System Supply Chain Risk Management Policy and Procedures
Download PDF
Controlled copy — valid on date of download only
Internal Use
System Supply Chain Risk Management Policy and Procedures
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 1.0 |
| Cadence | Annual |
| Policy Owner | Chief Operating Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-3, DCF-4, DCF-5, DCF-6, DCF-10, DCF-11, DCF-12, DCF-13, DCF-15, DCF-16, DCF-17, DCF-19, DCF-28, DCF-29, DCF-30, DCF-31, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-45, DCF-46, DCF-47, DCF-51, DCF-52, DCF-56, DCF-58, DCF-60, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-83, DCF-84, DCF-99, DCF-100, DCF-101, DCF-134 |
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this policy and procedures document is to define how Dispel manages risks arising from its information and communications technology (ICT) and operational technology (OT) supply chains, including suppliers, service providers, and other third parties supporting Dispel systems and the Dispel Zero Trust Engine.
1.2 Scope
This policy applies to:
- All suppliers, service providers, and third parties that provide products, services, or components that support in-scope Dispel systems.
- All phases of the system life cycle where supply chain decisions are made or implemented, including selection, onboarding, ongoing management, and termination of suppliers.
- All Covered Persons involved in procurement, vendor management, system design, security, and operations where supply chain risk is relevant.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC3.1, CC3.2 | Risk identification and mitigation, including risks associated with service providers and supply chains. |
| 2 | ISO/IEC 27001 | A.5.19, A.5.20 | Information security for the use of cloud services and relationships with suppliers, including supply chain security requirements. |
| 3 | NIST SP 800-53 | SR-1, SR-2, SR-3, SR-5, SR-6, SR-8, SR-9, SR-10, SR-11, SR-12 | Supply chain risk management policy and procedures, controls for supplier due diligence, contractual requirements, monitoring, and component integrity. |
| 4 | IEC 62443 | 62443-2-1 | Requirements for supplier and service provider security in industrial automation and control system environments. |
| 5 | HIPAA | 164.308(a)(1) | Risk management for ePHI, including risks introduced by business associates and their supply chains. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL manage supply chain risks for in-scope systems by defining, implementing, and monitoring controls over the selection, onboarding, operation, and termination of suppliers and service providers.
2.3 Secondary Policy Statement
- Supply chain risk considerations SHALL be incorporated into procurement, design, and change management processes.
- Contracts and agreements with suppliers SHALL include appropriate information security and privacy requirements.
- Supply chain risks SHALL be periodically reassessed and monitored over the life of the relationship.
3. REQUIREMENTS
3.1 Supply Chain Risk Management Governance
Objective: Establish governance for managing system supply chain risks.
Mandatory Activities:
- The Policy Owner SHALL own this policy and associated procedures and ensure they are reviewed at least annually.
- Roles involved in procurement, vendor management, security, and operations SHALL be aware of and trained on relevant supply chain risk management responsibilities.
- This policy and procedures SHALL be disseminated to relevant stakeholders; review, acceptance, and acknowledgement SHALL be required initially and at least annually.
- Supply chain risk management SHALL be integrated with Dispel’s overall risk management and vendor management programs.
Required Outputs:
- Current policy and procedures approved by management.
- Records of acknowledgements and training for relevant roles.
Security Controls: NIST SP 800-53 SR-1, SR-2.
3.2 Supplier Selection and Onboarding
Objective: Ensure supply chain risks are considered and documented during supplier selection and onboarding.
Mandatory Activities:
- Prior to engaging a new supplier or service provider for in-scope systems, Dispel SHALL:
- Identify the services, products, or components to be provided.
- Assess the criticality and sensitivity of data and systems impacted.
- Evaluate the supplier’s security posture using questionnaires, assessments, certifications, or independent audit reports where available.
- Contracts or agreements with suppliers SHALL include security and privacy requirements
commensurate with the risks, including (as applicable):
- Data protection and confidentiality obligations.
- Incident notification and cooperation requirements.
- Sub-processor or downstream supplier controls.
- Right-to-audit or obtain independent assurance reports.
- Risk assessment results and supplier due diligence outcomes SHALL be documented and retained.
Required Outputs:
- Supplier due diligence records.
- Contracts or agreements with defined security and privacy clauses.
Security Controls: NIST SP 800-53 SR-3, SR-5.
3.3 Ongoing Supplier Monitoring and Risk Management
Objective: Monitor and manage supply chain risks over the life of the relationship.
Mandatory Activities:
- Dispel SHALL monitor key suppliers and service providers for changes that may impact
security or risk, including:
- Material changes in ownership, financial condition, or service scope.
- Changes in control environments as indicated by updated audit reports or certifications.
- Reported security incidents or known vulnerabilities affecting supplied products or services.
- Dispel SHALL periodically reassess supply chain risks and update risk registers or treatment plans accordingly.
- Where issues are identified (e.g., significant control gaps, unresolved incidents), Dispel
SHALL:
- Work with the supplier to develop and track remediation plans, or
- Implement compensating controls, or
- Consider transitioning to alternative suppliers.
Required Outputs:
- Updated supplier risk assessments.
- Evidence of ongoing monitoring (e.g., review of audit reports, certifications, security advisories).
Security Controls: NIST SP 800-53 SR-6, SR-8, SR-9.
3.4 Component Integrity and Supply Chain Security Controls
Objective: Protect the integrity and security of components acquired through the supply chain.
