Establish, implement, and maintain information security controls for the supply chain.

CONTROL ID
13109
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Third Party and supply chain oversight, CC ID: 08807

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Where a licensed corporation is keeping only part of its Relevant Information with the EDSP (whether due to data sensitivity concerns or otherwise), it should put in place controls to prevent the migration of Relevant Information to the EDSP without proper authorisation. (16., Circular to Licensed Corporations - Use of external electronic data storage)
  • the EDSP's internal governance for the safeguard of the licensed corporation's Regulatory Records (where Regulatory Records are kept with the EDSP), and may include assessing the physical security of the storage facilities, the type of hosting (ie, whether it is dedicated or shared hardware), securi… (12.(a), Circular to Licensed Corporations - Use of external electronic data storage)
  • An institution should be proactive in identifying and specifying requirements for confidentiality and security in the outsourcing arrangement. An institution should take the following steps to protect the confidentiality and security of customer information: (5.6.2, Guidelines on Outsourcing)
  • Review and monitor the security practices and control processes of the service provider on a regular basis, including commissioning audits or obtaining periodic expert reports on confidentiality, security adequacy and compliance in respect of the operations of the service provider, and requiring the… (5.6.2 (d), Guidelines on Outsourcing)
  • Periodic reviews, at least on an annual basis, on all material outsourcing arrangements. This is to ensure that the institution's outsourcing risk management policies and procedures, and these Guidelines, are effectively implemented. Such reviews should ascertain the adequacy of internal risk manage… (5.8.2 (d), Guidelines on Outsourcing)
  • an assessment of the impact of the ICT outsourcing on the risk management of the institution related to the use of service providers (e.g. cloud service providers) and their services during the procurement process that is documented and is taken into account by senior management or the management bo… (Title 3 3.3.4(e) 60.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or r… (4.13.2 83, Final Report on EBA Guidelines on outsourcing arrangements)
  • requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framew… (Art. 30.3. ¶ 1(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The security-relevant tasks covered by the external service provider and the security-relevant tasks covered by the own security management must be clarified. The following questions should be clarified in detail before involving external service providers: (§ 8.3.7 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • To which target objects and to which information does the service provider have access? On the one hand it should be considered which target objects and information are focussed by provisioning of services, but on the other hand it also should be considered which target objects and information can b… (§ 8.3.7 ¶ 3 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Ensuring the protection of information which can be accessed by the service providers and/or suppliers of the cloud provider (subcontractors) and monitoring the services and security requirements agreed upon. (Section 5.12 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • The PRA expects firms to implement appropriate measures to protect outsourced data and set them out in their outsourcing policy (see Chapter 4) and, where appropriate, in their written agreements for material outsourcing (see Chapter 6). (§ 7.10, SS2/21 Outsourcing and third party risk management, March 2021)
  • Where a material outsourcing or third party agreement involves the transfer of or access to data, the PRA expects firms to define, document, and understand their and the service provider's respective responsibilities in respect of that data and take appropriate measures to protect them. (§ 7.2, SS2/21 Outsourcing and third party risk management, March 2021)
  • sharing data with third parties, including but not limited to as part of an outsourcing arrangement. (§ 7.5 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • measurement and evaluation of process performance; (§ 8.2.3.2(a), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • measurement and evaluation of the effectiveness of services and service components in meeting the service requirements. (§ 8.2.3.2(b), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization shall define and apply relevant controls for other parties from the following: (§ 8.2.3.2, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization shall agree and implement information security controls to address information security risks related to external organizations. (§ 8.7.3.2 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • When determining controls, the organization should also take into account controls needed for services from outside suppliers of e.g. applications, processes and functions. Typically, these controls are mandated by entering information security requirements in the agreements with these suppliers, in… (§ 6.1.3 Guidance ¶ 8, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Minimum cybersecurity practices for critical external dependencies designed to meet the objectives of the Cyber Risk Management Program or Cyber Supply Chain Risk Management Plan are identified and documented. (DM.ED-6, CRI Profile, v1.2)
  • Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate… (§ 252.204-7012(b)(3), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • Document and provide assistance for implementing the security-related controls for the Interface Agency and its users. (§ 3.2.8 ¶ 1 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Determine whether management of the information security program is appropriate and supports the institution's ITRM process, integrates with lines of business and support functions, and integrates third-party service provider activities with the information security program. (App A Objective 3, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether the information security program is integrated with the institution's lines of business, support functions, and management of third parties. (App A Objective 2.1.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should develop and implement an information security program that does the following: - Supports the institution's IT risk management (ITRM) process by identifying threats, measuring risk, defining information security requirements, and implementing controls. - Integrates with lines of … (II Information Security Program Management, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services]. (SR-3(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined Operations Security (OPSEC) controls]. (SR-7 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services]. (SR-3(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined Operations Security (OPSEC) controls]. (SR-7 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Draft and publish supply chain security and risk management documents. (T0551, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service. (SA-12(9) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services]. (SR-3(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [Assignment: organization-defined controls]. (SR-3(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined Operations Security (OPSEC) controls]. (SR-7 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services]. (SR-3(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [Assignment: organization-defined controls]. (SR-3(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined Operations Security (OPSEC) controls]. (SR-7 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service. (SA-12(9) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • If the processes provided by the third party service organization is significant to an Agency's internal control objectives, then the Agency is responsible for establishing user Agency controls that complement the service organization's controls. Management still retains overall responsibility and a… (Section III (B1) ¶ 1 Bullet 2 Management's Responsibility for Establishing User Controls., OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • SECURE GLOBAL SUPPLY CHAINS FOR INFORMATION, COMMUNICATIONS, AND OPERATIONAL TECHNOLOGY PRODUCTS AND SERVICES (STRATEGIC OBJECTIVE 5.5, National Cybersecurity Strategy)
  • SECURE GLOBAL SUPPLY CHAINS FOR INFORMATION, COMMUNICATIONS, AND OPERATIONAL TECHNOLOGY PRODUCTS AND SERVICES (STRATEGIC OBJECTIVE 5.5, National Cybersecurity Strategy (Condensed))
  • Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on … (§ 500.11 Third Party Service Provider Security Policy (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Each covered entity shall implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. Such policies and procedures shall be based on the risk assessment of the covered en… (§ 500.11 Third-Party Service Provider Security Policy (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)