Risk Assessment Policy and Procedures

Version: 1.1 approved

Download PDF Controlled copy — valid on date of download only

Internal Use

Risk Assessment Policy and Procedures

Dispel

Document Control

Item	Details
Version	1.0
Cadence	Annual
Policy Owner	Chief Information Security Officer
Approved By	Chief Executive Officer
DCF References	DCF-1, DCF-12, DCF-13, DCF-15, DCF-16, DCF-17, DCF-18, DCF-19, DCF-20, DCF-21, DCF-23, DCF-24, DCF-28, DCF-29, DCF-30, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-43, DCF-44, DCF-45, DCF-47, DCF-51, DCF-52, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-72, DCF-73, DCF-74, DCF-75, DCF-80, DCF-81, DCF-83, DCF-84, DCF-96, DCF-99, DCF-100, DCF-101, DCF-134

1. PURPOSE AND SCOPE

1.1 Purpose

The purpose of this policy and procedures document is to define how Dispel identifies, analyzes, evaluates, and treats information security risks to its systems, services, and data, and to specify how Dispel leadership sets and maintains acceptable risk levels.

1.2 Scope

This policy applies to:

The entire Dispel organization and all information systems and services in scope for the information security program.
All assets that may affect the confidentiality, integrity, or availability of organizational or customer information, including hardware, software, data, documentation, and external services.
All Covered Persons involved in identifying, assessing, and managing information security risks.

1.3 Regulatory and Framework Alignment

#	Framework / Standard	Relevant Control IDs	Alignment Notes
1	SOC 2	CC3.2, CC4.1	Risk assessment processes and evaluation of business objectives, risks, and controls.
2	ISO/IEC 27001	A.5.4, A.5.5	Information security risk management and information security risk treatment.
3	NIST SP 800-53	RA-1, RA-2, RA-3, RA-5	Risk assessment policy and procedures, security categorization, risk assessment, and vulnerability scanning.
4	IEC 62443	62443-2-1.4.3	Cybersecurity risk assessment requirements for industrial automation and control systems.
5	HIPAA	164.308(a)(1)(ii)(A)	Risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).

2. POLICY STATEMENTS

2.1 Management Commitment

Management Commitment Statement

Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:

Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.

2.2 Primary Policy Statement

Dispel SHALL maintain a documented risk assessment program that periodically and consistently identifies, analyzes, and evaluates information security risks and informs risk treatment decisions.

2.3 Secondary Policy Statement

Risk assessments SHALL be updated when significant changes occur to systems, threats, or business context, and at a defined minimum cadence.
All high and critical risks SHALL be treated through implementation of controls, transfer, or other risk response actions; residual risks SHALL be explicitly accepted by appropriate management.

3. REQUIREMENTS

3.1 Risk Assessment Governance and Review Tempo

Objective: Establish governance for risk assessment activities.

Mandatory Activities:

The Policy Owner (Compliance Officer or delegate) SHALL own this policy and associated procedures and ensure they are reviewed at least annually.
All workforce members (Covered Persons) are within the scope of this policy and SHALL comply with applicable risk-related procedures.
This policy and procedures SHALL be disseminated to Covered Persons; review, acceptance, and acknowledgement SHALL be required initially and at least annually.
The Policy Owner SHALL review and, if necessary, update this policy and procedures:
- At least once annually.
- Following discretionary off-cycle reviews.
- Following significant changes as defined in NIST SP 800-37 or equivalent internal criteria.

Required Outputs:

Approved and current policy and procedures.
Records of Covered Person acknowledgements.

Security Controls: NIST SP 800-53 RA-1.

3.2 Risk Assessment Process

Objective: Define a consistent process for identifying and assessing risks.

