GV.SC-02:

Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally

Implementation Examples

Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities

Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy

Ex3: Create responsibility matrices to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed

Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability

Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance

Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements

Ex7: Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties

Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers