Supply Chain Contracts

This Rules/Policy document is provided to you and your organization as a starting point or maturity checkpoint for existing rules/policies. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides an easy, defendable, highly accountable starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. If you know of peers that you think would find value in these resources, please have them contact us. These will be updated on our website regularly. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful. If you have recommended updates, we are all ears. And if you need Converged Security Consulting and Training, please reach out; we would be honored to serve you and your organization.

Jim McConnell  |  info@askmcconnell.com  |  askmcconnell.com

Supply Chain Contracts Policy

Updated: 22 July 2025

This policy is a set of rules directed toward a supplier/vendor/third party (“supplier”) that can have an impact — small or large — on the organization’s brand, security, confidentiality, integrity, data, information, availability, personnel, facilities, and more. The rules for each major security domain are found in their individual One-Pager documents, all of which should be considered for inclusion in supplier contracts.

The “I” in “I will…” refers to the person signing the contract on behalf of the supplier. That person should designate a security professional within their organization who will be accountable for implementing and maintaining ongoing compliance with these rules.

General Security Governance / Security Management

  • I will ensure all security requirements of this contract are implemented within _____ days of execution.
  • I will report security incidents, concerns, vulnerabilities, and threats to my supervisor or the organization’s Ethics Hotline as soon as possible and safe; if they are not available and I feel unsafe, I will contact law enforcement.
  • I will identify the Chief Security Officer (CSO) and Chief Information Security Officer (CISO) and supply their full 24×7 contact information to the customer/client’s CSO/CISO and Supplier Management Organization within 5 days of signing.
  • I will ensure our organization maintains a strong incident response program covering all types of security, safety, and fraud incidents, including notification of the customer/client’s CSO and CISO within 24 calendar hours of awareness of any incident impacting the customer/client.
  • I will maintain a current inventory of all assets (people, processes, technology, buildings, suppliers, etc.) used to support this contract — in particular, assets that access, store, or process the customer/client’s assets (information, buildings, people).
  • I will ensure that all parts of our organization’s assets that will service the customer/client are subject to independent accreditation through a minimum of ISO 27001:2022.
  • I will ensure any identified flow-down requirements from the customer/client are implemented within _____ days of execution of the agreement. I will also ensure all security requirements of this agreement are flowed down to any suppliers being used to service this agreement.
  • I will ensure all assets used to support this contract are covered under a documented, tested, and exercised business continuity and disaster recovery program.
  • I will ensure all personnel (employees and non-employees) used to support this contract receive initial documented training based on the contract requirements and recurring sustainment training at least once per year or upon any significant changes to the contract or SOW.
  • I will ensure we can provide attestation and evidence of compliance to all security elements of this agreement within 5 days of a formal request for attestation.
  • I will ensure industry-leading metrics and statistics are collected, verified, and used for the security and compliance of all security elements of this contract.
  • I will ensure a 24×7 insider threat program is in place to prevent, detect, and respond to any insider threats that could impact the delivery of the services of this contract or the customer/client.
  • I will ensure a 24×7 capability for monitoring of information security, cyber security, personnel security, physical security, and fraud threats and attacks against all assets supporting this contract.

Personnel Security

  • I will ensure all customer/client personnel going onsite to a supplier location or event are provided personnel security commensurate with the level of security and threat in/around the environment on that particular day. If I cannot ensure this level of security, I will communicate with the customer/client CSO as soon as feasible.
  • I will notify the CSO of the customer/client when any of my organization’s personnel are going to be onsite at or attending events of the customer/client, to make sure personnel security measures are shared and verified.
  • I will ensure any of my organization’s personnel who will be onsite at a customer/client location or event are fully briefed on their/our responsibility for their security and the applicable procedures, including any special rules, concerns, or incidents.

Information Security / Cyber Security

  • I will ensure all accounts used on assets servicing this contract have multi-factor authentication implemented and monitored — including accounts at the operating system, database, application, and other layers.
  • I will ensure no end-of-life/end-of-service software is present on any asset servicing this contract. If EOL/EOS software is required, this will be documented to the customer/client with a remediation date.
  • I will ensure all access to assets servicing this contract is implemented with the strict principle of least privilege.
  • I will ensure all physical assets (computers, servers, paper files, etc.) are physically secure.
  • I will ensure all technology used to service this contract has implemented and verified (via random restores) backups based on the 3-2-1 standard.
  • I will ensure all functional/generic login accounts have secondary authorization implemented to support individual accountability.
  • I will ensure network segmentation is implemented to allow only assets servicing this contract to communicate with assets also servicing this contract.
  • I will ensure that an all-layer vulnerability management system (reporting, scanning, evaluation, threat intelligence, and patch/configuration management) is implemented across all assets servicing this contract.
  • I will ensure that any software development supporting the servicing of this contract uses strong SDLC standards (e.g., Secure Coding practices from CMU/SEI).
  • I will ensure all information/data is retained and disposed of based on the customer/client’s legal requirements.
  • I will ensure all technology assets used to service this contract have strong configuration management controls based on industry secure configuration management standards, along with the strictest hardening settings feasible while remaining operationally practical.
  • I will ensure all assets used to service this contract have documented and controlled classification levels for confidentiality, integrity, and availability.

Physical Security

  • I will ensure all physical access to rooms used to store assets servicing this contract has multi-factor authentication implemented and monitored — including IDF, MDF, Data Center, Computer Rooms, Safe Storage, and non-public paper storage.
  • I will ensure all physical access control systems used to service this contract have no end-of-life/end-of-service software. If EOL/EOS software is required, this will be documented to the customer/client with a remediation date.
  • I will ensure all access to assets servicing this contract is implemented with the strict principle of least privilege, whether by badge or key.
  • I will ensure all physical human access to areas used to service this contract is electronically logged and that IDs are verified on entering and exiting those areas.
  • I will ensure industry-standard security camera coverage that records for at least _____ days is in place for all areas used to service this contract.
  • I will ensure all facilities used to service this contract undergo a certified CPTED assessment at least once a year and that gaps are mitigated within _____ days, based on agreement with the customer/client’s CSO.
  • I will ensure physical intrusion detection technology (e.g., cameras, door alarms, anti-passback, window alarms, etc.) is implemented for all areas servicing this contract and is monitored 24×7.
  • I will ensure panic buttons are available at perimeter lobby(ies) for all locations used to service this contract.

Fraud

  • I will ensure fraud controls, analytics, monitoring, and investigations (as defined and scoped by the Association of Certified Fraud Examiners) are implemented for all potential areas of fraud related to the servicing of this contract — particularly financial elements (e.g., AP, ACH, Billing, Expenses, Travel, PCard, etc.).

Signature Note: I am a huge fan of wet signatures on these types of documents for accountability and investigation reasons. You can add the signature lines below to each rule/policy document, or have a collective wet signature with references in the Security Commitment Agreement document available on the One-Pager library page. Organizational preference.

________________________
Print Full Legal Name

________________________
(Blue Ink) Full Legal Signature
Style of signature must closely match Driver’s License

________________________
Date