Mandatory Activities:

The risk assessment process SHALL include:
- Identification of assets within scope (systems, data, services, infrastructure, and external/outsourced services).
- Identification of threats and vulnerabilities associated with each asset.
- Assignment of risk owners for identified risks.
Risk owners SHALL assess, for each risk:
- The potential impact if the risk is realized.
- The likelihood of occurrence.
Dispel SHALL define and maintain criteria for determining impact and likelihood, and SHALL use these criteria to calculate a risk level (e.g., impact × likelihood).
Risk assessment results SHALL be documented in a risk register or equivalent artifact.

Required Outputs:

Asset inventory and associated threat/vulnerability information.
Risk register with impact, likelihood, and risk ratings.

Security Controls: NIST SP 800-53 RA-2, RA-3.

3.3 Risk Treatment and Residual Risk

Objective: Ensure identified risks are appropriately treated or accepted.

Mandatory Activities:

For each identified risk, Dispel SHALL determine one or more treatment options:
- Implement or enhance security controls.
- Transfer the risk (e.g., insurance, contracts with suppliers or partners).
- Avoid the risk by discontinuing or changing the business activity.
- Accept the risk where treatment would cost more than the potential impact.
All high and critical risks SHALL be treated; acceptance without treatment SHALL require documented justification and approval at an appropriate management level.
Risk owners SHALL estimate residual risk (updated impact and likelihood) after planned treatments are implemented.
Risk treatment plans and residual risk decisions SHALL be documented and periodically reviewed.

Required Outputs:

Risk treatment plans and decisions.
Documentation of residual risk and approvals.

Security Controls: NIST SP 800-53 RA-3.

3.4 Vulnerability Assessment and Monitoring

Objective: Ensure vulnerability-related risks are identified and managed.

Mandatory Activities:

Dispel SHALL conduct vulnerability assessments for in-scope systems, including vulnerability scanning and other technical evaluations.
Vulnerability scanning SHALL:
- Use up-to-date vulnerability information and signatures.
- Provide appropriate breadth and depth of coverage for in-scope systems.
- Be configured to use privileged access where necessary and approved.
Identified vulnerabilities SHALL be evaluated for impact and likelihood and entered into the risk register or tracked in a vulnerability management system.
Historic audit logs and other telemetry SHOULD be reviewed, when appropriate, to understand exploitation attempts and inform risk evaluation.

Required Outputs:

Vulnerability scan results and related analysis.
Updated risk register entries and remediation tasks.

Security Controls: NIST SP 800-53 RA-5.

4. ROLES AND RESPONSIBILITIES

4.1 Policy Owner (Compliance Officer or Delegate)

Responsibilities:

Owns this Risk Assessment Policy and Procedures.
Ensures risk assessment methodology, criteria, and templates are defined and maintained.
Coordinates periodic risk assessments and ensures results feed into risk treatment and governance processes.

4.2 Security Officer

Responsibilities:

Provides input on technical risks, threat intelligence, and vulnerability information.
Supports definition of impact and likelihood criteria and risk rating scales.
Coordinates vulnerability assessments and vulnerability risk analysis.

4.3 System Owners

Responsibilities:

Identify assets under their responsibility and participate in risk assessments.
Act as risk owners or designate appropriate risk owners for system-related risks.
Implement risk treatment plans and monitor residual risk.

4.4 Senior Management

Responsibilities:

Approve risk appetite and risk tolerance levels.
Approve treatment or acceptance of high and critical risks.
Ensure risk assessment outcomes are considered in strategic and operational decisions.

