Vendor Management Policy

Version: 1.0 approved

Internal Use

Dispel

Document Control

Item | Details
Version | 1.0
Cadence | Annual
Policy Owner | Chief Operating Officer
Approved By | Chief Executive Officer
DCF References | DCF-1, DCF-2, DCF-4, DCF-5, DCF-6, DCF-12, DCF-13, DCF-15, DCF-16, DCF-17, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-31, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-45, DCF-47, DCF-48, DCF-49, DCF-55, DCF-56, DCF-57, DCF-58, DCF-62, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-99, DCF-100, DCF-101, DCF-134

1. PURPOSE AND SCOPE

1.1 Purpose

The purpose of this policy is to define how Dispel selects, approves, and manages vendors and service providers to ensure that risks to security, privacy, and compliance are identified and controlled throughout the vendor lifecycle.

1.2 Scope

This policy applies to:

  • All vendors and service providers that process, store, transmit, or otherwise have access to Dispel data, systems, or facilities.
  • All engagements where vendors provide services that could impact Dispel’s ability to meet its regulatory, contractual, or security obligations.
  • All Covered Persons involved in procurement, vendor onboarding, oversight, or offboarding.

1.3 Regulatory and Framework Alignment

# | Framework / Standard | Relevant Control IDs | Alignment Notes
1 | SOC 2 | CC3.1, CC3.2, CC3.3 | Identification and mitigation of risks, including those associated with vendors and service providers.
2 | ISO/IEC 27001 | A.5.19, A.5.20, A.5.21 | Information security in supplier relationships, addressing supplier agreements, monitoring, and managing supplier services.
3 | NIST SP 800-53 | SA-4, SA-9, SR-3 | Acquisition controls, external system services, and supplier due diligence and monitoring.
4 | IEC 62443 | 62443-2-1 | Requirements for supplier and service provider security in industrial environments.
5 | HIPAA | 164.308(b)(1) | Requirements for business associate agreements and oversight of third parties handling ePHI.

2. POLICY STATEMENTS

2.1 Management Commitment

Management Commitment Statement

Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:

  • Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
  • Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
  • Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
  • Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.

2.2 Primary Policy Statement

Dispel SHALL maintain a structured vendor management program that ensures vendors and service providers are selected, onboarded, monitored, and offboarded in a manner that manages risks to acceptable levels.

2.3 Secondary Policy Statement

  • Vendors SHALL be classified based on the nature and criticality of services and data access.
  • Higher-risk vendors SHALL be subject to increased due diligence, contractual protections, and monitoring.
  • Vendor relationships SHALL be periodically reviewed to ensure continued alignment with security, privacy, and compliance requirements.

3. REQUIREMENTS

3.1 Vendor Management Governance

Objective: Establish governance for vendor management activities.

Mandatory Activities:

  1. The Policy Owner SHALL own this policy and associated procedures and ensure they are reviewed at least annually.
  2. Vendor management responsibilities SHALL be defined and communicated to relevant stakeholders (e.g., Procurement, Security, Legal, System Owners).
  3. This policy and procedures SHALL be disseminated to Covered Persons involved in vendor activities; review, acceptance, and acknowledgement SHALL be required initially and at least annually.

Required Outputs:

  • Approved and current vendor management policy and procedures.
  • Records of acknowledgements for relevant roles.

Security Controls: NIST SP 800-53 SA-4, SA-9, SR-3.


3.2 Vendor Classification and Risk Assessment

Objective: Classify vendors and assess vendor-related risks.

Mandatory Activities:

  1. Dispel SHALL define vendor classification criteria based on:
    • Type and sensitivity of data accessed or processed.
    • Criticality of the services provided.
    • Level of connectivity or integration with Dispel systems.
  2. Vendors SHALL be assigned to risk tiers (e.g., low, medium, high) based on the classification criteria.
  3. For each vendor, a risk assessment SHALL be conducted that considers:
    • The vendor’s control environment and security posture.
    • Regulatory and contractual requirements.
    • Potential impact of vendor failures or incidents.

Required Outputs:

  • Vendor inventory with classification and risk tier.
  • Vendor risk assessments.

Security Controls: NIST SP 800-53 SA-9, SR-3.


3.3 Vendor Due Diligence and Contracting

Objective: Ensure appropriate due diligence and contractual protections are in place.

Mandatory Activities:

  1. Prior to onboarding medium- and high-risk vendors, Dispel SHALL perform due diligence activities such as:
    • Security and privacy questionnaires.
    • Review of independent audit reports or certifications (e.g., SOC 2, ISO 27001).
    • Technical evaluations where applicable.
  2. Contracts or Business Associate Agreements (BAAs), where applicable, SHALL include security and privacy provisions commensurate with the risks, including:
    • Data protection and confidentiality clauses.
    • Incident notification and cooperation requirements.
    • Sub-processor controls and approval mechanisms.
    • Termination and data return or destruction requirements.
  3. Due diligence results and contract terms SHALL be documented and retained.

Required Outputs:

  • Completed due diligence artifacts.
  • Executed contracts or BAAs with security and privacy clauses.

Security Controls: NIST SP 800-53 SA-4, SA-9, SR-3.


3.4 Ongoing Vendor Monitoring and Offboarding

Objective: Monitor vendor performance and manage end-of-life transitions.

Mandatory Activities:

  1. Dispel SHALL monitor vendors, particularly those in higher-risk tiers, for:
    • Changes in control environments as indicated by updated reports or certifications.
    • Reported security incidents or issues affecting services.
    • Material changes in services, ownership, or financial condition.
  2. Vendor performance and risk SHALL be reviewed at defined intervals and upon triggering events (e.g., major incident, change in services).
  3. When offboarding a vendor, Dispel SHALL:
    • Ensure return or secure destruction of Dispel data.
    • Revoke access to systems and facilities.
    • Update inventories and documentation to reflect the end of the relationship.

