Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated
When a supplier causes a breach or an outage, ambiguity about who is responsible for what turns a manageable incident into a chaotic one. Establishing clear security roles for each vendor relationship before an incident means that notification timelines, access revocation procedures, and incident response coordination all run smoothly when they need to.
Implementation steps
1. Define security responsibilities for each vendor tier
For each risk tier in your supplier inventory, write down what the supplier is responsible for (protecting the data they process, notifying you of breaches, maintaining their own security controls) and what your organization is responsible for (limiting their access to least privilege, monitoring their activity, reviewing their access periodically).
2. Establish incident notification and response coordination procedures
For critical and high-risk suppliers, define the notification chain: if the supplier has a security incident affecting your data, whom do they contact, how quickly, and through what channel? Define your organization's obligations as well (for example, who acknowledges the notification and who coordinates access revocation). Capture these in a shared runbook or reference them in the contract.
3. Name internal owners for critical supplier relationships
Assign a named internal contact responsible for each critical or high-risk vendor relationship. This person is responsible for the periodic access review, the annual security assessment, and acting as the point of contact during incidents. The assignment should be documented and kept current.
Evidence required
Supplier security responsibility assignments
Documentation defining what each party is responsible for in the security of the vendor relationship.
- Vendor security responsibilities matrix
- Shared responsibility model document for each critical vendor
- Contract security addendum defining mutual obligations
Internal vendor relationship owner assignments
A record showing which internal person owns each critical supplier relationship from a security perspective.
- Vendor register with 'security owner' column populated
- Org chart or responsibility document listing vendor owners
- Procurement records showing the security approver for each critical vendor
Related controls
- A cybersecurity supply chain risk management program is established (Cybersecurity Supply Chain Risk Management)
- Relevant suppliers are included in incident planning, response, and recovery activities (Cybersecurity Supply Chain Risk Management)
- Supply chain risk management is integrated into enterprise risk management processes (Cybersecurity Supply Chain Risk Management)
- Suppliers are known and prioritized by criticality (Cybersecurity Supply Chain Risk Management)