Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.
Both the CSP and CSC should implement the finalized SSRM, then document and test it thoroughly to validate that the security control implementations operate as intended, including integration testing wherever controls are interdependent. Once the SSRM is in operation, both the CSP and CSC should operate, monitor, and audit or assess their service performance against it, and remain engaged with their supply chain and customers so that changes to the SSRM are understood, implemented, and managed over time. Areas that call for proactive supply chain engagement on the SSRM, with a corresponding level of (secure) transparency, include:
- Incident and vulnerability management
- Change and configuration management
- Periodic SSRM-aligned audit reviews and security assessments with appropriate risk management

Audit and assessment steps for this control:
- Examine the policy for addressing security in third-party agreements and determine whether the organization uses formal contracts.
- Determine whether written procedures exist for addressing security in third-party agreements and whether those procedures address each element of the policy/control requirements stipulated at the policy level.
- Examine relevant documentation, observe relevant processes, and/or interview the control owners and relevant stakeholders, as needed, to determine whether the policy/control requirements stipulated at the policy level for addressing security in third-party agreements have been implemented.
- Examine the measures that evaluate the organization's compliance with the third-party management policy and determine whether those measures cover implementation of the policy/control requirements stipulated at the policy level.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.