DCF Control Reference
Drata Compliance Framework control definitions referenced across Dispel policies
Dispel Management has approved all policies that detail how customer data may be made accessible and should be handled. These policies are accessible to all employees and contractors.
Dispel has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and employee transfers.
Dispel tests the integrity and completeness of back-up information on an annual basis.
Dispel has a documented policy for data retention defining the types of data (including company and customer data) and the period of time for which they should be retained.
Dispel has established a data classification policy in order to identify the types of confidential information possessed by the entity and types of protection that are required.
Dispel deletes customer data within 30 days of the customer terminating its contract.
Dispel uses test data within test environments.
Dispel's new hire contracts include a non-disclosure agreement (NDA).
Dispel has a clean desk policy in place to ensure that documents containing sensitive data are not left in public areas or lying on unattended employee work areas.
Dispel disposes of hardcopy material with sensitive data when no longer needed (for legal or business reasons, or upon expiration of their retention period) through secure means such as cross-cut shredding, incinerating, or pulping, so that the data cannot be reconstructed.
Dispel places paper documents containing sensitive data in a secured storage bin.
Dispel has formal policies and procedures in place to guide personnel in the disposal of hardware containing sensitive data.
Dispel performs annual access control reviews.
Dispel's application edits limit input to acceptable value ranges.
Dispel system edits require mandatory fields to be complete before record entry is accepted.
Dispel provides notice of its privacy practices to users prior to users entering information into its application.
Dispel's management reviews the privacy notice to ensure that the privacy notice is accurate.
Dispel communicates its Privacy Policy on its public-facing website.
Dispel's Privacy Policy includes:
- Purpose for collecting personal information
- Choice and consent
- Types of personal information collected
- Methods of collection (for example, use of cookies or other tracking techniques)
- Use, retention, and disposal
- Access
- Disclosure to third parties
- Security for privacy
- Quality, including data subjects' responsibilities for quality
- Monitoring and enforcement
Dispel's users are required to explicitly accept the notice of privacy practices prior to entering information into the application.
Dispel's collection of personal information is limited to that necessary to meet the entity's objectives.
Dispel's management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.
Dispel maintains policies and procedures that define allowable use and disclosure scenarios.
Dispel has identified and documented baseline security configuration standards for all system components in accordance with industry-accepted hardening standards or vendor recommendations. These standards are reviewed periodically and updated as needed (e.g., when vulnerabilities are identified) and verified to be in place before or immediately after a production system component is installed or modified (e.g., through infrastructure as code, configuration checklists, etc.).
Dispel's management reviews privacy policies and procedures annually to ensure that personal information is used in conformity with the purposes identified in the privacy notice.
Dispel only uses personal information for the purposes identified in the entity's privacy policy.
Dispel captures requests for deletion of personal information, and the information related to those requests is appropriately deleted.
Dispel implements policies and procedures to erase or otherwise destroy personal information that has been identified for destruction.
Users accessing their personal information through Dispel's application must be authenticated with a username and password.
Users can access all of their personal information through the application by navigating to their settings and profile.
Users can correct, amend, or append their personal information by logging into the application and navigating to their settings and profile.
Dispel's privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed.
Dispel discloses personal information only to third parties who have agreements with Dispel to protect personal information in a manner consistent with the relevant aspects of Dispel's privacy notice or other specific instructions or requirements.
Dispel maintains a documented list of third parties and vendors that are authorized to receive or access PII.
Dispel has a defined Information Security Policy that covers policies and procedures to support the functioning of internal control.
Dispel tracks and logs breaches involving unauthorized uses and disclosures of personal information in an incident tracking system.
Dispel has incident management procedures that include detailed instructions on how to escalate a suspected incident to the Information Security Team and, when necessary, to the Privacy or Legal department. Dispel has a standard incident report template that must be completed for each incident.
Dispel ensures that vendors and third parties with access to protected health information (PHI) are required to sign a Business Associate Agreement (BAA) on an annual basis.
Dispel requires vendors and third parties with access to personal information to sign a formal contract that requires them to notify Dispel in the event of actual or suspected unauthorized disclosures of personal information.
Dispel provides vendors and third parties with information on how to report breaches to Dispel.
Dispel has a process for providing notice of breaches and incidents to affected data subjects to meet Dispel's objectives related to privacy.
Dispel's privacy practices posted on its website include the list of third parties authorized to receive personal information.
As personal information is collected, automated edit checks are in place to ensure that data entry fields are completed properly.
Dispel informs users about how to contact Dispel with inquiries, complaints, and disputes via the privacy practices that are posted on Dispel's public-facing website.
Dispel reviews its organizational structure, reporting lines, authorities, and responsibilities in terms of information security on an annual basis.
Data subjects can submit inquiries, complaints, and disputes via the customer portal.
Dispel has a process for tracking users' inquiries, complaints, and disputes within the incident tracking system.
Executive management meets on a quarterly basis to review compliance with privacy practices and privacy regulations.
The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.
The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.
The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.
The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.
Dispel has security policies that have been approved by management and detail how physical access to the company's headquarters is maintained. These policies are accessible to all employees and contractors.
Dispel performs application regression testing to validate key processing for the application during the change management process.
Dispel ensures that company-issued removable media devices (USB drives) are encrypted.
Dispel has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.
Dispel uses DLP (Data Loss Prevention) software to prevent unencrypted sensitive information from being transmitted over email.
Dispel ensures that file integrity monitoring (FIM) software is in place to detect whether operating system and application software files have been tampered with.
Dispel has implemented automated mechanisms (e.g., unattended upgrades, automated patching tools, etc.) to install security fixes to systems.
Dispel performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings.
Dispel ensures that incident response plan testing is performed on an annual basis.
Dispel ensures that code changes are tested prior to deployment to ensure quality and security.
Dispel ensures that releases are approved by appropriate members of management prior to production release.
Dispel maintains cybersecurity insurance to mitigate the financial impact of business disruptions.
Dispel allows external users to enable multi-factor authentication on their accounts, so that two forms of authentication are required before access is granted.
Dispel has an established Incident Response Plan that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.
Dispel conducts a Risk Assessment at least annually.
Dispel conducts continuous monitoring of security controls using Drata, and addresses issues in a timely manner.
