Disseminate and communicate internal controls with supply chain members.


CONTROL ID
12416
CONTROL TYPE
Communicate
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain communication protocols., CC ID: 12245

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Firms should make outsourced and third party providers aware of relevant internal policies, including those on outsourcing, ICT, information security, or operational resilience. Where firms' policies include confidential or sensitive information, firms can omit or redact it and only share those sect… (§ 4.11, SS2/21 Outsourcing and third party risk management, March 2021)
  • Independent of the expectations on access, audit, and information rights set out later in this chapter, the Bank and PRA have a range of statutory information-gathering and investigatory powers, some of which may apply directly to outsourced service providers as well as firms. The PRA expects firms … (§ 8.1, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization communicates with external parties regarding matters affecting the functioning of internal control. (§ 3 Principle 15 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • As applicable, the organization should consider how external providers and outsourced processes can affect its ability to manage its environmental aspects and fulfil its compliance obligations. An organization should establish operational controls that are needed, such as documented procedures, cont… (8.1.2 ¶ 6, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The entity communicates with external parties regarding matters affecting the functioning of internal control. (CC2.3 ¶ 1 COSO Principle 15:, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • When a service organization uses a subservice organization, the service organization may need to implement controls to achieve its service commitments and system requirements. The controls to be implemented may be communicated in an authoritative communication or as CUECs in a type 1 or type 2 repor… (¶ 3.89, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The entity communicates with external parties regarding matters affecting the functioning of internal control. (CC2.3 COSO Principle 15:, Trust Services Criteria)
  • The entity communicates with external parties regarding matters affecting the functioning of internal control. (CC2.3 ¶ 1 COSO Principle 15:, Trust Services Criteria, (includes March 2020 updates))
  • Receive information from the CGA (e.g., system updates) and disseminate it to appropriate Contractor employees. (§ 3.2.7 ¶ 1 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Coordinates its processes with third-party service providers, when used, to ensure seamless functionality to the entity's lines of business. (App A Objective 16:1c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • To successfully address evolving cybersecurity risks throughout the supply chain, enterprises need to engage multiple internal processes and capabilities, communicate and collaborate across enterprise levels and mission areas, and ensure that all individuals within the enterprise understand their ro… (3. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Tracks, documents, and disseminates to relevant supply ICT chain participants changes to the provenance; (PV-2c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The extent of an Agency's oversight of a service organization depends on the nature of the contract or agreement terms and conditions. The use of a third party provider needs to be considered for management's oversight and assessment of internal control based on risk and when the activity is signifi… (Section III (B1) ¶ 1 Bullet 3 Management's Responsibility for Oversight of Service Organizations., OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)