Information Security Policy


Internal Use


Document Control

Item            | Details
Version         | 3.1
Cadence         | Annual
Policy Owner    | Chief Information Security Officer
Approved By     | Chief Executive Officer
DCF References  | DCF-1, DCF-2, DCF-3, DCF-4, DCF-5, DCF-6, DCF-10, DCF-11, DCF-13, DCF-14, DCF-15, DCF-16, DCF-17, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-25, DCF-26, DCF-27, DCF-28, DCF-29, DCF-30, DCF-31, DCF-32, DCF-33, DCF-35, DCF-36, DCF-37, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-43, DCF-44, DCF-45, DCF-46, DCF-47, DCF-48, DCF-49, DCF-51, DCF-52, DCF-53, DCF-54, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-62, DCF-68, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-96, DCF-99, DCF-100, DCF-134

1. PURPOSE AND SCOPE

1.1 Purpose

Dispel’s Information Security Policy establishes the overarching approach to protecting information, minimizing misuse, compromise, or loss, documenting security processes and measures, upholding ethical and regulatory obligations, controlling business risk, and ensuring an appropriate company image and reputation.

1.2 Scope

This policy applies to:

  • Information in any form, regardless of the media on which it is stored, as well as any facility, system, or network used to store, process, or transfer information.
  • All Dispel employees, temporary staff, partners, contractors, vendors, suppliers, and any other person or entity (“Staff” or “Personnel”) that accesses the company’s networks or any other public or private network through company networks or systems.
  • All activity while using or accessing the company’s information or information processing, storage, or transmission equipment, whether on Dispel premises (owned, rented, leased, or borrowed) or remotely.
  • Information resources entrusted to Dispel by external entities (e.g., customers, staff, and others).
  • Documents, messages, and other communications created on or communicated via company systems; these are considered business records and may be subject to review for audits, litigation, process improvement, and compliance.

1.3 Regulatory and Framework Alignment

# | Framework / Standard | Relevant Control IDs | Alignment Notes
1 | SOC 2 | CC1.2, CC1.3, CC2.1, CC5.1, CC5.2, CC5.3 | Supports Trust Services Criteria for control environment, communication, risk assessment, and security program governance.
2 | ISO/IEC 27001 | 6.2, A.5.1.1, A.6.1.5, A.6.2.1, A.6.2.2, A.7.1.2, A.7.2.2, A.7.2.3, A.7.3.1, A.11.2.8, A.11.2.9, A.12.6.1, A.18.1.2 | Supports clause and Annex A controls for information security policy, roles, responsibilities, awareness, and protection.
3 | NIST SP 800-53 | PL-1 | Aligns with planning controls for defining, approving, and maintaining an information security program.
4 | IEC 62443 | | Supports high-level policy and governance expectations for industrial and OT security where applicable.
5 | HIPAA | | Supports Security Rule governance expectations when PHI is in scope.

This policy is supported by a family of more detailed policies and standards, including but not limited to:

  • Acceptable Use Policy
  • Asset Management Policy
  • Backup Policy
  • Business Continuity/Disaster Recovery Plans
  • Code of Conduct
  • Data Classification, Deletion, and Protection Policies
  • Encryption and Password Policies
  • Incident Response Plan
  • Physical Security Policy
  • Responsible Disclosure Policy
  • Risk Assessment Policy
  • Software Development Life Cycle Policy
  • System Access Management Policy
  • Vendor Management Policy
  • Vulnerability Management Policy

2. POLICY STATEMENTS

2.1 Management Commitment

Management Commitment Statement

Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:

  • Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
  • Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
  • Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
  • Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.

2.2 Commitment to Continuous Improvement

(ISO 27001:2022: CL.5.2.d)

Dispel is committed to continual improvement of its Information Security Management System (ISMS) to ensure it remains effective, relevant, and aligned with strategic direction and evolving risks. This includes regularly reviewing and enhancing policies, procedures, and controls based on audits, incidents, feedback, and changes in legal, regulatory, and contractual obligations. Personnel at all levels are encouraged to contribute to ongoing development and refinement of the ISMS.

2.3 Coordination, Coverage, and Communication

(NIST SP 800‑53: PL-1)

  • Coordination Among Organizational Entities: Procedures throughout this document indicate where intra‑organizational coordination is necessary. Employees who identify outdated or inefficient procedures SHALL notify the Policy Owner.
  • Covered Persons: All workforce members authorized to work on Dispel Zero Trust Engine instances are covered by this policy.
  • Dissemination, Acceptance, and Acknowledgement: As a prerequisite to being a Covered Person, individuals MUST review, accept, and acknowledge this document. All Covered Persons MUST review, accept, and acknowledge this document at least annually.

3. REQUIREMENTS

3.1 Information Security Objectives

Dispel SHALL protect information in all forms (written, spoken, electronic, printed) from accidental or intentional unauthorized modification, destruction, or disclosure throughout its lifecycle. Protection includes appropriate security over equipment and software used to process, store, and transmit information.

