Skip to the main content.
Under Attack? Login
Under Attack? Login
Managed Extended Detection & Response
Layered cybersecurity controls for effective risk management and rapid response.

24/7/365 Monitoring & Alerting
Compromise Assessments
Threat Hunting
Vulnerability Management

Book MXDR Demo

Government Programs
Integrated technology, solutions, and services that support rapid innovation within the DoD ecosystem.

CMMC Preparation & Assessment
Cybersecurity Assurance Readiness (CSAR/RMF Pro)
ATO/RMF Support

Book GP Demo

Professional Services
Expertise in security strategy, incident response readiness, policy development, and risk assessments.

Risk Assessments
vCISO
Penetration Testing

Book ProServ Demo

Digital Forensics & Incident Response
Are You Under Attack?

If you are concerned about a potential threat or are experiencing a breach, contact our 24/7/365 emergency hotline at 888-860-0452.

CONTACT US

Resources

Subscribe-to-NetSec-News-v4Subscribe to NetSec News

Sign up to receive our biweekly newsletter that covers what's happening in cybersecurity including news, trends, and thought leadership.

SIGN UP

Company

Ingalls Information Security

At our core, Ingalls is a company that strives to be helpful to our clients while continuously innovating and evolving our technology and solutions. Since 2010, we have been dedicated to building a team and product that can stay steps ahead of threats, attacks, and vulnerabilities in an ever-changing landscape.

Meet The Leadership Team

2 min read

Why a Contingency Plan Is Critical to Every Organization’s Security Strategy

Picture of Stephen Gutleber Stephen Gutleber Mar 21, 2023 1:26:55 PM

Professional Services

Threats, whether adversarial, accidental, structural, or environmental, pose a risk to all organizations regardless of size and industry. While controls are implemented to mitigate these risks, disruptions are unfortunately inevitable. To be resilient, organizations must have a contingency plan in place that establishes procedures and technical measures that will support the recovery of disrupted systems as rapidly and effectively as possible. This blog post will cover everything you need to know about contingency planning, including why you need one and how to get started.

What Is a Contingency Plan?

In consideration of why a contingency plan is critical to an organization's security strategy, NIST Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems provides instructions, recommendations, and considerations for contingency planning, including the following seven-step contingency planning process:

  1. Develop a contingency planning policy
  2. Conduct a business impact analysis
  3. Identify preventive controls
  4. Create contingency strategies
  5. Develop a contingency plan
  6. Plan testing, training, and exercises
  7. Plan maintenance

 

Contingency Planning Chart

Developing a contingency plan should include collaboration with stakeholders throughout the organization to ensure that the critical business processes are able to withstand the impact of outages and that recovery strategies meet the priorities of the organization. The plan should clearly define recovery steps and the roles and responsibilities of personnel. After documenting the contingency plan, training and testing exercises are critical.

this-is-not-a-drill

In perhaps one of the most cringe-worthy episodes of “The Office,” the pandemonium wrought by Dwight Schrute deliberately setting a fire to test the organization’s response is a great example of what can happen when you’re not prepared. In the aftermath, Dwight is left pleading with his colleagues, “What is the procedure?!”  A plea that anyone can perhaps relate to, if your organization has up until this moment, only just hoped the “fire” would never happen. 

Find engaging ways to inform your organization of the documented plan and use simulated drills and exercises to test the effectiveness of response procedures. As Dwight observes, “PowerPoint is boring, people learn in lots of different ways, but experience is the best teacher.”

However, do avoid the severe, albeit comical, approach that Dwight employs.

Who Needs a Contingency Plan?

Short answer: everyone. All organizations have critical processes that need a contingency plan to limit the time, cost, and impact of a disruption. For some, these processes include the life and safety of personnel and customers, for others, critical services are provided to customers on a 24x7 basis, and all organizations have daily operations that drive the ability to operate as a business. Therefore, all organizations, regardless of size, industry, and complexity need a contingency plan to promote recovery objectives.

How Do You Create a Contingency Plan?

One of the reasons organizations don’t already have a contingency plan in place is because the process can be daunting. Creating and implementing an effective contingency plan is complex and many organizations don’t know where to start. But Ingalls is here to help!

lets-do-this

  1. Find an expert: If you need help getting started, the first step is to find a risk management expert who has experience helping organizations of all sizes evaluate their security practices. An expert who can design practical, repeatable solutions can offer the guidance to building your contingency plan. 
  2. Align with internal stakeholders: Once you find that expert, it’s time to meet with key stakeholders in your organization to understand the critical business processes and identify gaps in any recovery strategies. This will ultimately help to develop a custom contingency plan that is suited for the needs of your organization. 
  3. Create and implement a plan: And lastly, put that contingency plan into use and adopt the procedures necessary to ensure you’re prepared for any disruption. 

We know it’s daunting to even get started, but our expert team of cyber risk management consultants would love to help guide you through the contingency planning process. Reach out today for a free consultation so you can have the right answer to the critical question: “What is the procedure?!”
Subscribe to Network Security News