UnixTime

Research Note

Supplier Security Responsibility Matrix

Use this when a supplier relationship has shared security responsibilities and the contract needs a clear split between the organization, the supplier, and any shared control ar...

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this when a supplier relationship has shared security responsibilities and the contract needs a clear split between the organization, the supplier, and any shared control areas.

Responsibility matrix

Control area Organization responsibility Supplier responsibility Shared responsibility Evidence location Notes
Access approval
Account provisioning
Privileged access
MFA/authentication
Logging and monitoring
Incident notification
Vulnerability management
Backup and recovery
Data retention/deletion
Subcontractor management
Service change notification
Exit support