Contingency Planning Policy

Policy Owner Name the person/group responsible for this policys management.
Policy Approver(s) Name the person/group responsible for implementation approval of this policy.
Related Policies List other related enterprise policies both within or external to this manual.
Related Procedures List other related enterprise procedures both within or external to this manual.
Storage Location List the physical or digital location of copies of this policy.
Effective Date List the date that this policy went into effect.
Net Review Date List the date that this policy must undergo review and update.
Purpose
Contingency plans are used to establish the manner in which information systems
will continue to be operated in the event of a catastrophic failure to the information
system or any of its components. Without contingency plans the potential exists
that, should some form of catastrophic failure occur, [Company ABC] will be
unprepared to recover from that failure and the unavailability of information
systems will be extended.
Scope
This Contingency Planning Policy applies to all information systems and
information system components of [Company ABC]. Specifcally, it includes
!ainframes, servers and other devices that provide centrali"ed computing
capabilities.
S#$, $#S and other devices that provide centrali"ed storage capabilities.
%es&tops, laptops and other devices that provide distributed computing
capabilities.
'outers, switches and other devices that provide networ& capabilities.
(irewalls, )%P sensors and other devices that provide dedicated security
capabilities.
Policy
*. Contingency plans will outline contingency roles and responsibilities as well as
indicate the individuals assigned to those roles and responsibilities and
appropriate contact information for those individuals. Where appropriate,
plans will be integrated with related plans +,usiness Continuity Plan, %isaster
'ecovery Plan, )ncident 'esponse Plan, etc.-.
.. )ndividuals assigned to outlined contingency roles and responsibilities will be
trained in contingency operations within [indicate frequency suggest 30
days] of appointment to the contingency response team and thereafter within
[indicate frequency suggest 30 days] of revision of the contingency plan.
Where appropriate, plans will be integrated with related plans +,usiness
Continuity Plan, %isaster 'ecovery Plan, )ncident 'esponse Plan, etc.-.
/. Contingency plans will be tested [indicate frequency suggest quarterly]
through the use of table top exercises, [indicate frequency suggest annually]
through the use of simulation tests, and [indicate frequency suggest every
1
three years] through the use of a full0scale test. Where appropriate, tests will
be integrated with testing of related plans +,usiness Continuity Plan, %isaster
'ecovery Plan, )ncident 'esponse Plan, etc.- where such plans exist. The
results of these tests will be documented, shared with &ey sta&eholders.
1. Contingency plans will be reviewed and, where applicable, revised on an
[indicate frequency suggest annually] basis. 'eview will be based upon the
documented results of previously conducted tests or live executions of the
contingency plan. 2pon completion of plan revision, updated plans will be
distributed to &ey sta&eholders.
Procedure !
Contingency planning can incorporate a number of di3erent types of plans. [Company
ABC] must complete the following before commencing plan construction
Conduct a ,usiness )mpact #nalysis
o )dentify critical )T resources
o )dentify disruption impacts
o %etermine allowable 'ecovery Time and 'ecovery Point ob4ectives
o %evelop recovery prioriti"ation schedules.
)dentify )n0Place and 'e5uired Preventative !easures
%evelop a 'ecovery Strategy
%ocument the Plan
Procedure "
(or e6cient operations of the contingency plan, individuals with understanding of,
and training in, contingency operations are re5uired
)dentify Contingency 'esponsibilities
#ssociate 'oles and Personnel with )dentifed 'esponsibilities
%evelop, Publish and !aintain #ppropriate Contact )nformation for
Contingency Personnel
,uild and %eliver a Contingency 'esponse Training Program
Procedure #
To ensure the applicability of the plan and to verify that the plan can be acted upon
as created, periodic testing is re5uired
%efne Tests and Testing !ethodologies
o )dentify systems and system components to be tested
o )dentify test types to be used
7xecute Tests
'eview Test 'esults and Ta&e Corrective #ction
8nce the test has been completed, the results should be reviewed to see if
the contingency plan accurately re9ects the needs of [Company ABC] or if an
ad4ustment is re5uired.
Non$Co%pliance
2
:iolation of any of the constraints of these policies or procedures will be
considered a security breach and depending on the nature of the violation,
various sanctions will be ta&en
# minor breach will result in written reprimand.
!ultiple minor breaches or a ma4or breach will result in suspension.
!ultiple ma4or breaches will result in termination.
3
Revision &istory
'ersion C(ange Aut(or Date of C(ange
nfo!"ech #esearch $roup tools and template documents are provided for the free and unrestricted use of subscribers to nfo!"ech #esearch
$roup services. "hese documents are intended to supply general information only% not specific professional or personal advice% and are not
intended to be used as a substitute for any &ind of professional advice. 'se this document either in whole or in part as a basis and guide for
document creation. "o customi(e this document with corporate mar&s and titles% simply replace the nfo!"ech nformation in the )eader and
*ooter fields of this document.
+