Required Outputs:

  • Vendor performance and risk review records.
  • Offboarding checklists and evidence of data return/destruction and access revocation.

Security Controls: NIST SP 800-53 SA-9.


4. ROLES AND RESPONSIBILITIES

4.1 Policy Owner

Responsibilities:

  • Owns this Vendor Management Policy.
  • Ensures integration with risk management, supply chain, and information security policies.
  • Coordinates periodic reviews and updates.

4.2 Procurement / Vendor Management

Responsibilities:

  • Maintain the vendor inventory and classification.
  • Coordinate due diligence, contracting, and ongoing monitoring activities.
  • Ensure vendor onboarding and offboarding procedures are followed.

4.3 Security Officer

Responsibilities:

  • Provide input on vendor-related security and privacy requirements.
  • Review due diligence and contract terms for higher-risk vendors.
  • Participate in incident response and remediation activities involving vendors.

4.4 Legal

Responsibilities:

  • Review and approve contractual terms and BAAs.
  • Ensure vendor agreements meet regulatory and contractual obligations.

4.5 System Owners

Responsibilities:

  • Identify vendor dependencies for systems they own.
  • Participate in risk assessments and monitoring of vendors impacting their systems.
  • Support implementation of compensating controls where vendor risks are identified.

5. PROCEDURES

5.1 Vendor Management Lifecycle (High-Level)

Step | Action | Responsible Party | Timeframe
1 | Identify need for vendor services and define requirements, including data and system impact. | System Owners, Procurement | During planning
2 | Classify vendor and conduct risk assessment and due diligence as required. | Procurement, Security Officer, Policy Owner | Before engagement
3 | Negotiate and execute contracts or BAAs with appropriate security and privacy clauses. | Procurement, Legal, Policy Owner | Before service start
4 | Monitor vendor performance, review reports/certifications, and reassess risk periodically. | Procurement, Security Officer, System Owners | Ongoing
5 | Manage remediation for issues and consider alternatives if risks become unacceptable. | Policy Owner, Security Officer, System Owners | As needed
6 | Offboard vendor, ensure data return or destruction, and revoke access. | Procurement, System Owners, Security Officer | At contract termination

6. MONITORING AND COMPLIANCE

6.1 Compliance Monitoring

Compliance with this policy SHALL be monitored through:

  • Reviews of vendor inventories, classifications, and due diligence records.
  • Internal or external audits of vendor management processes.
  • Reviews of vendor-related incidents and remediation activities.

6.2 Metrics and Reporting

The following metrics SHALL be tracked and reported at least annually to the Policy Owner and senior management:

Metric | Frequency | Owner
Percentage of high-risk vendors with completed due diligence and current contracts | Annual | Procurement
Number of significant vendor-related incidents and remediation status | Quarterly | Security Officer
Percentage of vendors with periodic reviews completed on schedule | Annual | Policy Owner

6.3 Non-Compliance Consequences

Failure to comply with this policy and procedures may result in:

  • Increased exposure to vendor-related risks and potential service disruptions.
  • Revocation or restriction of access for Covered Persons who repeatedly fail to follow vendor management procedures.
  • Disciplinary action for employees and contractors, consistent with Dispel HR policies and applicable law.

7. EXCEPTIONS AND WAIVERS

7.1 Exception Process

Exceptions to this policy SHALL:

  1. Be submitted in writing by the requesting party.
  2. Identify the specific policy or procedural requirements for which an exception is sought.
  3. Include justification and business impact.
  4. Describe compensating controls or mitigation measures.
  5. Define exception duration and remediation plan.

7.2 Exception Approval Authority

Risk Level | Approval Authority
Low | Policy Owner
Medium | Policy Owner and Security Officer
High | Policy Owner, Security Officer, and Senior Management representative
Critical | Senior Management representative in consultation with Policy Owner and Security Officer

8. DEFINITIONS

Vendor: Any external organization that provides products or services to Dispel.

Business Associate: A vendor that creates, receives, maintains, or transmits ePHI on behalf of Dispel or provides services involving ePHI, as defined by HIPAA.

Due Diligence: The process of evaluating a vendor’s capabilities and control environment prior to engagement.


9. REFERENCES

9.1 Internal References

  • Risk Assessment Policy and Procedures.
  • System Supply Chain Risk Management Policy and Procedures.
  • Information Security Policy.

9.2 External References

  • NIST SP 800-53, SA and SR families.
  • ISO/IEC 27001 and ISO/IEC 27036 series.
  • HIPAA regulations for business associates.

10. DOCUMENT HISTORY

Version | Date | Author | Changes
1.0 | Predates version control | Ethan Schmertzler | Initial Vendor Management Policy aligned to POLICY_TEMPLATE and control mappings.

11. APPROVAL SIGNATURES

Role | Name | Signature | Date
Policy Owner | | |
Security Officer | | |
Senior Management Representative | | |

APPENDICES

Appendix A: Supporting Vendor Management Procedures

This appendix may include:

  • Detailed vendor onboarding and offboarding checklists.
  • Sample due diligence questionnaires.
  • Example contract security and privacy clauses.

Appendix B: Additional Guidance and Examples

This appendix may include:

  • Example vendor risk scenarios and mitigation approaches.
  • References to current industry best practices for vendor management.

Document Provenance

Last Modified: April 6, 2026 at 12:37 -0400
Author: unknown
Signature: Not signed
Commit: 547bdca