Cybersecurity Blog | Ingalls Information Security

Contingency Plan Is Critical to Every Organization’s Security Strategy

Written by Stephen Gutleber | Mar 21, 2023 4:00:00 AM

Threats, whether adversarial, accidental, structural, or environmental, pose a risk to all organizations regardless of size and industry. While controls are implemented to mitigate these risks, disruptions are unfortunately inevitable. To be resilient, organizations must have a contingency plan in place that establishes procedures and technical measures that will support the recovery of disrupted systems as rapidly and effectively as possible. This blog post will cover everything you need to know about contingency planning, including why you need one and how to get started.

What Is a Contingency Plan?

To understand why a contingency plan is critical to an organization's security strategy, start with NIST Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems. It provides instructions, recommendations, and considerations for contingency planning, including the following seven-step contingency planning process:

  1. Develop a contingency planning policy
  2. Conduct a business impact analysis
  3. Identify preventive controls
  4. Create contingency strategies
  5. Develop a contingency plan
  6. Plan testing, training, and exercises
  7. Plan maintenance


Developing a contingency plan should include collaboration with stakeholders throughout the organization to ensure that the critical business processes are able to withstand the impact of outages and that recovery strategies meet the priorities of the organization. The plan should clearly define recovery steps and the roles and responsibilities of personnel. After documenting the contingency plan, training and testing exercises are critical.

In perhaps one of the most cringe-worthy episodes of “The Office,” the pandemonium wrought by Dwight Schrute deliberately setting a fire to test the organization’s response is a great example of what can happen when you’re not prepared. In the aftermath, Dwight is left pleading with his colleagues, “What is the procedure?!” It is a plea that anyone can relate to if their organization has, up until this moment, only hoped the “fire” would never happen.

Find engaging ways to inform your organization of the documented plan and use simulated drills and exercises to test the effectiveness of response procedures. As Dwight observes, “PowerPoint is boring, people learn in lots of different ways, but experience is the best teacher.”

However, do avoid the severe, albeit comical, approach that Dwight employs.

Who Needs a Contingency Plan?

Short answer: everyone. All organizations have critical processes that need a contingency plan to limit the time, cost, and impact of a disruption. For some, these processes involve the life and safety of personnel and customers; for others, critical services are provided to customers on a 24x7 basis; and all organizations have daily operations that drive their ability to operate as a business. Therefore, all organizations, regardless of size, industry, and complexity, need a contingency plan to meet their recovery objectives.

How Do You Create a Contingency Plan?

One of the reasons organizations don’t already have a contingency plan in place is that the process can be daunting. Creating and implementing an effective contingency plan is complex, and many organizations don’t know where to start. But Ingalls is here to help!

  1. Find an expert: If you need help getting started, the first step is to find a risk management expert who has experience helping organizations of all sizes evaluate their security practices. An expert who can design practical, repeatable solutions can offer the guidance you need to build your contingency plan.
  2. Align with internal stakeholders: Once you find that expert, it’s time to meet with key stakeholders in your organization to understand the critical business processes and identify gaps in any recovery strategies. This will ultimately help to develop a custom contingency plan that is suited to the needs of your organization.
  3. Create and implement a plan: Lastly, put that contingency plan into use and adopt the procedures necessary to ensure you’re prepared for any disruption.

We know it’s daunting to even get started, but our expert team of cyber risk management consultants would love to help guide you through the contingency planning process. Reach out today for a free consultation so you can have the right answer to the critical question: “What is the procedure?!”