Information Security Management System Plan

Version: 1 approved
Controlled copy — valid on date of download only

Document Control

Item            Details
Version         1.0
Cadence         Annual
Policy Owner    Chief Information Security Officer
Approved By     Chief Executive Officer
DCF References  DCF-1, DCF-2, DCF-3, DCF-4, DCF-5, DCF-6, DCF-7, DCF-10, DCF-11, DCF-13, DCF-14, DCF-15, DCF-16, DCF-17, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-25, DCF-26, DCF-27, DCF-28, DCF-29, DCF-30, DCF-31, DCF-32, DCF-33, DCF-35, DCF-36, DCF-37, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-45, DCF-46, DCF-47, DCF-48, DCF-49, DCF-51, DCF-52, DCF-53, DCF-54, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-62, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-99, DCF-100, DCF-134


Table of Contents:

Purpose
Background and Objectives
ISMS Plan
4. Context of the organization
  4.1. Understanding the organization and its context
  4.2. Understanding the needs and expectations of interested parties
  4.3. Determining the scope of the ISMS
5. Leadership
  5.1. Leadership and commitment
  5.2. Policies
  5.3. Organizational roles, responsibilities and authorities
6./8.1 Planning
  6.1. Actions to address risks and opportunities
    6.1.1. General; 6.1.2 / 8.2. Information security risk assessment
    6.1.3 / 8.3. Information security risk treatment
    SOA Revision History
  6.2 Information security objectives and planning to achieve them
7. Support
  7.1. Resources and 7.2 Competence
  7.3. Awareness
  7.4. Communication
  7.5. Documented Information
    7.5.1. General
    7.5.2. Creating and updating
    7.5.3. Control of documented information
9. Performance Evaluation
  9.1. Monitoring, measurement, analysis and evaluation
  9.2. Internal audit
  9.3. Management review / 10.1. Nonconformity and corrective action / 10.2. Continual improvement
APPENDIX A Internal Audit Plan and Procedure
  Purpose
  Scope
  Roles and responsibilities
  Plan
  Procedure
APPENDIX B
APPENDIX C

Purpose

This Information Security Management System (ISMS) Plan aims to define the principles, requirements, and basic rules for the establishment, implementation and operation of the Information Security Management System.

Background and Objectives

The ISMS Plan lays the foundation of the company’s Information Security Management System, and identifies the roadmap for the establishment, implementation and operation of the ISMS and its continued efficacy. This document is supplemented by security policies and procedures that enable the treatment of risks to the organization.

Key objectives of the ISMS Plan are to:

● Define the context of the organization
● Define the scope of the ISMS
● Provide guidance for the implementation of risk assessment findings into a Statement of Applicability
● Provide proper steps and timelines for the implementation and maintenance of the ISMS
● Outline the internal audit process, audit reviews, and remedial actions
● Identify all necessary documents and records
● Continually improve the ISMS

ISMS Plan

4. Context of the organization

4.1. Understanding the organization and its context

To establish an effective ISMS, gain a better understanding of relevant information security issues, develop successful strategies, and allocate appropriate resources for optimal results, Dispel will define its internal and external context as it pertains to information security.

Internal and external issues are those factors relevant to Dispel’s purpose and that affect Dispel’s ability to achieve the intended outcomes of its ISMS.

Internal issues include, but are not limited to:

● Governance, organizational structure (see Organization Chart), and roles and responsibilities for the ISMS (see Skills Matrix)
● Policies, objectives and the strategies in place to achieve them
● Company culture, values, mission, and vision (see Information Security Policy)
● Flow of information and the decision-making process (see Information Security Policy)
● Capabilities (e.g. capital, time, people, processes, systems and technology)
● Form and extent of contractual relationships (see Vendor Management Policy)

External issues include, but are not limited to:

● Information Security laws and regulations that are applicable to the company (see below)
● Social and cultural factors
● Interested parties (see below) and their cultures
● Market trends and customer preferences
● Political, public policy, and economic changes
● Technological trends that could impact implemented security controls

4.2. Understanding the needs and expectations of interested parties

APPLICABLE LAWS AND REGULATIONS (EXTERNAL)

Category | Law / Regulation | Requirements / Notes
International | EU GDPR; UK General Data Protection Regulation | Security provisions of data privacy rules include data protection, which ISO 27001 demonstrates.
State | CCPA | Security provisions of data privacy rules include data protection, which ISO 27001 demonstrates.

