System and Information Integrity Policy and Procedures

Version: 1.1 approved
Controlled copy — valid on date of download only

Internal Use


Dispel

Document Control

Version: 1.0
Cadence: Annual
Policy Owner: Chief Information Security Officer
Approved By: Chief Executive Officer
DCF References: DCF-1, DCF-12, DCF-13, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-28, DCF-29, DCF-30, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-43, DCF-44, DCF-45, DCF-47, DCF-48, DCF-49, DCF-51, DCF-52, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-72, DCF-73, DCF-74, DCF-80, DCF-81, DCF-83, DCF-84, DCF-96, DCF-99, DCF-100, DCF-134

1. PURPOSE AND SCOPE

1.1 Purpose

The purpose of this policy and procedures document is to define how Dispel maintains the integrity of its systems and information, including flaw remediation, malicious code protection, system monitoring, integrity checking, and related safeguards.

1.2 Scope

This policy applies to:

  • Dispel systems and services in scope for the security and compliance program, including the Dispel Zero Trust Engine.
  • Supporting processes and controls required to maintain the integrity of systems and information.

1.3 Regulatory and Framework Alignment

# | Framework / Standard | Relevant Control IDs | Alignment Notes
1 | SOC 2 | CC6.1, CC6.6, CC7.2, CC7.3, CC7.4 | Logical access, system monitoring, and vulnerability and incident management related to integrity.
2 | ISO/IEC 27001 | A.5.12, A.5.13, A.5.23, A.8.11 | Requirements for data integrity, protection of system functions, and technical vulnerability management.
3 | NIST SP 800-53 | SI-1, SI-2, SI-2(2), SI-2(3), SI-3, SI-4, SI-4(1), SI-4(2), SI-4(4), SI-4(5), SI-4(10), SI-4(11), SI-4(12), SI-4(14), SI-4(16), SI-4(18), SI-4(19), SI-4(20), SI-4(22), SI-4(23), SI-5, SI-5(1), SI-6, SI-7, SI-7(1), SI-7(2), SI-7(5), SI-7(7), SI-7(15), SI-8, SI-8(2), SI-10, SI-11, SI-12, SI-16 | Flaw remediation, malicious code protection, system monitoring, integrity protection, and related safeguards.
4 | IEC 62443 | 62443-2-1.4.3 | Integrity and monitoring requirements for industrial control systems.
5 | HIPAA | 164.308(a)(1), 164.308(a)(5), 164.308(a)(6), 164.308(a)(7), 164.312(c), 164.312(e) | Integrity, malware protection, monitoring, and transmission security for systems handling ePHI.

2. POLICY STATEMENTS

2.1 Management Commitment

Management Commitment Statement

Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:

  • Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
  • Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
  • Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
  • Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.

2.2 Primary Policy Statement

Dispel SHALL implement and maintain controls to protect the integrity of systems and information, detect and remediate flaws, and monitor for malicious or anomalous activity.

2.3 Secondary Policy Statement

  • System flaws SHALL be identified, assessed, and remediated in a timely manner.
  • Malicious code protection and integrity monitoring capabilities SHALL be deployed and maintained.

3. REQUIREMENTS

3.1 Flaw Remediation

Objective: Identify, assess, and remediate system flaws.

Mandatory Activities:

  1. Dispel SHALL have processes to receive, analyze, and act on information about system vulnerabilities and flaws.
  2. Flaws SHALL be prioritized based on risk and remediated according to defined timelines.
  3. Where immediate remediation is not possible, compensating controls SHALL be considered and documented.

Required Outputs:

  • Flaw remediation procedures.
  • Records of identified flaws, risk ratings, and remediation status.

Security Controls: NIST SP 800-53 SI-2.


3.2 Malicious Code Protection and System Monitoring

Objective: Protect systems from malicious code and monitor for anomalous activity.

Mandatory Activities:

  1. Malicious code protection mechanisms (e.g., anti-malware, endpoint protection) SHALL be deployed on appropriate systems.
  2. System and network monitoring capabilities (e.g., IDS/IPS, EDR, log analysis) SHALL be used to detect anomalous or suspicious activity.
  3. Alerts from malicious code and monitoring tools SHALL be integrated into incident response processes.

Required Outputs:

  • Configuration and deployment records for malicious code protection and monitoring tools.
  • Alerts and investigation records.

Security Controls: NIST SP 800-53 SI-3, SI-4.


3.3 Information and Software Integrity

Objective: Ensure the integrity of information and software components.

Mandatory Activities:

  1. Integrity-checking mechanisms (e.g., checksums, digital signatures, file integrity monitoring) SHALL be used for critical software and configuration items.
  2. Detected integrity violations SHALL be investigated and treated as potential security incidents.
  3. Integrity controls SHALL be protected from unauthorized modification or disabling.

Required Outputs:

  • Integrity monitoring configurations and reports.
  • Records of detected integrity issues and responses.

Security Controls: NIST SP 800-53 SI-7, SI-8, SI-10, SI-11, SI-12.


4. ROLES AND RESPONSIBILITIES

4.1 Policy Owner

Responsibilities:

  • Owns this System and Information Integrity Policy and Procedures.
  • Ensures integration with Vulnerability Management, Logging and Monitoring, and Incident Response policies.

4.2 Security Officer / Security Operations

Responsibilities:

  • Oversee flaw remediation, malicious code protection, and monitoring programs.
  • Analyze alerts and coordinate with Incident Response.

4.3 System Owners / Administrators

Responsibilities:

  • Implement and maintain integrity-related controls on systems they manage.
  • Coordinate flaw remediation and integrity monitoring activities.

5. PROCEDURES

5.1 System and Information Integrity Lifecycle (High-Level)

Step | Action | Responsible Party | Timeframe
1 | Identify and assess system flaws and integrity risks. | Security Officer, System Owners | Ongoing
2 | Implement and update malicious code and monitoring solutions. | Security Operations, Administrators | Ongoing
3 | Monitor for anomalies and integrity violations; investigate alerts. | Security Operations | Ongoing
4 | Remediate identified issues and update controls as needed. | System Owners, Security Officer | As required
5 | Review integrity and flaw remediation metrics and adjust processes. | Policy Owner, Security Officer | At least annually

6. MONITORING AND COMPLIANCE

Compliance with this policy SHALL be monitored through:

  • Vulnerability and integrity assessments.
  • Reviews of monitoring and alert handling.
  • Periodic audits of integrity-related controls.

7. EXCEPTIONS AND WAIVERS

Exceptions to this policy SHALL follow the documented exception management process and require appropriate approvals.


8. DEFINITIONS

System Flaw: A weakness in hardware, firmware, or software that may be exploited or cause unexpected behavior.

Malicious Code: Software or code designed to perform unauthorized or harmful actions.


9. REFERENCES

  • Vulnerability Management Policy.
  • Logging and Monitoring Policy.
  • NIST SP 800-53, SI family.

10. DOCUMENT HISTORY

Version | Date | Author | Changes
1.1 | Predates version control | Ethan Schmertzler | Aligned System and Information Integrity Policy and Procedures to POLICY_TEMPLATE and updated control mappings.
1.0 | Predates version control | Ethan Schmertzler | Initial System and Information Integrity Policy and Procedures.

11. APPROVAL SIGNATURES

Role | Name | Signature | Date
Policy Owner | | |
Security Officer | | |
Senior Management Representative | | |

APPENDICES

Appendix A: Supporting System and Information Integrity Procedures

Appendix B: Additional Guidance and Examples

Document Provenance

Last Modified: April 6, 2026 at 12:18 -0400
Author: unknown
Signature: Not signed
Commit: 547bdca