Picture: French Quarter, New Orleans, LA; Photo by Donald E. Hester all rights reserved
NIST SP 800-34
Presenter
Presentation Notes
What is IT Contingency Planning OMB Circular A-130, Appendix III, requires the development and maintenance of continuity of support plans for general support systems and contingency plans for major applications. NIST SP 800-34
Presenter
Presentation Notes
Business Continuity Planning Business continuity planning Reestablishment of critical business operations so that operations can continue If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function
Presenter
Presentation Notes
Continuity Strategy Management must drive strategic planning to assure continuous information systems availability Plans are referred to in a number of ways Business Continuity Plans (BCPs) Disaster Recovery Plans (DRPs) Incident Response Plans (IRPs) Contingency Plans (CP) Continuity of Operations Plan (COOP) Business Recovery Plan (BRP) Some organizations may have many types of plans, some may have one simple plan Most organizations have inadequate planning
NIST SP 800-34
Presenter
Presentation Notes
Interrelationship of Emergency Preparedness Plans NIST SP 800-34
NIST SP 800-34
Presenter
Presentation Notes
Follow the System Development Life Cycle (SDLC) NIST SP 800-34
1 • Develop the contingency planning policy statement
2 • Conduct the business impact analysis
3 • Identify preventive controls
4 • Develop recovery strategies
5 • Develop an IT contingency plan
6 • Plan testing, training and exercise
7 • Plan maintenance
Presenter
Presentation Notes
Seven-step Continuity Process
Presenter
Presentation Notes
Contingency Planning Policy “A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.” Identify statutory requirements Identify organizational requirements Management support Create policy Publish policy (communicate policy)
Presenter
Presentation Notes
Business Impact Analysis Begin with Business Impact Analysis (BIA) if the attack succeeds, what do we do then? The CP team conducts the BIA in the following stages: Threat attack identification Business unit analysis Attack success scenarios Potential damage assessment Subordinate plan classification “The BIA helps to identify and prioritize critical IT systems and components.”
Identify critical IT resources and dependencies
Identify maximum allowable downtime
Develop recovery strategies & priorities
Presenter
Presentation Notes
BIA Process Identify critical IT resources and dependencies Identify maximum allowable downtime Develop recovery strategies & priorities
Presenter
Presentation Notes
Business Impact Analysis 3 types of threats Natural - e.g., earthquake, hurricane, tornado, flood, and fire Human - e.g., operator error, sabotage, implant of malicious code, and terrorist attacks Environmental - e.g., equipment failure, software error, telecommunications network outage, and electric power failure.
Presenter
Presentation Notes
Identify Preventive Controls “Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.” Redundancy Backups Environmental: A/C, Fire Suppression Offsite Storage UPS/Generator Earthquake racks
Presenter
Presentation Notes
Develop Recovery Strategies “Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.” Onsite Recovery, recover from backup Hardware replacement, Vendor agreements (SLA) Alternate site, reciprocal agreements Cold site, warm site, hot site, mobile site, mirrored sites
Presenter
Presentation Notes
Develop an IT Contingency Plan “The contingency plan should contain detailed guidance and procedures for restoring a damaged system.” Document roles and responsibilities Document recovery information Notification and Activation Damage Assessment Recovery Procedures Call Tree
Presenter
Presentation Notes
Plan Testing, Training & Exercises “Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.” Annual testing Classroom exercises Functional exercise Find weakness Train users so that when it happens you are ready and know what to do
Presenter
Presentation Notes
Plan Maintenance “The plan should be a living document that is updated regularly to remain current with system enhancements.” The plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies. Keep a record of changes Updated as needed
Presenter
Presentation Notes
NIST SP 800-53 Rev 4 Controls
Presenter
Presentation Notes
Resources NIST SP 800-34 “Contingency Guide for Information Technology Systems” Has sample documents ISO 17799 § 11 COBIT § DS4.0 Guide to Disaster Recovery by Michael Erbschloe ISBN 0-619-13122-5 DRI International Disaster-Resource.com