CONTRACTUAL REQUIREMENTS (EXTERNAL)

Party | Requirements | Notes
Keurig Dr Pepper | KDP maintains a strong vendor security program, which includes data privacy and breach notification processes. Their contract specifically requires receiving a SOC 2 Type 2 or similar certification during the contract period. | SOC 2 Type 2
United States Air Force | USAF contract section 252.204-7012 requires that Dispel’s information systems handling USAF Controlled Unclassified Information meet NIST SP 800-171. | SOC 2 Type 2 and ISO 27001 security rules cover some of the requirements set forth in NIST SP 800-171.

INTERESTED PARTIES (INTERNAL/EXTERNAL)

Party | Requirements | Notes
Customers | Customers are interested in gaining assurance that Dispel maintains a high standard of internal security. Some customers have contractually required Dispel to receive SOC 2 Type 2 or similar certifications. | SOC 2 Type 2 has been requested and testing has been completed.
Partners | Compliance and third-party audits provide Dispel’s resellers and partners with a competitive advantage when offering the Company’s products against those competitors who do not meet the same standards. | Partners and resellers do not have any specific requirements.

DEPARTMENTS & BUSINESS UNITS (INTERNAL)

Department | Functions | Requirements / Notes
Management | Legal, training, contractor oversight, accounting, finance, and procurement. | Cybersecurity standards improve insurance rates. Standards also provide training criteria that must be met. Standards help legal during negotiations with customers.
Engineering | Development, Human Design (UX/UI), and Developer Operations (DevOps). | A more structured approach to implementing security controls.
People & Places | Onboarding and offboarding of staff. | More formalized onboarding/offboarding process.
Security | Internal audit, compliance, security training. | Reduced time spent selecting security controls for implementation.
Operations | Customer deployments, implementation, support. | Sets standards for deployments.
Sales & Marketing | Sales, marketing. | Aids in sales efforts with customers by meeting their requirements and maintaining an advantage over competitors.

4.3. Determining the scope of the ISMS

This document provides a clear definition for the Information Security Management System (ISMS) boundaries of Dispel, and applies to all matters related to the ISMS, to include documentation and activities.

This document will be used by:

● Dispel Management
● Members responsible for implementation of the ISMS

Through this document, Dispel will define the boundaries of its ISMS by outlining information that needs to be protected. This information is under the direct responsibility of Dispel and will be safeguarded regardless of it being additionally stored, processed or transferred in or out of the ISMS scope. In the event of the transfer of information out of the ISMS, the responsibility of applying security measures will be transferred to the external party responsible for its management.

The following items will establish the ISMS boundaries of Dispel, within the context of legal, regulatory, contractual, interested parties, and other stated requirements:

a. Organizational Units

   ● Management
   ● Engineering
   ● People & Places
   ● Security
   ● Operations
   ● Sales & Marketing

b. Networks and IT Infrastructure

The Dispel SRA platform including the underlying infrastructure and customer data are hosted in the Amazon Web Services and Microsoft Azure Infrastructure as a Service (IaaS) platforms. The components are managed through a shared responsibility model between Dispel, the cloud providers, and the platform service provider Heroku to maximize uptime, availability, and security. The Dispel platform’s database and backups are managed by Heroku and hosted in Amazon Web Services.

Primary Infrastructure

Hardware Type | Provider | Purpose
Servers | Amazon Web Services | Hosts application logic and files for the web application.
Servers | Microsoft Azure | Provides underlying infrastructure for the SD-WAN connections to facilities.
Servers | Heroku | Provides the virtual desktops for remote access sessions.
Databases | Amazon Web Services; Microsoft Azure; Heroku | Database services used to store, retrieve, and manage data from the system.
Simple Storage Service (S3) | Amazon Web Services | Storage service used for file objects such as logs, database backups, and website assets.

c. Processes and Services

Dispel provides a complete secure remote access (SRA) platform tailored for operators and third-parties who need to remotely access and manage their industrial control systems (ICS). The Company serves customers worldwide, with deployments in the Americas, Europe, Asia, Africa, Oceania, and Australia.

