Information Security Policy and Procedures (Awareness and Training)

Version: 1.0 approved
Download PDF Controlled copy — valid on date of download only

Internal Use

Information Security Policy and Procedures (Awareness and Training)

Document Control

ItemDetails
Version5.0
CadenceAnnual
Policy OwnerChief Information Security Officer
Approved ByChief Executive Officer
DCF ReferencesDCF-1, DCF-3, DCF-4, DCF-5, DCF-6, DCF-10, DCF-11, DCF-12, DCF-13, DCF-14, DCF-15, DCF-16, DCF-17, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-25, DCF-26, DCF-27, DCF-28, DCF-29, DCF-30, DCF-31, DCF-32, DCF-33, DCF-35, DCF-36, DCF-37, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-43, DCF-44, DCF-45, DCF-46, DCF-47, DCF-48, DCF-49, DCF-51, DCF-52, DCF-53, DCF-54, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-62, DCF-68, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-96, DCF-99, DCF-100, DCF-134

1. PURPOSE AND SCOPE

1.1 Purpose

This document establishes Dispel’s Awareness and Training (AT) Policy and Procedures, defining how security and privacy training is governed, documented, delivered, and maintained as part of the Information Security Program and the FedRAMP Dispel Zero Trust Engine.

1.2 Scope

This policy applies to:

  • All Dispel staff, contractors, consultants, and any individual with access to Dispel resources.
  • Systems within scope of the FedRAMP Dispel Zero Trust Engine.
  • The broader Information Security Program where training and awareness are required.

1.3 Regulatory and Framework Alignment

#Framework / StandardRelevant Control IDsAlignment Notes
1SOC 2CC2.2Supports Trust Services Criteria for communication and training of information security responsibilities.
2ISO/IEC 270017.2Supports clause for competence and awareness of personnel.
3NIST SP 800-53AT-1, AT-2, AT-3, AT-4Implements Awareness and Training controls for training policy, literacy, role-based training, and record keeping.
4IEC 62443Supports general personnel security and awareness expectations for industrial/OT environments; specific mappings will be finalized during mapping scrub.
5HIPAASupports Security Rule workforce security and awareness expectations when ePHI is in scope; specific control IDs will be finalized during mapping scrub.

2. POLICY STATEMENTS

2.1 Management Commitment

Management Commitment Statement

Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:

  • Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
  • Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
  • Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
  • Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.

2.2 Primary Policy Statement

Dispel SHALL provide, maintain, and document security and privacy training for all Covered Persons, including foundational awareness training and role-based training appropriate to job functions.

2.3 Secondary Policy Statements

At a minimum, Dispel SHALL:

  • Maintain formal Awareness and Training policies and procedures (AT-1).
  • Provide literacy training on relevant security and privacy topics to all users on a defined cadence (AT-2).
  • Provide role-based training to personnel with specialized responsibilities (AT-3).
  • Record and retain training records in accordance with retention requirements (AT-4).
  • Incorporate lessons learned from internal or external security and privacy incidents into training content.

3. REQUIREMENTS

3.1 Purpose, Scope, and Background (AT-1)

The Awareness and Training control family exists to ensure that all personnel are adequately informed and trained on security and privacy policies, procedures, and practices, thereby reducing the risk of human error and strengthening Dispel’s security posture.

Covered Persons include all Dispel staff, contractors, consultants, and users of the FedRAMP Dispel Zero Trust Engine or other in-scope systems.

This policy is part of Dispel’s overall Information Security Program (ISP), which includes:

  • Acceptable Use Policy
  • Asset Management Policy
  • Backup Policy
  • Business Continuity/Disaster Recovery Plans
  • Code of Conduct
  • Data Classification, Deletion, and Protection Policies
  • Encryption and Password Policies
  • Incident Response Plan
  • Physical Security Policy
  • Responsible Disclosure Policy
  • Risk Assessment Policy
  • Software Development Life Cycle Policy
  • System Access Management Policy
  • Vendor Management Policy
  • Vulnerability Management Policy

3.2 Dissemination, Acceptance, and Acknowledgement (AT-1)

  • As a prerequisite to being a Covered Person, individuals MUST review, accept, and acknowledge this document.
  • All Covered Persons MUST review, accept, and acknowledge this document at least annually.

