NIST Special Publication 800-34: Contingency Planning Guide for Information Technology (IT) Systems

NIST Special Publication 800-34:
Contingency Planning Guide for
Information Technology (IT) Systems
NIST Computer Security Division
Gaithersburg, Maryland
Background
• IT Contingency Planning is the development of interim
measures to recover IT services after an emergency or system
disruption.
– Relocation of IT systems and operations to an alternative site
– Recovery of IT functions using alternative equipment
– Performance of IT functions using manual methods
2
Background
Differences among the types of plans
Type of Plan
Focus
Business Continuity Plan (BCP)
Sustain/Recover Business
Business Recovery/Resumption Plan (BRP)
Recover Business
Continuity of Operations Plan (COOP)
Sustain Headquarters
Continuity of Support/IT Contingency Plan*
Recover IT
(subject of 800-34)
Crisis Communications Plan
Communications
Cyber Incident Response Plan
Recover IT (malicious attack)
Disaster Recovery Plan (DRP)
Recover IT (large scale disruption)
Occupant Emergency Plan (OEP)
Personnel Safety
* OMB A-130 recommends a Continuity of Support Plan for general support systems; Contingency
Plan for major applications. NIST SP 800-34 considers these plans to be interchangeable.
3
Background
8 types of plans make up the “Suite”
4
IT Contingency Planning
Process
5
IT Contingency Planning Process
• The IT contingency planning process is made up of fundamental
planning principles for developing an effective contingency
capability
• Principles outlined in SP 800-34 are universal to all IT systems
• The process must be supported by senior management (e.g.,
Chief Information Officer [CIO])
• A Contingency Planning Coordinator should be assigned
responsibility for—
– Coordinating the planning process
– Strategy development
– Coordination with senior management
6
IT Contingency Planning Process
The seven steps of IT contingency planning
1.
Develop the contingency planning policy statement
2.
Conduct the business impact analysis (BIA)
3.
Identify preventive controls
4.
Develop recovery strategies
5.
Develop an IT Contingency Plan (discussed last, slide 25)
6.
Plan testing, training, & exercises
7.
Plan maintenance
Develop
Contingency
Planning
Policy
• Identify statutory or
regulatory
requirements for
contingency plans
• Develop IT
contingency planning
policy statement
• Obtain approval of
policy
• Publish policy
Conduct
Business Impact
Analysis
• Identify critical IT
resources
• Identify outage impacts
and allowable outage
times
• Develop recovery
priorities
Identify
Preventive
Controls
• Implement controls
• Maintain controls
Develop
Recovery
Strategies
• Identify methods
• Integrate into system
architecture
Develop
Contingency
Plan*
• Document recovery
strategy
*Discussed in Section 4
Plan Testing,
Training, and
Exercises
• Develop test objectives
• Develop success criteria
• Document lessons
learned
• Incorporate into the plan
• Train personnel
Plan
Maintenance
• Review and update plan
• Coordinate with
internal/external
organizations
• Control distribution
• Document changes
7
IT Contingency Planning Process
Step 1: Develop the Contingency
Planning Policy Statement
• Policy must be supported by senior management (CIO)
• Key policy elements include –
– Roles and responsibilities
– Scope
– Resource requirements
– Training requirements
– Exercise and testing schedules
– Plan maintenance schedule
– Backup frequency and storage method
8
IT Contingency Planning Process
Step 2: Conduct a Business
Impact Analysis
• The business impact analysis (BIA) characterizes system
contingency requirements and priorities in the event of a disruption
Step 1: Identify critical IT resources
Step 2: Identify disruption impacts and allowable outage times
Step 3: Develop recovery priorities
Identify Critical IT Resources
Input from users,
business process
owners, application
owners, and other
associated groups
Identify Disruption Impacts and
Allowable Outage Times
PROCESS: 2. Time and Attendance Reporting
Critical Business Process
Critical Resources
Critical Resource
1. Payroll Processing
2. Time and Attendance
Reporting
3. Time and Attendance
Verification
4. Time and Attendance
Approval
..
.
X
• LAN Server
• LAN Server
• WAN Access
• WAN Access
• E-mail
• Mainframe Access
• Mainframe
Access
• E-mail Server
.
.
.
.
• E-mail Server
.
.
.
.
Max Allowable
Outage
Develop Recovery
Priorities
Resource
Recovery
Priority
Impact
8 hours • Delay in time
sheet processing
• Inability to
perform routine
payroll
operations
• Delay in payroll
processing
.
.
.
• LAN Server
• WAN Access
High
Medium
• E-mail
Low
• Mainframe
Access
High
• E-mail Server
.
.
.
.
