How do I set up a policy?
Written by Kian
Updated over a week ago

When you sign up, Risk Ledger creates a set of template security policies for you. These can be edited to match your organisation's existing supply chain security policies.

What is a Policy and how do they work?

Policies allow you to apply your security requirements to the suppliers you review on Risk Ledger. At their most basic, Policies are a list of security controls that you require the Suppliers you work with to have implemented.

You can view your policies by navigating to the Policies section of your account.


Creating, Editing & Deleting a Policy

Creating a Policy:

To create a new policy, navigate to Policies > "+ Add Policy"

Editing an Existing Policy:

You can edit a policy simply by clicking into it, making the necessary changes and then hitting the "Save Changes" button.

Deleting a Policy:

To delete a policy, click the ellipsis (three dots) button on the right-hand side of the policy and hit the "Delete" button.


How are Policies Set Up in Risk Ledger?

The suppliers that a Policy applies to are defined by the tags and/or labels attached to it:

On the "Supplier Overview" page you can tag your Suppliers with a criticality, data confidentiality, and PII (Personally Identifiable Information) tag when you connect with them, and then build your personalised policies, which will be applied to suppliers carrying those tags.

For example, if you build a Policy and tag it with the "Holds PII" tag, all of the Suppliers that you connect with and tag as "Holds PII" will have that Policy's requirements applied. The platform then automatically calculates a compliance score for each Supplier and highlights any non-compliant controls, so you very quickly get an overview of potential risks in the Supplier's security landscape.

You can also create your own labels, apply them to suppliers in the "Supplier Overview", and then use those labels on Policies in the same way as tags.


Policies with Multiple Tags/Labels

When you build a Policy, you can apply multiple tags and labels to it. Each tag/label is compared against each Supplier individually, so a Supplier matches the Policy if it carries any one of them.

For example, a Policy that you have built and applied to suppliers with the "Holds PII" and "Critical" tags will apply to all Suppliers tagged "Holds PII" and to all Suppliers tagged "Critical"; a Supplier does not need both tags to be in scope.


How to Stack Policies

When applying multiple policies to a single supplier, Risk Ledger refers to this as 'Stacking Policies'.

For example, if you have three separate policies, one for suppliers with the Holds PII tag, one for suppliers with the Critical tag, and one for suppliers with the Highly Confidential tag, a supplier that is tagged as Critical, Highly Confidential, and Holds PII will have all three policies applied to it. When applying multiple policies to a supplier, Risk Ledger aggregates the policies and takes the highest required value for each control.
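As an added worked example covering both the multi-tag matching rule above and policy stacking, the following Python models the two behaviours described: a Policy tagged with several tags/labels matches any Supplier that carries at least one of them, and the matching Policies are merged by keeping the highest required value per control. This is illustration code, not Risk Ledger's own code or data model. The policy names, control identifiers, ordinal requirement levels (0 = not required, 1 = required, 2 = required with evidence) and supplier assessments are all constructed for the example; Risk Ledger's real control list and scoring method are not shown on this page.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Assumed ordinal requirement levels (a constructed model, not Risk Ledger's):
# 0 = not required, 1 = required, 2 = required with evidence.
NOT_REQUIRED, REQUIRED, REQUIRED_WITH_EVIDENCE = 0, 1, 2


@dataclass
class Policy:
    name: str
    tags: Set[str]              # a supplier matches if it carries ANY of these
    controls: Dict[str, int]    # control id -> required level


@dataclass
class Supplier:
    name: str
    tags: Set[str]
    assessment: Dict[str, int]  # control id -> level the supplier reports having


def matching_policies(supplier: Supplier, policies: Iterable[Policy]) -> List[Policy]:
    """Each tag/label on a Policy is compared individually: one shared tag is enough."""
    return [p for p in policies if p.tags & supplier.tags]


def stack_policies(policies: Iterable[Policy]) -> Dict[str, int]:
    """Aggregate several Policies, keeping the highest required level per control."""
    effective: Dict[str, int] = {}
    for policy in policies:
        for control, level in policy.controls.items():
            effective[control] = max(effective.get(control, NOT_REQUIRED), level)
    return effective


def non_compliant_controls(supplier: Supplier, effective: Dict[str, int]) -> List[str]:
    """Controls whose required level exceeds what the supplier reports (missing = 0)."""
    return sorted(
        control for control, level in effective.items()
        if level > NOT_REQUIRED
        and supplier.assessment.get(control, NOT_REQUIRED) < level
    )


def compliance_score(supplier: Supplier, effective: Dict[str, int]) -> float:
    """Fraction of required controls the supplier meets (1.0 if nothing is required)."""
    required = [c for c, level in effective.items() if level > NOT_REQUIRED]
    if not required:
        return 1.0
    met = sum(1 for c in required if supplier.assessment.get(c, NOT_REQUIRED) >= effective[c])
    return met / len(required)


def evaluate(supplier: Supplier, policies: Iterable[Policy]) -> dict:
    """Match, stack and score one supplier; returns a plain dict for inspection."""
    matched = matching_policies(supplier, policies)
    effective = stack_policies(matched)
    return {
        "policies": sorted(p.name for p in matched),
        "effective": effective,
        "non_compliant": non_compliant_controls(supplier, effective),
        "score": compliance_score(supplier, effective),
    }


# Constructed sample policies: one per tag, plus one multi-tag policy to show OR matching.
# ENC-01 appears in two policies at different levels to show "highest value wins".
TEMPLATE_POLICIES = [
    Policy("Critical", {"Critical"}, {"AVL-01": REQUIRED_WITH_EVIDENCE, "AVL-02": REQUIRED}),
    Policy("Highly Confidential", {"Highly Confidential"}, {"ENC-01": REQUIRED_WITH_EVIDENCE, "DLP-01": REQUIRED}),
    Policy("Holds PII", {"Holds PII"}, {"PRV-01": REQUIRED, "ENC-01": REQUIRED}),
    Policy("PII or Critical", {"Holds PII", "Critical"}, {"IR-01": REQUIRED}),
]

# Constructed sample suppliers with self-reported assessments.
ACME = Supplier("Acme Ltd", {"Critical", "Highly Confidential", "Holds PII"},
                {"AVL-01": 2, "AVL-02": 1, "ENC-01": 1, "DLP-01": 1, "PRV-01": 0, "IR-01": 1})
BETA = Supplier("Beta Ltd", {"Critical"}, {"AVL-01": 2, "AVL-02": 1, "IR-01": 1})
GAMMA = Supplier("Gamma Ltd", {"Holds PII"}, {"PRV-01": 1, "ENC-01": 0})

if __name__ == "__main__":
    for supplier in (ACME, BETA, GAMMA):
        print(supplier.name, evaluate(supplier, TEMPLATE_POLICIES))
```

Acme matches all four policies; ENC-01 is required at level 2 by "Highly Confidential" and level 1 by "Holds PII", so the stacked requirement is 2 and Acme's level-1 answer is flagged. Beta carries only the Critical tag but still falls under the multi-tag "PII or Critical" policy, which is the OR behaviour described in the previous section.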


Why Should I Stack Policies?

The criticality rating, data confidentiality rating, and PII tag are distinct concepts, and each drives a different subset of control requirements. Criticality drives controls that protect a supplier's availability, data confidentiality drives controls that cover data protection, and the PII tag drives data privacy controls.

When building your policies, we recommend that you stick to one tag per policy. This allows you to stack policies based on each individual supplier's tags.

For example, Risk Ledger includes a template policy for each tag that can be applied. This means that when you onboard a supplier who has the tags Critical, Highly Confidential, and Holds PII, all of the controls from the Critical Policy, Highly Confidential Policy, and Holds PII Policy are enforced over that supplier.

This process of creating multiple policies and stacking them adds flexibility to the way policies are applied across your supply chain, and we think it is a big step forward from the traditional approach of applying one fixed policy to every supplier.


๐Ÿ’กCan my suppliers see the policies that I create?

Within the Risk Ledger app, policies are used to measure compliance between a supplier's assessment and a client's requirements. Although Risk Ledger doesn't show suppliers a client's complete Policies, suppliers do see the requirements that apply to them. This gives suppliers visibility of their security gaps and allows them to be proactive and remediate any control gaps they may have.
