight by the board of directors and management of risks involved in the financial institution's outsourced relationships. An effective third-party management program should incorpor… (App A Objective 12:14, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institutions should establish and maintain effective vendor and third-party management programs because of the increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the … (Vendor and Third-Party Management, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the vendor management program over the technology service providers offering new and emerging technologies for retail payment systems. Determine: (App A Tier 1 Objectives and Procedures Objective 11:2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Where technology service providers are used, determine whether RDC is included in the institution's vendor management program. (App A Tier 2 Objectives and Procedures N.4 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the adequacy of vendor management program over a service provider that provides a new and emerging retail payment technology. (Select one or more projects involving the development and deployment of a new and emerging retail payment technology and complete the following procedures.) (App A Tier 2 Objectives and Procedures O. ¶ 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Financial institutions should oversee their TSPs and perform due diligence in selecting their third-party servicers, including a review of the risk management systems used by the TSPs. Such reviews should include measures taken by the TSPs to protect information about financial institutions' custome… (Risk Management ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • AI risks and benefits from third-party entities are managed. (MANAGE 3, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Many C-SCRM processes can and should be built into existing program and operational activities and may be adequately performed using available funds. However, there may be a need for an influx of one-time resources to establish an initial C-SCRM program capability. For example, this might include th… (3.6. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Develop supply chain, system, network, performance, and cybersecurity requirements. (T0414, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight … (Bullet 4: Vendor Management, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • A licensee shall exercise due diligence in the selection of third-party service providers, conduct oversight of all third-party service provider arrangements, and require all third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure… (507F.5 1., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • vendor and Third Party Service Provider management; (§ 500.03 Cybersecurity Policy (l), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • vendor and third-party service provider management; (§ 500.3 Cybersecurity Policy (l), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)