High
• Results are key to development of recovery strategy and should
also be used for COOP, BCP, and BRP development
9
IT Contingency Planning Process
Step 3: Identify Preventive
Controls
• Preventive controls should be selected and implemented to
mitigate some of the impacts identified
• Controls include, but are not limited to –
– Uninterruptible Power Supplies (UPS) and power generators
– Fire suppression systems and detectors
– Offsite storage and system documentation
– Technical security controls
10
IT Contingency Planning Process
Step 4: Develop Recovery
Strategies
• Recovery strategies are a means to restore IT operations
quickly and effectively following a disruption
• The strategies should:
– Address residual risks and impacts identified by the BIA
– Use a combination of methods to cover full spectrum of identified
risks
– Integrate with the design and implementation phases of the system
development life cycle
• Strategy should consider:
– Backup methods
– Alternate sites
– Equipment replacement
– Roles and responsibilities
– Cost considerations
11
IT Contingency Planning Process…Develop Recovery Strategies
Backup Methods
• A backup policy should define the –
– Backup media (e.g., electronic vaulting, mirrored disks, floppy
disks)
– Frequency (i.e., daily or weekly; incremental or full)
– Storage requirements (i.e., offsite storage, frequency of rotation,
transportation methods)
12
IT Contingency Planning Process…Develop Recovery Strategies
Alternate Sites
• An alternative site is a facility for recovering and operating a
system for an extended period of time when the primary site is
unavailable
Cost
Hardware
Equipment
Telecommunications
Setup Time
Location
Cold Site
Low
None
None
Long
Fixed
Warm Site
Medium
Partial
Partial/Full
Medium
Fixed
Hot Site
Medium/High
Full
Full
Short
Fixed
Mobile Site
High
Dependent
Dependent
Dependent
Not Fixed
Mirrored Site
High
Full
Full
None
Fixed
13
IT Contingency Planning Process…Develop Recovery Strategies
Equipment Replacement
Strategies
• Damaged or lost hardware or software can be replaced (or
duplicated if primary site is unavailable) via:
– Vendor agreements
– Equipment inventory
– Existing compatible equipment
14
IT Contingency Planning Process…Develop Recovery Strategies
Recovery Roles & Responsibilities
• Specific teams should be staffed based on their skills,
knowledge, and normal operating responsibilities
• Team members should be trained to be ready to deploy and
implement the plan when necessary
• Inter-team training will facilitate coordination and ease staff
shortages during a response
• Role-based teams should be developed; do not use actual
names and titles
15
IT Contingency Planning Process…Develop Recovery Strategies
Recovery Roles & Responsibilities
• Senior management (e.g., CIO) should have authority over plan
activation and execution; may be supported by a management
team
• Line of succession should define delegation of authority
• All teams are lead by a team leader; team leaders should have
alternatives designated
16
IT Contingency Planning Process…Develop Recovery Strategies
Cost Considerations
• Recovery strategy costs should be weighed against budget
limitations
• Costs related to alternative site, equipment replacement, and
storage options include:
– Hardware, software, and other supplies
– Vendors and labor hours/contractors
– Testing, travel, and shipping
17
IT Contingency Planning Process
Step 6: Plan Testing, Training, &
Exercises
• Objectives, success criteria, schedule, scope, scenario, and
logistics should be defined in the test plan
• Recovery staff should be trained on team procedures and
responsibilities
• Plan deficiencies and ability to implement the plan should be
evaluated through testing
• 2 basic types of tests
– Classroom (tabletop)
– Functional (simulation)
18
IT Contingency Planning Process
Step 7: Plan Maintenance
• Plan effectiveness relies on up-to-date system, organization,
and procedural information
• Reviews, followed by updates, should be conducted:
– At least annually for technical, operational, and system
requirements
– At least annually for alternative site/offsite requirements and vital
records information
• All changes made to the plan should be communicated to POCs
of associated plans and procedures
• All changes should be recorded in the Record of Changes
(included in the plan)
19
IT Contingency Plan
Development
20
IT Contingency Plan Development
• The IT contingency plan is the resulting documentation of
recovery activities developed through Process steps 1-4
• Plans must be tested and maintained (Process steps 6 and 7) to
ensure viability and validity
• IT contingency plans are a part of the overall system security
package
• 5 major components of the IT contingency plan
– Supporting Information
– Notification/Activation Phase
– Recovery Phase
– Reconstitution Phase
– Plan Appendices
21
IT Contingency Plan Development
Supporting Information
• Introduction orients the reader to the type and location of
information in the plan
– Purpose
– Applicability
– Scope
– References/Requirements
– Record of Changes
• Concept of Operations provides contextual information about
the IT system and framework of the plan
– System Description
– Line of Succession
– Responsibilities
22
IT Contingency Plan Development
Notification/Activation Phase
• Notification methods should be documented to address:
– Procedures for business/non-business hours
– Use of multiple technologies/methods such as phone, cell phone,
page, or e-mail
– Necessary information about the event to be relayed
• Criteria for plan activation should be clearly identified
23
IT Contingency Plan Development
Recovery Phase
• Temporary IT processing capabilities are established, damage
repaired, and operational capabilities are restored during the
recovery phase
• Recovery procedures should be documented to:
– Reflect system priorities from BIA
– Account for system and activity details, including shipment/receipt
of offsite materials and procurements
– Guide teams in a sequential, step-by-step manner
24
IT Contingency Plan Development
Reconstitution Phase
• Recovery operations are terminated and normal operations are
transferred to the original or new site during the reconstitution
phase
• Procedures should be written to address:
– Preparing the original/new site/system for normal operations
– Testing original/new system prior to cut over
– Data backup and graceful shutdown of redundant system
– Termination of contingency operations and cleanup of alternative
site
25
IT Contingency Plan Development
Plan Appendices
• Important information which supports execution of the IT
contingency plan should be appended to the plan
–
–
–
–
–
–
–
–
–
–
Personnel Contact List
Vendor Contact List
Equipment and Specifications
Service Level Agreements and Memorandums of Understanding
IT Standard Operating Procedures
Business Impact Analysis
Related Contingency Plans
Emergency Management Plan
Occupant Evacuation Plan
Continuity of Operations Plan.
26
Summary
• An IT contingency plan is part of a larger “suite” of plans
• Strategies developed in the IT contingency plan must be
coordinated with other plans in the suite
• Senior management (e.g., CIO) must support the
contingency planning policy statement
• A BIA should be conducted to determine impacts to the
system and appropriate recovery strategies
• Notification procedures must be clearly outlined in the plan
• Role-based teams must be trained to execute the plan
• IT contingency plans must be tested and maintained to
ensure viability and validity
27
For Additional Information
Download SP 800-34 from: http://csrc.nist.gov
Marianne Swanson
Senior Advisor for IT Security Management
Computer Security Division
PHONE: (301) 975-3293
marianne.swanson@nist.gov
28