Dispel’s SRA platform combines a web-based application for administrative management of the system and user access to their environments, and single-tenant infrastructure that provides the actual network routing, segmentation, and access enforcement to target ICSs. Taken together, Dispel SRA provides the following capabilities:

   ● User management governing access to a target ICS, including integrations with client single sign-on tools such as Microsoft Active Directory and Okta.
   ● Access Control Lists (ACLs)/Role-Based Access Control (RBAC) providing control over what IP addresses and ports each user may access and what protocols they may use when connected to an ICS.
   ● Video recording and system logs (syslogs) of remote access sessions for security, compliance, and auditing.
   ● Segmentation and isolation of each remote connection session to prevent the spread of malware and ransomware.
   ● Protection against attacks at the reconnaissance stage through a moving target defense network.
   ● ICS asset inventory management at facilities.
   ● Network routing between multiple facilities.
   ● Data streaming for monitoring, maintenance, and operations.

d. Locations

   Fully Remote

EXCLUSIONS. The following items are explicitly excluded from the ISMS scope of Dispel:

5. Leadership

5.1. Leadership and commitment

To ensure the success of the Information Security Management System (ISMS), the management team of Dispel must be fully aware and appropriately engaged in matters involving the ISMS. Management must provide proper resources (e.g., personnel, funding, etc.) for the establishment, implementation, and maintenance of the ISMS.

Top Management shall demonstrate its leadership and commitment through:

● Establishing an information security policy
● Ensuring ISMS roles, responsibilities and authorities are assigned
● Communicating the importance of effective information security management

Management commitment can be demonstrated, for example, by:

● Motivating and empowering persons to contribute to the effectiveness of the ISMS
● Reinforcing organizational accountability for information security management results
● Creating and maintaining an internal environment in which persons can become fully involved in achieving the organization's information security objectives

5.2. Policies

In addition to this plan, the information security plans, processes and procedures of Dispel will be outlined in a series of policies that define the vision and mission of Dispel’s management as to what needs to be achieved to ensure the protection of information, and how that will be accomplished. These policies will include:

● Information Security Policy
● Acceptable Use Policy
● Asset Management Policy
● Backup Policy
● Business Continuity/Disaster Recovery Plans
● Code of Conduct
● Data Classification, Deletion, and Protection Policies
● Encryption and Password Policies
● Incident Response Plan
● Physical Security Policy
● Responsible Disclosure Policy
● Risk Assessment Policy
● Software Development Life Cycle Policy
● System Access Management Policy
● Vendor Management Policy
● Vulnerability Management Policy

5.3. Organizational roles, responsibilities and authorities

The CEO is responsible for:

  1. The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and associated policies.
  2. Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2013 (Clause 5.2c and Clause 5.3a).
  3. Reporting on the performance of the information security program to top management to identify areas for continuous improvement (Clause 5.2d and Clause 5.3b).

The objectives and measures outlined by this plan and associated policies shall be maintained and enforced by the roles and responsibilities specified in each policy and the company Skills Matrix (see below).

SKILLS MATRIX

Role Title: CEO
  Job Description: Responsible for day to day operations and strategic growth of the company
  ISMS Responsibilities:
    a) The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies.
    b) Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2013.
    c) Reporting on the performance of the information security program to top management to identify areas for continuous improvement (5.2d, 5.3b).
  Required Skills & Competence: 10 years of industry experience in Cybersecurity
  Current Member: Ethan Schmertzler
  Fully Competent (Y/N): Y
  Competency Plan (if not fully competent): N/A
  Proof of Competency: Resume

Role Title: Internal Auditor
  Job Description: Responsible for audit and compliance
  ISMS Responsibilities:
    a) Conduct annual Internal Audits to drive Continuous Improvement across the Drata ISMS. Independence from implementation and daily operation of the Drata ISMS.
  Required Skills & Competence: 12 years of audit experience
  Current Member: Jemel Kyles, Manager
  Fully Competent (Y/N): Y
  Competency Plan (if not fully competent): N/A
  Proof of Competency: Resume

6./8.1 Planning

6.1. Actions to address risks and opportunities

6.1.1. General; 6.1.2 / 8.2. Information security risk assessment

Methodology. Dispel will establish a well-defined methodology for risk assessment tailored to the company’s circumstances and needs, which will include the method of defining the following (see Risk Assessment Policy):

● Risks that could cause the loss of confidentiality, integrity, and/or availability of information
● Identity of risk owners
● Assessment of consequences and the likelihood of the risk
● Risk calculation
● Risk acceptance

The risk methodology will ensure that the risk assessment results are consistent across all relevant sectors of the company with comparable results.

Performance. Dispel will conduct a risk assessment as outlined in its Risk Assessment Policy, and will produce a Risk Assessment Report.

6.1.3 / 8.3. Information security risk treatment

● Risk Treatment Plan

   The Risk Treatment Plan is a crucial part of the ISMS implementation. Dispel will have a well-defined Risk Treatment Plan, which will outline how the controls from the Statement of Applicability will be implemented, including responsible parties, timing and intervals, and allocated resources/budgets.

