Information Security Assessment, Authorization, and Monitoring Policy and Procedures

Version: 1.1 approved

Download PDF Controlled copy — valid on date of download only

Internal Use

Information Security Assessment, Authorization, and Monitoring Policy and Procedures

Dispel

Document Control

Item	Details
Version	1.0
Cadence	Annual
Policy Owner	Chief Information Security Officer
Approved By	Chief Executive Officer
DCF References	DCF-1, DCF-4, DCF-5, DCF-6, DCF-12, DCF-13, DCF-15, DCF-16, DCF-17, DCF-18, DCF-19, DCF-21, DCF-22, DCF-23, DCF-24, DCF-31, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-45, DCF-47, DCF-48, DCF-49, DCF-55, DCF-56, DCF-57, DCF-58, DCF-72, DCF-73, DCF-74, DCF-75, DCF-80, DCF-81, DCF-99, DCF-100, DCF-134

1. PURPOSE AND SCOPE

1.1 Purpose

The purpose of this policy and procedures document is to define how Dispel plans, conducts, and manages security assessments, authorization decisions, and ongoing monitoring for Dispel systems, including the Dispel Zero Trust Engine, so that risks are identified, evaluated, and treated in a consistent, evidence-based manner.

1.2 Scope

This policy applies to:

All Dispel information systems and services that process, store, or transmit organizational or customer data.
All components supporting those systems, including infrastructure, platforms, applications, and integrations with third-party services.
All phases of the system lifecycle, from design and development through deployment, operation, and decommissioning.
All Covered Persons involved in designing, operating, assessing, authorizing, or monitoring Dispel systems.

1.3 Regulatory and Framework Alignment

#	Framework / Standard	Relevant Control IDs	Alignment Notes
1	SOC 2	CC4.1, CC4.2, CC7.3	Risk assessment and mitigation activities, and ongoing monitoring of controls supporting the security, availability, and confidentiality criteria.
2	ISO/IEC 27001	A.5.4, A.5.8	Information security risk assessment and inventory of information and other associated assets to support assessment and monitoring.
3	NIST SP 800-53	CA-1, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9	Assessment, authorization, and continuous monitoring of security controls; use of assessment results; penetration testing; and management of internal and external system connections.
4	IEC 62443	62443-2-1.4.3	Cybersecurity management system requirements, including assessment and monitoring activities for industrial automation and control systems.
5	HIPAA	164.308(a)(8)	Periodic technical and non-technical evaluations of information systems and security controls in scope for PHI.

2. POLICY STATEMENTS

2.1 Management Commitment

Management Commitment Statement

Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:

Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.

2.2 Primary Policy Statement

Dispel SHALL ensure that all in-scope systems are assessed using defined security control baselines, formally authorized for operation prior to production use, and continuously monitored to detect and respond to changes in risk.

2.3 Secondary Policy Statement

Security assessments SHALL be performed periodically and in response to significant changes in systems or risk.
Authorization decisions SHALL be risk-based, documented, and made by designated Authorizing Officials.
Assessment and monitoring results SHALL be captured in formal artifacts (e.g., SSPs, SAPs, SARs, POA&Ms) and used to drive remediation and improvement.

3. REQUIREMENTS

3.1 Governance, Covered Persons, and Review Tempo

Objective: Establish governance for assessment, authorization, and monitoring activities.

Mandatory Activities:

The Policy Owner SHALL own this policy and associated procedures and ensure they are reviewed at least annually.
All workforce members authorized to work on Dispel Zero Trust Engine instances or other in-scope systems (“Covered Persons”) SHALL comply with this policy and applicable procedures.
This policy and procedures SHALL be disseminated to Covered Persons; review, acceptance, and acknowledgement SHALL be required initially and at least annually.
The Policy Owner SHALL review and, if necessary, update this policy and procedures:
- At least annually.
- Following discretionary off-cycle reviews.
- Following significant changes as defined in NIST SP 800-37 or equivalent internal criteria.

Required Outputs:

Approved and current policy and procedures.
Records of Covered Person acknowledgements.

Security Controls: NIST SP 800-53 CA-1.

3.2 Assessment, Authorization, and Monitoring Program

Objective: Define a structured assessment, authorization, and monitoring program for Dispel systems.

