Contingency Plan

Contingency Planning

Policy

  • Identify statutory or regulatory requirements
  • Create a policy statement
  • Get the policy statement approved
  • Publish the policy statement
  • Key elements of policy
    1. Roles and responsibilities
    2. Scope
    3. Resources required
    4. Training required
    5. Testing and exercises schedule
    6. Maintenance schedule
    7. Backup and storage schedule

Business Impact Assessment (BIA)
The BIA is a critical piece of the CP that establishes requirements for the strategy and procedures in the rest of the CP.

  • Identify critical resources
  • Identify disruption impacts and timeframes
  • Establish recovery priorities

Preventative Controls

  • Implement controls
  • Maintain controls

Recovery Strategies

  • Backup methods
  • Alternate sites
  • Equipment replacement
  • Roles and responsibilities
  • Cost considerations

Contingency Plan
The contingency plan should document the planned recovery strategy.

Contingency Plan Structure

  • Notification phase
  • Recovery phase
  • Reconstitution phase

Testing, Training, Exercises

  • Define the objectives
  • Define the success criteria
  • Collect lessons learned
  • Incorporate new ideas
  • Train staff

Maintenance

  • Review and update the plan
  • Coordinate with other organizations
  • Control distribution of plan elements
  • Document any changes

CP-related security controls:
CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
CP-2 CONTINGENCY PLAN
CP-3 CONTINGENCY TRAINING
CP-4 CONTINGENCY PLAN TESTING AND EXERCISES
CP-5 CONTINGENCY PLAN UPDATE
CP-6 ALTERNATE STORAGE SITE
CP-7 ALTERNATE PROCESSING SITE
CP-8 TELECOMMUNICATIONS SERVICES
CP-9 INFORMATION SYSTEM BACKUP
CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
MP-4 MEDIA STORAGE
MP-5 MEDIA TRANSPORT

KEY NIST DOCS:
800-34 “Contingency Planning Guide for Information Technology Systems”
800-100 “Information Security Handbook: A Guide for Managers”
800-64 “Security Considerations in the Information System Development Life Cycle”
800-53 “Recommended Security Controls for Federal Information Systems”
800-18 “Guide for Developing Security Plans for Information Technology Systems”
800-47 “Security Guide for Interconnecting Information Technology Systems”
800-61 “Computer Security Incident Handling Guide”