● Evaluation of Effectiveness

   Dispel will measure and evaluate the fulfillment and effectiveness of the controls in place and of other ISMS objectives, as set forth in the Risk Treatment Plan.

● Statement of Applicability

6.2 Information security objectives and planning to achieve them

In accordance with Dispel’s Information Security Policy, the information security objectives will reflect (see below):

● What will be done
● Resources Required
● Responsible Parties/Personnel
● Completion Timeline
● Metrics for Evaluation and Acceptance Criteria

Dispel’s information security objectives will comprise 5-7 objectives covering Confidentiality, Integrity, and Availability as they relate to Dispel’s ISMS. The objectives will be tracked and updated when needed.

INFORMATION SECURITY OBJECTIVES

Objective: CMMC Level 2 Preparation
  Action: List controls; Implement controls; Verify controls
  Required Resources: Jemel/Business Teams
  Responsible Party: Internal Audit Manager
  Timeline: 6 months
  Acceptance Criteria: List of signed-off controls
  Status: In progress

Objective: SOC 2
  Action: Agree testing schedule; Conduct tests; Produce test reports
  Required Resources: Operational staff time
  Responsible Party: Internal Audit Manager
  Timeline: N/A
  Acceptance Criteria: N/A
  Status: Done

Objective: HIPAA
  Action: Identify key resources; Identify courses; Attend courses; Complete training
  Required Resources: Training budget; Time of attendees
  Responsible Party: Internal Audit Manager
  Timeline: 3 months
  Acceptance Criteria: Training records
  Status: Complete

Objective: Security Awareness Training Improvements
  Action: Agree allocation with top management; Plan; Conduct activities
  Required Resources: Business teams involvement
  Responsible Party: CEO
  Timeline: 9 months
  Acceptance Criteria: Time allocated to information security
  Status: In Progress

Objective: Finalize transition of MDM
  Action: Vendor Research
  Required Resources: Risk owners; IT team
  Responsible Party: CEO
  Timeline: 9 months
  Acceptance Criteria: UAT is Successful
  Status: In Progress

7. Support

7.1. Resources and 7.2 Competence

The proper operations and maintenance of the ISMS requires proper personnel planning and resources. Dispel management is devoted to making sure that the ISMS roles and responsibilities, as well as the skills necessary to perform them are well-defined, and that those roles are properly manned by people with the requisite skills (see Skills Matrix above). Management will also make sure that the ISMS is prioritized in the budgeting process and properly resourced to guarantee optimal performance.

7.3. Awareness

To ensure the proper implementation of the controls, policies, and procedures, Dispel will promote awareness and provide training as to the necessity of such provisions, and how to perform their roles and responsibilities in accordance with these provisions.

7.4. Communication

Dispel’s communication plan outlines the lines of communication within the organization, and with outside entities, to include appropriate government agencies (e.g., law enforcement) and non-governmental organizations. It also defines times and intervals, events and situations, and personnel responsible for the communication (see below).

COMMUNICATION PLAN

Document/Deliverable: Internal Audit Report
  Frequency of Communication: Annually
  Sender (Delivery from): Internal Auditor; Member of Security Team
  Audience (Delivery to): Management
  Delivery Type: Email; Presentations; Drata Reports & Docs (with Access to Drata)
  Delivery Evidence: Email; Committee Meeting Minutes; In Drata

Document/Deliverable: External Audit Report
  Frequency of Communication: Annually
  Sender (Delivery from): External Auditor; Member of Security Team
  Audience (Delivery to): Management/Clients; Risk Committee and/or Board of Directors
  Delivery Type: Email; Presentations
  Delivery Evidence: Email; Closing Meeting Minutes

Document/Deliverable: ISO 27001 Certificate
  Frequency of Communication: As new certificates are issued
  Sender (Delivery from): External Auditor; Member of Web Dev Team
  Audience (Delivery to): Management/Clients
  Delivery Type: Email; Web Posting
  Delivery Evidence: Email; Website

Document/Deliverable: Corrective Action Report
  Frequency of Communication: Quarterly
  Sender (Delivery from): Member responsible for developing CARs
  Audience (Delivery to): Management/Staff
  Delivery Type: Email; Meetings; Drata Reports & Docs (with Access to Drata)
  Delivery Evidence: Email; Meeting Minutes; In Drata

Document/Deliverable: ISMS Security Objectives
  Frequency of Communication: Quarterly
  Sender (Delivery from): Member responsible for developing objectives
  Audience (Delivery to): Management/Staff
  Delivery Type: Email; Meetings; Drata Reports & Docs (with Access to Drata)
  Delivery Evidence: Email; Meeting Minutes; In Drata