Mandatory Activities:

Dispel SHALL adopt the NIST SP 800-53 Assessment, Authorization, and Monitoring (CA) control family as the basis for this program.
For each major system or platform release, a security assessment plan (SAP) SHALL be developed that:
- Identifies the control baseline(s) applied (e.g., FedRAMP High where applicable).
- Defines assessment methods, frequency, and responsibilities.
Security assessments SHALL be conducted:
- For major changes (e.g., new platform versions, major features) using comprehensive assessments.
- For minor or incremental changes using targeted assessments against affected controls.
Assessment results SHALL be documented in a Security Assessment Report (SAR) and gaps tracked in a Plan of Action and Milestones (POA&M).
Compensating controls SHALL be identified and documented where gaps cannot be remediated immediately.
Systems SHALL not be promoted to production without a recorded authorization decision based on current assessment results and risk acceptance.
Authorized systems SHALL enter continuous monitoring, with re-assessments performed in line with the continuous monitoring strategy.

Required Outputs:

System Security Plan (SSP) or SSP addendum.
Security Assessment Plan (SAP).
Security Assessment Report (SAR).
POA&M and related risk acceptance records.
Formal authorization decision documentation.

Security Controls: NIST SP 800-53 CA-1, CA-2, CA-5, CA-6, CA-7.

3.3 Use of Assessment Results and Risk Monitoring

Objective: Ensure assessment and monitoring results inform risk management decisions.

Mandatory Activities:

Assessment and monitoring results SHALL be used to:
- Identify vulnerabilities and control weaknesses.
- Prioritize remediation activities and compensating controls.
- Support updated risk assessments and risk acceptance decisions.
POA&M items SHALL be created for material findings and tracked through remediation.
Risk monitoring SHALL incorporate:
- Changes in system architecture, configurations, and dependencies.
- Threat intelligence and vulnerability advisories relevant to Dispel systems.
- Results from continuous monitoring, penetration testing, and red team exercises.

Required Outputs:

Updated risk assessments.
Updated POA&M entries and remediation status.

Security Controls: NIST SP 800-53 CA-2(3), CA-7, CA-7(4).

3.4 Penetration Testing, Red Team Exercises, and System Connections

Objective: Validate security posture through specialized assessments and manage system connections.

Mandatory Activities:

Penetration testing SHALL be performed on in-scope systems at a defined cadence and after significant changes, consistent with CA-8 requirements.
Where appropriate, red team exercises SHALL be used to emulate advanced adversaries and validate detection and response capabilities.
Internal and external system connections (including customer and third-party integrations) SHALL be documented, evaluated, and authorized prior to use.
Transfer authorizations and information exchanges between Dispel systems and third-party systems SHALL be governed by documented agreements and technical controls.

Required Outputs:

Penetration test and red team reports.
Records of internal and external system connections and associated authorizations.

Security Controls: NIST SP 800-53 CA-3, CA-3(6), CA-8, CA-8(1), CA-8(2), CA-9.

4. ROLES AND RESPONSIBILITIES

4.1 Policy Owner (Security Officer or Delegate)

Responsibilities:

Owns this Information Security Assessment, Authorization, and Monitoring Policy and Procedures.
Ensures policy and procedures are reviewed at least annually and updated as needed.
Coordinates with system owners and other stakeholders to implement the assessment and monitoring program.

4.2 Chief Technology Officer (CTO)

Responsibilities:

Ensures system designs and changes support assessment, authorization, and monitoring requirements.
Approves technical approaches for controls and compensating controls.
Supports remediation planning and execution for findings identified in assessments and monitoring.

4.3 System Owners

Responsibilities:

Ensure systems under their responsibility are assessed, authorized, and monitored according to this policy.
Maintain accurate and current system documentation, including SSPs and connection inventories.
Implement remediation activities for findings within agreed timelines.

4.4 Security and Compliance Teams

Responsibilities:

Plan and execute security assessments and continuous monitoring activities.
Develop and maintain SAPs, SARs, POA&Ms, and related artifacts.
Provide guidance on interpreting assessment results and prioritizing remediation.

4.5 Customers (for Dispel Zero Trust Engine)

Responsibilities (where applicable):

Participate in shared assessments and provide necessary information about their use of DZTE.
Implement customer-side controls identified in shared responsibility models.
Maintain their own authorization and monitoring processes for systems that integrate with DZTE.

