Information System Contingency Plan
Internal Use
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 1.1 |
| Cadence | Annual |
| Policy Owner | CTO |
| Approved By | Chief Executive Officer |
| DCF References | DCF-1, DCF-3, DCF-10, DCF-11, DCF-12, DCF-13, DCF-14, DCF-20, DCF-21, DCF-22, DCF-25, DCF-26, DCF-27, DCF-28, DCF-29, DCF-30, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-45, DCF-46, DCF-47, DCF-48, DCF-49, DCF-51, DCF-52, DCF-53, DCF-54, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-68, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-83, DCF-84, DCF-99, DCF-100, DCF-134 |
1. PURPOSE AND SCOPE
1.1 Purpose
This policy sets the high‑level requirements for Dispel’s Information System Contingency Plans (ISCPs), which provide detailed, system‑specific recovery and reconstitution procedures for covered systems.
1.2 Scope
This policy applies to:
- Systems and services in scope for Dispel’s Information System Contingency Planning, including the Dispel Zero Trust Engine (DZTE) and supporting infrastructure.
- All personnel with roles in planning, maintaining, or executing ISCP procedures.
- Coordination of ISCP activities with Business Continuity, Disaster Recovery, and Incident Response.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC5.3, CC6.1, CC7.2, CC7.5 | Supports Trust Services Criteria related to contingency planning, incident response, and continuity of operations. |
| 2 | ISO/IEC 27001 | A.5.29, A.5.30 | Supports Annex A controls related to information security aspects of business continuity and incident management. |
| 3 | NIST SP 800-53 | CP-2, CP-3, CP-4, CP-6, CP-7, CP-9, CP-10 | Implements Contingency Planning (CP) family expectations for system-specific contingency plans, including recovery and reconstitution. |
| 4 | IEC 62443 | 62443-3-3.SR7.1, 62443-3-3.SR7.2 | Supports industrial cybersecurity requirements for resilience and recovery of IACS and industrial/OT environments. |
| 5 | HIPAA | 164.308(a)(7) | Supports applicable Security Rule contingency planning and data backup requirements when PHI is in scope. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL develop, maintain, and test Information System Contingency Plans for covered systems that define system‑specific recovery and reconstitution procedures and support timely restoration of services following disruptions.
2.3 Secondary Policy Statements
At a minimum, Dispel SHALL:
- Coordinate ISCP activities with Business Continuity, Disaster Recovery, and Incident Response.
- Ensure ISCP content is kept current with system architectures, dependencies, and risk landscape.
- Provide training and exercises for personnel with ISCP responsibilities.
3. REQUIREMENTS
3.1 ISCP Development and Maintenance
Objective: Ensure that each covered system has a current, effective ISCP.
Mandatory Activities:
- Develop and maintain an ISCP for each covered system that:
  - Identifies essential mission and business functions and associated contingency requirements.
  - Provides recovery objectives, restoration priorities, and metrics.
  - Defines roles, responsibilities, and contact information for system-level recovery.
- Review and update each ISCP at least annually and after significant changes to systems, architectures, or operating environments.
Required Outputs:
- Approved ISCP documents and appendices for each covered system.
Security Controls: CP-1, CP-2.
Approval Required: Policy Owner; System Owners; Security Officer.
3.2 Plan Activation, Recovery, and Reconstitution
Objective: Define when and how ISCP procedures are activated and how systems are recovered and returned to normal operations.
Mandatory Activities:
- Define clear criteria and procedures for activating ISCPs in response to disruptive events.
- Document recovery steps for restoring temporary operations and fully reconstituting systems at primary or alternate locations.
- Ensure that security controls and configurations are restored and validated as part of reconstitution.
Required Outputs:
- Activation criteria and step‑by‑step recovery procedures in each ISCP.
- Post‑recovery validation checklists and sign‑offs.
Security Controls: CP-2, CP-10.
Approval Required: System Owners; Security Officer.