Document/Deliverable: Risk Treatment Plans
  Frequency of Communication: Quarterly
  Sender (Delivery from): Member responsible for developing RTPs
  Audience (Delivery to): Management
  Delivery Type: Email; Meetings; Drata Reports & Docs (with Access to Drata)
  Delivery Evidence: Email; Meeting Minutes; In Drata

Document/Deliverable: Management Review Report
  Frequency of Communication: Annually or as necessary
  Sender (Delivery from): Member responsible for reporting metrics in Management Review
  Audience (Delivery to): Management
  Delivery Type: Email; Meetings; Drata Reports & Docs (with Access to Drata)
  Delivery Evidence: Email; Meeting Minutes; In Drata

Document/Deliverable: External Incident Response Report
  Frequency of Communication: As necessary
  Sender (Delivery from): Designated member to communicate with external parties (e.g., government agency, NGOs, etc.)
  Audience (Delivery to): Management
  Delivery Type: Email; Phone; As required by local regulations or standards
  Delivery Evidence: Email; Phone Log; Appropriate Records

Document/Deliverable: Privacy Policy
  Management Review of Privacy Compliance and Review Purposes

7.5. Documented Information

7.5.1. General

The following table includes the documents determined by Dispel as being necessary for the effectiveness of the ISMS.

MANDATORY RECORDS & DOCUMENTS

ISO 27001:2013 TIER 1 DOCUMENTATION

Document | Reference | Location
Scope of the Information Security Management System (ISMS) | Clause 4.3 | ISMS Plan
Information Security Policy | Clause 5.2 | Drata Policy Center
Definition of Security Roles & Responsibilities | Clause 5.2, Annex A.7.1.2 | ISMS Plan
Information Security Objectives | Clause 6.2 | Information Security Objectives
Risk Assessment Process | Clause 6.1.2 | Actions to address risks and opportunities - Information security risk assessment
Risk Assessment Report | Clause 8.2 | Information security risk assessment
Risk Treatment Process | Clause 6.1.3 | Risk Treatment Process
Risk Treatment Plan | Clause 6.1.3e | Risk Treatment Process
Statement of Applicability (For Controls in Annex A) | Clause 6.1.3d | ISMS Plan
List of Interested Parties, Legal & Other Requirements | Clauses 4.2 & 6.1 | Interested Parties and Legal Requirements
Competence (e.g., Skills Matrix & Associated Proof of Skills) | Clause 7.2 | Information Security Skills Matrix
Evidence of Communication | Clause 7.4 | ISMS Plan
Procedure for Document Control | Clause 7.5 | ISMS Plan
Monitoring & Measurement Results | Clause 9.1 | Monitoring, measurement, analysis, and evaluation
Internal Audit Plan & Reports | Clause 9.2 | Internal Audit
Results of Management Reviews of ISMS | Clause 9.3 | Management review
Nonconformities, Corrective Actions & Improvement Suggestions | Clause 10.1; 10.2 | Nonconformity and corrective action; Continual Improvement

ISO 27001:2013 TIER 2 DOCUMENTATION

Document | Reference | Location
Inventory of Assets | Annex A.8.1.1 | Inventory of assets
Acceptable Use of Assets | Annex A.8.1.3 | Acceptable use of assets
Access Control Policy | Annex A.9.1.1 | Access control policies
Operating Procedures for Information Security | Annex A.12.1.1 | Operating Procedures
Logs of User Activities, Exceptions, Faults & Security Events | Annex A.12.4.1 | Event logging
Logs of System Administrator & System User Activities, Exceptions, Faults and Security Events | Annex A.12.4.3 | Administrator and operator logs
Incident Management Procedure | Annex A.16.1.5 | Response to information security incidents
Business Continuity Strategy & Procedures | Annex A.17.1 |
Statutory, Regulatory, and Contractual Requirements | Annex A.18.1.1 | Identification of applicable legislation and contractual requirements

CONDITIONAL RECORDS & DOCUMENTS (If Applicable)

Document | Reference | Location
Confidentiality or Non-Disclosure Agreements | Annex A.13.2.4 | Confidentiality or nondisclosure agreements
Secure System Engineering Principles | Annex A.14.2.5 | Secure system engineering principles
Supplier Security Policy | Annex A.15.1.1 | Information security policy for supplier relationships

DISCRETIONARY RECORDS & DOCUMENTS (Commonly Used)