Dispel has a well-defined, documented scope that reflects the boundaries and applicability of its Information Security Management System.
Dispel has a documented statement of applicability, which defines and applies necessary controls for the implementation of an information security risk treatment process.
Dispel has identified and documented interested internal and external parties relevant to its ISMS, and relevant and applicable legal and contractual requirements for compliance.
Dispel's top management conducts scheduled reviews of the ISMS to ensure effectiveness and relevance.
Dispel has an internal audit process to ensure that the ISMS is effectively implemented, maintained, and in conformance.
Dispel has a defined Business Continuity Plan that outlines the proper procedures to respond, recover, resume, and restore operations following a disruption.
Dispel has a Business Impact Analysis process to determine resources and time required to ensure business continuity after a disruptive incident.
Dispel has a defined vendor management policy that establishes requirements of ensuring third-party entities meet the organization's data preservation and protection requirements.
Dispel has a defined backup policy that establishes the requirements for backing up information, software, and systems.
Dispel's Management prepares a remediation plan to formally manage the resolution of findings identified in risk assessment activities.
Dispel has documented security objectives and procedures to achieve those objectives.
Dispel has documented procedures for operations relating to information processing and communication facilities.
Dispel has a defined change management process for the organization, business processes, and information processing facilities and systems that affect information security.
Dispel has an established Employment Terms and Conditions that defines obligations and responsibilities in line with information security policies.
Dispel has a defined policy that establishes requirements and responsibilities for remote work and the use of company and personal IT devices.
Dispel has a defined communications plan that establishes procedures for internal and external communications relevant to the ISMS.
Dispel has a defined process for evaluating information security performance and the effectiveness of the ISMS.
Dispel has a defined plan for event logging that establishes the required criteria for logs, the protection of logged information, and clock synchronization.
Dispel has an established system for record management and document control.
Dispel has an established list of applicable information security roles and specified skill and competence level required for each role.
Dispel engages a third party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management and high-priority findings are tracked to resolution.
Dispel has a defined process to ensure the secure transfer of information internally and externally.
Dispel has a defined policy that establishes requirements for the use of cryptographic controls.
Dispel has a defined policy that establishes requirements for the proper management and tracking of organizational assets.
Dispel has a defined policy that establishes requirements for vulnerability assessments and reporting.
Dispel has a defined and documented Information Security Management System (ISMS) Plan, for the establishment, implementation, maintenance, and continuous improvement of its information security and risk management program.
Dispel has an established threat assessment process to continuously analyze threats and disseminate the information appropriately.
Dispel has a defined process for the de-identification of data that has been classified as sensitive.
Dispel has a defined Configuration Management Plan that outlines the proper procedures to manage and protect new and existing configurations.
Dispel has a process to communicate and exchange information with relevant security and privacy organizations.
Dispel performs a review of information system activities at regular intervals.
Dispel engages a third party to conduct penetration tests of the production environment at least annually. Results are reviewed by management and high-priority findings are tracked to resolution.
Dispel has identified and assigned members to appropriate information security roles.
Dispel has documented procedures for periodic communication of security updates and reminders to all personnel, and to other interested parties when appropriate.
Dispel has a defined policy that establishes the requirements of the HIPAA Privacy Rule.
Dispel has a defined breach notification policy that establishes the requirements and procedures for reporting a breach of sensitive information.
Dispel has a defined policy that establishes the requirements related to Group Health Plans.
Dispel has a defined policy that establishes the requirements related to Business Associate Agreements.
Dispel has established a training program for the use and disclosure of protected health information (PHI) to help employees understand their obligations and responsibilities to comply with Dispel's security policies and procedures, as they apply to HIPAA. All members of Dispel's workforce are required to complete this training upon hire and annually thereafter.
Dispel retains required documentation for 6 years from the date of the document's creation or when it was last in effect (whichever is later).
Dispel authorizes access to information resources, including data and the systems that store or process customer data, based on the principle of least privilege.
Dispel identifies, inventories, classifies, and assigns owners to IT assets.
A data-flow diagram is maintained to show all account data flows across systems and networks. The diagram is reviewed and updated annually or as needed upon changes to the environment.
Dispel has implemented network security controls between trusted and untrusted networks to prevent unauthorized traffic from traversing network boundaries.
Dispel defines groups, roles, and responsibilities for management of network components.
Dispel documents the business justification and approval for use of all services, protocols, and ports allowed, including documentation of the security features implemented for those protocols considered to be insecure.
Dispel maintains an accurate architecture diagram to document system boundaries to support the functioning of internal control.
Dispel identifies all services, protocols, and ports in use. Dispel identifies, documents, and implements security features for each insecure service, protocol, or port in use, such that the risk is mitigated.
Dispel ensures that all other inbound and outbound traffic is specifically denied (for example, by using an explicit "deny all" rule or an implicit deny after allow statements).
Inbound traffic from untrusted networks is restricted to communications with system components that are authorized to provide publicly accessible services, protocols, and ports, and to stateful responses to communications initiated by system components in a trusted network. All other traffic is denied.
Dispel maintains an accurate network diagram that is accessible to the engineering team and is reviewed by management on an annual basis.
Dispel private IP addresses and routing information are not disclosed to unauthorized parties.
Dispel has installed personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:
* Specific configuration settings are defined.
* Personal firewall (or equivalent functionality) is actively running.
* Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices.
Dispel has configured personal firewall software (or equivalent functionality) to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices.
Dispel ensures that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
All vendor-supplied default accounts are either disabled or removed, or their default password is changed in accordance with the company's policy and compliance requirements.
Dispel tracks and prioritizes security deficiencies through internal tools according to their severity by an independent technical resource.
Dispel ensures that unnecessary default accounts are removed or disabled before installing a system on the network.
Dispel ensures that firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks.
Dispel ensures that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.1.
Dispel's system configuration standards include all of the following: Changing of all vendor-supplied defaults and elimination of unnecessary default accounts; implementing only one primary function per server to prevent functions that require different security levels from coexisting on the same server; enabling only necessary services, protocols, daemons, etc., as required for the function of the system; implementing additional security features for any required services, protocols or daemons that are considered to be insecure; configuring system security parameters to prevent misuse; removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Dispel has implemented only one primary function per server to prevent functions that require different security levels from coexisting on the same server.
