Supply chain risk management plans include an expression of the supply chain risk tolerance for the university, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities.


  • This control applies to the university Chief Information Security Officer.


  • 1. It is the responsibility of the Chief Information Security Officer to:

    • 1.1 Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operation, and disposal of university systems, system components, or system services;

    • 1.2 Implement the supply chain risk management plan consistently across the university; and

    • 1.3 Review and update the supply chain risk management plan annually, and whenever threat, organizational, or environmental changes warrant it.