NIST SP 800-34
Contingency Planning Guide for Information Technology Systems (NIST 800-34)
- includes:
  - continuity of operations plans (COOP)
    - focuses on mission-essential functions (MEF)
    - sustain for 30 days
  - critical infrastructure protection (CIP)
    - “critical infrastructure and key resources (CIKR) which are those components of the national infrastructure that are deemed so vital that their loss would have a debilitating effect on the safety, security, economy, and/or health of the United States”
  - information system contingency plan (ISCP)
    - concerned with assessment and recovery of a system following some disruption
Seven-Step Process for BCP and DRP Projects
- Develop the contingency planning policy statement
  - a formal policy provides the authority and guidance necessary to develop an effective contingency plan
- Conduct the business impact analysis (BIA)
  - the BIA is used to identify and prioritize information systems and components critical to supporting the organization’s mission/business functions
- Identify preventative controls
  - measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life-cycle costs
- Create contingency strategies
  - thorough strategies ensure that the system may be recovered quickly and effectively following a disruption
- Develop an information system contingency plan
  - the contingency plan should contain detailed guidance and procedures for restoring a system based on the system’s security impact level and recovery requirements
- Plan testing and training
  - ensure the BCP and DRP are tested and staff are trained in these plans
- Plan maintenance
  - the plan should be updated frequently to remain current with system and organizational changes