Overview and Purpose
A contingency plan must be developed and tested for each organizational facility and application. All [variable: Covered Organization] systems that contain, use, or process data must have a documented plan showing how the organization would continue its mission and provide continuity of data processing if service, use, or access were disrupted for an extended period of time.
[variable: Covered Organization] has been entrusted with sensitive, private data to accomplish its goals. For the success of [variable: Covered Organization]'s programs, [variable: Covered Organization] data must be available in the event of disruptions. A contingency plan includes preparatory measures, response actions, and restoration activities planned or taken to ensure continuation of the mission critical functions.
Coverage
These procedures apply to data contained in the [variable: Covered Organization] system.
Roles and Responsibilities
[Note: Roles noted in this section are illustrative. In using this policy in your own organization, please replace content with accurate titles and responsibilities.]
Director
- Publishes and maintains policy guidelines for preparing and testing [variable: Covered Organization]'s contingency plan
- Assists in identifying the mission critical applications
Information Security Officer (ISO)
- Prepares policy guidelines for developing [variable: Covered Organization]'s contingency plan
- Reviews the contingency plan
- Ensures [variable: Covered Organization]'s contingency plan is updated and tested annually
Supervisors
- Assist in the development, review, and testing of the [variable: Covered Organization] contingency plan
- Determine which applications can revert to manual processing and which applications are mission critical and need priority automated processing
- Provide personnel for scheduled testing of the procedures
Information Security Manager
- Works with security personnel to develop the [variable: Covered Organization] contingency plan
- Coordinates [variable: Covered Organization]'s contingency plan development, updating, and testing with [variable: Covered Organization] personnel
Policy
A contingency planning committee composed of the [variable: Covered Organization] Security Officer and [variable: Covered Organization] personnel will develop, test, and maintain the [variable: Covered Organization] Contingency Plan. The plan should contain the following:
- All mission critical applications shall be identified and ranked according to priority, together with the maximum permissible outage for each critical application
- An inventory of all equipment and supplies and a floor plan of the current operating facility shall be maintained
- Direction for how frequently applications, data, software, and databases are backed up and where they are stored off site
- A list of the location of the alternate backup site
- Instructions for how to prepare alternate site operating procedures
- A list of the arrangements for delivery of backup data and software
- A list of the personnel designated to run the applications at the backup site; travel arrangements, lodging, and per diem should be addressed if the backup site is not local
- Instructions for recovery procedures
- Testing procedures for the contingency plan
The contingency plan shall be marked, handled, and controlled as sensitive unclassified information.
Each page of the plan shall be dated.
The plan shall be tested annually or when a significant change occurs to the [variable: application/s or system/s].
Supporting Documentation
This policy is supported by the following rules, standards, and procedures:
- [variable: internal documents (with links, if available)]
- [variable: external documents (with links, if available)]
Policy Support Contact
[variable: title (not personal name) of role responsible for overseeing this policy] [variable: Contact information of office responsible for overseeing this policy]
References
- NIST Special Publication 800-12, “An Overview to Computer Security: The NIST Handbook,” Chapter 11. Preparing for Contingencies and Disasters. January 1999
Policy Model(s)