Policies allow Clients (organisations running assurance programmes) to apply their security Requirements over their supply chain. At their most basic, they are a list of security controls that you require the Suppliers you work with to have implemented. The Requirements within Policies are based on the control questions taken from our Supplier Assessment Framework.
The Suppliers that a Policy is applied to is defined by tags. Tags can be thought of as labels - you tag Suppliers with a criticality, data confidentiality, and PII tag when you connect with them, and then you build your Policies to apply to these different tags.
For example, if you build a Policy and tag it with the "Holds PII" tag, all of the Suppliers that you connect with and tag as "Holds PII" will have those Policy requirements applied.
Policies with multiple tags
When you build a Policy, you can tag it with multiple tags. Each tag is compared against each Supplier individually.
For example, a Policy that you have built and applied to suppliers with the "Holds PII" and "Critical" tags will apply to all Suppliers that have been tagged with "Holds PII", and all Suppliers that have been tagged as "Critical".
When applying multiple Policies to a single Supplier, Risk Ledger refers to this as 'stacking Policies'.
For example, if you have three separate Policies, one for Suppliers with the Holds PII tag, one for Suppliers with the Critical tag, and one for Suppliers with the Highly Confidential tag, a Supplier that is tagged as Critical, Highly Confidential, and Holds PII will have all three policies applied to them.
When applying multiple Policies to a Supplier, Risk Ledger aggregates the Policies and takes the highest required value for each control.
Why should I stack Policies?
The criticality rating, data confidentiality rating, and PII tag are distinct concepts and we think each drives a different subset of control requirements. Criticality is a driver for controls that protect a Suppliers availability, data confidentiality is a driver for controls that cover data protection, and the PII tag is a driver for privacy controls.
When building your Policies, we recommend that you stick to one tag per policy. This allows you to stack Policies based on each individual Supplier's tags.
For example, Risk Ledger includes a template Policy for each tag that can be applied. This means that when you on-board a Supplier who has the tags Critical, Highly Confidential, and Holds PII, all of the controls from the Critical Policy, Highly Confidential Policy, and Holds PII Policy are enforced over that Supplier.
This process of creating multiple Policies and stacking them adds a level of flexibility to the way Policies are applied over your supply chain, and we think is a big step forward from the traditional approach of applying one fixed Policy over every Supplier.