G.3 Manage suppliers

Controls to require that third-party suppliers employ adequate security measures to protect information, applications, AI models, and services provided to the organization.

Controls

G.3.1 Security-related contract terms

Component, system, AI model, and service acquisition policies require adherence to security policies, security requirements, and secure SDLC practices that are compatible with compliance requirements.

G.3.2 Separation of duties

Reduce the potential for abuse of authorized privileges and the chance of collusion when acquiring components, systems, and services.

G.3.3 Information disclosure

Contract language requires that vendors monitor for information disclosure and notify the enterprise when a disclosure occurs.

G.3.4 Session audits

Identify security risks in the supply chain.

G.3.5 Notification agreement

Timely notification of security threats and product end-of-life.