Third Party & Supply Chain Risk

• A defined external-workforce lifecycle framework governs contractor access.
• Remote and third-party access is restricted to compliant devices through Zero Trust and conditional-access controls.
• Third-party IT service delivery is consolidated into a single, tiered model with service-level agreements for consistent security enforcement.

Framework Alignment: NIST CSF GV.SC, PR.AA; CIS Control 6, 15; CMMC Level 1 (AC); GDPR Art. 28; ISO 27001:2022 A.5.19, A.5.22

• Independent penetration tests, red-team exercises, and a third-party program review validate controls.
• An external cyber-insurer continuously and independently monitors security posture.
• Customer and vendor security questionnaires are supported by a dedicated GRC function for consistent, sourced responses.

Framework Alignment: NIST CSF GV.SC; CIS Control 15; SOC 1 Type II; GDPR Art. 28; ISO 27001:2022 A.5.35

• A third-party risk-management program is maintained under a dedicated policy, with defined roles and processes.
• External system connections are identified, verified, and controlled, and third parties are expected to meet security requirements.
• Vendors handling sensitive data are governed by non-disclosure agreements and security expectations.

Framework Alignment: NIST CSF GV.SC; CIS Control 15; CMMC Level 1 (AC); GDPR Art. 28; ISO 27001:2022 A.5.19, A.5.20, A.5.21

• Background checks (screening/vetting) are performed on personnel who access or process confidential information.
• Contracted personnel sign non-disclosure agreements before access to systems or premises is granted.
• Formal offboarding ensures asset return and prompt access removal for departing staff and contractors.

Framework Alignment: NIST CSF GV.SC; CIS Control 15; GDPR Art. 28, 32; ISO 27001:2022 A.6.1, A.6.6