Information security objectives include:

  • Protect information from internal, external, deliberate, or accidental threats.
  • Enable secure information sharing.
  • Encourage consistent and professional use of information.
  • Ensure clarity about roles and responsibilities for protecting information.
  • Ensure business continuity and minimize business damage.
  • Protect the company from legal liability and inappropriate use of information.
  • Reduce the likelihood of security incidents.
  • Minimize the amount of useful data that could be compromised in an incident.
  • Improve market image and reduce damage from incidents and non‑compliance (e.g., EU GDPR).
  • Ensure alignment between security concerns and business objectives, strategy, and plans.

3.2 Training and Awareness

Management SHALL ensure that employees, contractors, and third‑party users:

  • Are briefed on information security roles and responsibilities before being granted access.
  • Are provided guidelines stating security expectations for their roles.
  • Are motivated and supported to comply with security policies.
  • Achieve a level of security awareness relevant to their roles.
  • Conform to terms and conditions of employment, including applicable security policies.

Requirements:

  • All new hires MUST complete information security awareness training during onboarding and annually thereafter.
  • Onboarding training MUST be completed within 30 days of hire.
  • Ongoing training SHALL include security and privacy requirements and proper use of information assets and facilities.
  • Specialized training SHALL be provided to personnel responsible for system security, covering topics such as phishing and other social engineering, the OWASP Top 10, and the CWE/SANS Top 25.
  • Incident response and contingency training SHALL be delivered:
    • Within 90 days of assuming relevant roles.
    • As required by system or policy changes.
    • At least annually.
  • Delivery of training SHALL be documented, and all employees MUST acknowledge, in writing, their understanding of the Information Security Program (including Code of Conduct) upon hire and annually.

3.3 Clean Desk / Work Area

Authorized users SHALL ensure that sensitive or confidential materials (hardcopy or electronic) are secured when not in use or when leaving a workstation.

Key requirements:

  • Secure all sensitive/confidential information when away from the desk and at end of day.
  • Lock computer workstations when unattended and fully shut down at day’s end.
  • Lock file cabinets containing restricted or sensitive information.
  • Do not leave keys or access badges unattended.
  • Do not write down passwords in accessible locations; use the authorized password manager.
  • Remove sensitive printouts from printers immediately and shred or place in secure bins when disposing.
  • Erase whiteboards containing sensitive information.
  • Secure and encrypt mass storage devices.

3.4 Acceptable Use: Internet/Intranet Access and Use

Use of Dispel computers, networks, and Internet access is a privilege that may be revoked for inappropriate conduct, including but not limited to:

  • Sending chain letters or unsolicited “spam” unrelated to legitimate purposes.
  • Excessive personal use of instant messaging or chat.
  • Accessing systems or data without authorization.
  • Making unauthorized copies of, destroying, or concealing company data.
  • Misrepresenting oneself or the company.
  • Violating applicable laws and regulations.
  • Engaging in unlawful or malicious activities, including malware propagation.
  • Using abusive, profane, threatening, or discriminatory language.
  • Accessing pornographic materials.
  • Causing network/system disruption or congestion.
  • Using recreational games on company systems.
  • Defeating or attempting to defeat security restrictions.
  • Operating endpoints in root/administrator mode except when strictly necessary.

User ID and Access Management:

  • Access will be discontinued upon termination or role change; reissued only when approved.
  • User IDs inactive for 30 days SHALL be revoked.
  • Privileges MUST be reevaluated at least annually, and revoked promptly when no longer needed.

3.5 Teleworking and Remote Access

Requirements:

  • Remote access MUST use strong encryption, multi‑factor authentication, and strong passwords (see Encryption and Password Policies).
  • Authorized users MUST protect their login credentials.
  • Remote hosts connecting to Dispel infrastructure MUST NOT be simultaneously connected to untrusted networks, except for personal networks under full control.
  • Up‑to‑date antivirus software MUST be used on all computers.
  • Equipment MUST meet remote access and device requirements in Acceptable Use, Asset Management, and System Access Control policies.

Remote Access Tools:

  • MUST use multi‑factor authentication and strong, mutual challenge‑response protocols not susceptible to replay attacks.
  • SHOULD use application‑layer proxies rather than direct firewall traversal.
  • MUST support strong, end‑to‑end encryption as per the Encryption Policy.
  • Security systems (AV, DLP, etc.) MUST NOT be disabled, interfered with, or bypassed.

3.6 Mobile Endpoint and Storage Devices

  • Company‑issued mobile devices MUST have antivirus and endpoint security installed.
  • Devices MUST comply with Acceptable Use and Asset Management policies.
  • A risk analysis (formal or informal) MUST be conducted before connecting new storage devices to the network unless pre‑approved.
  • Security incidents and lost or stolen devices MUST be reported to the CTO immediately.

3.7 Intellectual Property Rights

Dispel SHALL protect intellectual property rights (software, documents, designs, trademarks, patents, source code licenses) by:

  • Acquiring software only from reputable sources.
  • Maintaining an asset inventory that identifies assets requiring IP protection.
  • Maintaining proof of ownership (licenses, master media, manuals).
  • Ensuring only licensed software/products are installed.
  • Ensuring compliance with terms for software and information from public networks.

