Include supply chain risk management procedures in the risk management program.

CONTROL ID: 13190
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

This Control has the following implementation support Control(s):
  • Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties., CC ID: 14712
  • Assign key stakeholders to review and approve supply chain risk management procedures., CC ID: 13199
  • Analyze supply chain risk management procedures, as necessary., CC ID: 13198


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangeme… (4.5 33, Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. (4.14 103, Final Report on EBA Guidelines on outsourcing arrangements)
  • the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); (4.6 40(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • A firm's risk assessment should balance any risks that the outsourcing arrangement may create or increase against any risks it may reduce or enable the firm to manage more effectively (for instance, a firm's resilience to disruption). The assessment should also take into account existing or planned … (§ 5.23, SS2/21 Outsourcing and third party risk management, March 2021)
  • The PRA considers that it is not sufficient for firms merely to negotiate adequate access, audit, and information rights; these must also be used when appropriate. The purpose of the rights outlined in this chapter is to support firms' identification, assessment, management, and mitigation of any ide… (§ 8.5, SS2/21 Outsourcing and third party risk management, March 2021)
  • identifying compliance risks and managing those compliance risks relating to third parties, such as suppliers, agents, distributors, consultants and contractors; (§ 5.3.4 ¶ 2 i), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization shall assess the alignment of service level targets or other contractual obligations for the external supplier against SLAs with customers, and manage identified risks. (§ 8.3.4.1 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization has integrated its external dependency management strategy into the overall cyber risk management plan. (DM.ED-1.1, CRI Profile, v1.2)
  • The organization has established policies, plans, and procedures to identify and manage cyber risks associated with external dependencies throughout those dependencies' lifecycles in a timely manner, including sector-critical systems and operations. (DM.ED-2.1, CRI Profile, v1.2)
  • The organization integrates external dependency management strategy into the overall strategic risk management plan. (DM.ED-1, CRI Profile, v1.2)
  • The organization has integrated its external dependency management strategy into the overall cyber risk management plan. (DM.ED-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization has established policies, plans, and procedures to identify and manage cyber risks associated with external dependencies throughout those dependencies' lifecycles in a timely manner, including sector-critical systems and operations. (DM.ED-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization has established and applies appropriate policies and controls to address the inherent risk of external dependencies to the enterprise and the sector, if appropriate. (DM.ED-4.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • In contrast, the service organization may design and implement control activities that address the risks represented by interactions with the vendor, or the service organization may have designed and implemented processes and procedures to monitor the activities of the vendor. If so, the vendor's co… (¶ 3.149, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Although a service organization can contract with a subservice organization to perform functions that form a portion of the service organization's system, it still retains obligations to user entities with regard to those functions. As a result, part of its system of internal control includes activi… (¶ 3.154, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Management's basis for its assertion usually relies heavily on monitoring of controls. Such monitoring activities typically include ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are ordinarily built into the normal recurring activities of the se… (¶ 2.52, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of Nonpublic Information, including the security of Information Systems and Nonpublic Information that are accessible to, or held by, Thi… (Section 4.C ¶ 1(2), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Management should evaluate the likelihood and impact of potential disruptions and events. As part of this evaluation, management should consider the geographical area where the entity operates. Additionally, management should consider the risks and threats that could affect the entity's third-party … (III.B Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Examiners should review the risk assessment and determine whether it addresses the impact and likelihood of disruptions of the entity's information services, technology, personnel, facilities, and services provided by third parties. Specifically, examiners should review whether the following types o… (III.B Action Summary ¶ 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: (App A Objective 2:8b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; (SR-1a.2, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; (SR-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and (RA-3(1)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and (RA-3(1)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; (SR-1a.2, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; (SR-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and (RA-3(1)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; (SR-1a.2, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; (SR-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • C-SCRM should be integrated into the enterprise-wide risk management process described in [NIST SP 800-39] and depicted in Figure 2-1. This process includes the following continuous and iterative steps: (2. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Tailor C-SCRM to the context of the individual system, and apply it throughout the SDLC. (Level 3 Operational Activities Bullet 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Integrating C-SCRM considerations into acquisition activities within every step of the procurement and contract management life cycle process is essential to improving management of cybersecurity risks throughout the supply chain. This life cycle begins with a purchaser identifying a need and includ… (3.1. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Level 2 roles include representatives of each mission and business process, such as program managers, research and development, and acquisitions/procurement. Level 2 C-SCRM activities address C-SCRM within the context of the enterprise's mission and business process. Specific strategies, policies, a… (2.3.3. ¶ 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Once the contract is executed, the enterprise should monitor for changes that alter its exposure to cybersecurity risks throughout the supply chain. Such changes may include internal enterprise or system changes, supplier operational or structural changes, product updates, and geopolitical or enviro… (3.1.2. ¶ 8, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • It is recommended that the C-SCRM PMO have the lead responsibility of coordinating with mission and business process and budget officials to build out and maintain a multi-year C-SCRM program budget that captures both recurring and non-recurring resource requirements and maps those requirements to a… (3.6. ¶ 8, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Implement a risk management hierarchy and risk management process (in accordance with NIST SP 800-39, Managing Information Security Risk [NIST SP 800-39]), including an enterprise-wide risk assessment process (in accordance with NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessments [NIST SP … (3.4.1. ¶1 Bullet 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; (SR-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; (SR-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; (SR-1a.2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; (SR-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; (SR-1a.2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; (SR-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Assess, respond to, and monitor supply chain risks associated with organizational systems and system components. (3.11.6e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders (ID.SC-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. (ID.SC Supply Chain Risk Management, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Interoperability frameworks or similar multi-party approaches are used to manage data processing ecosystem privacy risks. (ID.DE-P4, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; (SR-1a.2, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; (SR-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and (RA-3(1)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including threats to the security of information systems and nonpublic information that are accessible to or h… (Section 27-62-4(c)(2), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information, including, but not limited to, the security of information systems that are, and nonpublic information that is,… (Part VI(c)(3)(B), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Identify reasonably-foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of an information system or nonpublic information that a third-party service provider h… (§ 8604.(c)(2), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to or held by thir… (§431:3B-202(b)(2), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Identifying reasonably foreseeable internal or external threats that could result in a cybersecurity event, including threats to information systems and nonpublic information held or accessed by third party service providers. (Sec. 17.(2), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to or held by thir… (§2504.C.(2), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access to or transmission, disclosure, misuse, alteration or destruction of nonpublic information, including threats to the security of the licensee's information systems and nonpublic information that are… (§2264 3.B., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, th… (Sec. 555.(3)(b), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including threats to the security of information systems and nonpublic information that are accessible to, or … (§ 60A.9851 Subdivision 3(2), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, thi… (§ 83-5-807 (3)(b), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, thi… (§ 420-P:4 III.(b), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information accessible to, or held by, third-party… (26.1-02.2-03. 3.b., North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including threats to the security of information systems and nonpublic information that are accessible to, or … (Section 3965.02 (C)(2), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • identify reasonably foreseeable internal or external threats that could result in the unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information including the security of information systems and nonpublic information that are accessible to or held… (SECTION 38-99-20. (C)(2), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including threats to the security of information systems and nonpublic information accessible to or held by th… (§ 56-2-1004 (3)(B), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Identify reasonably foreseeable internal and external threats that could result in unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including nonpublic information that is accessible to or held by 3rd-party service providers of the lice… (§ 601.952(2)(a), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)