(6) Cybersecurity Supply Chain Risk Management (GV.SC):
Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders
GV.SC-01:
A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
- Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain risk management program
- Ex2: Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the policies and procedures with the organizational stakeholders
- Ex3: Develop and implement program processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders
- Ex4: Establish a cross-organizational mechanism that ensures alignment between functions that contribute to cybersecurity supply chain risk management, such as cybersecurity, IT, operations, legal, human resources, and engineering
🧡 Implementation check
🌹 Documents and records
- Risk management plan
- Business continuity plan
🌹 Expected outcomes
- The organization has established a supply-chain-related cybersecurity risk management program.
- Organizational stakeholders are aware of the supply-chain-related cybersecurity risk management program.
- The cybersecurity supply chain risk management program includes contributions from key functions (e.g., cybersecurity, IT, operations, legal, human resources, engineering).
GV.SC-02:
Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
- Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities
- Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy
- Ex3: Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed
- Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability
- Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance
- Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements
- Ex7: Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties
- Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers
🧡 Implementation check
🌹 Documents and records
- Organization chart
- Cybersecurity job descriptions
- Cybersecurity policy (information-sharing section)
- Contracts and agreements
- Supplier management plan
- Risk management plan
🌹 Expected outcomes
- The organization has established cybersecurity roles relating to external parties such as suppliers, customers, and partners, and defines, communicates, and coordinates their responsibilities.
- Responsibility and accountability for supply chain risk management are assigned.
- Roles and responsibilities around the supply chain are defined and understood.
- Supplier roles and responsibilities are defined in the relevant agreements, with a mechanism for overseeing their fulfilment.
- The information-sharing policy defines the rules and protocols for information sharing and reporting.
GV.SC-03:
Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
- Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk management
- Ex2: Establish integrated control sets for cybersecurity risk management and cybersecurity supply chain risk management
- Ex3: Integrate cybersecurity supply chain risk management into improvement processes
- Ex4: Escalate material cybersecurity risks in supply chains to senior management, and address them at the enterprise risk management level
🧡 Implementation check
🌹 Documents and records
- Cybersecurity risk assessment
- Risk management plan
🌹 Expected outcomes
- Supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes.
GV.SC-04:
Suppliers are known and prioritized by criticality
- Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization's systems, and the importance of the products or services to the organization's mission
- Ex2: Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria
🧡 Implementation check
🌹 Documents and records
- Supplier management plan
- Third-party inventory
- Contracts and agreements
🌹 Expected outcomes
- A complete supplier inventory exists.
- Viable, measurable criteria are defined to guide the assessment of supplier criticality (e.g., risk category, access level, service importance, compliance requirements).
- As part of the supplier management plan, suppliers are periodically assessed and prioritized by criticality.
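One way to turn the Ex1 criteria and the "measurable criteria" outcome into a repeatable ranking of the supplier inventory, as an added example that is not part of the NIST text or this checklist; the rating labels, the tier rule, the review intervals and the supplier names are all assumptions:

```python
"""Supplier criticality scoring for GV.SC-04 (added example; scales and rules assumed)."""
from collections import namedtuple
from datetime import date, timedelta

# Ordinal ratings (0 = lowest) for the three criteria named in Ex1; labels are assumed.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS_LEVEL = {"none": 0, "portal": 1, "network": 2, "privileged": 3}
MISSION_IMPORTANCE = {"convenience": 0, "supporting": 1, "important": 2, "essential": 3}

# Longest acceptable gap between assessments per tier (never more than a year).
REVIEW_INTERVAL = {"critical": timedelta(days=180),
                   "significant": timedelta(days=365),
                   "routine": timedelta(days=365)}

Supplier = namedtuple("Supplier", "name data_sensitivity access_level mission_importance last_assessed")


def ratings(s):
    """Map labels to numbers; an unknown label raises KeyError rather than silently scoring 0."""
    return (DATA_SENSITIVITY[s.data_sensitivity], ACCESS_LEVEL[s.access_level],
            MISSION_IMPORTANCE[s.mission_importance])


def criticality_tier(s):
    """Assumed rule: a top rating on any one criterion is enough for 'critical' (a vendor
    holding regulated data stays critical even if easy to replace); otherwise the sum decides."""
    r = ratings(s)
    if max(r) == 3 or sum(r) >= 7:
        return "critical"
    return "significant" if sum(r) >= 4 else "routine"


def prioritize(suppliers, today):
    """Rank the register by score (highest first, then name) and flag overdue reassessments."""
    rows = [{"name": s.name, "tier": criticality_tier(s), "score": sum(ratings(s)),
             "overdue": today - s.last_assessed > REVIEW_INTERVAL[criticality_tier(s)]}
            for s in suppliers]
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


# Constructed register of fictitious suppliers and a fixed "today" for the demonstration.
ASSESSMENT_DATE = date(2024, 6, 1)
REGISTER = [
    Supplier("PayrollCloud", "regulated", "portal", "important", date(2023, 1, 10)),
    Supplier("NetOps MSP", "confidential", "privileged", "essential", date(2024, 3, 1)),
    Supplier("Office Snacks", "public", "none", "convenience", date(2022, 6, 1)),
    Supplier("Ticketing SaaS", "internal", "network", "supporting", date(2023, 9, 1)),
]
```

Running `prioritize(REGISTER, ASSESSMENT_DATE)` ranks NetOps MSP and PayrollCloud as critical (the latter because of regulated data alone) and flags PayrollCloud and Office Snacks as overdue for reassessment.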
GV.SC-05:
Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
- Ex1: Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
- Ex2: Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language
- Ex3: Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in agreements
- Ex4: Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised
- Ex5: Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle
- Ex6: Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
- Ex7: Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
- Ex8: Contractually require suppliers to vet their employees and guard against insider threats
- Ex9: Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections
- Ex10: Specify in contracts and other agreements the rights and responsibilities of the organization, its suppliers, and their supply chains, with respect to potential cybersecurity risks
🧡 Implementation check
🌹 Documents and records
- Contracts and agreements
- Supplier management plan
🌹 Expected outcomes
- The organization has explicitly assigned personnel responsible for overseeing third parties, who understand and communicate the requirements placed on third parties.
- The organization defines and monitors SLAs and measures compliance with them.
- The organization has a supplier management program that defines standards for contracts and agreements based on the third-party service and its criticality.
- Contracts and agreements are reviewed by the legal function for compliance with regulations and internal cybersecurity requirements.
GV.SC-06:
Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
- Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship
- Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers
- Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements
- Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use
🧡 Implementation check
🌹 Documents and records
- Supplier management plan
- Cybersecurity risk assessment
- Contracts and agreements
🌹 Expected outcomes
- A formal supplier procurement plan, selection procedure, and due diligence procedure exist, covering why a supplier is relied on, how suppliers are selected, and how selected suppliers are overseen.
- Risk assessments are performed to identify and measure the risks associated with external parties.
- Due diligence is tailored to supplier risk, criticality, and the complexity of the relationship.
- Due diligence documents (e.g., SOC reports, security test reports, cybersecurity policies, BCPs, risk management plans, and compliance certifications) are reviewed to assess the suitability of the third party's technology and cybersecurity capabilities.
- Critical products and services are assessed before acquisition and use (e.g., source code review, supply chain review, review of security test reports, and physical inspection).
GV.SC-07:
The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
- Ex1: Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide
- Ex2: Evaluate third parties' evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
- Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
- Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
- Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity
🧡 Implementation check
🌹 Documents and records
- Supplier management plan
- Contracts and agreements
- Business continuity plan
🌹 Expected outcomes
- The organization's supplier management plan includes continuous monitoring:
  - Relevant due diligence information is collected and reviewed to verify compliance with requirements
  - Supplier risk assessments are reviewed and updated at least annually, or upon significant change in the organization, the supplier, or other external forces (e.g., economic challenges, geopolitical instability, or technological advances).
- Contracts and agreements explicitly require third parties to provide relevant evidence (e.g., audits, tests, certificates) demonstrating that they meet the requirements (qualifications, resources, security assurance, etc.).
- The BCP and the supplier management plan consider ways to mitigate the impact of supply chain disruptions.
GV.SC-08:
Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
- Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers
- Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response
- Ex3: Include critical suppliers in incident response exercises and simulations
- Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers
- Ex5: Conduct collaborative lessons learned sessions with critical suppliers
🧡 Implementation check
🌹 Documents and records
- Business continuity plan
- Incident response plan
- Results of responses or exercises
🌹 Expected outcomes
- Incident response planning includes relevant suppliers and third parties
- The incident response plan specifies:
  - Roles and responsibilities of critical suppliers and third parties
  - Third-party communication guidelines
- Critical suppliers and third parties participate in incident response exercises
- There is evidence that critical suppliers have contributed to incident response planning
GV.SC-09:
Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
- Ex1: Policies and procedures require provenance records for all acquired technology products and services
- Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic
- Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers
- Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products
- Ex5: Policies and procedures require checking upgrades to critical hardware for unauthorized changes
🧡 Implementation check
🌹 Documents and records
- Risk management plan
- Cybersecurity policy (supply chain section)
🌹 Expected outcomes
- Supply chain policies and procedures are implemented to ensure that cybersecurity best practices are in place at suppliers.
- Technology products and services are acquired only from reputable, authorized, and effectively overseen sources.
- External entities that perform upgrades and changes are reputable, authorized, and effectively overseen.
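One way to operationalize Ex1 to Ex3 (a provenance record per acquired component, proof that the component is untampered and authentic, and acceptance of updates only from the authenticated provider), as an added example that is not part of the NIST text or this checklist; the record format, the provider host name and the sample artifact bytes are constructed assumptions:

```python
"""Provenance check for acquired software for GV.SC-09 (added example; format assumed)."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-ins for the provider's published build and a tampered copy of it.
PUBLISHED_BUILD = b"widgetd-2.4.1 release tarball (constructed sample bytes)"
TAMPERED_BUILD = PUBLISHED_BUILD + b"\x00"      # any altered byte changes the digest
GOOD_URL = "https://downloads.example-vendor.test/widgetd-2.4.1.tar.gz"  # fictitious host

# Constructed provenance register keyed by (component, version): the approved provider's
# download host and the SHA-256 the provider published out of band (Ex1).
PROVENANCE = {
    ("widgetd", "2.4.1"): {
        "approved_host": "downloads.example-vendor.test",
        "sha256": hashlib.sha256(PUBLISHED_BUILD).hexdigest(),
    },
}


def verify_acquisition(name, version, source_url, artifact, register=PROVENANCE):
    """Return (accepted, reason) for an artifact that was downloaded from source_url."""
    record = register.get((name, version))
    if record is None:
        return False, "no provenance record: acquisition is not approved"
    url = urlparse(source_url)
    if url.scheme != "https" or url.hostname != record["approved_host"]:
        return False, f"unapproved source {url.hostname!r}: use the provider's own channel (Ex3)"
    digest = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(digest, record["sha256"]):
        return False, "digest mismatch: artifact is not the published build"
    return True, "authentic and untampered"


def acquisition_report(checks):
    """Summarise a batch of (name, version, url, artifact) for leadership reporting (Ex2):
    how many acquisitions were proven authentic and why each rejected one failed."""
    report = {"proven_authentic": 0, "rejected": []}
    for name, version, url, artifact in checks:
        ok, reason = verify_acquisition(name, version, url, artifact)
        if ok:
            report["proven_authentic"] += 1
        else:
            report["rejected"].append((f"{name}-{version}", reason))
    return report
```

A mirror host, a plain-HTTP download, an unknown version, and a single altered byte are each rejected with a distinct reason, which is what the periodic risk report to leaders should be able to show.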
GV.SC-10:
Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
- Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances
- Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence
- Ex3: Verify that supplier access to organization resources is deactivated promptly when it is no longer needed
- Ex4: Verify that assets containing the organization's data are returned or properly disposed of in a timely, controlled, and safe manner
- Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account
- Ex6: Mitigate risks to data and systems created by supplier termination
- Ex7: Manage data leakage risks associated with supplier termination
🧡 Implementation check
🌹 Documents and records
- Contracts and agreements
- Contract termination contingency plan
- IT asset inventory
🌹 Expected outcomes
- The supply chain management plan covers the management and oversight of partners not only during the relationship but also at the selection and offboarding stages.
- Contracts and agreements contain provisions for terminating critical relationships.
- Contracts and agreements define how data ownership is handled, including secure destruction and/or return of organizational assets (e.g., data, systems, equipment, and intellectual property).
- Contract termination contingency plans have been developed for critical third-party services (e.g., transferring the service to an alternate third party, bringing it in-house, or discontinuing it).
- Plans are in place to handle product end-of-life (EOL) situations (e.g., tracking EOL dates in the IT asset inventory or planning the replacement of EOL systems).
- Supplier termination procedures are defined, published, and communicated.