I. Supply Chain Management

This domain covers the processes and controls you have in place to ensure the security risk from your supply chain is mitigated.

01) Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation?

Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that covers all of the requirements of the relevant data protection regulations (e.g. GDPR, Australian Privacy Act, US State Law).

Tags: Supply Chain Management, Formal Contracts, GDPR

02) Does your organisation have formal agreements in place that have appropriate security clauses, including a right to audit and mandatory adherence to security policies?

Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that contains appropriate security clauses including the right to audit and mandatory adherence to appropriate security policies.

Tags: Supply Chain Management, Trickle Down Security

03) Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating?

Answer yes if your organisation assigns each supplier a criticality rating that is based on a corresponding business impact assessment.

Tags: Supply Chain Management, Criticality, Business Impact Assessment

04) Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet?

Answer yes if your organisation has documented the baseline level of security controls that it expects its suppliers of different criticalities to adhere to. The Risk Ledger platform can be used for this - get in touch!

Tags: Supply Chain Management, Supplier Security Policy

05) Does your organisation conduct security due diligence against suppliers before entering into a contract?

Answer yes if your organisation checks that each supplier has the required level of security controls in place before it enters into a contract with them. The Risk Ledger platform can be used for this - get in touch!

Tags: Supply Chain Management, Security Due Diligence

06) Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?

Answer yes if your organisation checks that suppliers are continually meeting their security requirements whilst you are in contract with them, through a regular assurance process (e.g. quarterly, annually). Please give details of your current process. The Risk Ledger platform can make this easier for you - get in touch!

Tags: Supply Chain Management, Security Assurance Programme