Contingency Planning Policy and Procedures

Version: 1.1 approved
Download PDF Controlled copy — valid on date of download only

Internal Use

Contingency Planning Policy and Procedures

Dispel

Document Control

ItemDetails
Version1.1
CadenceAnnual
Policy OwnerChief Operating Officer
Approved ByChief Executive Officer
DCF ReferencesDCF-1, DCF-3, DCF-12, DCF-13, DCF-14, DCF-20, DCF-21, DCF-22, DCF-25, DCF-26, DCF-27, DCF-28, DCF-29, DCF-30, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-45, DCF-46, DCF-48, DCF-49, DCF-51, DCF-52, DCF-53, DCF-54, DCF-55, DCF-56, DCF-57, DCF-68, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82

1. PURPOSE AND SCOPE

1.1 Purpose

This policy defines Dispel’s approach to Contingency Planning, including requirements for developing, maintaining, and testing the Information System Contingency Plan (ISCP) and related contingency procedures.

1.2 Scope

This policy applies to:

  • The information security program of the entire Dispel organization.
  • Systems and services that support Dispel’s mission and business functions, including FedRAMP systems where applicable (e.g., the Dispel Zero Trust Engine).
  • All personnel with roles or responsibilities related to contingency planning, testing, and execution.

1.3 Regulatory and Framework Alignment

#Framework / StandardRelevant Control IDsAlignment Notes
1SOC 2CC5.3, CC6.1, CC7.2, CC7.5Supports Trust Services Criteria related to continuity of operations, incident response, and change management.
2ISO/IEC 27001A.5.29, A.5.30Supports Annex A controls for information security aspects of business continuity and incident management.
3NIST SP 800-53CP-1, CP-2, CP-3, CP-4, CP-6, CP-7, CP-8, CP-9, CP-10Implements Contingency Planning (CP) controls for contingency planning policy, plan development, training, testing, alternate processing and storage, telecommunications, backup, and recovery.
4IEC 6244362443-3-3.SR7.1, 62443-3-3.SR7.2Aligns with requirements for resilience and recovery of industrial control systems.
5HIPAA164.308(a)(7)Supports Security Rule contingency planning requirements when PHI is in scope.

2. POLICY STATEMENTS

2.1 Management Commitment

Management Commitment Statement

Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:

  • Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
  • Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
  • Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
  • Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.

2.2 Primary Policy Statement

Dispel SHALL maintain, implement, and periodically test Contingency Planning policies and procedures that support timely restoration and continuity of mission and business functions in alignment with NIST SP 800‑53 Contingency Planning (CP) controls.

2.3 Secondary Policy Statements

At a minimum, Dispel SHALL:

  • Develop and maintain an Information System Contingency Plan (ISCP) for in‑scope systems.
  • Coordinate Contingency Planning with Business Continuity, Disaster Recovery, and Incident Response plans.
  • Provide role‑appropriate training and exercises for personnel with contingency responsibilities.
  • Review and update contingency policies and plans at least annually and after significant changes or incidents.

3. REQUIREMENTS

3.1 Contingency Plan Development and Maintenance

Objective: Ensure that Dispel maintains a current, effective Information System Contingency Plan.

Mandatory Activities:

  1. Develop and maintain an ISCP that:
    • Identifies essential mission and business functions and associated contingency requirements.
    • Provides recovery objectives, restoration priorities, and metrics.
    • Defines contingency roles, responsibilities, and contact information.
    • Addresses maintaining essential functions during system disruption and full restoration.
  2. Review and approve the ISCP at least annually and after significant changes.
  3. Protect the ISCP against unauthorized access or disclosure in approved documentation repositories.

Required Outputs:

  • Current, approved ISCP and associated appendices.

Security Controls: CP-1, CP-2.

Approval Required: Head of Operations; CTO; COO.

Objective: Align contingency activities with Business Continuity, Disaster Recovery, and Incident Response.

Mandatory Activities:

  1. Develop and revise the ISCP as part of broader reviews of Business Continuity, Disaster Recovery, and Incident Response plans.
  2. Ensure that drills and exercises involving any of these plans are coordinated and, where appropriate, executed jointly.

Required Outputs:

  • Records of coordinated plan reviews and joint exercises.

Security Controls: CP-2(1), CP-4(1).

Approval Required: Head of Operations; Compliance Officer.

3.3 Training and Testing

Objective: Ensure personnel are trained and contingency plans are regularly tested.

Mandatory Activities:

  1. Provide role- and responsibility‑aligned training on the ISCP to relevant personnel within defined timeframes (e.g., within 10 days of assuming a privileged role on a FedRAMP system and at least annually thereafter).
  2. Conduct simulated events and functional tests (tabletop and technical) at least annually, and more frequently as required by regulation or risk.
  3. Document test scenarios, results, and corrective actions.

Required Outputs:

  • Training records and attendance logs.
  • Test plans, reports, and after‑action reviews.

Security Controls: CP-3, CP-3(1), CP-4.

Approval Required: Compliance Officer; Head of Operations.

3.4 Alternate Sites, Telecommunications, and Backup

Objective: Ensure alternate processing and storage sites, telecommunications, and backup capabilities support contingency objectives.