Document | Reference | Location
Controls for Managing Records | Clause 7.5 |
Procedure for Measuring and Monitoring | Clause 9.1 | Monitoring, measurement, analysis, and evaluation
Procedure for Corrective Action | Clause 10.1 | Nonconformity and corrective action
Bring Your Own Device (BYOD) Policy | Annex A.6.2.1 | Mobile device policy
Mobile Device & Teleworking Policy | Annex A.6.2.1 | Mobile device policy
Information Classification Policy | Annex A.8.2 | Classification of information
User Access Rights Policies (Including Password Control) | Annex A.9.2 |
Disposal & Destruction Policy | Annex A.8.3.2; A.11.2.7 | Disposal of Sensitive Data in Hardware
Procedures for Working in Secure Areas | Annex A.11.1.5 | Procedure for Working in Secure Area
Clear Desk & Clear Screen Policy | Annex A.11.2.9 | Clear Desk and Clear Screen
Organizational Change Management Policy | Annex A.12.1.2 | Organizational Change Management
Software Change Management Policy | Annex A.14.2.4 | Software Development Life Cycle
Backup Policy | Annex A.12.3.1 | Backup Policy
Information Transfer Policy | Annex A.13.2 | Information transfer policies and procedures
Business Impact Analysis | Annex A.17.1.1 | Business Impact Analysis
ISMS Continuity Controls Testing Plan | Annex A.17.1.3 | Verify, review, and evaluate information security continuity

7.5.2. Creating and updating

Dispel ensures documentation generated by Dispel personnel is appropriately controlled. Consideration is given to:

● Identification of documentation through the assignment of titles, dates, authors, and reference numbers.
● Format, including language, version, and media (physical or electronic) used to display and communicate documentation.
● Review and approval for suitability, adequacy, and accuracy of the information contained within documentation.

The record of this consideration is contained within the “Revision History” table inside of each policy, and records of review and approval are contained within the Drata Policy Center, which documents the policy approval and assigned owner.

7.5.3. Control of documented information

Dispel’s crucial task in the operation and maintenance of the ISMS is the collection of the appropriate records and evidence to ensure the functionality of the ISMS, and the effectiveness of the system. The records will also reflect personnel performance and completion of necessary tasks.

Dispel will also have a systematic approach to document management. To control documents, Dispel will:

● Classify documents properly
● Define the members with rights for distribution, access, retrieval, and use of documents, and the actions they may perform
● Identify the methods currently used to receive, process, approve/reject, store and/or delete documents
● Align business processes to document management requirements
● Identify documents for control
● Integrate change controls to ensure the integrity of documents

9. Performance Evaluation

9.1. Monitoring, measurement, analysis and evaluation

Dispel will evaluate its security objectives through monitoring and measurement of implemented controls. Monitoring provides awareness of the status and state of the assets and processes selected to be watched, and can provide basic and immediate alerts if something is not performing as expected. Measurements allow for the evaluation of assets and processes against predefined units. The assets and processes selected for evaluation will be properly documented, and the company will produce and maintain reports and evidence of evaluations.

These evaluations are meant to allow Dispel to:

● Ensure control objectives are being satisfied and validate the decisions made;
● Establish a roadmap to meet set targets and expectations;
● Produce evidence and justification for implemented measures; and/or,
● Discover and identify security gaps that would require change, corrective action(s), or intervention

9.2. Internal audit

Internal Audits are a crucial element of Dispel’s ISMS and its continuous improvement. The process will ensure the discovery and identification of issues, gaps, malfunctions, etc. in the company’s ISMS that could ultimately damage or harm the company.

Frequency. Dispel will conduct an internal audit of its ISMS annually.

Audit Entity. Dispel internal audits will be conducted by:

● Employee, full-time auditor;
● Employee, part-time auditor; or
● Third-party internal auditor (an outside organization conducts the internal audit under rules set by Dispel)

In the case of an employee being selected as an auditor, Dispel will ensure that the auditor is objective and impartial. This will be done through different methods, such as selecting an employee from a different department or team to audit a specific department or team.

Documentation. Dispel will set and document the criteria and scope of each annual internal audit in the Internal Audit Program. It will also produce and maintain, for evidence, reports of the internal audit, in which findings, gaps, and nonconformities will be outlined (see Appendix A).

(OPTIONAL) Dispel will include in its Internal Audit Program sections such as:

● Method of internal auditor selection
● Process of planning the internal audit
● Steps to conduct the internal audit
● Post-audit activities
● Internal audit checklist

Plan and Procedure. (See Appendix A)

9.3. Management review / 10.1. Nonconformity and corrective action / 10.2. Continual improvement

Management review. Dispel management will systematically review and make critical decisions concerning the ISMS. The review will be arranged by Ethan who is also responsible for compiling all necessary information and inputs for consideration (see Appendix B).