Dispel tracks security deficiencies through internal tools and closes them within an SLA that management has pre-specified.
Dispel uses only necessary services, protocols, daemons, and functions in system components, and all unnecessary functionality (e.g., scripts, drivers, features, subsystems, file systems, interfaces, unused web servers, etc.) is removed or disabled in accordance with documented configuration standards.
Security parameters in system components are configured to prevent misuse in accordance with documented configuration standards.
Dispel's enabled functions are documented and support secure configuration.
Dispel has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.
Dispel ensures system services and parameter files are configured to prevent the use of Telnet and other insecure remote login commands.
Dispel ensures that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
Dispel disposes of data securely upon expiration of the established retention periods or when no longer needed for legal, regulatory, and/or business reasons.
Dispel conducts annual BCP/DR tests and documents the results according to the BCDR Plan.
Disk encryption implementations are configured to require independent authentication and logical access controls for decryption to protect data in the event of physical loss of a disk.
Dispel stores cryptographic keys securely.
Dispel utilizes multiple availability zones to replicate production data across different zones.
Dispel stores cryptographic keys in the fewest possible locations to minimize the potential for keys to be exposed to unauthorized parties.
Key-management policies and procedures are documented and implemented including: generation of strong cryptographic keys, secure distribution, and secure storage of cryptographic keys used to protect sensitive data.
Dispel's cryptographic key procedures include secure cryptographic key distribution.
Dispel retires, replaces, or destroys cryptographic keys that are no longer used or needed, or when the key expires, the integrity of the key has been weakened, or the key is known or suspected to be compromised, in accordance with documented company policies and procedures. Retired or replaced keys are not used for encryption operations.
Dispel has implemented an Incident Response Plan that includes creating, prioritizing, assigning, and tracking follow-ups to completion and lends support to Business Continuity/Disaster Recovery.
Dispel uses strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
Dispel has implemented security protocols so that only trusted keys and/or certificates are accepted during transmission of sensitive data that are confirmed valid and not expired or revoked.
Dispel has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.
An anti-malware solution is deployed on all system components, except for those system components identified through periodic risk assessments that conclude the system components are not at risk from malware.
Dispel performs periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether those systems considered to not be commonly affected by malicious software continue as such.
The deployed anti-malware solution is configured to detect all known types of malware and to remove, block, or contain all known types of malware, and is kept current via automatic updates.
The implemented anti-malware solutions are configured to perform periodic scans and active or real-time scans, or perform continuous behavioral analysis of systems or processes.
Dispel has implemented a formal patch management process where critical or high-security patches/updates (as identified per the entity's vulnerability risk analysis) are installed within one month of release. All other applicable security patches/updates are installed within the timeframe established by the entity per the risk analysis and company policies and procedures.
Dispel uses encryption to protect user authentication and admin sessions of the internal admin tool transmitted over the Internet.
Dispel has implemented an Incident Response Plan that includes documenting “Lessons Learned” and "Root Cause Analysis" after incidents and sharing them with the broader engineering team to support Business Continuity/Disaster Recovery.
Dispel removes development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
Dispel has separation of duties between development/test and production environments.
Test data and test accounts are removed from system components before the system goes into production.
Changes to all system components in the production environment (including software, code, infrastructure, network, configuration changes, etc.) are made according to established policies and procedures that include documentation (change description, justification, evaluation of security impact, approval by authorized parties, rollback procedures) and testing (including security impact testing and code vulnerability testing for custom development changes).
Dispel has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.
Dispel trains developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
Dispel's coding techniques address improper error handling.
Dispel's coding techniques address all “high risk” vulnerabilities identified in the vulnerability identification process.
Dispel Management has approved security policies, and all employees accept these procedures when hired. Management also ensures that security policies are accessible to all employees and contractors.
Dispel limits access to system components and sensitive data to only those individuals whose job requires such access.
Dispel defines access needs for each role, including: System components and data resources that each role needs to access for their job function; Level of privilege required for accessing resources.
Dispel requires documented approval by authorized parties specifying required privileges.
Management reviews security policies on an annual basis.
Dispel's access control system(s) is configured to enforce assignment of privileges to individuals based on job classification and function.
Dispel controls addition, deletion, and modification of user IDs, credentials, and other identifier objects.
Dispel removes/disables inactive user accounts within 90 days.
Accounts used by third parties to access, support, or maintain system components via remote access are enabled during the time period needed based on documented authorization by management and disabled when not in use. Third-party remote access is monitored by company personnel for unexpected activity.
Dispel ensures that accounts used by third parties to access, support, or maintain system components via remote access are monitored when in use.
Dispel limits repeated access attempts by locking out the user ID after not more than six attempts.
Invalid authentication attempts are limited by locking out the user ID after not more than 10 failed attempts.
Dispel has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.
Dispel has configured account lockout duration following a set number of invalid authentication attempts to a minimum of 30 minutes or until the identity of the user is confirmed (for example, by a system administrator).
Dispel ensures that if a session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.
In addition to assigning a unique ID, Dispel ensures proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
* Something you know, such as a password or passphrase
* Something you have, such as a token device or smart card
* Something you are, such as a biometric
The security team communicates important information security events to company management in a timely manner.
System configuration settings are in place to prevent password reuse. Individuals are not allowed to submit a new password that is the same as any of the last four passwords used, at a minimum.
Dispel sets passwords/passphrases for first-time use and upon reset to a unique value for each user, and changes them immediately after the first use.
All remote access to the entity’s network (including that of users, administrators, and third parties or vendors) requires multi-factor authentication.
Dispel's authentication policies and procedures include: Guidance on selecting strong authentication credentials; guidance for how users should protect their authentication credentials; instructions not to reuse previously used passwords; instructions to change passwords if there is any suspicion the password could be compromised.
Dispel ensures that where other authentication mechanisms are used, use of these mechanisms is assigned as follows: authentication mechanisms must be assigned to an individual account and not shared among multiple accounts; physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
Dispel has established training programs for privacy and information security to help employees understand their obligations and responsibilities to comply with Dispel's security policies and procedures, including the identification and reporting of incidents. All full-time employees are required to complete the training upon hire and annually thereafter.
