System and Services Acquisition Policy and Procedures
Internal Use
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 1.1 |
| Cadence | Annual |
| Policy Owner | Chief Operating Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-1, DCF-4, DCF-5, DCF-6, DCF-12, DCF-13, DCF-15, DCF-16, DCF-17, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-31, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-45, DCF-47, DCF-48, DCF-49, DCF-55, DCF-56, DCF-57, DCF-58, DCF-62, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-99, DCF-100, DCF-101, DCF-134 |
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this policy and procedures document is to define how Dispel acquires systems and services, ensuring that security, privacy, and supply chain risks are addressed throughout the acquisition lifecycle.
1.2 Scope
This policy applies to:
- All acquisitions of systems and services that support Dispel operations, including cloud services, software, hardware, and managed services.
- Acquisitions related to Dispel’s FedRAMP systems (e.g., the Dispel Zero Trust Engine) as well as other systems within the information security program.
- All Covered Persons involved in evaluating, approving, and managing system and service acquisitions.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC3.1, CC3.2 | Risk assessment and mitigation related to acquisitions and third-party services. |
| 2 | ISO/IEC 27001 | A.5.19, A.5.20 | Information security in supplier relationships (A.5.19) and addressing information security within supplier agreements (A.5.20). |
| 3 | NIST SP 800-53 | SA-1, SA-2, SA-4, SA-5, SA-9, SA-10, SA-11, SA-15, SA-16, SA-17, SA-21, SA-22 | System and services acquisition policy and procedures, allocation of resources, acquisition process, system documentation, external system services, developer configuration management and testing, development process and tooling, developer-provided training, developer security and privacy architecture, developer screening, and unsupported system components. |
| 4 | IEC 62443 | 62443-2-4 | Security requirements for service providers in industrial automation and control systems. |
| 5 | HIPAA | 164.308(a)(1) | Risk management for acquisitions that impact systems with ePHI. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO/IEC 27001, IEC 62443, HIPAA, and NIST SP 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL ensure that system and service acquisitions include appropriate security and privacy requirements and that acquired systems and services are assessed and managed for risk.
2.3 Secondary Policy Statement
- Acquisition activities SHALL consider lifecycle costs, including security controls, monitoring, and decommissioning.
- External system services SHALL be governed by appropriate contracts and oversight.
3. REQUIREMENTS
3.1 Acquisition Governance
Objective: Establish governance for system and services acquisition.
Mandatory Activities:
- The Policy Owner SHALL own this policy and associated procedures and ensure they are reviewed at least annually.
- Acquisition roles and responsibilities (e.g., Procurement, Security, Legal, System Owners) SHALL be defined and communicated.
- This policy and its procedures SHALL be disseminated to Covered Persons involved in acquisition; review, acceptance, and acknowledgement SHALL be required initially and at least annually thereafter.
Required Outputs:
- Approved acquisition policy and procedures.
- Records of acknowledgements for relevant roles.
Security Controls: NIST SP 800-53 SA-1, SA-2.
3.2 Acquisition Requirements and Process
Objective: Ensure acquisitions reflect security and privacy requirements.
Mandatory Activities:
- For each acquisition, Dispel SHALL define functional, security, and privacy requirements.
- Requests for proposal (RFPs), contracts, or equivalent documents SHALL include relevant requirements and evaluation criteria.
- Risk assessments SHALL be conducted for significant acquisitions, considering suppliers' control environments and C-SCRM concerns.
Required Outputs:
- Documented acquisition requirements.
- Acquisition risk assessments and decisions.
Security Controls: NIST SP 800-53 SA-4, SA-5.
3.3 External System Services and Developer Responsibilities
Objective: Manage risks related to external services and development activities.
Mandatory Activities:
- External system services (e.g., cloud services, managed services) SHALL be governed by contracts that define security and privacy responsibilities.
- For acquisition of development services or components, Dispel SHALL ensure developers follow secure development practices and provide appropriate documentation, testing, and training as applicable.
- Criticality analyses MAY be performed to identify components or services requiring heightened scrutiny.
Required Outputs:
- Contracts and statements of work with security and privacy clauses.
- Documentation of developer security responsibilities and deliverables.
Security Controls: NIST SP 800-53 SA-9, SA-10, SA-11, SA-15, SA-16, SA-17, SA-21, SA-22.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner
Responsibilities:
- Owns this System and Services Acquisition Policy and Procedures.