3.8 Information Security Requirements Analysis and Specifications

Dispel SHALL:

  • Identify information security requirements via policies/regulations, threat modeling, incident reviews, and vulnerability thresholds.
  • Document and review requirements with stakeholders.
  • Integrate requirements into early project stages.

Factors include:

  • Required confidence in user identity.
  • Access provisioning and authorization processes.
  • Duties and responsibilities of users/operators.
  • Protection needs (availability, confidentiality, integrity).
  • Business process needs (logging, monitoring, non‑repudiation).
  • Integration with other controls (logging/monitoring, DLP, etc.).

3.9 Employment Terms and Conditions

Employment/contract terms SHALL include obligations for safeguarding information, including:

  • Signing NDAs prior to access to confidential information.
  • Clarifying legal responsibilities and IP rights.
  • Responsibilities for classification and management of organizational assets.
  • Handling of information from third parties.
  • Agreement with security policies.
  • Duration of responsibilities beyond employment.
  • Consequences for non‑compliance.

3.10 Disciplinary Process

Dispel’s discipline process provides a structured corrective action path to address behavior and performance issues, consistent with HR best practices and laws. Steps may include:

  • Step 1: Verbal Warning and Counseling.
  • Step 2: Formal Written Warning, possibly including a Performance Improvement Plan (PIP).
  • Step 3: Suspension and Final Written Warning.
  • Step 4: Recommendation for Termination.

Dispel may combine or skip steps based on the seriousness of the issue and reserves the right to terminate employment without prior steps in severe cases (e.g., theft, substance abuse, violence).


4. ROLES AND RESPONSIBILITIES

The Security Officer/CISO SHALL:

  1. Design, develop, maintain, disseminate, and enforce this policy and related policies.
  2. Ensure the information security management system conforms to ISO/IEC 27001 requirements.
  3. Report on the performance of the information security program to top management.

Other roles and responsibilities are described in domain‑specific policies and the company Skills Matrix.


5. PROCEDURES

High‑level procedures for implementing this policy’s requirements (e.g., training, telework, mobile device management) are defined in supporting standards and runbooks referenced in Section 9.


6. MONITORING AND COMPLIANCE

6.1 Policy Review

  • At least annually, a security/compliance committee of senior management and key personnel SHALL review and document the ISP, ensuring strategic goals and objectives are updated.
  • ISP policies SHALL be reviewed, modified, and approved at least annually.

6.2 Accessibility

  • Policies and procedures SHALL be accessible to employees (e.g., via Drata).
  • Policies relevant to a role MUST be reviewed and signed upon hire and annually.

6.3 Exceptions

  • Exceptions to ISP policies MUST be approved by Executive Management after review and SHALL be reviewed at least annually.

6.4 Enforcement

  • Management, under authority from the CEO, MAY monitor and enforce compliance with this and related policies.
  • Monitoring MAY include review of communications and activities, limited to what is necessary to determine compliance or performance issues.
  • Violations MAY result in disciplinary actions up to and including termination, consistent with HR standards and practices.

7. EXCEPTIONS AND WAIVERS

Exceptions to this policy MUST:

  1. Be documented and justified.
  2. Be approved by appropriate executives (e.g., Executive Management).
  3. Be time‑bound and reviewed regularly.

8. DEFINITIONS

Covered Persons: Workforce members authorized to work on Dispel systems in scope.

Information Security Management System (ISMS): A management framework for establishing, implementing, maintaining, and continually improving information security.

ISP (Information Security Program): The collection of policies, procedures, standards, and controls used to manage information security at Dispel.


9. REFERENCES

  • SOC 2 Trust Services Criteria
  • ISO/IEC 27001 and Annex A
  • NIST SP 800‑53 (PL, AT, AC, SI families as referenced)
  • Related Dispel policies listed in Section 1.3

10. DOCUMENT HISTORY

Version | Date       | Author             | Changes
1.0     | 2022-01-14 | Ethan Schmertzler  | Initial creation
2.0     | 2022-05-13 | Ethan Schmertzler  | Clarified admin mode use and other updates
3.0     | 2024-02-24 | Ethan Schmertzler  | Annual review and updates
3.1     | 2025-10-11 | Stefan Kristensen  | Corrected omissions and aligned with template

11. APPROVAL SIGNATURES

Role               | Name | Signature | Date
Policy Owner       |      |           |
Security Officer   |      |           |
Compliance Officer |      |           |

END OF POLICY


Revision History (Human-Readable)

Version | Date       | Editor             | Description of Changes
1       | 01/14/2022 | Ethan Schmertzler  | Initial Creation
2       | 05/13/2022 | Ethan Schmertzler  | Approved
3       | 02/24/2024 | Stefan Kristensen  | Approved
3.1     | 10/11/2025 | Stefan Kristensen  | Approved

Document Provenance

Last Modified: April 6, 2026 at 12:37 -0400
Commit: 547bdca