J. Supply Chain Management
This domain covers the processes and controls you have in place to ensure the security risk from your supply chain is mitigated.
00) Does your organisation share client data with any third parties, or rely on any third parties to deliver critical services?
Answer yes if your organisation shares any client data with any third parties, which may include sub-processors, or if your organisation relies on any third parties to deliver critical services.
01) Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation?
Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that covers all of the requirements of the relevant data protection regulations (e.g. GDPR, Australian Privacy Act).
02) Does your organisation have formal agreements in place that have appropriate security clauses, including a right to audit and mandatory adherence to security policies?
Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that contains appropriate security clauses including the right to audit and mandatory adherence to appropriate security policies.
03) Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating?
Answer yes if your organisation assigns each supplier with a criticality rating that is based on a corresponding business impact assessment.
04) Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet?
Answer yes if your organisation has documented the baseline level of security controls that it expects its suppliers of different criticalities to adhere to. The Risk Ledger platform can be used for this - get in touch!
05) Does your organisation conduct security due diligence against suppliers before entering into a contract?
Answer yes if your organisation checks that each supplier has the required level of security in controls in place before it enters into a contract with them. The Risk Ledger platform can be used for this - get in touch!
06) Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?
Answer yes if your organisation checks that suppliers are continually meeting their security requirements whilst you are in contract with them, through regular assurance process (e.g. quarterly, annually). Please give details of your current process. The Risk Ledger platform can make this easier for you - get in touch!