3.3 Training and Exercises
Objective: Ensure personnel understand and can execute ISCP procedures.
Mandatory Activities:
- Provide training to personnel with ISCP responsibilities so they understand their roles and tasks.
- Conduct regular exercises (e.g., tabletop and technical tests) to validate ISCP effectiveness.
- Incorporate lessons learned from exercises and real incidents into ISCP updates.
Required Outputs:
- ISCP training records and attendance logs.
- Exercise plans, reports, and after‑action reviews.
Security Controls: CP-3, CP-3(1), CP-4.
Approval Required: Compliance Officer; System Owners.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner
Responsibilities:
- Owns this ISCP policy and ensures it is reviewed and updated at least annually.
- Coordinates with System Owners, Security Officer, and Head of Operations.
4.2 System Owners and Administrators
Responsibilities:
- Ensure system-specific contingency information is accurate and maintained in the ISCP.
- Execute ISCP procedures during activation, recovery, and reconstitution.
4.3 Security and Compliance
Responsibilities:
- Ensure that ISCP content and activities align with broader security and compliance requirements.
- Coordinate ISCP activities with Incident Response and Business Continuity efforts.
5. PROCEDURES
5.1 High‑Level ISCP Procedure
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Maintain detailed, system-specific contingency runbooks for covered systems. | System Owners; Administrators | Ongoing; update with system changes |
| 2 | Conduct regular walkthroughs and tabletop exercises to validate ISCP procedures. | Policy Owner; System Owners; Security Officer | At least annually |
| 3 | Execute ISCP procedures during contingency events and document actions and outcomes. | System Owners; Administrators; Security Officer | During and immediately after event |
| 4 | Perform post-incident reviews and update the ISCP based on lessons learned. | Policy Owner; System Owners; Compliance Officer | Within defined period after event/test |
6. MONITORING AND COMPLIANCE
6.1 Compliance Monitoring
Compliance with this policy SHALL be monitored through:
- Periodic review of ISCP documentation for completeness and currency.
- Review of exercise and incident reports.
- Internal audits of ISCP content and execution.
6.2 Metrics and Reporting
| Metric | Frequency | Owner |
|---|---|---|
| Number of ISCP exercises conducted vs. planned | Annual | Policy Owner |
| Percentage of ISCPs reviewed and updated in last 12 months | Annual | Policy Owner |
6.3 Non-Compliance Consequences
Non‑compliance with this policy may result in:
- Corrective and preventive actions.
- Re‑prioritization of resources to remediate ISCP deficiencies.
- Disciplinary measures up to and including termination.
7. EXCEPTIONS AND WAIVERS
7.1 Exception Process
Exceptions to this policy MUST be documented, justified, and:
- Approved by Executive Management.
- Time‑bound and reviewed periodically.
7.2 Exception Approval Authority
| Risk Level | Approval Authority |
|---|---|
| Low | Policy Owner |
| Medium | Policy Owner and Security Officer |
| High | Policy Owner, Security Officer, and Head of Operations |
| Critical | Executive Management |
8. DEFINITIONS
Information System Contingency Plan (ISCP): A documented set of procedures to recover and restore an information system and its data following a disruption.
Contingency Event: Any event that disrupts normal system operations and may require ISCP activation.
9. REFERENCES
9.1 Internal References
- Business Continuity Plan
- Disaster Recovery Plan
- Contingency Planning Policy and Procedures
- Incident Response Policy
9.2 External References
- NIST SP 800‑34
- NIST SP 800‑53 (CP family)
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2024-08-29 | Christopher DiLorenzo | Initial creation and approval |
| 1.1 | 2025-01-13 | Christopher DiLorenzo | Reviewed for current year and aligned with POLICY_TEMPLATE |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | | | |
| Security Officer | | | |
| Compliance Officer | | | |
END OF POLICY
APPENDICES
Appendix A: System-Specific ISCP Details
System-specific contingency runbooks, role mappings, and test schedules are maintained in the Information System Contingency Plan and its appendices.