Data Protection Policy
Internal Use
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 4.1 |
| Cadence | Annual |
| Policy Owner | Chief Information Security Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-1, DCF-2, DCF-3, DCF-10, DCF-11, DCF-12, DCF-13, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-25, DCF-26, DCF-27, DCF-28, DCF-29, DCF-30, DCF-32, DCF-33, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-43, DCF-44, DCF-45, DCF-46, DCF-47, DCF-48, DCF-49, DCF-51, DCF-52, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-68, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-83, DCF-84, DCF-96, DCF-99, DCF-100, DCF-134 |
1. PURPOSE AND SCOPE
1.1 Purpose
This policy defines requirements and controls for protecting Dispel and customer data against unauthorized access, alteration, disclosure, or destruction.
1.2 Scope
This policy applies to:
- All Dispel-managed production systems that create, receive, store, or transmit customer or company data.
- All environments where Production Data is stored, processed, or transmitted (including SaaS and public cloud providers used by Dispel).
- All personnel with access to Production Data.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC6.1, CC6.6, CC6.7, CC7.2 | Supports Trust Services Criteria related to logical access, least privilege, monitoring, and change management for data protection. |
| 2 | ISO/IEC 27001 | A.5.12, A.5.13, A.5.23, A.8.11 | Supports Annex A controls for policies for information security, access control, identity management, secret authentication information, and secure authentication mechanisms. |
| 3 | NIST SP 800-53 | SC-7, SC-12, SC-13, AU-2, AU-6 | Implements security and audit controls for boundary protection, cryptographic protections, and audit logging. |
| 4 | IEC 62443 | 62443-3-3.SR3.1, 62443-3-3.SR3.2 | Aligns with requirements for identification, authentication, and least-privilege access in industrial control system contexts. |
| 5 | HIPAA | 164.308(a)(1), 164.312(a)(1) | Supports Security Rule implementation specifications for information access management, access control, and technical safeguards when PHI is in scope. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL protect Production Data using technical and organizational measures appropriate to its classification and risk, including access control, encryption, logging, and monitoring.
2.3 Secondary Policy Statements
At a minimum, Dispel SHALL:
- Ensure data is handled and protected according to its classification and applicable encryption standards.
- Avoid mixing data of different classifications in a single repository where feasible; where mixed, controls SHALL be applied at the highest classification level present.
- Restrict direct administrative access to Production Data to approved, time-bound exceptions for activities such as forensic analysis or manual disaster recovery.
- Ensure all Production Systems have appropriate logging and security monitoring enabled.
3. REQUIREMENTS
3.1 Data Protection Governance and Responsibilities
Objective: Establish clear governance for data protection across Production Systems.
Mandatory Activities:
- Production Systems SHALL follow documented security baselines that address access control, logging, encryption, and monitoring.
- Cloud and SaaS providers used by Dispel SHALL be vetted for appropriate security certifications and controls; responsibilities between Dispel and providers SHALL be documented.
- When operating in client-managed environments, Dispel SHALL clarify security responsibilities with the client; ultimate responsibility for those environments remains with the client.
Required Outputs:
- Security baseline documentation for Production Systems.
- Supplier and customer responsibility matrices where applicable.
Security Controls: CC6.x, CC7.x; ISO 27001 A.5.12, A.5.23.
Approval Required: Policy Owner, Security Officer.
3.2 Data at Rest
Objective: Protect data at rest using encryption, retention, and secure storage and disposal practices.
Mandatory Activities:
- All databases, data stores, and file systems containing Production Data SHALL be encrypted in accordance with Dispel’s Encryption Policy.
- Stored data SHALL be categorized, and a retention schedule SHALL be applied in conjunction with Dispel’s Asset Management Policy, Data Classification Policy, and Data Deletion/Retention Policy.
- Storage and disposal decisions SHALL consider authorization, retention periods, technology lifecycle, retrieval needs, and appropriate disposal methods.
Required Outputs:
- Inventory of encrypted data stores.
- Retention schedule and disposal procedures.
Security Controls: SC-12, SC-13; MP-6.
Approval Required: Policy Owner, Security Officer.
3.3 Data in Transit and Messaging
Objective: Protect data in transit and control use of messaging channels.
Mandatory Activities:
- Data in transit SHALL be encrypted end-to-end using approved cryptographic mechanisms and keys managed by Dispel.
- All internet and intranet connections used for Production Data SHALL use strong protocols, key exchange, and ciphers consistent with the Encryption Policy.
- Restricted and sensitive data SHALL NOT be sent over messaging channels (e.g., email, chat) unless encryption is enabled and appropriate safeguards are in place.
- Where external messaging or file-sharing services are used, their use SHALL be approved and documented.
Required Outputs:
- Network and application configuration records documenting encryption in transit.