- Ensures integration with risk management, vendor management, and supply chain policies.
- Coordinates periodic reviews and updates.
4.2 Procurement / Acquisition Teams
Responsibilities:
- Coordinate acquisition activities and ensure requirements are captured.
- Maintain inventories of acquired systems and services.
- Work with Security, Legal, and System Owners throughout the acquisition lifecycle.
4.3 Security Officer
Responsibilities:
- Provide input on acquisition security requirements and evaluation criteria.
- Review risk assessments and supplier security posture for significant acquisitions.
4.4 System Owners
Responsibilities:
- Define system-specific requirements and constraints.
- Participate in evaluation and selection of systems and services.
- Ensure acquired systems and services are integrated in line with this policy.
5. PROCEDURES
5.1 Acquisition Lifecycle (High-Level)
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Identify business and technical need for system or service. | System Owners, Procurement | During planning |
| 2 | Define functional, security, and privacy requirements. | System Owners, Security Officer, Policy Owner | Before vendor engagement |
| 3 | Conduct market research, evaluations, and risk assessments. | Procurement, Security Officer | Before selection |
| 4 | Negotiate and execute contracts with appropriate clauses. | Procurement, Legal, Policy Owner | Before implementation |
| 5 | Integrate acquired systems and services following SDLC and change processes. | System Owners, Engineering, DevOps | During implementation |
| 6 | Review acquisitions periodically for continued suitability and risk. | Policy Owner, System Owners | Ongoing |
6. MONITORING AND COMPLIANCE
6.1 Compliance Monitoring
Compliance with this policy SHALL be monitored through:
- Reviews of acquisition documentation, contracts, and risk assessments.
- Audits of external system services and their performance against requirements.
- Incident reviews related to acquired systems and services.
6.2 Metrics and Reporting
The following metrics SHALL be tracked and reported at least annually to the Policy Owner and senior management:
| Metric | Frequency | Owner |
|---|---|---|
| Percentage of significant acquisitions with documented security and privacy requirements | Annual | Procurement |
| Number of acquisition-related incidents and remediation status | Quarterly | Security Officer |
6.3 Non-Compliance Consequences
Failure to comply with this policy and procedures may result in:
- Increased exposure to risks from acquired systems and services.
- Revocation or restriction of access for Covered Persons who repeatedly fail to follow acquisition procedures.
- Disciplinary action for employees and contractors, consistent with Dispel HR policies and applicable law.
7. EXCEPTIONS AND WAIVERS
7.1 Exception Process
Exceptions to this policy SHALL:
- Be submitted in writing by the requesting party.
- Identify the specific policy or procedural requirements for which an exception is sought.
- Include justification and business impact.
- Describe compensating controls or mitigation measures.
- Define exception duration and remediation plan.
7.2 Exception Approval Authority
| Risk Level | Approval Authority |
|---|---|
| Low | Policy Owner |
| Medium | Policy Owner and Security Officer |
| High | Policy Owner, Security Officer, and Senior Management representative |
| Critical | Senior Management representative in consultation with Policy Owner and Security Officer |
8. DEFINITIONS
Acquisition: The process of procuring systems, services, or components to support Dispel operations.
External System Service: A service provided by an external provider that is integrated with or relied upon by Dispel systems.
9. REFERENCES
9.1 Internal References
- Risk Assessment Policy and Procedures.
- Vendor Management Policy.
- System Supply Chain Risk Management Policy and Procedures.
9.2 External References
- NIST SP 800-53, SA family.
- ISO/IEC 27001 and ISO/IEC 27036 series.
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.1 | Predates version control | Ethan Schmertzler | Aligned System and Services Acquisition Policy and Procedures to POLICY_TEMPLATE and updated control mappings. |
| 1.0 | Predates version control | Ethan Schmertzler | Initial System and Services Acquisition Policy and Procedures. |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | | | |
| Security Officer | | | |
| Senior Management Representative | | | |
APPENDICES
Appendix A: Supporting Acquisition Procedures
This appendix may include:
- Acquisition checklists and templates.
- Sample RFP and contract language.
Appendix B: Additional Guidance and Examples
This appendix may include:
- Example acquisition scenarios and lessons learned.
- References to industry best practices for system and services acquisition.