Mandatory Activities:
- Dispel SHALL define and implement controls, where feasible, to:
- Verify the integrity and authenticity of software, firmware, and hardware components.
- Protect against counterfeit or tampered components.
- For critical systems, Dispel SHOULD:
- Prefer suppliers with secure development, manufacturing, and distribution practices.
- Require cryptographic signing and verification of software and firmware updates.
- Findings related to component integrity SHALL be incorporated into risk assessments and remediation plans.
Required Outputs:
- Procedures and configurations for component verification.
- Records of integrity checks or validation activities.
Security Controls: NIST SP 800-53 SR-10, SR-11, SR-12.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner
Responsibilities:
- Owns this System Supply Chain Risk Management Policy and Procedures.
- Ensures integration with Dispel’s overall risk management and vendor management frameworks.
- Coordinates periodic reviews and updates.
4.2 Procurement / Vendor Management
Responsibilities:
- Ensure supplier selection and contracting activities follow this policy and related procedures.
- Maintain the inventory of in-scope suppliers and associated contracts.
- Coordinate due diligence and ongoing monitoring activities.
4.3 Security Officer
Responsibilities:
- Provide input on supply chain risks and required security controls.
- Review due diligence results and security clauses in contracts for high-risk suppliers.
- Participate in incident response and remediation planning involving suppliers.
4.4 System Owners
Responsibilities:
- Identify dependencies on suppliers and service providers for systems they own.
- Participate in supplier assessments and monitoring relevant to their systems.
- Implement system-level controls to mitigate supply chain risks.
5. PROCEDURES
5.1 Supply Chain Risk Management Lifecycle (High-Level)
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Identify business and technical needs for supplier engagement, including data and system impact. | System Owners, Procurement | During planning and procurement |
| 2 | Perform supplier due diligence, including security and privacy assessments. | Procurement, Security Officer | Before contract execution |
| 3 | Negotiate and execute contracts with appropriate security and privacy clauses. | Procurement, Legal, Security Officer | Before service start |
| 4 | Monitor supplier performance and security posture; update risk assessments as needed. | Procurement, Security Officer, System Owners | Ongoing |
| 5 | Manage remediation for identified supply chain risks and consider alternatives if necessary. | System Owners, Security Officer, Procurement | As risks are identified |
| 6 | Plan and execute supplier offboarding and data return or destruction at end of relationship. | Procurement, System Owners | At contract termination |
6. MONITORING AND COMPLIANCE
6.1 Compliance Monitoring
Compliance with this policy SHALL be monitored through:
- Periodic reviews of supplier inventories, contracts, and due diligence records.
- Internal or external audits of supply chain risk management controls.
- Reviews of incidents or issues involving suppliers and associated remediation actions.
6.2 Metrics and Reporting
The following metrics SHALL be tracked and reported at least annually to the Policy Owner and senior management:
| Metric | Frequency | Owner |
|---|---|---|
| Percentage of high-risk suppliers with completed due diligence and current contracts | Annual | Procurement |
| Number of significant supplier-related incidents and remediation status | Quarterly | Security Officer |
| Percentage of in-scope suppliers with periodic risk reviews completed on schedule | Annual | Policy Owner |
6.3 Non-Compliance Consequences
Failure to comply with this policy and procedures may result in:
- Increased exposure to supply chain risks and potential service disruptions.
- Revocation or restriction of access for Covered Persons who repeatedly fail to comply.
- Disciplinary action for employees and contractors, consistent with Dispel HR policies and applicable law.
7. EXCEPTIONS AND WAIVERS
7.1 Exception Process
Exceptions to this policy SHALL:
- Be submitted in writing by the requesting party.
- Identify the specific policy or procedural requirements for which an exception is sought.
- Include justification and business impact.
- Describe compensating controls or mitigation measures.
- Define exception duration and remediation plan.
7.2 Exception Approval Authority
| Risk Level | Approval Authority |
|---|---|
| Low | Policy Owner |
| Medium | Policy Owner and Security Officer |
| High | Policy Owner, Security Officer, and Senior Management representative |
| Critical | Senior Management representative in consultation with Policy Owner and Security Officer |
8. DEFINITIONS
Supplier: Any third party providing products, services, or components that support Dispel systems or operations.
Supply Chain Risk: The potential for adverse impacts to Dispel’s systems, data, or operations due to vulnerabilities, threats, or failures in the supply chain.
Due Diligence: The process of assessing a supplier’s capabilities, including its security and privacy controls, prior to engagement.
9. REFERENCES
9.1 Internal References
- Risk Assessment Policy and Procedures.
- Vendor Management Policy.
- Information Security Assessment, Authorization, and Monitoring Policy and Procedures.
9.2 External References
- NIST SP 800-53, SR family.
- NIST SP 800-161 (if adopted), Supply Chain Risk Management Practices.
- ISO/IEC 27036 series, Information security for supplier relationships.
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | Predates version control | Ethan Schmertzler | Initial System Supply Chain Risk Management Policy and Procedures aligned to POLICY_TEMPLATE and control mappings. |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | |||
| Security Officer | |||
| Senior Management Representative |
APPENDICES
Appendix A: Supporting Supply Chain Risk Management Procedures
This appendix may include:
- Detailed supplier due diligence templates.
- Example contract security clauses.
- Checklists for supplier onboarding and offboarding.
Appendix B: Additional Guidance and Examples
This appendix may include:
- Example supply chain risk scenarios and treatment options.
- References to industry best practices for supply chain security.