Incident Response Policy
Internal Use
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 1.0 |
| Cadence | Annual |
| Policy Owner | Chief Information Security Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-12, DCF-13, DCF-18, DCF-19, DCF-21, DCF-22, DCF-23, DCF-24, DCF-25, DCF-26, DCF-27, DCF-28, DCF-29, DCF-30, DCF-32, DCF-33, DCF-35, DCF-36, DCF-37, DCF-38, DCF-39, DCF-40, DCF-47, DCF-48, DCF-49, DCF-51, DCF-52, DCF-55, DCF-56, DCF-57, DCF-58, DCF-68, DCF-72, DCF-73, DCF-80, DCF-81, DCF-82, DCF-99, DCF-100, DCF-101, DCF-134 |
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this policy is to define how Dispel prepares for, detects, analyzes, responds to, and recovers from security incidents.
1.2 Scope
This policy applies to:
- All Dispel workforce members and external parties (“Users”) who access or support Dispel systems and services.
- All environments supporting Dispel services, including the Dispel Zero Trust Engine (DZTE) and related infrastructure.
- All information systems and data assets in scope for Dispel’s security and compliance program.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC5.3, CC7.2, CC7.3, CC7.4 | Incident response governance, monitoring, testing, and communication. |
| 2 | ISO/IEC 27001 | A.5.29, A.5.30, A.5.31, A.16.1.1, A.16.1.2 | Information security incident management and coordination. |
| 3 | NIST SP 800-53 | IR-1, IR-2, IR-2(1), IR-2(2), IR-3, IR-3(2), IR-4, IR-4(1), IR-4(2), IR-4(4), IR-4(6), IR-4(11), IR-5, IR-5(1), IR-6, IR-6(1), IR-6(3), IR-7, IR-7(1), IR-8, IR-9, IR-9(2), IR-9(3), IR-9(4) | Preparation, training, testing, handling, monitoring, reporting, and plan maintenance. |
| 4 | IEC 62443 | 62443-2-1.4.3, 62443-3-3.SR6.1, 62443-3-3.SR6.2 | Incident detection, response, and recovery in industrial automation and control systems. |
| 5 | HIPAA | 164.308(a)(1), 164.308(a)(6), 164.308(a)(7) | Security management processes, incident procedures, and contingency planning for ePHI. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL establish, maintain, and continually improve an incident response capability that:
- Detects, analyzes, contains, eradicates, and recovers from security incidents in a timely manner.
- Coordinates with disaster recovery and contingency planning activities.
- Satisfies applicable regulatory and contractual requirements for incident response and reporting.
2.3 Secondary Policy Statement
- Incident response plans and procedures SHALL be documented, approved, and tested.
- Incidents and lessons learned SHALL be documented and used to improve controls and procedures.
3. REQUIREMENTS
3.1 Governance and Coverage
Objective: Define who is covered by this policy and how it is governed.
Mandatory Activities:
- All workforce members and external parties who access or support Dispel systems SHALL be treated as Covered Persons for incident response purposes.
- Covered Persons SHALL review, accept, and acknowledge this document prior to being granted access and at least annually thereafter.
- The Policy Owner SHALL review and, where necessary, update this policy and associated procedures at least annually and following significant changes.
Required Outputs:
- Current list of Covered Persons.
- Records of annual policy acknowledgements.
- Evidence of annual policy review and updates.
Security Controls: NIST SP 800-53 IR-1.
3.2 Training and Awareness
Objective: Ensure personnel are trained to fulfill incident response roles and responsibilities.
Mandatory Activities:
- The incident response training program SHALL be maintained and kept up to date.
- Personnel assigned to incident response roles SHALL complete role-appropriate training within a defined time after assuming the role, and at least annually.
- The training program SHOULD include simulated events or exercises where feasible.
Required Outputs:
- Incident response training curriculum and schedule.
- Training completion records for covered personnel.
Security Controls: NIST SP 800-53 IR-2.
3.3 Testing, Exercises, and Coordination
Objective: Validate the effectiveness of incident response capabilities.
Mandatory Activities:
- Incident response capabilities SHALL be tested at a defined cadence (e.g., at least annually).
- Testing SHALL be coordinated with disaster recovery and contingency planning teams.
- Test results and lessons learned SHALL be documented and used to update the incident response plan, procedures, and training.
Required Outputs:
- Incident response test plans and results.
- Documented lessons learned and follow-up actions.
Security Controls: NIST SP 800-53 IR-3.
3.4 Incident Handling and Monitoring
Objective: Ensure consistent and effective handling of incidents.
Mandatory Activities:
- Dispel SHALL maintain an incident handling process aligned with the Incident Response Plan, including preparation, detection and analysis, containment, eradication, and recovery.
- Monitoring and logging capabilities SHALL support incident detection and investigation.
- Incidents SHALL be categorized, prioritized, and tracked through resolution.
Required Outputs:
- Incident handling procedures.
- Incident records and tracking artifacts.
Security Controls: NIST SP 800-53 IR-4, IR-5, IR-6.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner
Responsibilities:
- Owns this Incident Response Policy.
- Ensures integration with logging, vulnerability management, and business continuity policies.
4.2 Incident Response Lead / Team
Responsibilities:
- Coordinate incident response activities.
- Maintain the incident response plan and related procedures.
- Report on incident metrics and trends.
4.3 System Owners
Responsibilities:
- Support detection and analysis of incidents affecting their systems.
- Implement containment, eradication, and recovery actions as directed.
5. PROCEDURES
5.1 Incident Response Lifecycle (High-Level)
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Detect and report suspected incidents. | All Covered Persons | As soon as practicable |
| 2 | Triage, categorize, and prioritize incidents. | Incident Response Team | Upon report |
| 3 | Contain, eradicate, and recover from incidents. | Incident Response Team, System Owners | As required by severity |
| 4 | Document incidents, root causes, and lessons learned. | Incident Response Team | After incident closure |
| 5 | Update controls, procedures, and training based on lessons learned. | Policy Owner, Security Officer | As needed |
6. MONITORING AND COMPLIANCE
Compliance with this policy SHALL be monitored through:
- Reviews of incident records and post-incident reports.
- Audits of incident response testing and training activities.
7. EXCEPTIONS AND WAIVERS
Exceptions to this policy SHALL follow the documented exception management process and require appropriate approvals.
8. DEFINITIONS
Incident: An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system, or constitutes a violation or imminent threat of violation of law, security policies, or acceptable use policies.
9. REFERENCES
- NIST SP 800-61, Computer Security Incident Handling Guide.
- NIST SP 800-53, IR family.
- Business Continuity and Disaster Recovery plans.
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.1 | Predates version control | Ethan Schmertzler | Aligned Incident Response Policy to POLICY_TEMPLATE and updated control mappings. |
| 1.0 | Predates version control | Ethan Schmertzler | Initial Incident Response Policy. |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | | | |
| Security Officer | | | |
| Senior Management Representative | | | |