STA-12: Supply Chain Service Agreement Compliance

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set and incorporates the following items from the previous version: STA-01: Data Quality and Integrity, STA-09: Third Party Audits.

Control Statement

Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.

Implementation Guidance

Contracts throughout the supply chain should include requirements for all third- and fourth-party service providers and personnel with access to CSP and/or CSC systems and information. Personnel policies should include employment agreements inclusive of information security requirements, security awareness training, and insider risk management.

Auditing Guidance

  1. Examine the policy for incorporation of requirements into contractual documents throughout the CSP’s supply chain.
  2. Determine if requirements have been incorporated in contracts.
  3. Evaluate if the right to audit is protected, where required.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.