Security

Contingency Planning: 101

Nick Manning
Thursday, December 1, 2022

In an emergency, it helps to have a plan. Contingency planning ensures that in case of emergency, everyone on your team knows what steps to take in order to mitigate and quickly recover from disruptions.

Everyone on your team should be familiar with your contingency plan and what steps each team member should take in an emergency scenario.

A Contingency Plan (CP) is exactly what it sounds like - a plan that can be easily implemented incase of an emergency. According to NIST 800-57, a CP is a plan that is maintained for disaster response, backup operations, and post-disaster recovery, to ensure the availability of critical resources and to facilitate the continuity of operations in an emergency. The CP itself is considered a living document, so if there are changes that are made to the environment, the CP must be updated. In addition, if an employee leaves or joins an organization, the CP must be updated so that the call tree remains accurate. In summary, the CP serves as a roadmap with steps that the team can follow in the event of an emergency scenario.

To maximize the effectiveness of a Contingency Plan, and to organize the plan in the event of a disaster, the plan consists of the following phases:

  • Activation and Notification Phase: Activation of the CP will occur after an outage or disruption that may reasonably extend beyond the Recovery Time Objective (RTO) for the system. Think of the RTO as the amount of time that it will take to viably recover from a disruption.
  • Recovery Phase: This phase consists of restoring the system or returning it to a fully functional state. Depending on the type and severity of the incident this action may or may not be particularly resource intensive. For example, a minor incident may only require a simple reboot whereas a major incident could require completely rebuilding a system and restoring all data from the most recent backup.
  • Reconstitution Phase: It is during this phase that the impacted system is restored to normal operations, which typically involves a plethora of testing and collaborating amongst all stakeholders.

 

After the Reconstitution Phase is completed, there is typically a Lessons Learned activity that takes place where key stakeholders get together and examine the incident in detail. While examining the response to the incident, key stakeholders will look for any areas where they can improve their overall response and readiness for the issue at hand. For example, if it was deemed that it took stakeholders too long to respond to the incident, it may be because accurate information was not provided within the roles and responsibilities section. It is very common for the CP team to create a written lessons-learned report, which may contain recommendations that will ultimately be included as part of the updated CP plan. 

One of the more important features of a solid CP plan is the Roles and Responsibilities section. For recovery and reconstitution efforts to move swiftly, all roles, and responsibilities must be accurately defined as part of the CP plan. As the CP coordinator, you do not want to be caught in a scenario where you are scrambling to find contact information so that you may begin a collaborative effort to restore the system with key stakeholders. Enacting the Contingency Plan can be avoided if the issue at hand is taken care of promptly, and the accuracy of the Roles and Responsibilities section will have a great impact on this endeavor, especially if the incident takes place before or after business hours.

The Business Impact Analysis (BIA) is also of seminal importance to the overall creation of the CP plan. Think of the BIA as a section that identifies the business priorities that are critical to an organization’s ongoing sustainability and the threats posed to those resources. Parameters are also defined during this stage, starting with the Maximum Tolerable Downtime, which is essentially the amount of time that a business/mission can continue to operate without causing grave damage or harm to the business. We also have the Recovery Time Objective, which is the amount of time an organization thinks it will take for an organization to recover in the event of a major disruption. Lastly, the Recovery Point Objective can be described as a measurement of how much loss is acceptable to the organization when a disaster occurs.  

An entire series of books could be written about the intricacies and stages of a Contingency Plan. However, you will notice that the common theme of preparation is the nucleus of the CP plan itself. The idea of preparation has been with us since the beginning of recorded history. Sun Tzu, one of the most important figures in the history of war once stated, “Know the enemy and know yourself in a hundred battles you will never be in peril. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are certain in every battle to be in peril.” Therefore, the more adequately Softrams is prepared for an emergency scenario, the less the chances are that such an emergency would cause grave damage. 

 


Resources

NIST 800-57: Recommendation for Key Management

Contingency Plan Template

Nick Manning
Thursday, December 1, 2022
Share this story
Follow on Face Book IconFollow on Twitter IconFollow on Linked In Icon
BLOG

Related Stories from our blog

Security

Tabletop Testing: An Overview

Nick Manning
Friday, January 27, 2023
Security

Cyber Insurance: Is it worth it?

Harshita B.
Friday, August 19, 2022
Security

Do Your Part: CyberSecurity

Larry Bensky
Tuesday, November 9, 2021
View More