Contingency Plan Testing & Revision Procedure Policy (Addressable)

Goal: Implement procedures for periodic testing and revision of contingency plans.

The purpose of this policy is to establish a formal, documented policy and procedures that describes what the organization should do to conduct regular testing of its disaster recovery plan to ensure that it is up-to-date and effective.

Procedure: The Security Manager shall update the contingency plan every time new software or hardware is integrated into the system. Modification of systems, updates and upgrades may also require revision of the plan. At the very least, the contingency plan shall be tested and revised at random intervals but under no circumstances shall the gap between updates exceed one year. Testing and revisions will be documented by the Security Manager.

• Contingency plan shall be tested at random intervals, not to exceed one year between intervals.
  • Testing of the contingency plan will include but not limited to:
    • Accessing alternative system and site in a timely fashion.
    • Load and run any necessary software.
    • Load and run backup.
    • Simulate employee actions (paper simulation and written test will be used randomly to validate workforce knowledge).
    • The Security Manager will coordinate exercises and tests to be performed.
  • Testing, workforce participants, dates, feedback, and areas tested shall be documented by the Security Manager (Contingency Plan Testing Form).