The review will take into consideration:

● Status of items, issues, and tasks from the previous review
● Reports from evaluations and internal audits
● Lessons learned from assessments, tests, or incidents
● Improvement inputs from the company
● Any internal and external changes that impact security

Decisions will be made concerning:

● The ISMS scope and whether it requires modifications
● Security policies and whether any require modifications
● Security gaps and necessary improvements
● Necessary resources
● The overall effectiveness of the ISMS and fulfillment of its objectives
● Implementation of different security strategies and training

Frequency. Dispel will conduct a management review of its ISMS annually, and as necessary.

Documentation and reporting. The considerations, discussions, and decisions from the management review will be recorded in the meeting minutes, which may also include discussions from other reviews. The results of the review, and subsequent tasks and responsibilities, will be communicated to relevant parties through Drata.

Corrective Action Plan. Dispel will employ corrective action plans for the systematic elimination of issues and nonconformities. The plan will aim to resolve an issue from its root cause so that it can be prevented or mitigated in the future and sustain the corrective measures. It will include:

● Root cause analysis and assessment
● Required steps for root cause elimination
● Risk-opportunity assessment of changes
● Time and cost assessment
● Rubric for measuring effectiveness

Corrective Action Report. Dispel will document any corrective action taken in a corrective action report (see Appendix C). The report will at a minimum include:

● Nature of nonconformities
● Identified root cause
● Corrective actions taken
● Implementation of corrective actions
● Result of corrective actions (including effectiveness)

APPENDIX A

Internal Audit Plan and Procedure

Purpose

The purpose of the internal audit is to ensure the effectiveness of Dispel’s information security management system, its continuous improvement, and conformance with the requirements of ISO 27001:2013, as set out in Clause 9.2 of the standard. It will ensure (a) conformance with the standard, and more importantly, (b) proper information security measures in place that are continuously improved. Additionally, the internal audit will:

● Uncover nonconformities before others discover them;
● Ensure a strong security stance by identifying areas that require attention prior to a security event;
● Demonstrate and inform management commitment; and
● Assist staff understanding and awareness.

Scope

This plan applies to Dispel internal audits of the ISMS and establishes the procedures for carrying out the audit. The audit scope should match the scope of the ISMS.

Roles and responsibilities

Lead Auditor: Responsible for the planning and execution of the audit. The lead auditor is a competent party independent of the ISMS; this role is held by Jemel Kyles.

Employees: Responsible for assisting in the audit process, when and as required.

Plan

  1. Audit schedule
     a. A properly planned audit with a readily available schedule, so that all members know when each process will be audited over the upcoming cycle.
     b. Allow time for better preparation and practical support.
     c. Allow time for process owners to:
        i. finish any improvement projects and gather valuable information on the implementation; or
        ii. request that the auditor(s) focus on helping to gather information for other planned improvements.
  2. Coordinate with process owners
     a. Collaborate to determine the best time to review the process.
     b. Auditor(s) can review previous audits to see if any follow-up is required on comments or concerns previously found.
     c. Process owners can identify any areas that the auditor can look at to help the process owner identify information.
     d. Ensure that the process owners will get value out of the audit process.
  3. Conducting the audit
     a. Gather, review, and analyze information as outlined in the audit procedures below.
     b. Identify areas that do not have operational evidence.
     c. Identify areas that may function better if changes are made.
  4. Reporting audit findings
     a. Meet with interested parties and process owners to ensure an efficient flow of information on non-conforming areas.
     b. Highlight areas of weakness to be addressed, and areas that could use improvement (improvement opportunities).
  5. Follow-up
     a. Ensure that identified areas of non-conformity are resolved and corrective actions have been taken.
     b. Check any progress on identified improvement opportunities.

