Description
Supply chain risk management plans include an expression of the supply chain risk tolerance for the university, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities.
Applicability
-
This control applies to the university Chief Information Security Officer.
Implementation
-
1
It is the responsibility of the Chief Information Security Officer to:
-
1.1
Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of university systems, system components or system services;
-
1.2
Implement the supply chain risk management plan consistently across the university; and
-
1.3
Review and update the supply chain risk management annually to address threat, organizational or environmental changes.
-
1.1