System Media Protection Policy and Procedures

Version: 1.2 approved

Internal Use

Dispel

Document Control

Item           | Details
Version        | 1.0
Cadence        | Annual
Policy Owner   | Chief Information Security Officer
Approved By    | Chief Executive Officer
DCF References | DCF-3, DCF-10, DCF-11, DCF-12, DCF-13, DCF-20, DCF-32, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-45, DCF-46, DCF-47, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-99, DCF-100, DCF-134

1. PURPOSE AND SCOPE

1.1 Purpose

This policy and procedures document defines how Dispel protects media that contains company or customer information, with particular focus on flash drives and other digital media used in the deployment and operation of the Dispel Zero Trust Engine.

1.2 Scope

This document applies to:

  • All digital media (e.g., flash drives, removable storage) used in connection with Dispel systems.
  • Any physical handling, storage, transport, sanitization, and disposal of such media.
  • All workforce members and contractors involved in deployment or maintenance activities that use removable media.

The Dispel Zero Trust Engine does not use non-digital media; all relevant media is electronic.

1.3 Regulatory and Framework Alignment

# | Framework / Standard | Relevant Control IDs               | Alignment Notes
1 | SOC 2                | CC6.5, CC8.1                       | Supports logical and physical safeguards for data on removable media and backups.
2 | ISO/IEC 27001        | A.8.11, A.8.12, A.8.13             | Covers secure information storage, backup, and transfer on media.
3 | NIST SP 800-53       | MP-1, MP-2, MP-3, MP-4, MP-5, MP-6 | Media protection family: access, marking, storage, transport, and sanitization.
4 | IEC 62443            | 62443-3-3 SR 2.1                   | Ensures integrity and confidentiality of information stored and transferred on system media.
5 | HIPAA                | 164.310(d)(2)                      | Device and media controls, including disposal and reuse of media that may contain ePHI.

2. POLICY STATEMENTS

2.1 Dispel SHALL restrict access to and use of digital media containing sensitive or customer data to authorized personnel only.

2.2 Dispel SHALL protect media throughout its lifecycle—from creation and storage through transport, sanitization, and disposal—to prevent unauthorized disclosure or loss of information.

2.3 The use of removable media for purposes other than approved deployment or maintenance activities is prohibited.


3. REQUIREMENTS

3.1 Media Access

  • Only authorized personnel designated by the Head of Operations or System Administrator MAY access or use flash drives and other digital media associated with Dispel systems.
  • Media used in deployment processes (e.g., imaging Wicket ESI components) SHALL be stored in a secure location (e.g., a locked safe) with access limited to authorized personnel.

3.2 Media Marking

  • Digital media used for FedRAMP-related or other regulated deployments MUST be marked in accordance with Dispel’s data classification scheme (e.g., “Confidential External FedRAMP”).
  • Markings SHOULD make clear the sensitivity and handling requirements of the media.

3.3 Media Storage

  • Inventory of all deployment-related flash drives and similar media SHALL be maintained.
  • When not in use, such media MUST be stored in a physically secure container (e.g., a GSA-approved or equivalent safe) in a Dispel-controlled facility.
  • If ownership of media is transferred to a customer, Dispel’s inventory SHALL be updated and the customer assumes responsibility for ongoing protection.

3.4 Media Transport

  • Media MUST NOT be removed from Dispel offices except when explicitly required for customer deployment or maintenance.
  • When shipped to a customer, media SHALL:
    • Be sent using a tracked courier service via a Dispel account.
    • Be packaged in a tamper-evident manner.
    • Have shipping and approval details documented in deployment records.
  • At least two individuals SHALL approve each shipment of media to a customer.

3.5 Media Sanitization and Disposal

  • When media is no longer needed, or prior to reuse, it MUST be sanitized using methods aligned with industry standards (e.g., NIST SP 800-88) appropriate to the information sensitivity.
  • Sanitization actions SHALL be logged (e.g., media ID, date, method, personnel involved).
  • If physical destruction is used, it MUST render data recovery infeasible.

3.6 Media Use

  • Acceptable uses of media are limited to deployment and maintenance scenarios explicitly authorized by the Head of Operations or System Administrator.
  • Any other use of removable media on Dispel systems (e.g., ad hoc file transfer, personal storage) is prohibited.

4. ROLES AND RESPONSIBILITIES

  • Head of Operations – Policy Owner; ensures these procedures are followed and updated.
  • System Administrator / Operations Staff – Maintain media inventory, manage storage, transport, and sanitization, and ensure logs are complete.
  • Compliance Officer – Periodically reviews adherence to this policy and coordinates with external audit requirements.
  • All Authorized Personnel – Handle media in accordance with this policy, including secure storage, transport, and reporting of incidents.

5. PROCEDURES

5.1 The Head of Operations MAY maintain detailed standard operating procedures that elaborate on:

  • Step-by-step imaging processes using flash drives.
  • How to update and reconcile media inventory.
  • Specific sanitization tools and commands to be used for different media types.

5.2 FedRAMP-specific narratives for MP family controls for the Dispel Zero Trust Engine SHALL be kept in the FedRAMP documentation set and referenced from this policy as necessary.


6. MONITORING AND COMPLIANCE

  • Compliance with this policy MAY be evaluated through:
    • Periodic inventory reviews.
    • Inspection of storage locations.
    • Review of shipment and sanitization records.
  • Deviations or suspected loss/theft of media SHALL be reported promptly to the Security Officer and treated as security incidents under the Incident Response Policy.

7. EXCEPTIONS AND WAIVERS

  • Any exception to this policy MUST be documented, justified, time-bound, and approved by the Head of Operations and Compliance Officer.
  • Long-term or structural changes to media handling practices SHALL be reflected in an updated version of this policy.

8. DEFINITIONS

  • Media – Any digital storage device including flash drives, removable drives, and similar devices that can contain company or customer data.
  • Sanitization – A process that renders data on media irretrievable by ordinary or advanced recovery methods.

9. REFERENCES

  • Dispel Data Classification and Protection Policies.
  • Dispel Asset Management Policy.
  • Dispel Incident Response Policy.
  • NIST SP 800-88, “Guidelines for Media Sanitization”.

10. DOCUMENT HISTORY

Version | Date       | Editor       | Description of Changes
1.1     | 2024-11-19 | Dean Macris  | Prior FedRAMP-focused media protection procedures.
1.2     | 2026-01-19 | Agent (Warp) | Rewritten to conform to POLICY_Template with explicit 1.3 mappings and clarified media lifecycle.

11. APPROVAL SIGNATURES

Role / Title       | Name | Signature | Date
Head of Operations | TBD  |           |
Compliance Officer | TBD  |           |

APPENDICES

(Intentionally left blank at this time. Detailed media handling checklists and imaging instructions are maintained in separate deployment runbooks.)

Document Provenance

Last Modified | April 3, 2026 at 16:04 -0400
Author        | unknown
Signature     | Not signed
Commit        | 547bdca