Policies Section

Contingency Planning (from NIST)

This contingency planning list and its descriptions are meant to tie each contingency planning control to an activity or behavior. For NIST's own descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

  • Contingency planning policy and procedures - A business contingency policy and plan should be developed along with procedures for implementation of the plan. The policy will define roles and responsibilities regarding implementation of the plan and procedures, carrying out the plan, training, testing, and other facets of the plan. (low)
  • Contingency plan - Describes what is to be done in each scenario that requires invoking the contingency plan, together with the activities needed to carry the plan out, tied to the roles of the individuals involved. The contingency plan should be reviewed annually and modified to suit business needs as the organization changes. (low)
  • Contingency training - Individuals involved in the implementation of the contingency plan are trained in their respective roles on a periodic basis such as yearly or as the plan changes. (moderate)
  • Contingency plan testing - The contingency plan is tested using pre-defined exercises. A test results report is generated and reviewed so corrective action may be taken. (moderate)
  • Contingency plan update - The contingency plan should be reviewed annually and modified to suit business needs as the organization changes. (low)
  • Alternate storage sites - An alternate storage site for data and required equipment should be defined and secured using necessary agreements. The alternate site should not be too close to the main site. (moderate)
  • Alternate processing sites - An alternate site where hot or cold systems can be set up as part of the contingency plan should be secured. The alternate site should not be too close to the main site. (moderate)
  • Telecommunications services - Alternate telecommunications services should be identified and arranged to be made available in the event that the contingency plan needs to be implemented. This should be part of the plan and procedures. (moderate)
  • Information system backup - All information on all computer systems should be backed up to media that is moved to an alternate location. Application, user, and system information, including log files, should all be backed up. The backup target may be a hot server in an alternate location. (low)
  • Information system recovery and reconstitution - Procedures are provided that instruct organizational staff in the system recovery method used to bring an alternate system into operation and to restore the original system. Media with the required software and any additional documentation should be available, and the procedures should tell staff where the media and documentation are stored. Licensing information required to restore the software should be available, along with instructions for restoring data from the backup media. (low)