Megan Hall says
A key thing that stood out to me from this reading is that contingency planning should be unique to each system. This seems pretty obvious on the surface, but I don’t think a lot of organizations do a great job with it, which can become apparent when a contingency plan is tested. I also found it helpful that the planning guide references the use of FIPS 199 and consideration of confidentiality, integrity, and availability of information as a basis for planning. This means there is a structured and repeatable process to prioritize the significance of systems, so planning can focus on those that are highest risk. This is important since most organizations have limits to the time and resources they can and will spend on contingency planning and recovery options.
Nicholas Fabrizio says
A topic that stood out to me in this reading is the number of different plans that organizations should have in order to respond to an incident appropriately and efficiently. These plans consist of a business continuity, continuity of operations, crisis communications, critical infrastructure protection, cyber incident response, disaster recovery, information system contingency, and occupant emergency plan. These plans all have specific purposes, but could have some overlap with other plans, so it is important that during the planning phase there is coordination in order to help reduce duplicate efforts or steps that may result in contradiction or confusion. Having these plans fully developed and practiced will help an organization respond quickly and accurately.
Jonathan Mettus says
Before reading this document, I kind of assumed that there were just Business Continuity Plans and Disaster Recovery Plans. I even know some organizations that treat both of those as one. Part of the reason for having each different type of plan, I think, is so that those details don’t get overlooked. The plan relationship table in the document shows how many of these plans will get activated and used at the same time because they support one another.
Jonathan Mettus says
I thought the “Identify Preventive Controls” section was an interesting part of developing an Information System Continuity Plan. Ideally, those controls would already be in place. But I think as you’re developing this plan, you will probably think of different threat vectors or vulnerabilities that weren’t realized before. With that comes new controls that could mitigate those risks. In this planning stage, you might now decide you want to purchase a UPS or backup generator. Preventative controls can reduce the impact of outages, which will affect the rest of the recovery plans.
To-Yin Cheng says
One part I learned from this guideline is the policy of backup methods and offsite storage. It is based on the backup frequency and scope according to the criticality of the data and the frequency of the updated data. Commercial data storage facilities are elements specifically designed to archive media and protect data from threats. The data backup policy should be based on geographic area, accessibility, security, environment, and cost to specify the location of the stored data, file naming conventions, media rotation frequency, and the method of data transmission in different places.
Lakshmi Surujnauth says
As you mentioned, cost is an important factor, as organizations have to consider the cost of downtime in tandem with the cost of recovery and be able to effectively balance both in a way that is sustainable from a cost and security perspective. This can be a challenging task, especially for smaller businesses who may not have all the resources to invest in storage/backup and are highly susceptible to cyber attacks.
Christopher Clayton says
It’s bad enough when a company is the victim of a cyberattack, but to not take appropriate steps to plan ahead can leave them in a vulnerable position. That is why a plan always needs to be put in place should cyber attacks or physical disruptions come unexpectedly. The Cyber Incident Response Plan has a well-needed process in place to identify, mitigate, and recover from unauthorized access or changes to system hardware, software, or data.
Lakshmi Surujnauth says
An important takeaway from this reading is balancing the cost to recover and the cost of downtime. The longer the disruption, the more costly downtime becomes. While a shorter recovery time reduces the downtime cost, the faster recovery solutions are more expensive to implement. Given that downtime costs and costs to recover will differ among organizations, striking a balance between these costs provides an optimal point between disruption and recovery costs, but could also prove to be a very challenging task.
Michael Doherty says
Lakshmi,
This is a great point and one that needs to be considered. The costs could vary depending on the size of the business and the disaster that impacted a business. The cost to Walmart to recover from 1 store being destroyed by an act of God or a cyber attack is a much different cost to the Ma and Pa Hardware store with the same act of God or cyber attack. I really like that you presented the costs and the challenges.
Mitchell Dulaney says
One of the least technical but most important takeaways from this reading, from an executive management perspective, is the cost considerations during contingency planning. A competent information security team with an unlimited budget would keep the organization’s equipment up-to-date at all times, have multiple alternate hot sites, back up all the enterprise’s data, keep a large group of security specialists on staff full-time, and pay for the latest and greatest training to stay on top of the latest information security threats. The reason that no organization implements 100% of all available contingency planning measures is that no organization has an unlimited budget. Hence, when contingency planning, the security team must be able to identify the controls that offer the highest benefit-to-cost ratio. Executive management will only dedicate resources to measures that will maintain critical business operations (and save money) enough to outweigh the cost of implementation.
Christa Giordano says
A key takeaway for me was the technical contingency planning section for specific types of systems, specifically the section related to the protection of equipment and resources. This section discusses the importance of resiliency and protecting equipment against environmental and component-level failures that would render a system inoperable if not adequately safeguarded. The first method described is to ensure there is an adequate power supply, and it notes that most critical hardware such as servers can have two power supplies, one to serve as a back-up if the first one fails. It is also key to have a second power source such as an uninterruptible power supply (UPS) and/or a generator to act as a back-up in case the power to the physical location is lost. If the power to the physical location is lost, the server or other critical hardware will be inoperable, even if it has a second power supply. Other important protections include back-ups of software and drivers stored at an alternative location, such as baseline configurations, licenses, installation information, and image loads. Lastly, third-party vendors can be used to help recover data; however, due diligence should be performed, an NDA should be considered depending on security risk, and the vendor should agree to follow company policies and procedures. These methods can vary based on risk, and the results of the risk assessment should be analyzed and discussed to determine the appropriate actions for each system.
