Audit and Accountability Policy and Procedures
Internal Use
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 2.0 |
| Cadence | Annual |
| Policy Owner | Chief Information Security Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-1, DCF-10, DCF-11, DCF-12, DCF-13, DCF-15, DCF-16, DCF-17, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-25, DCF-28, DCF-29, DCF-30, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-43, DCF-44, DCF-45, DCF-47, DCF-48, DCF-49, DCF-51, DCF-52, DCF-53, DCF-54, DCF-58, DCF-60, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-96, DCF-99, DCF-100, DCF-134 |
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this policy and procedures document is to define how Dispel generates, protects, reviews, and retains audit records to support accountability, monitoring, investigations, and compliance.
1.2 Scope
This policy applies to:
- Dispel systems and services in scope for the security and compliance program, including the Dispel Zero Trust Engine.
- Logging and audit mechanisms used to support security monitoring and incident response.
- All Covered Persons involved in the design, operation, or review of audit logging and monitoring capabilities.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC2.1, CC2.3, CC4.1, CC7.2 | System operations, change management, logging, monitoring, and incident detection. |
| 2 | ISO/IEC 27001 | A.8.15 | Logging and monitoring of events that may affect information security. |
| 3 | NIST SP 800-53 | AU-1, AU-2, AU-3, AU-3(1), AU-4, AU-5, AU-5(1), AU-5(2), AU-6, AU-6(1), AU-6(3), AU-6(4), AU-6(5), AU-6(6), AU-6(7), AU-7, AU-7(1), AU-8, AU-9, AU-9(2), AU-9(3), AU-9(4), AU-10, AU-11, AU-12, AU-12(1), AU-12(3) | Audit and accountability controls for logging, alerts, reviews, and protection. |
| 4 | IEC 62443 | 62443-2-1.4.3 | Logging and monitoring requirements in industrial automation and control environments. |
| 5 | HIPAA | 164.312(b), 164.316(b)(1), 164.316(b)(2)(i) | Audit controls and documentation requirements for systems handling ePHI. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL generate, protect, and retain audit records sufficient to support accountability, monitoring, investigations, and compliance obligations.
2.3 Secondary Policy Statement
- Audit logging SHALL cover key security and operational events.
- Audit records SHALL be reviewed regularly and used to inform improvements.
3. REQUIREMENTS
3.1 Audit Logging and Review
Objective: Ensure that audit logging is comprehensive and supports monitoring and investigation.
Mandatory Activities:
- Systems that handle sensitive information, manage access control, or impact security SHALL generate audit records sufficient to answer: what action occurred, who performed it, where, when, how, and with what outcome.
- Audit logs SHALL be reviewed at a defined cadence and in response to security events.
- Audit requirements and log retention periods SHALL be documented and approved.
Required Outputs:
- Audit logging standard/configuration.
- Audit review procedures and schedules.
Security Controls: NIST SP 800-53 AU-2, AU-6.
3.2 Protection of Audit Information
Objective: Protect audit records and logging mechanisms from tampering or unauthorized access.
Mandatory Activities:
- Access to audit logs SHALL be restricted to individuals with a business need.
- Audit logs SHALL be stored in a manner that prevents unauthorized modification or deletion.
- Where feasible, audit logs SHALL be centralized and backed up to secure locations.
- Administrative actions (including those by privileged users) SHALL be logged and subject to review.
Required Outputs:
- Access control configurations for audit logs.
- Evidence of centralized logging and protection mechanisms.
Security Controls: NIST SP 800-53 AU-9, AU-11.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner
Responsibilities:
- Owns this Audit and Accountability Policy and Procedures.
- Ensures alignment with the Logging and Monitoring Policy and the Incident Response Policy.
4.2 Security Officer / Monitoring Function
Responsibilities:
- Define audit logging requirements and review schedules.
- Coordinate analysis of audit records and escalation of findings.
4.3 System Owners / Administrators
Responsibilities:
- Ensure audit logging is enabled and configured on relevant systems.
- Support periodic log reviews and investigations.
5. PROCEDURES
5.1 Audit Logging Lifecycle (High-Level)
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Define audit logging requirements and retention periods. | Policy Owner, Security Officer | During system onboarding or significant change |
| 2 | Configure and enable logging on in-scope systems. | System Owners / Administrators | Before production use |
| 3 | Collect, store, and protect audit logs. | Administrators, Security Officer | Ongoing |
| 4 | Review audit logs and escalate findings. | Security Officer / Monitoring Function | Per defined schedule |
| 5 | Use outcomes of reviews to improve controls and procedures. | Policy Owner, Security Officer | Ongoing |
6. MONITORING AND COMPLIANCE
Compliance with this policy SHALL be monitored through:
- Periodic audits of logging configurations and access controls.
- Reviews of audit log samples and associated investigations.
7. EXCEPTIONS AND WAIVERS
Exceptions to this policy SHALL follow the exception process and approval authorities defined in the related Logging and Monitoring Policy and Incident Response Policy.
8. DEFINITIONS
Audit Record: A record of an event relevant to the security or operation of a system.
9. REFERENCES
- Logging and Monitoring Policy.
- Incident Response Policy.
- NIST SP 800-53, AU family.
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 2.0 | Predates version control | Ethan Schmertzler | Aligned Audit and Accountability Policy and Procedures to POLICY_TEMPLATE and updated control mappings. |
| 1.0 | Predates version control | Ethan Schmertzler | Initial Audit and Accountability Policy and Procedures. |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | | | |
| Security Officer | | | |
| Senior Management Representative | | | |