Entry controls (e.g., badge access systems, etc.) are in place at Dispel's locations to restrict physical access to corporate facilities, including systems or areas that may process or store sensitive data, to authorized personnel, and to monitor such access.
Dispel uses either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Collected data is reviewed and correlated with other entries, and stored for at least three months unless otherwise restricted by law.
Dispel ensures that video cameras or access control mechanisms (or both) are protected from tampering or disabling.
Data collected from video cameras and/or access control mechanisms are reviewed and correlated with other entries (e.g., access logs) on a periodic basis.
Data collected from video cameras and/or access control mechanisms is stored for at least three months unless otherwise restricted by law.
Dispel has implemented physical and/or logical controls to restrict access to publicly accessible network jacks.
Dispel restricts physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the company facilities.
Dispel has policies and procedures in place to establish acceptable use of information assets approved by management, posted on the company wiki, and accessible to all employees. All employees must accept the Acceptable Use Policy upon hire.
Dispel has procedures to easily distinguish between onsite personnel and visitors, to include: Identifying onsite personnel and visitors (for example, assigning badges); changes to access requirements; revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
Dispel restricts access to the identification or badge system to authorized personnel based on need-to-know principles.
Dispel controls physical access for onsite personnel to sensitive areas as follows: Access must be authorized and based on individual job function; access is revoked immediately upon termination, and all physical access mechanisms are returned or disabled.
Visitors are authorized before entering, and escorted at all times within company facilities, including areas where sensitive data may be processed or maintained.
Dispel personnel are required to wear a badge or other form of identification within company facilities. Dispel provides visitors with a badge or other form of identification that visibly distinguishes visitors from onsite personnel.
Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration.
Dispel maintains a visitor log to keep an audit trail of visitor activity to the company facilities, computer rooms or data centers where sensitive data may be stored or transmitted.
Dispel's visitor log includes, at a minimum, the visitor's name and the organization represented, the date and time of the visit, and the name of the personnel authorizing physical access.
Dispel evaluates the performance of all employees through a formal, annual performance evaluation.
Dispel retains visitor logs for a minimum of three months, unless otherwise restricted by law.
All media with sensitive data is encrypted and/or physically secured to prevent unauthorized persons from gaining access to the data.
Dispel stores offline media backups in a secure location (e.g., off-site facility, commercial storage facility, etc.). The security of the location is reviewed at least once every 12 months through inspection of the facilities. Results of the review are documented.
Dispel maintains strict control over the internal or external distribution of any kind of media.
All media with sensitive data is classified in accordance with the nature of the data and the company's data classification policy.
Media with sensitive data sent outside the company's facilities is logged, securely transmitted (e.g., via secure courier or other trackable method), and captured within offsite tracking logs to include details about media location.
Management approves all media with sensitive data that is moved outside the facility, including when media is distributed to individuals. Documentation of management's approval for the movement of media is retained.
Dispel maintains strict control over the storage and accessibility of media.
Dispel maintains a documented inventory of all electronic media with sensitive data. A verification of the inventory is conducted at least once every 12 months in accordance with company procedures.
Dispel's new hires are required to pass a background check as a condition of their employment.
Electronic media is destroyed or sensitive data is rendered unrecoverable so that it cannot be reconstructed when no longer needed for business or legal reasons.
Dispel has policies and procedures for the destruction of electronic media when no longer needed for business or legal reasons.
Dispel uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system admin.
Dispel requires its contractors to read and accept the Code of Conduct, read and accept the Acceptable Use Policy, and pass a background check.
Audit logs are enabled and active for all system components and sensitive data in accordance with company policies.
Dispel has configured audit logs to contain user or identity, type of event, date and time, success and failure indication, origination of event, affected data, and system component, resource, or service.
Automated audit trails or logs are implemented for all system components to capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
Members of the Board of Directors are independent of management.
Dispel ensures that automated audit trails are implemented for all system components to reconstruct access to all audit trails.
Automated audit trails or logs are implemented for all system components to capture all invalid access attempts.
Automated audit trails or logs are implemented to capture all changes to identification and authentication credentials (e.g., creation of new accounts, elevation of privileges, changes, additions, or deletions to accounts with administrative access, etc.).
Automated audit trails or logs are implemented for all system components to capture initialization of new audit logs and all starting, stopping, or pausing of the existing audit logs.
Automated audit trails or logs are implemented for all system components to capture all creation and deletion of system-level objects.
Dispel ensures that audit trail entries are recorded for all system components for user identification.
Dispel ensures that audit trail entries are recorded for all system components for type of event.
Dispel ensures that audit trail entries are recorded for all system components for date and time.
Dispel ensures that audit trail entries are recorded for all system components for origination of an event.
Management has established defined roles and responsibilities to oversee implementation of the information security policy across the organization.
Dispel ensures that audit trail entries are recorded for all system components for identity or name of affected data, system component, or resource.
Dispel synchronizes all critical system clocks and times using time-synchronization technology such as Network Time Protocol (NTP).
Systems are configured so that one or more designated central time servers are in use and receiving time from industry-accepted external sources based on International Atomic Time or Coordinated Universal Time (UTC).
Where there is more than one designated time server, the time servers peer with one another to keep accurate time.
Internal systems receive time information only from designated central time server or servers.
Access to modify time synchronization configurations or system time is restricted to authorized system administrators or personnel with a business need.
Dispel receives time settings from specific, industry-accepted time sources.
Dispel secures audit trails so they cannot be altered.
Access to audit log files and associated configurations is limited to those with a job-related need as authorized by management.
Dispel uses a termination checklist to ensure that an employee's system access, including physical access, is removed within a specified timeframe and all organization assets (physical or electronic) are properly returned.
Audit log files are protected to prevent modifications by individuals (e.g., via access control mechanisms, physical segregation, network segregation, etc.).
Dispel uses file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
Dispel has documented policies and procedures for logging and log monitoring that describe the events the organization must log and monitor, the general systems and system components that should be monitored, the specific information that must be captured in logs, the configuration of specific elements of the logging infrastructure, etc.
Dispel has a formal Code of Conduct approved by management and accessible to all employees. All employees must accept the Code of Conduct upon hire.