Elias Harake says
In this week’s reading, an important takeaway I learned from reading the NIST SP 800-34r1 Contingency Planning Guide for Federal Information Systems was that the document gives guidance on how to establish a disaster recovery plan (DRP) so that an organization can recover and restore its information system functionality, infrastructure, and data processing functions. Not having a disaster recovery plan can hinder an organization from recovering effectively and efficiently should it go through a disaster such as a cybersecurity attack, natural disaster, or a terrorist attack. A disaster recovery plan is an essential document since it outlines strategies and steps to minimize the effect of the disaster to allow the organization to continue its day-to-day operations and functions. A few steps mentioned in the NIST SP 800-34r1 Contingency Planning Guide for Federal Information Systems are to gather data, build a disaster recovery plan (DRP) and recovery strategies, test and validate the DRP, and test and update the DRP.
Quynh Nguyen says
The main takeaway from this reading is learning about contingency plans related to a strategy, with set procedures and technical measures that enable the recovery of systems, operations, and data after a disruptive event. Contingency plans guide an organization in restoring information using alternate equipment, performing all of the affected business in an alternate way, recovering information systems in a different location, and implementing appropriate contingency planning controls based on the system’s impact level. It includes requirements from FIPS 199, NIST 800-53, and other guidelines. This NIST guide is for all managers within the organizations and all those responsible for information systems at all operational levels.
Michael Doherty says
This article was helpful to identify the different plans that could be implemented. When I worked at VW, they had a Business Impact Analysis, which was a report on the impact of each process, software, and hardware for every operation. Then a Disaster Recovery plan could be created based on the criticality of the operation, software, and hardware. Then the business had an understanding of the IT expectations so that their Business Continuity Plan could be in place. I thought this process worked well. It does not make sense to have the business prepare in their BCP to be up and running in 24 hours, if that operation was deemed 2 weeks for a DRP. This created gaps.
Wei Liu says
The purpose of this document is to provide instructions, recommendations, and considerations for federal information system contingency planning. The document provides guidance to help personnel evaluate information systems and operations to determine contingency planning requirements and priorities. The document also outlines planning principles for a wide variety of incidents that can affect information system operations. These range from minor incidents causing short-term disruptions to disasters that affect normal operations for an extended period.
Elias Harake says
Hi Wei. That’s a good point about contingency plans and how they restore information systems in the event of a disaster that affects the business operations of an organization. A disaster recovery plan is an essential document since it outlines strategies and steps to minimize the effect of the disaster to allow the organization to continue its day-to-day operations and functions. A few steps mentioned in the NIST SP 800 Contingency Planning Guide for Federal Information Systems are to gather data, build a disaster recovery plan (DRP) and recovery strategies, test and validate the DRP, and test and update the DRP.
Charlie Corrao says
I found chapter 3.2.1 to be very interesting. This section talked about policy statements that would accompany the contingency plan. Some of the elements that should be included are: roles and responsibilities; scope as it applies to common platform types and organization functions (i.e., telecommunications, legal, media relations) subject to contingency planning; resource requirements; training requirements; exercise and testing schedules; plan maintenance schedule; and minimum frequency of backups and storage of backup media. Figure 3.3 was also interesting to me. It showed graphically the cost to recover vs. the cost of disruption. The intersecting point shows the cost balance point. This point shows where the optimal tradeoff between the cost to recover and the cost of disruption lies. This point will be different for every company, so it is very important to find it.
Xiduo Liu says
The NIST SP 800-34r1 section 5.1 detailed some common technical considerations when developing the contingency plans. Those considerations include:
Use of information gathered from the BIA process; development of data security, integrity, and backup policies and procedures; protection of equipment and system resources; adherence and compliance with security controls in NIST SP 800-53; development of primary and alternate sites with appropriately sized and configured power management systems and environmental control; and use of high availability.
Keeping data security and integrity in contingency planning is important, regardless of the form of backup and the location of the backups: onsite, offsite, and when data is in transit. Ensuring the data is available when needed, and the ability to retrieve the data and restore it from backup securely and effectively, will have a great positive impact on the overall success and effectiveness of the contingency plan.
Panayiotis Laskaridis says
This document just outlines everything from different types of recoveries, to testing, to costs, etc… The most interesting part to me is testing in preparation. How good could your testing possibly be? How do you prepare for what’s basically an infinite amount of possibilities? On top of that, you could never possibly replicate the tense climate that comes with a real event. As employees, this is a priceless experience if you’ve ever been a part of a major breach. So long as you weren’t the reason why, I’d imagine that speaking on that experience would get you major points at an interview. To wrap up my thoughts, what is a reasonable amount to spend on testing your DRP?
Ashleigh Williams says
The key point that stood out to me in this reading is the difference between the continuity of operations plan (COOP) and the information system contingency plan (ISCP). The reading states the COOP plans address national, primary, or mission essential functions, while the ISCP specifically addresses federal information systems. As such, not all government mission/business processes fall within the scope of COOP. However, all ISCPs apply to all information systems in federal organizations.