Procedure

  1. Review ISMS documentation
     a. The audit scope should match the ISMS, setting clear limits for the internal audit.
     b. All prescribed documents (see Prescribed Documentation above) are in place and readily available.
  2. Identify any criteria needed for consideration during the audit
     a. Identify the extent of work that may be done during the audit.
     b. Identify any anticipated limitations.
  3. Identify the main stakeholders in the ISMS
     a. Any documentation required for the audit can then be easily requested.
  4. Management input
     a. The designated internal auditor should be competent and independent.
     b. Agree and determine the timing and resources required for the audit.
     c. Set milestones/checkpoints for when the board should receive interim updates.
     d. Discuss issues or concerns.
  5. Conduct practical assessment
     a. Observe the operation of the ISMS, and whether it functions properly in practice, by speaking with members involved in and operating processes related to the ISMS, whether they are in an ISMS role or not.
     b. Run audit tests to validate evidence as it is gathered.
     c. Complete audit reports and document the results of each test.
  6. Analyze evidence
     a. Sort and review all evidence collected during the audit, as related to the company’s risk treatment plan and control objectives.
     b. Identify any further gaps or need for further audit tests.
  7. Report findings (see the Internal Audit Report template below). The report should include:
     a. Classification and dissemination restrictions of the report
     b. Intended recipient(s) of the report
     c. An executive summary to highlight the key findings, high-level analysis and a conclusion
     d. Scope, timing, and any outlined criteria
     e. Analysis of the findings and compliance with each clause of the ISMS requirements
     f. Recommendations
     g. Post-audit actions

INTERNAL AUDIT REPORT

Classification: Confidentiality
Organization: Dispel
Date of Audit: 8/4/22
Date of Previous Audit: N/A
Recipient(s):

EXECUTIVE SUMMARY

Performed Internal Audit with the use of Drata

AUDITOR

Auditor Name: Jemel Kyles
Internal or External?: Internal
Organization (if external): N/A
Primary Role: Compliance Manager

AUDIT SCOPE & CRITERIA

Scope: Secure Remote Access Platform
Criteria: ISO 27001

AUDIT METHOD

Activity / Action:
● Document Review: 100%
● Evidential Sampling: Drata Sampling / Random
● Interviews (ISMS Key Members and Non-ISMS Members): Ethan Schmertzler, Peter Chuba, Chris Dilorenzo, Ian Schmertzler, Sundew Shin, Sushrut Mirashi, Valentin Mirabile

AUDIT FINDINGS

Nonconformities: DCF-19, DCF-74, DCF-75, DCF-78, DCF-96
Improvement Opportunities: Security Awareness Training timeliness; MDM roll out

RECOMMENDATIONS

See Corrective Action Report

COMPLIANCE

Clause 4, Clause 5, Clause 6, Clause 7, Clause 8, Clause 9, Clause 10

POST-AUDIT ACTIONS

See Corrective Action Report

Dissemination Restrictions:

Report PREPARED by: Jemel Kyles, Compliance Manager, Lawrenceville, GA, 08/08/22

Report APPROVED by: Ethan Schmertzler, CEO, New York, 8/22/22

APPENDIX B

MANAGEMENT REVIEW

Classification: Confidentiality
Organization: Dispel
Date of Review: 9/6/2022
Date of Previous Review: N/A

MEETING DETAILS

Participants: Jemel, Chris, Ethan, Ian

Input Items:
● Evaluation and internal audit reports
● Assessments, tests, or incidents lessons learned
● Improvement inputs from the company

ACTION ITEMS

Previous Items (Owner / Item / Status):
● Ian/Chris: Security Awareness Improvement, In-Progress
● Ethan: MDM, In-Progress

Current Items (Owner / Item / Status): N/A

DISCUSSION POINTS & DECISIONS

● ISMS Scope Modification: No Changes
● Security Policies Modification: No Changes
● Overall ISMS Effectiveness: Reviewed, Drata -95%
● Changes Internal/External: No changes
● Security Gaps: See Drata
● Security Improvements: Security Awareness, MDM
● Security Strategies: N/A

NOTES: Reviewed Internal audit report and confirmed and reviewed issues.

FOCUS FOR NEXT INTERNAL AUDIT

Have Action Items been closed? Any new risks?

Report PREPARED by: Jemel Kyles, Internal Audit Manager, Remote, 8/6/22

Report APPROVED by: Ethan Schmertzler, Chief Executive Officer, Remote, 8/6/22

APPENDIX C

CORRECTIVE ACTION REPORT

Classification: Confidentiality
Organization: Dispel
Date of Review: 8/6/22
Date of Previous Review: N/A

NON-CONFORMITIES

1. Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

Nature: DCF-19
Root Cause: Policy not linked correctly
Corrective Action: Review and link Acceptable Use policy within Drata
Implementation: Implemented but needs to be finalized within Drata
Result/Effectiveness: Failed in Drata
Due Date: 8/9/22
Owner: Jemel Kyles

Notes: Resolved.

Document Provenance

Last Modified: April 3, 2026 at 11:48 -0400
Author: unknown
Signature: Not signed
Commit: 547bdca