Contingency Plan

A comprehensive contingency plan for responding to a system emergency helps ensure the continuity of key business systems and operations.  It includes an applications and data criticality analysis used to assess the sensitivity, vulnerability and security of key information assets; a data backup plan to ensure recovery of information that is lost or inaccessible; a disaster recovery plan to enable restoration of systems and data following a catastrophic event; an emergency mode operation plan to ensure operational continuity for some period of time; and testing and revision procedures to enable periodic updates and audits of all contingency plans.

Current-state vulnerabilities in this area might include: no disaster plan in effect, or a disaster plan that covers only major enterprise systems; contingency plans left to the discretion of department managers, with no comprehensive plan in effect for the entire organization; or contingency plans that have not been updated recently and fail to cover all parts of the organization, including remote sites.

Contingency plans should be based on formal application and data criticality analysis assessments.  Plans should be regularly reviewed, tested and updated to account for changes in operations and to address emergencies that affect physical sites and systems as well as data.

Issues to consider when developing contingency plans

Is there a designated person (or persons) responsible for contingency planning in the organization?

Are roles and responsibilities defined?

Is there a formal sign-off and approval process?

As part of an application and data criticality analysis, are systems, applications and modules listed and ranked for continuity prioritization?

Is there a sequential order for restarting systems affected by an emergency?

How is a minimal level of service defined and produced?

How often is the criticality analysis reviewed and revised?

On what basis is data backup performed (frequency, scope of backup)?

Are data backups kept offsite?

Do offsite locations have adequate security?

Are data backups tested for retrieval and full restoration?

Are all data backup procedures fully documented?

Does the organization have a full or partial disaster recovery plan?

Does the plan include an alternate (hot) site?

What processes are in place to ensure periodic testing and revision of the disaster recovery plan?

Is there a responsible, accountable disaster recovery team in place, or are resources assembled on an ad hoc basis in the event of a disaster?

Does the emergency mode operation plan include notification procedures to affected personnel?

Is there a documented, tested process for implementing downtime procedures, including the decision for invoking such procedures?

Do procedures include checkpoint assessments of the status of the emergency and appropriate reporting to affected personnel?

Are all contingency plans periodically reviewed, tested and revised?

Is documentation maintained in all areas detailing 'lessons learned' from actual experiences with loss of business continuity?


Administrative Procedures to Guard Data Integrity, Confidentiality and Availability

The proposed security rule will require each organization to maintain a contingency plan for responding to system emergencies.  The organization is required to perform periodic backups of data, have critical facilities available for continuing operations in the event of an emergency, and have disaster recovery procedures in place.  To satisfy the requirement, the plan would include the following:

  • Strategies and policies have been established to help ensure the business continuity of systems.

  • Recovery testing should be periodically performed to help ensure the viability of the recovery plans.

  • Procedures to store and recall media from offsite storage should help ensure the availability of the media.

  • Processes should be in place to monitor computer and network operations to mitigate interruptions.

  • Recovery tools and offsite facilities should be in place to support timely recovery in the event of a disaster.


Physical Safeguards For Data Integrity, Confidentiality And Availability

The proposed security rule will require each organization to assign security responsibility to a specific individual or organization, and the assignment must be documented.  In a small organization this may be an office manager.  In a large organization there may be many people who grant access, but there must be an ultimate owner of security for the organization.  Responsibilities would include:

  • Use of security measures to protect data; and

  • The conduct of personnel in relation to the protection of data.

The proposed security rule will require each organization to establish media controls in the form of formal, documented policies and procedures that govern the receipt and removal of hardware and software (diskettes, tapes) into and out of a facility.  For disposal of media, you must ensure that the information contained on the media has been removed.  Controlled access to media may be as simple as locking media in a secure environment when not in use.  Mandatory implementation features include:

  • Controlled access to media;

  • Accountability (tracking mechanism);

  • Data backup;

  • Data storage; and

  • Disposal.

The proposed security rule will require each organization to establish formal, documented policies and procedures for limiting physical access to an entity while ensuring that properly authorized access is allowed.  There are many ways to provide equipment control, including assignment of liability, property passes, desktop locks, and property alarm devices.  Facility security may include access cards, cipher locks or just a lock on the door.  Mandatory implementation features include:

  • Disaster recovery;

  • Emergency mode operation;

  • Equipment control (into and out of site);

  • Facility security plan;

  • Procedures for verifying access authorizations prior to physical access;

  • Maintenance records;

  • Need-to-know procedures for personnel access;

  • Sign-in for visitors and escorts; and

  • Testing and revision.
