ENTERPRISE ASSURANCE PORTAL
CONTINGENCY PLANNING OVERVIEW
WHY A CONTINGENCY PLAN
Business owners and managers must accept a well-known fact: There is no such thing as a risk-free operation! Things happen! Information and data disappear! Equipment fails! Employees and contractors become disgruntled! A viable contingency plan will assure prompt resumption of business in the event of a mishap, sabotage, or catastrophe.
Contingency management and planning tools help answer questions about assets such as: What are they? Where are they? What is their value? What are their replacement costs? What are the alternatives? How long can the organization function without them?

IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire), from a variety of sources ranging from natural disasters to terrorist actions. While vulnerabilities may be minimized or eliminated through technical, management, or operational solutions as part of the organization’s risk management effort, it is virtually impossible to completely eliminate all risks. In many cases, critical resources may reside outside the organization’s control (such as electric power or telecommunications), and the organization may be unable to ensure their availability. Thus effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability.

THE CONTINGENCY PLAN (CP) vs. THE DISASTER RECOVERY PLAN (DRP)
Contingency planning refers to interim measures to recover IT services following an emergency or system disruption. Interim measures may include the relocation of IT systems and operations to an alternate site, the recovery of IT functions using alternate equipment, or the performance of IT functions using manual methods. Where the CP refers to interim measures, i.e., temporary disruption of business, the DRP addresses preparing for a permanent or long-term disruption of business which requires relocation to an alternate or new site. The primary site may have to be rebuilt, or a new permanent site may have to be established. Once the replacement site is operational, a new Contingency Plan for that site must be developed and tested.


ENSURING THE CONTINGENCY PLAN
In order for contingency planning to be successful, management must ensure the following: 1) An understanding of the IT Contingency Planning Process and its place within the overall Continuity of Operations and Business Continuity process. 2) The development or reexamination of the contingency policy and planning process, and the application of the elements of the planning cycle, including preliminary planning, business impact analysis, alternate site selection, and recovery strategies. 3) The development or reexamination of the IT contingency planning policies and plans, with emphasis on maintenance, training, and exercising the contingency plan.

POLICY STATEMENT
The following is an example of a contingency plan policy statement: It is the organization's policy that each component or sub-unit will have a management-approved contingency plan (CP) for mission critical applications (MCA), major applications (MA), and critical support systems (CSS). It is the responsibility of the system or business owner to ensure that a CP is developed and maintained for their respective assets. CPs will be reviewed at least annually, and/or when updates or modifications significant enough to warrant updating have been made. An independent team - not associated with the target asset - will review and test the CP and record the result. The CP is a living document and must be periodically reviewed and updated to accurately depict the status of the respective asset.

ASSETS REQUIRING A CONTINGENCY PLAN
This product addresses contingency planning (i.e., strategies and techniques) for the IT environment including, but not limited to:  1) Human resources, 2) Infrastructure, 3) Desktops and portable systems, 4) Servers, 5) Web sites, 6) Local area networks, 7) Wide area networks, 8) Distributed systems, and 9) Mainframe systems.