Supply Chain Security Policy

This Rules/Policy document is provided to you and your organization as a starting point or maturity checkpoint for existing rules/policies. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides an easy, defendable, highly accountable starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. If you know of peers that you think would find value in these resources, please have them contact us. These will be updated on our website regularly. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful. If you have recommended updates, we are all ears. And if you need Converged Security Consulting and Training, please reach out, we would be honored to serve you and your organization.

Jim McConnell  |  info@askmcconnell.com  |  askmcconnell.com

Supply Chain Security Policy

Updated: 5 April 2025

Protecting human lives is the highest requirement of our entire organization, whether they are employees, customers, volunteers, visitors, or part of our supply chain while under some nexus to our organization. Many times things we do online will impact people’s lives physically, financially, and emotionally.

  • I will report safety and security incidents, concerns, vulnerabilities, and threats to my supervisor or the organization’s Ethics Hotline as soon as possible and safe. If they are not available and I feel unsafe, I will contact law enforcement.
  • I will not engage a new supplier without written (e.g. contract) approval from Legal, Accounts Payable, Procurement, and Security.
  • I will not provide any supplier more access (physical or cyber) to facilities, data, systems, people, customers, etc. than the absolute minimum they need to do their job.
  • I will not interact with a potential supplier or current supplier if there is a conflict of interest.
  • I will not engage with a potential supplier in any way that involves non-public information until a complete due diligence/background check and OFAC/ABC due diligence have been performed.
  • I will perform or support the ongoing due diligence and security audit on all appropriate suppliers under my management.
  • I will make sure all appropriate suppliers under my management meet the security requirements imposed by law, regulation, the Code of Ethics, corporate security and safety rules, and the contract, if one is established.
  • I will make sure all appropriate suppliers do not subcontract work for my organization unless it is approved and reviewed by Legal, Accounts Payable, Procurement, and Security.
  • I will not use my assigned Corporate Credit Card, Travel Card, or PCard for unauthorized purchases, including purchases that may impact the safety and security of our organization.
  • I will establish and report on security and compliance metrics for all appropriate suppliers under my management that affect the organization’s risk.
  • I will not use a supplier that doesn’t have a documented and tested business continuity plan, or where the organization doesn’t have an equally qualified backup supplier for products or services where this supplier is considered critical.
  • I will maintain compliance with all Legal-approved rules and requirements from all suppliers under my management.
  • I will verify that all contracts for suppliers under my management include security requirements appropriate to the services, products, risks, and access the supplier will have or affect.
  • I will maintain all supplier-provided equipment, software, hardware, and services to the manufacturer and industry security standards.
  • I will verify all insurance and licenses for all suppliers and their personnel under my management, as required to perform services.

Signature Note: I am a huge fan of wet signatures on these types of documents for accountability and investigation reasons. You can add the signature lines below to each rule/policy document, or have a collective wet signature with references in the Security Commitment Agreement document available on the One-Pager library page. Organizational preference.

________________________
Print Full Legal Name

________________________
(Blue Ink) Full Legal Signature
Style of signature must closely match Driver’s License

________________________
Date