3.3 Policy and Procedures Review Tempo (AT-1)

  • At least annually, the Policy Owner and a security/compliance committee of senior management SHALL review this policy and procedures to ensure that methods and processes remain relevant and effective.
  • The Policy Owner SHALL also review and update this document following significant changes (e.g., major system changes, regulatory changes, or significant security events).

3.4 Compliance (AT-1(2))

Compliance with this policy SHALL be monitored at minimum through:

  • Verification that AT policies and procedures exist and cover the FedRAMP High baseline (AT-1(a)).
  • Confirmation that the Compliance Officer has been designated to manage development, documentation, and dissemination of Information Security policy and procedures (AT-1(b)).
  • Review that policies and procedures are updated at the defined tempo and after Significant Changes (AT-1(c)).
  • Confirmation that training occurs at the required tempo for awareness and role-based training (AT-2/3).
  • Verification that appropriate sanctions processes exist (PS-8).
  • Monitoring of related controls (clean desk, internet use, teleworking, device inventory, IP rights).

(The existing detailed compliance table is retained below in Appendix A to support audits.)

3.5 Literacy Training and Awareness (AT-2)

Dispel SHALL:

  • Provide security and privacy literacy training to system users (including managers, senior executives, and contractors) as part of initial onboarding and at least annually thereafter.
  • Provide additional training when required by system changes or after significant events.
  • Employ multiple techniques (e.g., lunch-and-learn sessions, capture-the-flag exercises, targeted training modules) to increase awareness.
  • Update literacy training and awareness content at least annually and following major security events or changes.
  • Incorporate lessons learned from internal and external incidents into literacy training.

3.6 Training and Awareness Content (AT-2(2), AT-2(3), AT-2(4), AT-2(5), AT-2(6))

The Compliance Officer SHALL ensure that training content covers, at a minimum:

  • Recognition and reporting of potential insider threats.
  • Recognition and reporting of social engineering and social mining attempts.
  • Recognition and reporting of suspicious communications and anomalous system behavior.
  • Awareness of advanced persistent threats and the evolving cyber threat environment.
  • Techniques and processes to keep training current through feedback, analysis, and industry practices.

The training program (including role-based training) SHALL be:

  • Reviewed at least annually and after significant changes (per NIST SP 800-37).
  • Updated where the Policy Owner determines changes are necessary.

3.7 Role-Based Training (AT-3)

Role-based training SHALL:

  • Occur before authorizing access to sensitive systems or information, and at least annually thereafter, or after significant system changes/events.
  • Be updated at least annually and following significant system changes or events.
  • Incorporate lessons learned from internal or external security incidents or breaches.

3.8 Training Record Keeping (AT-4)

Formal training activities (awareness and role-based training) SHALL:

  • Be documented and monitored.
  • Have individual records retained for the greater of five years, or five years after completion of a specific training program.
  • Be tracked in Dispel’s SaaS compliance platform and/or other designated systems under the responsibility of the Compliance Officer.

4. ROLES AND RESPONSIBILITIES

4.1 Compliance Officer

  • Manages development, documentation, dissemination, and enforcement of Awareness and Training policies.
  • Ensures training is assigned and completed at required tempos.
  • Maintains training records and evidence for audits.
  • Coordinates updates to training content based on incidents and changes.

4.2 Security Officer

  • Structures security activities related to training as part of the FedRAMP program.
  • Ensures security aspects of training are aligned with continuous monitoring and incident response.
  • Flags security issues discovered through training or compliance reviews to appropriate roles.

4.3 Chief Technology Officer (CTO)

  • Ensures the ISMS and FedRAMP systems meet AT-related security requirements.
  • Supports resource allocation for training and awareness initiatives.