Dispel has audit log retention policies and procedures in place.
Dispel retains audit log history and historical records of activity for at least 12 months, with at least the most recent three months immediately available for analysis.
Dispel has the three most current months' logs, at the least, immediately available for analysis.
Dispel has implemented processes for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: Firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms, segmentation controls (if used).
Dispel has implemented alerting mechanisms to notify personnel of failures of critical security control systems (including network security controls, IDS/IPS, change-detection mechanisms, anti-malware solutions, physical access controls, logical access controls, audit logging mechanisms, segmentation controls, audit log review mechanisms, automated security testing tools, etc.). Failures of critical security control systems are evaluated as a security event and investigated in accordance with company policies and procedures.
Failures of any critical security control systems are addressed promptly based on the nature of the failure, and monitoring of security controls is resumed. Documentation is maintained to include identification of the issue, start time and end time, root cause and required remediation, identification of any security issues that arose during the failure along with the associated response, identification of any follow-up actions required as a result of the security failure, and the controls implemented to prevent the cause of failure from reoccurring.
Dispel documents failures in critical security controls, and includes: Identification of cause(s) of the failure, including root cause; duration (date and time start and end) of the security failure; details of the remediation required to address the root cause.
Dispel has security policies and operational procedures for monitoring all access to network resources and cardholder data that are documented, in use, and known to all affected parties.
Dispel's methodology to detect and identify any unauthorized wireless access points includes: WLAN cards inserted into system components; portable or mobile devices attached to system components to create a wireless access point; and wireless devices attached to a network port or network device.
Dispel has established a Data Protection Policy and requires all employees to accept it upon hire. Management monitors employees' acceptance of the policy.
Dispel ensures that if automated monitoring is utilized, monitoring is configured to generate alerts to notify personnel.
Dispel maintains an inventory of authorized wireless access points including a documented business justification.
Dispel's new hires and/or internal transfers are required to go through an official recruiting process during which their qualifications and experience are screened to ensure that they are competent and capable of fulfilling their responsibilities.
All Dispel positions have a detailed job description that lists qualifications, such as requisite skills and experience, which candidates must meet in order to be hired by Dispel.
Dispel has enabled file integrity monitoring or a change-detection mechanism to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, audit files, or content files to ensure critical data cannot be changed without generating alerts.
Dispel ensures that all company-issued computers use a screensaver lock with a timeout of no more than 15 minutes.
Dispel has implemented a process to respond to any alerts generated by the change-detection solution.
Dispel has security policies and operational procedures for security monitoring and testing that are documented, in use, and known to all affected parties.
Dispel has documented and implemented acceptable use policies for end-user technologies (e.g., remote access and wireless technologies, laptops, tablets, mobile phones, removable electronic media, email usage, internet, etc.), which include explicit approval by authorized parties, acceptable uses of the technology, and list of products approved by the company for employee use, including hardware and software.
Dispel's critical technologies usage policy requires automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Dispel's critical technologies usage policy requires that remote-access technologies for vendors and business partners are activated only when needed by those vendors and business partners, with immediate deactivation after use.
Dispel ensures that a password manager is installed on all company-issued laptops.
Dispel prohibits, for personnel accessing cardholder data via remote-access technologies, the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.
When Dispel's application code changes, code reviews and tests are performed by someone other than the person who made the code change.
Dispel requires antivirus software to be installed on workstations to protect the network against malware.
Dispel's security awareness program includes multiple methods of communicating awareness and educating personnel, such as newsletters, web-based training, in-person training, team meetings, phishing simulations, etc. Periodic security updates are provided to personnel through these multiple methods of communication.
Dispel performs due diligence activities prior to engaging with a new service provider or vendor, which may include review of security questionnaires and compliance reports, review of vendor-provided policies, procedures or other documents, analysis of delegated or shared responsibilities with the prospective vendor, etc. Results of the due diligence activities including action items are documented.
Dispel's workstations operating system (OS) security patches are applied automatically.
Dispel's IRP addresses roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum.
Dispel has a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
Dispel ensures that company-issued laptops have encrypted hard-disks.
The implemented anti-malware solutions are configured to perform automatic scans or continuous behavioral analysis of systems or processes when removable electronic media is inserted, connected, or logically mounted within the environment.
Dispel has formally assigned an independent and capable member to manage PII-related matters.
Dispel has established a process to obtain consent from a data subject prior to collecting PII.
Dispel has an established policy and procedures that governs the use of cryptographic controls.
Dispel properly reports and retains records of PII disclosures to include PII disclosed to third parties, requests for legally-binding PII disclosures, subcontractors/sub-processors used for PII processing in accordance with contractual requirements, and changes in subcontractors.
Dispel has an established and documented record of processing activity (ROPA), which includes evidence of lawful collection and use, including defined purpose of processing.
Dispel has data processing agreements in place with data processing ecosystem parties which include minimum technical and organizational measures designed to meet the objectives of Dispel’s privacy program.
Data at rest is encrypted using strong cryptographic algorithms.
Dispel tracks and manages requests from data subjects, and provides a response to valid requests within 30 days.
Dispel has established processes to properly manage data subject rights.
Dispel notifies customers of any intended changes (including additions and replacements) in subprocessors that process PII so that customers have an opportunity to object to such changes.
Dispel has an established process for identity verification for requests made by data subjects or authorized agents.
Data in transit is encrypted using strong cryptographic algorithms.
Dispel has an established process for managing shared and group accounts.
Dispel has a deny-all, allow-by-exception rule in place for authorized software applications and implements procedures to allow execution.
Dispel has an allow-all, deny-by-exception rule in place for unauthorized software applications and implements procedures to deny execution.
Dispel maintains a directory of its key vendors, including its agreements that specify terms, conditions and responsibilities.
Dispel has established baselines for normal behavior of networks, systems, and applications for the detection of anomalies.
Dispel has an established process for managing the use of utility programs.
Dispel has an established process to properly manage and track non-conformities.
Dispel has a defined Change Management Policy that covers policies and procedures to manage changes across the organization in a well-communicated, planned and predictable manner that minimizes unplanned outages and unforeseen system issues.
Dispel maintains documentation of the necessary competence of personnel affecting its information security program.