5. PROCEDURES

5.1 Risk Assessment Lifecycle (High-Level)

Step	Action	Responsible Party	Timeframe
1	Define assessment scope (systems, assets, data, processes, and boundaries).	Policy Owner, System Owners	At start of assessment cycle
2	Identify assets, threats, and vulnerabilities and assign risk owners.	System Owners, Security Officer	During assessment planning
3	Assess impact and likelihood, calculate risk ratings, and document in the risk register.	Risk Owners	During assessment execution
4	Determine and document risk treatment options and residual risk.	Risk Owners, Policy Owner, Senior Management (as needed)	After initial assessment
5	Implement risk treatment plans and update risk register accordingly.	System Owners, Security Officer	Per agreed timelines
6	Review and update risk assessments in response to significant changes or at least annually.	Policy Owner, Risk Owners	Ongoing

6. MONITORING AND COMPLIANCE

6.1 Compliance Monitoring

Compliance with this policy SHALL be monitored through:

Periodic reviews of the risk register and risk treatment plans.
Internal or external audits of the risk management process.
Verification that high and critical risks have treatment plans and documented acceptances where applicable.

6.2 Metrics and Reporting

The following metrics SHALL be tracked and reported at least annually to the Policy Owner and senior management:

Metric	Frequency	Owner
Number of risks identified vs. risks treated within the reporting period	Annual	Policy Owner
Percentage of high/critical risks with approved treatment or acceptance decisions	Quarterly	Policy Owner
Time-to-close for risk treatment actions above defined thresholds	Quarterly	System Owners

6.3 Non-Compliance Consequences

Failure to comply with this policy and procedures may result in:

Inaccurate or incomplete understanding of organizational risk exposure.
Revocation or restriction of access for Covered Persons who repeatedly fail to follow risk-related procedures.
Disciplinary action for employees and contractors, consistent with Dispel HR policies and applicable law.

7. EXCEPTIONS AND WAIVERS

7.1 Exception Process

Exceptions to this policy SHALL:

Be submitted in writing by the requesting party.
Identify the specific policy or procedural requirements for which an exception is sought.
Include justification and business impact.
Describe compensating controls or mitigation measures.
Define exception duration and remediation plan.

7.2 Exception Approval Authority

Risk Level	Approval Authority
Low	Policy Owner
Medium	Policy Owner and Security Officer
High	Policy Owner, Security Officer, and Senior Management representative
Critical	Senior Management representative in consultation with Policy Owner and Security Officer

8. DEFINITIONS

Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

Risk Assessment: The overall process of risk identification, risk analysis, and risk evaluation.

Risk Owner: A person or entity with the accountability and authority to manage a risk.

Risk Treatment: The process of selecting and implementing measures to modify risk.

Covered Person: Any Dispel workforce member, contractor, or third party within the scope of the information security program.

9. REFERENCES

9.1 Internal References

Information Security Policy.
Information Security Assessment, Authorization, and Monitoring Policy and Procedures.
System Supply Chain Risk Management Policy and Procedures.
Incident Response Policy and Procedures.

9.2 External References

NIST SP 800-30, Guide for Conducting Risk Assessments.
NIST SP 800-37, Risk Management Framework.
NIST SP 800-53, RA family.
ISO/IEC 27005, Information security risk management.

10. DOCUMENT HISTORY

Version	Date	Author	Changes
1.1	Predates version control	Ethan Schmertzler	Aligned Risk Assessment Policy and Procedures to POLICY_TEMPLATE and updated control mappings.
1.0	Predates version control	Ethan Schmertzler	Initial Risk Assessment Policy and Procedures.

11. APPROVAL SIGNATURES

Role	Name	Signature	Date
Policy Owner (Compliance Officer)
Security Officer
Senior Management Representative

APPENDICES

Appendix A: Supporting Risk Assessment Procedures

This appendix may include:

Detailed risk assessment templates and scoring methodologies.
Example risk registers and treatment plan formats.

Appendix B: Additional Guidance and Examples

This appendix may include:

Example scenarios illustrating risk assessment and treatment decisions.
References to current industry best practices for risk assessment and management.

Framework Coverage

SOC 2 CC3.2 CC4.1

ISO 27001 A.5.4 A.5.5

NIST 800-53 RA-1 RA-2 RA-3 RA-5

Last Modified	April 6, 2026 at 12:37 -0400
Author	unknown
Signature	Not signed
Commit	`547bdca` View on GitHub
File History	All changes