Vulnerability Management Policy

Version: 5.1 approved

Download PDF Controlled copy — valid on date of download only

Internal Use

Vulnerability Management Policy

Dispel

Document Control

Item	Details
Version	1.0
Cadence	Annual
Policy Owner	Chief Information Security Officer
Approved By	Chief Executive Officer
DCF References	DCF-13, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-32, DCF-38, DCF-39, DCF-40, DCF-41, DCF-43, DCF-44, DCF-47, DCF-48, DCF-49, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-72, DCF-73, DCF-74, DCF-75, DCF-96, DCF-99, DCF-100, DCF-134

1. PURPOSE AND SCOPE

1.1 Purpose

The purpose of this policy is to define Dispel’s requirements for identifying, assessing, tracking, and remediating vulnerabilities in systems and applications in order to reduce security risk.

1.2 Scope

This policy applies to:

All Dispel product systems and supporting infrastructure.
All environments where Dispel code or configurations run (including cloud platforms and third-party services in scope for the security program).

1.3 Regulatory and Framework Alignment

#	Framework / Standard	Relevant Control IDs	Alignment Notes
1	SOC 2	CC1.2, CC3.1, CC3.3, CC3.4, CC4.1, CC4.2, CC5.1, CC5.2, CC7.1, CC7.2	Risk assessment, vulnerability management, and incident handling.
2	ISO/IEC 27001	A.12.1.1, A.12.7.1, A.18.2.3	Change management, vulnerability management, and technical compliance review.
3	NIST SP 800-53	RA-3, RA-5, RA-7, SI-2, SI-3, SI-5	Vulnerability identification, assessment, and remediation requirements are implemented in conjunction with RA and SI controls.
4	IEC 62443	62443-2-1, 62443-2-3, 62443-3-2, 62443-3-3, 62443-4-1, 62443-4-2	Vulnerability management and system hardening for industrial/OT systems.
5	HIPAA	164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5), 164.308(a)(6), 164.310, 164.312	Risk analysis, risk management, workforce security, access control, and technical safeguards where ePHI is in scope.

2. POLICY STATEMENTS

2.1 Management Commitment

Management Commitment Statement

Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:

Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.

2.2 Primary Policy Statement

Dispel SHALL identify, assess, and remediate vulnerabilities in systems and applications within risk-appropriate timeframes, using independent scanning and testing where appropriate.

2.3 Secondary Policy Statement

Vulnerability management activities SHALL be integrated with change management and incident response.
Vulnerability findings and remediation status SHALL be tracked and retained for compliance and audit purposes.

3. REQUIREMENTS

3.1 Vulnerability Scanning and Assessment

Objective: Systematically identify vulnerabilities in Dispel systems and infrastructure.

Mandatory Activities:

Vulnerability scanning SHALL be performed at a defined cadence (e.g., at least quarterly) using automated tools and/or third-party services.
Scanning SHALL cover relevant assets, including servers, applications, containers, and supporting infrastructure.
Findings from vulnerability scans SHALL be reviewed and analyzed for impact and likelihood.

Required Outputs:

Vulnerability scan results.
Records of analysis and prioritization.

3.2 Penetration Testing

Objective: Validate the effectiveness of security controls through controlled exploitation attempts.

Mandatory Activities:

Penetration testing SHOULD be performed regularly by an independent party for high-risk systems and significant changes.
Findings from penetration tests SHALL be analyzed and entered into the vulnerability tracking process.

Required Outputs:

Penetration test reports.
Records of remediation actions.

3.3 Vulnerability Tracking, Prioritization, and Remediation

Objective: Ensure vulnerabilities are consistently reported, prioritized, and remediated.

Mandatory Activities:

Vulnerability findings SHALL be recorded in a tracking system and assigned to owners.
Findings SHALL be prioritized based on severity and context (e.g., exposure, exploitability, business impact).
Remediation SHALL be performed according to defined SLAs based on severity (e.g., Critical, High, Medium, Low).
Exceptions to remediation timelines SHALL require documented risk acceptance by appropriate management.

Required Outputs:

Vulnerability tracking records.
SLA adherence metrics and exception approvals.

4. ROLES AND RESPONSIBILITIES

4.1 Policy Owner

Responsibilities:

Owns this Vulnerability Management Policy.
Ensures integration with Risk Assessment, System and Information Integrity, and Incident Response policies.

4.2 Security Officer / Vulnerability Management Function

Responsibilities:

Coordinate vulnerability scanning, penetration testing, and remediation efforts.
Maintain vulnerability tracking and reporting.

4.3 System Owners

Responsibilities:

Ensure vulnerabilities affecting their systems are assessed and remediated.
Implement configuration and code changes required to address vulnerabilities.

5. PROCEDURES

5.1 Vulnerability Management Lifecycle (High-Level)

Step	Action	Responsible Party	Timeframe
1	Discover assets and define vulnerability scanning scope.	Security Officer, System Owners	During onboarding and periodically
2	Perform vulnerability scanning and penetration testing per schedule.	Security Officer, Third Parties	Per defined cadence
3	Analyze findings, prioritize based on severity and context, and create tracking items.	Security Officer	After each scan/test
4	Remediate vulnerabilities and verify fixes.	System Owners, Engineering	According to SLA
5	Report metrics and review program effectiveness.	Policy Owner, Security Officer	At least annually

6. MONITORING AND COMPLIANCE

Compliance with this policy SHALL be monitored through:

Reviews of vulnerability scan and test results.
Audits of vulnerability tracking records and remediation timelines.

7. EXCEPTIONS AND WAIVERS

Exceptions to this policy SHALL follow the documented exception management process and require appropriate approvals.

8. DEFINITIONS

Vulnerability: A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited.

9. REFERENCES

Risk Assessment Policy and Procedures.
System and Information Integrity Policy and Procedures.
NIST SP 800-53, RA and SI families.

10. DOCUMENT HISTORY

Version	Date	Author	Changes
5.1	Predates version control	Ethan Schmertzler	Aligned Vulnerability Management Policy to POLICY_TEMPLATE and updated control mappings.
5.0	Predates version control	Ethan Schmertzler	Prior Vulnerability Management Policy revision.

11. APPROVAL SIGNATURES

Role	Name	Signature	Date
Policy Owner
Security Officer
Senior Management Representative

APPENDICES

Appendix A: Supporting Vulnerability Management Procedures

Appendix B: Additional Guidance and Examples

Framework Coverage

SOC 2 CC1.2 CC3.1 CC3.3 CC3.4 CC4.1 CC4.2 CC5.1 CC5.2 CC7.1 CC7.2

ISO 27001 A.12.1.1 A.12.7.1 A.18.2.3

NIST 800-53 RA-3 RA-5 RA-7 SI-2 SI-3 SI-5

Last Modified	April 6, 2026 at 12:37 -0400
Author	unknown
Signature	Not signed
Commit	`547bdca` View on GitHub
File History	All changes