Dispel has developed and implemented procedures for labeling of information across the organization in accordance with its information classification scheme.
Dispel maintains a directory of its key vendors, including their compliance reports. Critical vendor compliance reports are reviewed annually.
Dispel has a defined disciplinary sanctions process to be enacted when a member of the workforce violates the company's policies or causes a security or privacy incident. Management retains documentation of instances when the disciplinary process was enacted.
Fire detection and suppression systems are installed in critical locations to protect people and assets in the event of a disaster. Maintenance is conducted periodically in accordance with manufacturer guidance.
Server rooms and data centers are air conditioned to maintain appropriate atmospheric conditions. Systems are in place to monitor and control air temperature and humidity at appropriate levels. Maintenance is conducted periodically in accordance with manufacturer guidance.
Uninterruptible power supply (UPS) units are in place to provide backup power in the event of an electrical failure in the data centers or server rooms. Maintenance is conducted periodically in accordance with manufacturer guidance.
A mobile device management (MDM) solution is installed on company-issued devices and bring-your-own devices used for company purposes to enforce security for assets off-premise (e.g., location tracking, remote locking and wiping, threat detection, restrictions on software installation, etc.).
Dispel has a defined maintenance management policy to ensure that IT resources are maintained in compliance with security policies, standards, and procedures.
Dispel has a defined policy for system information and integrity that establishes procedures to ensure systems are established with system integrity monitoring.
Dispel has a defined policy for system security planning to ensure resources and information systems are established with effective security controls and control enhancements.
Dispel has a defined policy for system and services acquisition that establishes the procedures for systems and services to be acquired with security requirements that align with business objectives.
Dispel has an access management system in place using automated mechanisms to manage accounts (e.g., create, enable, modify, monitor, report, disable, and remove).
A username and password (meeting the implemented password standard) or SSO is required to authenticate to the application; MFA is optional for external users and required for employee users.
Dispel has a process for disabling system accounts for users who pose a significant security and/or privacy risk.
Dispel has procedures to prevent flow of encrypted information through flow control tools.
Dispel only allows locked accounts to be unlocked by an administrator.
Dispel displays system use notification to users prior to granting access.
Dispel defines the maximum number of concurrent sessions for system accounts.
Dispel defines specific user actions that are permitted without identification or authentication.
Dispel defines conditions for allowing remote access to security/privacy information and executing privileged commands.
Dispel identifies and explicitly authorizes users that are allowed to independently configure wireless networking capabilities.
Dispel calibrates the transmission power levels of selected radio antennas.
External systems used to access Dispel's systems are properly vetted or have verified controls in place.
Role-based security is in place for internal and external users, including super admin users.
Dispel uses automated tools to facilitate information sharing decisions by authorized users.
Dispel has an established procedure for managing publicly accessible content, which includes proper content review, and properly-trained personnel to make information publicly accessible.
Dispel analyzes audit records in correlation with other information, including vulnerability scanning, performance, system monitoring, and physical monitoring.
Dispel uses cryptographic mechanisms to protect audit information and audit tools.
Dispel defines actions to be covered by non-repudiation and maintains records of the actions performed.
Dispel only allows authorized personnel to modify log settings/configurations.
Dispel uses automated tools to maintain completeness, currency, accuracy, and availability of baseline configurations.
Dispel retains previous versions of system and component configuration to support rollback.
Dispel has an established process to secure system and system components during travel to areas that pose significant risk.
Only authorized Dispel personnel can push or make changes to production code.
Dispel's application user passwords are stored using a salted password hash.
Dispel uses automated configuration change management tools to notify, document, prohibit, and highlight system changes.
Dispel has established processes and procedures to manage cryptographic mechanisms that provide defined controls.
Dispel provides up-to-date contingency training on specified intervals to users based on the users' roles and responsibilities.
Dispel has an alternate processing site that is prepared to serve as the operational site for essential mission and business functions support.
Dispel has transaction recovery procedures for transaction-based systems.
Dispel accepts and electronically verifies Personal Identity Verification-compliant credentials.
Dispel identifies and authenticates devices prior to establishing a connection.
Dispel has a process in place to manage system identifiers and prevent their reuse.
Dispel maintains a list of commonly used, expected, or compromised passwords.
Dispel has an established process for public key authentication for individuals, machines, and devices.
Dispel's customer data is segregated from the data of other customers.
Dispel protects authenticators based on the highest security category of information on the system.
Dispel has implemented mechanisms to obscure the feedback of authentication information, such as usernames/passwords, during the authentication process where technically feasible (e.g., in company-developed systems or applications, configurable third-party systems, etc.).
Dispel uses automated tools to identify and authenticate non-organizational users.
Dispel has defined methods to validate and verify identity evidence consistent with system risks, roles, and privileges associated with the user account.
Dispel utilizes automated maintenance tools to perform maintenance activities.
Dispel requires that the use of maintenance tools be approved, controlled, and monitored.
Dispel has an approval process for nonlocal maintenance activities.
Dispel has established procedures for maintenance personnel authorization.
Dispel has an established process for obtaining maintenance support and/or spare parts for system components.
Dispel reviews, approves, tracks, documents, and verifies media sanitization and disposal actions (for example, when media is taken offsite for maintenance) in accordance with company policies and procedures.
Dispel automatically logs users out after a predefined inactivity interval and/or closure of the internet browser, and requires users to reauthenticate.
Dispel has an established process for testing media sanitization equipment and procedures.
Dispel manages the physical access control for output devices.
Dispel has physical intrusion alarms and surveillance equipment in place to monitor physical access to the site where the system resides.
Dispel has defined rules of behavior for restricting social media, social networking sites, and external sites/application use.
Dispel assigns risk designations to all company roles/positions.
External users must accept the Terms of Service prior to their account being created.
Dispel assesses and updates supply chain risks associated with system components and system services.
Dispel has a process to implement corrective actions when system information is discoverable.
Dispel has explicit budgeting and organizational programming line items for information security and privacy programs and the resources needed for them throughout the system development life cycle.
Dispel only allows information technology products approved under the Federal Information Processing Standards (FIPS) 201 to be used for Personal Identity Verification (PIV) capabilities.
