PT-1—Policy And Procedures
>Control Description
Enterprises should ensure that supply chain concerns are included in PII processing and transparency policies and procedures, as well as in the related C-SCRM Strategy/Implementation Plan, C-SCRM Policies, and C-SCRM Plan. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies.
The procedures can be established for the security and privacy program in general and for individual information systems. These policies and procedures should address purpose, scope, roles, responsibilities, management commitment, coordination among enterprise entities, and privacy compliance for the systems and components within information systems or the supply chain.
Policies and procedures need to be in place to ensure that contracts state what PII will be shared, which contractor personnel may have access to it, which controls protect it, how long it may be retained, and what happens to it at the end of the contract.
a. When working with a new supplier, ensure that the agreement includes the most recent set of applicable security requirements.
b. Contractors need to abide by relevant laws and policies regarding PII and other sensitive information.
c. The enterprise should require its prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors.
>Cross-Framework Mappings