Home
Recovery Scenario
Planning Concept
Assumptions
Threats
Roles & Responsibilities
File Incident Report
Emergency Contacts
Key Personnel
IT Security Quiz
Tools & Techniques
Contact Us
           
A Contingency Plan strategy must ensure the quick and effective recovery mission critical and support assets following an incident!
IT Security Risk Management (ITSRM)
PURPOSE AND SCOPE
A comprehensive Contingency Pan (CP) should - at a minimum - include the following:  1) A Policy Statement to ensure that personnel fully understands the CP requirement; 2) A Business Impact Analysis (BIA) to fully characterize the system/application components, requirements, processes, and interdependences as well as impact to the organization in case of a loss or disruption; 3) Intended Audience - those who are identified as implementers, supporters, and managers incident to the success of the CP; 4) Preventive controls - measures taken to reduce the effects of system disruptions; 5) A CP strategy that will ensure the quick and effective recovery following an incident; 6) The CP, itself (i.e., Purpose & Scope, Concept of Operations, Notification & Activation, Recovery, and Reconstitution) - the CP and a corresponding Disaster Recovery Plan (DRP) will contain detailed guidance and procedures to restore system and/or application assets; 7) Guidance and/or procedures for testing, training, and conducting exercises to validate and update the CP; and, 8) Guidance and procedures for maintaining the CP.  The CP is a living document and must reflect changes and updated to the subject system and/or application.
PURPOSE
This product is designed to establish procedures to recover and resume normal operations of applications and/or systems after a disruption.  This plan has the following objectives:
  1. Provide a comprehensive description of the asset including all systems and/or applications  impacted by its loss or inability to function as designed.
  2. Identify and document all personnel with the responsibility of operating, maintaining, recovering, and/or providing services for the successful operation of the asset and/or interdependent systems/applications.
  3. Incorporate the following phases in support of the recovery effort: 

    a) Notification/Activation - the decision making process with respect to activating the contingency plan after an incident; determining the extent of damage;  identify key management and recovery personnel;  establish protocols for the recovery effort;

    b) Recovery - restore operations - at a minimum those mission critical and/or critical support assets; identifying and prioritizing the recovery activities; the temporary restoration of operations, and recovering the critical asset(s);

    c) Reconstitution - returning the system/application to normal operations (i.e., before the incident); the decision making processes with respect to deactivating the contingency plan.

  4. Identify those activities, resources, and procedures necessary to carry out the asset's requirements for processing during extended outage or disruption periods.
  5. Assign responsibilities to designated personnel and provide guidance for recovering assets during extended periods of interruption.
  6. Ensure coordination with other personnel responsible for contingency planning strategies; and, ensure coordination with external points of contact and vendors associated with the asset's normal operation.

SCOPE
Although this information in this product contains extractions from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34 (Recommended Guidelines for Federal Organizations), it has pertinent guidelines and procedures to assist personnel responsible for developing contingency plans for both government and commercial/private IT systems and applications.  Given the broad range of information system designs and configurations, as well as the rapid development and obsolescence of products and capabilities, the scope of the discussion is not intended to be comprehensive. Rather, the content describes technology practices to enhance an organization’s information system contingency planning capabilities. These guidelines present contingency planning principles for the following common platform types:  1) Client/server systems; 2) Telecommunications systems; and 3) Mainframe systems.

The content outlines planning principles for a wide variety of incidents that can affect information system operations. These range from minor incidents causing short-term disruptions to disasters that affect normal operations for an extended period. Because information systems vary in design and purpose, specific incident types and associated contingency measures are not addressed in this guide. Instead, a defined process is provided for identifying planning requirements needed to develop an effective contingency plan for any information system.

AUDIENCE
This information is intended for managers and those individuals responsible for IT Security at system and operational levels can used the principles presented in this document.  This includes - but not limited to - the following personnel: 

  • Managers responsible for overseeing IT operations or business processes that rely on IT systems
  • System administrators responsible for maintaining daily IT operations
  • Information System Security Officers (ISSOs) and other staff responsible for developing,  implementing, and maintaining an organization’s IT security activities 
  • System engineers and architects responsible for designing, implementing, or modifying information systems
  • Users who employ desktop and portable systems to perform their assigned job functions
  • Other personnel responsible for designing, managing, operating, maintaining, or using information systems
In addition, emergency management personnel who may need to coordinate facility-level contingency may use this document with IT contingency planning activities. The concepts presented in this document are not specific to government systems and may be used by private and commercial organizations.

AUTHORITIES
This contingency plan model was developed to meet organizational contingency planning requirements – existing and proposed – which specify the basic guidelines for ensuring the viability of the plan.  The methodology used to develop the contingency plan and the approach specified reflects NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, as amended.
Security Begins and Ends with You!

  Why You Need Our Product    |    Where Our Product Fits   |   PURCHASE PRODUCT