II.C.13(e) Rogue or Shadow IT
Management should have policies explaining that employees should not and are not authorized to use unsanctioned or unapproved IT resources (e.g., online storage services, unapproved mobile device applications, and unapproved devices). Security awareness or information security training should include procedures for identifying and reporting shadow IT.
II.C.13(d) Transit of Physical Media
II.C.14 Supply Chain