4.4 Head of Operations (HOO) and Development Operations Lead

  • Ensure technical teams (System Administrators, DevOps, Developers) understand and complete the relevant role-based training.
  • Reinforce policy and procedure adherence through training, drills, culture, and oversight.

4.5 Other Roles

Roles such as System Owner, System Administrator, System User, AO, SPM, Senior Product Manager, SecCM Program Manager, SSO, Software Developer, CEO, President, CFO, COO retain their detailed responsibilities as defined in Appendix A and are subject to role-based training as appropriate.

5. PROCEDURES

High-level procedures for Awareness and Training include:

  1. Plan and Maintain Training Content

    • Identify required training topics based on controls (AT-1–4), incidents, and regulatory changes.
    • Design literacy and role-based modules to cover required content.

  2. Assign and Deliver Training

    • Onboard new hires with foundational literacy training within 30 days of hire.
    • Assign annual refresher training to all Covered Persons.
    • Assign specialized role-based training to personnel with specific responsibilities.

  3. Track and Verify Completion

    • Use Dispel’s SaaS compliance platform to assign, track, and report on training.
    • Periodically review completion reports and follow up on overdue items.

  4. Review and Improve

    • Annually review training content and schedules.
    • Incorporate lessons learned from incidents, audits, and feedback.
    • Update content and procedures as needed.

Detailed AT-1/AT-2/AT-3/AT-4 text, compliance tables, and role definitions are preserved in Appendix A.

6. MONITORING AND COMPLIANCE

6.1 Monitoring

Compliance with this policy SHALL be monitored through:

  • Regular review of training assignments and completion reports.
  • Verification that training content has been updated on the required cadence.
  • Sampling and review of training records for key roles.
  • Use of the AT-1(2) compliance table (see Appendix A) as a formal compliance checklist.

6.2 Non-Compliance

Non-compliance with training requirements may result in:

  • Additional remedial training assignments.
  • Escalation to management.
  • Disciplinary measures, up to and including termination, consistent with HR policies and laws.

7. EXCEPTIONS AND WAIVERS

Any exception to this policy (e.g., waiving modules for specific roles) MUST:

  1. Be documented and justified.
  2. Be approved by the Policy Owner and, where appropriate, Executive Management.
  3. Be time-bound and subject to periodic review.

8. DEFINITIONS

Covered Person: Any Dispel staff member, contractor, consultant, or user authorized to access covered systems and information.

Literacy Training: Foundational security and privacy training provided to all Covered Persons to raise awareness of common threats, responsibilities, and safe practices.

Role-Based Training: Additional, specialized training for individuals with particular roles and responsibilities (e.g., administrators, developers, SecCM roles).

Awareness and Training Program: The overall set of policies, procedures, content, and activities that implement AT-1 through AT-4.

9. REFERENCES

  • NIST SP 800-53 (AT-1, AT-2, AT-3, AT-4)
  • ISO/IEC 27001 clause 7.2
  • SOC 2 Trust Services Criteria CC2.2
  • Dispel Information Security Policy
  • Dispel Information Security Management System Plan (ISMS)

10. DOCUMENT HISTORY

VersionDateAuthorChanges
1.02022-01-14Ethan SchmertzlerInitial creation
2.02022-01-14Ethan SchmertzlerApproved
3.02023-01-10Ethan SchmertzlerApproved
4.02023-12-08Ian SchmertzlerAdded NIST 800-53 alignment and reformatted
4.12023-12-08Jemel KylesApproved
5.02024-11-21Stefan KristensenReviewed and aligned with POLICY_Template

11. APPROVAL SIGNATURES

RoleNameSignatureDate
Policy Owner
Security Officer
Compliance Officer

END OF POLICY

Framework Coverage

SOC 2 CC2.2
ISO 27001 7.2
NIST 800-53 AT-1 AT-2 AT-3 AT-4

Document Provenance

Last ModifiedApril 6, 2026 at 12:37 -0400
Authorunknown
Signature Not signed
Commit547bdca View on GitHub
File HistoryAll changes