Dispel maintains system documentation for the system, system component, and system services, and has procedures for responding to attempts to obtain documents when the documentation is unavailable or nonexistent.
Dispel has documented software development procedures that outline the company's processes for secure development. The documented processes include references to industry standards and/or best practices for secure development, security requirement considerations (for example, secure authentication and logging, etc.), and consideration of information security issues during each stage of the software development life cycle.
Dispel ensures that user functions are separated from system management functions.
Dispel ensures that any unauthorized or unintended information transfers via shared system resources are prevented.
Dispel's security commitments are communicated to external users, as appropriate.
Dispel ensures that the number of external network connections to the system are limited.
Dispel uses authenticated proxy servers at managed interfaces to route internal communication traffic to external networks.
Dispel has implemented fail secure mechanisms to maintain the system in a secure state when a boundary protection device fails.
Dispel prohibits the remote activation of collaborative computing devices and applications, unless explicitly defined otherwise.
Dispel manages the use of acceptable mobile code and mobile code technologies.
Dispel ensures that communication at the session level is protected.
Dispel maintains a separate execution domain for each executing system process.
Dispel allows system monitoring tools and mechanisms to see encrypted communications traffic.
Dispel detects network services that have not been authorized and alerts designated personnel when detected.
Correct operation of security and privacy functions is verified, and designated personnel are alerted when security and privacy verification fails, resulting in system restart or shutdown.
Dispel maintains a Privacy Policy that is available to all external users and internal employees, and it details the company's confidentiality and privacy commitments.
Dispel performs integrity checks of systems software, firmware, and system information during transitional states.
Dispel has mechanisms in place to automatically shut down, restart, or implement controls on systems when integrity violations are discovered.
Dispel has cryptographic mechanisms in place to authenticate software and firmware components prior to installation.
Dispel has spam protection at system entry and exit points to detect unsolicited messages.
Dispel has controls in place to protect the system memory from unauthorized code execution.
Dispel has implemented a procedure for protection against systems tampering.
Dispel provides authoritative source information for external name/address resolution queries.
Dispel maintains a Terms of Service that is available to all external users and internal employees, and the terms detail the company's security and availability commitments regarding the systems. Client Agreements or Master Service Agreements are in place for when the Terms of Service may not apply.
Dispel has processes and procedures in place for customers to participate in granting access to predefined high risk privileged roles.
Dispel requires two factor authentication to access sensitive systems and applications in the form of user ID, password, OTP and/or certificate.
Dispel has implemented a software update management process where critical patches and application updates are installed for all authorized software within priority SLAs established in company policies.
Dispel has defined and documented a policy that outlines requirements for deployment, management and operation of network security controls at the company.
Dispel has a documented policy outlining the minimum requirements for passwords used for authentication to organizational systems. Password requirements are enforced for all systems in accordance with company policy.
Dispel conducts periodic phishing simulations as part of the company's security awareness initiatives.
Dispel has implemented redundancy strategies for equipment, systems and processes as deemed necessary per the business continuity plans to meet availability requirements (e.g., redundancy in network components, production resources, supporting utilities, service providers, processing sites, etc.).
Dispel has implemented processes and automated mechanisms to maintain the integrity of email communications and detect or protect against phishing attacks (e.g., DMARC, SPF and DKIM to prevent spoofed or modified emails from valid domains, link scrubbers, server-side antivirus, etc.).
Dispel tracks and documents the return of all electronic and physical assets upon termination as part of the offboarding process. Access mechanisms such as keys, access cards, and MFA tokens are disabled or collected by IT or HR personnel.
Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents and operational issues through an on-call rotation schedule.
Appropriate levels of access to infrastructure and code review tools are granted to new employees within one week of their start date.
Dispel obtains express consent from data subjects prior to using any PII processed under a contract for marketing and advertising which is not a condition for using the service.
Dispel limits the use of unencrypted physical media and portable devices to only when strictly necessary. Use of unencrypted physical media is documented to include business justification and approval.
Dispel has implemented automated mechanisms to perform audit log reviews, such as centralized log management systems, event log analyzers, security information and event management (SIEM) solutions, etc.
Separate environments are used for testing and production for Dispel's application.
Access to infrastructure and code review tools is removed from terminated employees within one business day.
Dispel has implemented mechanisms to validate that authentication secrets for any application and system accounts are not hard coded in scripts, configuration/property files, or bespoke and custom source code.
An inventory of bespoke and custom software and third-party software components (e.g., software bill of materials), is maintained and kept up to date (e.g., through the use of software composition analysis tools or other mechanisms).
Access to corporate network, production machines, network devices, and support tools requires a unique ID.
Dispel uses static application security testing (SAST) or an equivalent tool as part of the CI/CD pipeline to detect vulnerabilities in the code base. When vulnerabilities are identified, corrections are implemented prior to release as appropriate based on the nature of the vulnerability.
SSH users use unique accounts to access production machines. Additionally, the use of the “Root” account is not allowed.
Network security controls are in place to restrict public access to remote server administration ports (e.g., SSH, RDP) to authorized IP addresses or address ranges only.
Dispel communicates system changes to customers that may affect security, availability, processing integrity, or confidentiality.
Dispel has a documented policy that outlines requirements for audit logging and monitoring of system activity at the company.
Dispel has identified and documented authorities to be contacted (such as law enforcement, regulatory bodies, supervisory authorities) as well as the events or circumstances that would require communication. Dispel has also documented the methods and responsibilities for communication with authorities.
Management has identified and documented conflicting duties and areas of responsibility in the organization and implemented strategies to achieve segregation of duties (e.g., access control, assigning responsibilities to different individuals, etc.). Where segregation of duties is not feasible, Management has identified mitigating controls to reduce the risk of fraud.
Dispel has established training programs to help personnel understand their obligations and responsibilities for the protection of personally identifiable information (PII) and associated regulatory requirements. Personnel (including employees and contractors as applicable) are required to complete the training during onboarding and annually thereafter.
Dispel provides customers with the capabilities for secure log-on procedures for any user accounts under the customers' control (e.g., single sign-on, multi-factor authentication, masking of passwords, minimal information disclosures in error messages, etc.).
Dispel uses network segmentation and/or other techniques to isolate portions of the environment and to control traffic between them based on security and business needs.