5. PROCEDURES

5.1 Assessment and Authorization Lifecycle (High-Level)

Step	Action	Responsible Party	Timeframe
1	Define or update control baseline and assessment scope for the system or major release.	Policy Owner, System Owner, Security Officer	During design or major change planning
2	Develop or update the System Security Plan (SSP) and Security Assessment Plan (SAP).	System Owner, Security Officer	Before assessment begins
3	Conduct security control assessments according to the SAP.	Security and Compliance Teams, Assessors	During assessment window
4	Produce the Security Assessment Report (SAR) and create or update POA&M items.	Security and Compliance Teams	After assessment completion
5	Develop and implement remediation and compensating controls for identified gaps.	System Owner, CTO, Security Officer	Per POA&M timelines
6	Prepare authorization package (SSP, SAP, SAR, POA&M, and supporting documents) and obtain formal authorization decision.	System Owner, Authorizing Official	Before production use or continued operation
7	Enter continuous monitoring, including periodic reassessments and control monitoring.	Security Officer, System Owner	Ongoing

6. MONITORING AND COMPLIANCE

6.1 Compliance Monitoring

Compliance with this policy SHALL be monitored through:

Review of assessment and authorization artifacts (SSPs, SAPs, SARs, POA&Ms, authorization decisions).
Continuous monitoring activities, including vulnerability management, configuration monitoring, and log analysis, where applicable.
Periodic internal or external audits that test the effectiveness of assessment, authorization, and monitoring controls.

6.2 Metrics and Reporting

The following metrics SHALL be tracked and reported at least annually to the Policy Owner and appropriate senior management:

Metric	Frequency	Owner
Number of completed security assessments vs. planned	Annual	Security Officer
Percentage of systems with current authorization to operate (ATO)	Quarterly	System Owners / Security Officer
Percentage of POA&M items closed within agreed timelines	Quarterly	System Owners

6.3 Non-Compliance Consequences

Failure to comply with this policy and procedures may result in:

Delayed or revoked authorization to operate for affected systems.
Revocation or restriction of access for Covered Persons.
Disciplinary action for employees and contractors, consistent with Dispel HR policies and applicable law.
Contractual or access-related remedies for third parties.

7. EXCEPTIONS AND WAIVERS

7.1 Exception Process

Exceptions to this policy SHALL:

Be submitted in writing by the requesting party.
Identify the specific policy or procedural requirements for which an exception is sought.
Include justification and business impact.
Describe compensating controls or mitigation measures.
Define exception duration and remediation plan.

7.2 Exception Approval Authority

Risk Level	Approval Authority
Low	Policy Owner
Medium	Policy Owner and Security Officer
High	Policy Owner, Security Officer, and Senior Management representative
Critical	Senior Management representative in consultation with Policy Owner and Security Officer

8. DEFINITIONS

Covered Person: Any Dispel workforce member, contractor, or third party authorized to work on Dispel Zero Trust Engine instances or other in-scope systems.

Security Assessment: A systematic evaluation of the extent to which a system’s security controls are implemented correctly, operating as intended, and producing the desired outcome.

Authorization to Operate (ATO): A formal management decision that a system is approved to operate, based on an acceptable level of risk.

Continuous Monitoring: Ongoing activities that provide visibility into security control effectiveness and changes in risk over time.

Plan of Action and Milestones (POA&M): A document that identifies security weaknesses and tracks planned remediation activities, milestones, and completion dates.

9. REFERENCES

9.1 Internal References

Information Security Policy.
Risk Assessment Policy and Procedures.
System Supply Chain Risk Management Policy and Procedures.
Incident Response Policy and Procedures.

9.2 External References

NIST SP 800-53, CA family.
NIST SP 800-37, Risk Management Framework.
NIST SP 800-30, Guide for Conducting Risk Assessments.
FedRAMP guidance, where applicable.
ISO/IEC 27001 and related guidance on risk assessment and monitoring.

10. DOCUMENT HISTORY

Version	Date	Author	Changes
1.1	Predates version control	Ethan Schmertzler	Aligned policy and procedures to POLICY_TEMPLATE and updated control mappings.
1.0	Predates version control	Ethan Schmertzler	Initial Information Security Assessment, Authorization, and Monitoring policy and procedures.

11. APPROVAL SIGNATURES

Role	Name	Signature	Date
Policy Owner (Security Officer)
Chief Technology Officer
Senior Management Representative

APPENDICES

Appendix A: Supporting Assessment and Authorization Procedures

This appendix may include:

Detailed checklists for developing SSPs, SAPs, SARs, and POA&Ms.
Sample authorization decision templates.
Example continuous monitoring plans and schedules.

Appendix B: Additional Guidance and Examples

This appendix may include:

Example scenarios illustrating major vs. minor vs. incremental changes and associated assessment requirements.
References to current industry best practices for security assessment, authorization, and monitoring.

Framework Coverage

SOC 2 CC4.1 CC4.2 CC7.3

ISO 27001 A.5.4 A.5.8

NIST 800-53 CA-1 CA-2 CA-3 CA-5 CA-6 CA-7 CA-8 CA-9

Last Modified	April 6, 2026 at 12:37 -0400
Author	unknown
Signature	Not signed
Commit	`547bdca` View on GitHub
File History	All changes