Definitions
General
A contingency plan (CP) is a
“[m]anagement policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster.”[1]
“[p]lan maintained for emergency response, backup operations, and post-disaster recovery for an information system, to ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.”[2]
“[a] security plan to ensure that mission-critical computer resources are available to a company in the event of a disaster (such as an earthquake or flood). It includes emergency response actions, backup operations, and postdisaster recovery.”[3]
Year 2000 problem
A contingency plan is a
“a plan for responding to the loss or degradation of essential services due to a Year 2000-related problem in an automated system. In general, a contingency plan describes the steps the enterprise would take — including the activation of manual or contract processes — to ensure the continuity of its core business processes in the event of a Year 2000-induced system failure.”[4]
Overview
Such plans describe procedures and identify the personnel necessary to respond to abnormal situations, and ensure that computer application sponsors/owners can continue to process important applications if computer support at the primary data processing installation is interrupted (e.g., appropriate automated and/or manual backup capabilities should be considered). These plans are developed in conjunction with computer application or data sponsors/owners and maintained at the primary and backup data processing installations.
Contingency planning, which includes developing contingency, business continuity, and disaster recovery plans, should be performed to ensure that when unexpected events occur, essential operations can continue without interruption or can be promptly resumed, and that sensitive data are protected. NIST guidance states that organizations should develop and implement contingency plans that describe activities associated with backing up and restoring the system after a disruption or failure. The plans should be updated and include information such as contacts, resources, and descriptions of files in order to restore the application in the event of a disaster.
Contingency planning is a critical component of information protection. If normal operations are interrupted, network managers must be able to detect, mitigate, and recover from service disruptions while preserving access to vital information. Therefore, a contingency plan details emergency response, backup operations, and disaster recovery for information systems. It must provide specific instructions for restoring critical systems, including such things as arrangements for alternative processing facilities in case the usual facilities are significantly damaged or cannot be accessed.
It is important that these plans be clearly documented, communicated to potentially affected staff, updated to reflect current operations, and regularly tested. Moreover, if contingency planning controls are inadequate, even relatively minor interruptions can result in lost or incorrectly processed data, which can lead to financial losses, expensive recovery efforts, and inaccurate or incomplete information.
U.S. government
FISMA requires each U.S. government agency to develop, document, and implement plans and procedures to ensure continuity of operations for information systems that support the agency’s operations and assets. NIST requires that contingency plans be developed and tested for information systems.
References
Source
- NASA Automated Information Security Handbook, at §308(a)(2).