Critical facilities are equipped with a leak detection system to detect water in the event of a flood or leakage.
Cloud resources are configured to deny public access.
Dispel provides customers with a mechanism for data subjects to object to the processing of their PII (e.g. objections relating to the processing of PII for direct marketing purposes, etc.).
Dispel has documented and implemented procedures and mechanisms to locate, retrieve, and provide a copy of the PII that is collected and/or processed when requested by the data subject, or to notify them if the PII has been deleted or de-identified.
Dispel provides a dual opt-in mechanism for consent to sell or share personal information whereby the data subject first requests to opt-in and then, separately confirms their choice to opt-in.
Dispel provides user guides, help articles, system documentation or other mechanisms to users to share information about the design and operation of the system and its boundaries. The information provided includes functional and nonfunctional requirements related to system processing and information specifications required to support the use of the system.
Dispel authorizes designated member(s) with the autonomy to validate, change, and release critical security patches and bug fixes, outside of the standard change management process, when absolutely necessary to ensure security standards and availability of the systems.
Audit requirements and activities involving verification of operational systems are planned and agreed-upon by management to minimize disruptions to business processes and security risks (considering scope, access requirements, availability impact, etc.).
Changes to the provision of services by vendors, including expansions of services and supplier changes, require review and due diligence activities and are authorized by management. Documentation of the due diligence activities and authorization is retained.
Dispel's policies, procedures, and agreements include requirements for protection of intellectual property rights and use of proprietary software products.
Where any optionality in the collection and processing of PII exists, Dispel has disabled that option by default; it is only enabled by the explicit choice of the data subject.
Dispel performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy.
When a data subject uses an authorized agent to submit a privacy right request, Dispel confirms directly with the data subject that they gave the authorized agent permission to submit the request prior to fulfilling the request, and retains supporting documentation.
Application/data processing for Dispel's system is logged and monitored to ensure processing is done completely and accurately. Errors in application/data processing are documented, investigated, escalated and corrected in accordance with policies and procedures.
Dispel has enabled deletion protection for cloud resources to prevent irreversible data loss or downtime resulting from accidental or malicious actions.
Dispel assigns permissions to accounts based on the principle of least privilege and limits the use of wildcard permissions or broad-access patterns.
Dispel uses tags to assign metadata to cloud resources to facilitate identification, inventory, and classification of virtual assets.
Dispel performs an evaluation of fraud risks at least annually, either as a separate evaluation or as part of the overall enterprise risk assessment. The evaluation of fraud risk is performed in accordance with the company's risk assessment methodology.
Dispel has implemented processes to change cryptographic keys periodically based on a defined schedule.
Storage buckets that contain customer data are versioned.
Dispel has implemented web filtering mechanisms to enforce the company's internet usage policies (e.g., block access to known malicious sites, prevent access to prohibited web resources, etc.).
Dispel has implemented secure login procedures for in-house developed systems to deter enumeration or brute-force attacks (e.g., displaying limited information in login error messages without indicating which data is correct or incorrect, etc.).
Dispel has configured lifecycle rules for cloud storage buckets to delete objects automatically after expiration of their retention periods.
Dispel has implemented processes to change credentials (secrets, access keys, API keys, etc.) periodically based on a defined schedule.
Dispel checks software components and libraries for policy and license compliance, security risks, and supported versions (e.g. using software composition analysis (SCA) tools in development pipeline, etc.). If vulnerabilities in these software components or libraries are identified, fixes are implemented in accordance with the company's vulnerability management policies.
Dispel maintains secure and supported configuration standards for application and platform runtimes.
Management has defined company objectives, including operational objectives at the entity and functional levels, financial performance goals, and other objectives as appropriate to serve as the basis for risk assessment activities (e.g., objectives related to security, compliance, risk mitigation, etc.). Management communicates its objectives and any changes to those objectives to personnel.
Dispel has identified and documented the interested parties, their requirements and expectations of the organization, and how these requirements and expectations will be addressed (e.g., security and privacy expectations of customers, compliance expectations of regulators, business expectations of partners, performance and risks expectations of directors and investors, etc.).
Dispel uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.
Dispel provides a process to external users for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints.
Dispel uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.
Dispel has implemented tools to monitor Dispel's databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
Dispel has implemented tools to monitor Dispel's messaging queues and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
Dispel has implemented tools to monitor Dispel's NoSQL databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
Dispel has implemented tools to monitor Dispel's servers and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
Network security controls are in place to limit inbound and outbound traffic to the environment to only what is necessary based on business justification. All other traffic is specifically denied.
Production systems and resources are monitored and automated alerts are sent out to personnel based on pre-configured rules. Events are triaged to determine if they constitute an incident and escalated per policy if necessary.
Dispel has infrastructure logging configured to monitor web traffic and suspicious activity. When anomalous traffic activity is identified, alerts are automatically created, sent to appropriate personnel and resolved, as necessary.
A web application firewall is in place to protect public-facing web applications from outside threats.
Dispel is using Drata to monitor the security and compliance of its cloud infrastructure configuration.
Dispel provides a process to employees for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints to company management.
Access to the root account in the cloud infrastructure provider is monitored. Login activity for the root account is investigated and validated for appropriateness.
An intrusion detection system (IDS) is in place to detect potential intrusions and alert personnel when a potential intrusion is detected.
Users can only access the production system remotely through the use of encrypted communication systems.
Dispel has an established key management process in place to support the organization's use of cryptographic techniques.
Dispel has security policies that have been approved by management and detail how physical security for the company's headquarters is maintained. These policies are accessible to all employees and contractors.
Dispel monitors its processing capacity and usage on a quarterly basis in order to appropriately manage capacity demand and to enable the implementation of additional capacity to meet availability commitments.
Dispel uses a load balancer to automatically distribute incoming application traffic across multiple instances and availability zones.
Dispel automatically provisions new server instances when predefined capacity thresholds are met.
Backups are encrypted and segmented from production systems (e.g., air-gapped, replicated to a different region, stored offsite, etc.) to ensure protection from a disaster or incident.
Automated notifications are sent to personnel in the event of a backup failure. Backup failures are investigated and resolved by engineering personnel following company policies and procedures.