Threats, whether adversarial, accidental, structural, or environmental, pose a risk to all organizations regardless of size and industry. While controls are implemented to mitigate these risks, disruptions are unfortunately inevitable. To be resilient, organizations must have a contingency plan in place that establishes procedures and technical measures that will support the recovery of disrupted systems as rapidly and effectively as possible. This blog post will cover everything you need to know about contingency planning, including why you need one and how to get started.
On the question of why a contingency plan is critical to an organization's security strategy, NIST Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems, provides instructions, recommendations, and considerations for contingency planning, including the following seven-step contingency planning process:
Developing a contingency plan should involve collaboration with stakeholders throughout the organization to ensure that critical business processes can withstand the impact of outages and that recovery strategies reflect the organization's priorities. The plan should clearly define the recovery steps and the roles and responsibilities of personnel. Once the contingency plan is documented, training and testing exercises are critical.
In perhaps one of the most cringe-worthy episodes of “The Office,” the pandemonium wrought by Dwight Schrute deliberately setting a fire to test the organization’s response is a great example of what can happen when you’re not prepared. In the aftermath, Dwight is left pleading with his colleagues, “What is the procedure?!” It is a plea anyone can relate to if, up until this moment, your organization has only hoped the “fire” would never happen.
Find engaging ways to inform your organization of the documented plan and use simulated drills and exercises to test the effectiveness of response procedures. As Dwight observes, “PowerPoint is boring, people learn in lots of different ways, but experience is the best teacher.”
However, do avoid the severe, albeit comical, approach that Dwight employs.
Short answer: everyone. All organizations have critical processes that need a contingency plan to limit the time, cost, and impact of a disruption. For some, these processes involve the life and safety of personnel and customers; for others, they are critical services provided to customers on a 24x7 basis; and all organizations have daily operations that drive their ability to operate as a business. Therefore, all organizations, regardless of size, industry, and complexity, need a contingency plan to meet their recovery objectives.
One of the reasons organizations don’t already have a contingency plan in place is that the process can be daunting. Creating and implementing an effective contingency plan is complex, and many organizations don’t know where to start. But Ingalls is here to help!
We know it’s daunting to even get started, but our expert team of cyber risk management consultants would love to help guide you through the contingency planning process. Reach out today for a free consultation so you can have the right answer to the critical question: “What is the procedure?!”