- Approved list of messaging and collaboration services.
Security Controls: SC-7, SC-12, SC-13.
Approval Required: Security Officer.
3.4 Logging and Monitoring
Objective: Ensure that access to and operations on Production Data are logged and monitored.
Mandatory Activities:
- Systems that handle confidential information, accept network connections, or make access-control decisions SHALL record audit logs sufficient to answer who did what, where, when, how, and with what outcome.
- Logged events SHALL include, at a minimum: changes to confidential data, authentication events, access-right changes, key system configuration changes, application lifecycle events, and security-relevant events.
- Logs SHALL contain standardized identifiers, timestamps, and status codes and SHALL be protected against tampering.
- System clocks SHALL be synchronized using an approved time source to support accurate logging.
Required Outputs:
- Log configuration standards and retained logs.
- Time synchronization configuration.
Security Controls: AU-2, AU-6; CC7.2.
Approval Required: Security Officer.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner
Responsibilities:
- Owns this Data Protection Policy.
- Reviews and updates the policy at least annually.
- Monitors key metrics related to data protection incidents and control effectiveness.
4.2 Security Officer
Responsibilities:
- Oversees implementation and enforcement of data protection controls.
- Coordinates incident response related to data protection failures or breaches.
- Ensures alignment with related policies (Encryption, Data Classification, Data Retention, Access Control).
4.3 Engineering / Operations
Responsibilities:
- Implement encryption, logging, and monitoring configurations.
- Maintain system baselines for Production Systems.
- Review and respond to security alerts related to data protection.
4.4 All Personnel
Responsibilities:
- Handle data according to classification and this policy.
- Use approved tools and channels for storing and transmitting Production Data.
- Report suspected data protection issues or incidents promptly.
5. PROCEDURES
5.1 High-Level Data Protection Procedure
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Identify Production Systems and data stores and apply appropriate security baselines. | Engineering / Operations | During system onboarding and significant changes |
| 2 | Configure encryption, access control, logging, and monitoring according to this policy and related policies. | Engineering / Operations | During deployment and configuration changes |
| 3 | Review logs and alerts and respond to anomalies or suspected incidents. | Security Officer; Engineering / Operations | Ongoing |
| 4 | Periodically review data protection controls and update baselines and configurations as needed. | Policy Owner; Security Officer | At least annually |
6. MONITORING AND COMPLIANCE
6.1 Compliance Monitoring
Compliance with this policy SHALL be monitored through:
- Configuration reviews of Production Systems.
- Regular review of logging and monitoring outputs.
- Internal audits comparing implemented controls to this policy and related policies.
6.2 Metrics and Reporting
| Metric | Frequency | Owner |
|---|---|---|
| Number of data-protection-related incidents | Quarterly | Security Officer |
| Percentage of Production Systems meeting baseline configurations | Annually | Engineering / Operations |
6.3 Non-Compliance Consequences
Violations of this policy may result in:
- Corrective and preventive actions.
- Disciplinary measures up to and including termination.
- Additional technical or procedural remediation.
7. EXCEPTIONS AND WAIVERS
7.1 Exception Process
Exceptions to this policy SHALL:
- Be submitted in writing by the requesting party.
- Include detailed justification and business impact.
- Describe compensating controls or mitigation measures.
- Define exception duration and remediation plan.
7.2 Exception Approval Authority
| Risk Level | Approval Authority |
|---|---|
| Low | Policy Owner |
| Medium | Policy Owner and Security Officer |
| High | Policy Owner, Security Officer, and Compliance Officer |
| Critical | Executive Management |
8. DEFINITIONS
Production Data: Customer or company data processed by Dispel’s production systems.
Production System: Any system that processes, stores, or transmits live Dispel or customer data.
9. REFERENCES
9.1 Internal References
- Encryption Policy
- Data Classification Policy
- Data Retention / Deletion Policy
- Access Control Policy
9.2 External References
- SOC 2 Trust Services Criteria
- ISO/IEC 27001 Annex A.5.12, A.5.13, A.5.23, A.8.11
- NIST SP 800-53 (SC and AU families)
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2022-01-13 | Ethan Schmertzler | Initial Creation |
| 2.0 | 2022-01-24 | Ethan Schmertzler | Approved |
| 3.0 | 2023-01-20 | Ethan Schmertzler | Annual review and updates |
| 4.0 | 2024-01-09 | Ethan Schmertzler | Annual review and updates |
| 4.1 | 2025-01-14 | Ethan Schmertzler | Annual review and updates |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | | | |
| Security Officer | | | |
| Compliance Officer | | | |
END OF POLICY
January 12, 2025 January 14, 2025 January 14, 2025 Ethan Schmertzler Ethan Schmertzler Ethan Schmertzler