Mandatory Activities:

  1. Establish and maintain alternate processing and storage sites with controls equivalent to the primary environment, consistent with RTO/RPO commitments.
  2. Ensure alternate sites and telecommunications services are sufficiently separated from primary sites to reduce shared risks and single points of failure.
  3. Ensure system backup, testing, integrity checks, and secure storage are implemented in accordance with the Backup Policy and CP‑9/10.

Required Outputs:

  • Documentation of alternate sites and telecommunications arrangements.
  • Backup and restore test reports.

Security Controls: CP-6, CP-6(1), CP-6(2), CP-6(3), CP-7, CP-7(1)–CP-7(4), CP-8, CP-8(1)–CP-8(4), CP-9, CP-9(1)–CP-9(3), CP-9(5), CP-9(8), CP-10, CP-10(2), CP-10(4).

Approval Required: Head of Operations; Development Operations Lead.

4. ROLES AND RESPONSIBILITIES

4.1 Policy Owner (Head of Operations)

Responsibilities:

  • Manage development, documentation, and dissemination of this policy and associated procedures.
  • Ensure periodic review and update of Contingency Planning documents.

4.2 Compliance Officer

Responsibilities:

  • Ensure training and testing requirements are met and properly evidenced.
  • Coordinate internal audits of Contingency Planning controls.

4.3 Development Operations Lead and Engineering/Operations

Responsibilities:

  • Implement technical aspects of contingency measures (alternate sites, backup, recovery scripts, etc.).
  • Participate in contingency plan testing and exercises.

5. PROCEDURES

5.1 High‑Level Contingency Planning Procedure

StepActionResponsible PartyTimeframe
1Develop and maintain the ISCP and related contingency documentation.Head of Operations; Compliance OfficerAt least annually and after significant changes
2Coordinate ISCP with Business Continuity, Disaster Recovery, and Incident Response plans.Head of Operations; Security OfficerDuring plan updates and prior to major exercises
3Plan and conduct contingency training and exercises (tabletop and technical).Compliance Officer; Development Operations LeadAt least annually
4Capture lessons learned and update plans, procedures, and training content.Head of Operations; Compliance OfficerAfter each exercise or real incident

6. MONITORING AND COMPLIANCE

6.1 Compliance Monitoring

Compliance with this policy SHALL be monitored through:

  • Review of the ISCP and associated documentation for completeness and currency.
  • Verification that CP training and testing occur at the required tempos and are documented.
  • Periodic internal audits comparing implemented capabilities to CP control requirements.

6.2 Metrics and Reporting

MetricFrequencyOwner
Completion rate of required contingency trainingAnnualCompliance Officer
Number of contingency tests performed vs. plannedAnnualHead of Operations

6.3 Non-Compliance Consequences

Non‑compliance with this policy may result in:

  • Corrective and preventive actions.
  • Re‑prioritization of resources to remediate contingency gaps.
  • Disciplinary measures up to and including termination.

7. EXCEPTIONS AND WAIVERS

7.1 Exception Process

Exceptions to this policy MUST:

  1. Be documented and justified.
  2. Be approved by the Policy Owner and, where appropriate, Executive Management.
  3. Be time‑bound and subject to periodic review.

7.2 Exception Approval Authority

Risk LevelApproval Authority
LowPolicy Owner
MediumPolicy Owner and Compliance Officer
HighPolicy Owner, Compliance Officer, and Head of Operations
CriticalExecutive Management

8. DEFINITIONS

Contingency Planning: Activities and processes for preparing for, responding to, and recovering from disruptive events affecting information systems and business processes.

Information System Contingency Plan (ISCP): A documented set of procedures to recover and restore an information system and its data following a disruption.

9. REFERENCES

9.1 Internal References

  • Information System Contingency Plan (ISCP)
  • Business Continuity Plan
  • Disaster Recovery Plan
  • Backup Policy
  • Incident Response Policy

9.2 External References

  • NIST SP 800‑34, Contingency Planning Guide for Federal Information Systems
  • NIST SP 800‑53 (CP family)
  • ISO/IEC 27001 Annex A.17

10. DOCUMENT HISTORY

VersionDateAuthorChanges
1.02022-01-13Ethan SchmertzlerInitial creation and approval
1.12025-01-10Stefan KristensenAnnual review and alignment with POLICY_TEMPLATE

11. APPROVAL SIGNATURES

RoleNameSignatureDate
Policy Owner
Security Officer
Compliance Officer

END OF POLICY

APPENDICES

Appendix A: Detailed Contingency Planning Requirements and Role Mapping

Detailed CP control mappings, role matrices, and procedural content are maintained in the Information System Contingency Plan and associated appendices.

Framework Coverage

SOC 2 CC5.3 CC6.1 CC7.2 CC7.5
ISO 27001 A.5.29 A.5.30
NIST 800-53 CP-1 CP-10 CP-2 CP-3 CP-4 CP-6 CP-7 CP-8 CP-9

Document Provenance

Last ModifiedApril 3, 2026 at 16:04 -0400
Authorunknown
Signature Not signed
Commit547bdca View on GitHub
File HistoryAll changes