Contingency and Emergency Planning and Disaster Recovery Program (CEP-DR)


A contingency planning and disaster recovery system is one of the least difficult programs to establish, and yet always seems to be a difficult task. With the change in information systems' environments and configurations—client-server, LAN, distributed processing, etc.—this problem may be getting worse.

Prior to discussing CEP-DR, it is important to understand why it is needed. It is really a very important aspect of an InfoSec program, and may even be its most vital part.

The ISSO must remember that the purpose of InfoSec is to:

  • Minimize the probability of a security vulnerability;

  • Minimize the damage if a vulnerability is exploited; and

  • Provide a method to recover efficiently and effectively from the damage.

What Is It?

Contingency planning is making a plan for responding to emergencies, backup operations, and recovering after a disaster. It addresses what action will be taken to return to normal operations. Emergencies requiring action would include such natural events as floods and earthquakes, as well as human-caused acts such as fires, or hacker attacks causing denial of services.

Disaster recovery is the restoration of the information systems, facility, or other related assets following a significant disruption of services.

Why Do It?

Users, primarily, often ask why a CEP-DR program is necessary. Everyone associated with using, protecting, and maintaining information systems and the information that they store, process, and/or transmit must understand the need for such a program:

  • To assist in protecting vital information;

  • To minimize adverse impact on productivity; and

  • To support the business staying in business!

How Do You Do It?

Each CEP-DR program is unique to the environment, culture, and philosophy of each business or government agency. However, the basic program, regardless of business or agency, requires the development and maintenance of a CEP-DR plan. It must be periodically tested, problems identified and corrected, and processes changed to minimize the chances of adverse events happening again.

The CEP-DR Planning System

IWC's CEP-DR plan must be written based on the standard format used by IWC. The following generic format is offered for consideration:

  1. Purpose: State the reason for the plan and its objective. This should be specific enough that it is clear to all who read it why it has been written.

  2. Scope: State the scope and applicability of the plan. Does it include all systems, all locations, subcontractors?

  3. Assumptions: State the priorities, the support promised, and the incidents to be included and excluded. For example, if your area does not have typhoons, will you assume that typhoons, as a potential disaster threat, will not be considered?

  4. Responsibilities: State who is to be responsible for taking what actions. This should be stated clearly so everyone knows who is responsible for what. Consider a generic breakdown such as managers, systems administrators, users. Also, specific authority and responsibility should be listed by a person's title and not necessarily by that person's name. This approach will save time in updating the plan because of personnel changes.

  5. Strategy: Discuss backup requirements and how often they should be accomplished based on classification of information; state how you will recover, etc.

  6. Personnel: Maintain an accurate, complete, and current list of key CEP-DR personnel, including addresses, phone numbers, pager numbers, and cellular-phone numbers. Be sure to establish a prioritized emergency notification listing, and a listing of response team members and how to contact them in an emergency.

  7. Information: Maintain an on-site inventory listing and an off-site inventory listing; identify the rotation process to ensure a history and current inventory of files. Identify vital information. This information must come from the owner of that information and must be classified according to its importance, based on approved guidelines.

  8. Hardware: Maintain an inventory listing, including supplier's name, serial number, and property identification number; ensure that emergency replacement contracts are in place; maintain hard copies of applicable documents on and off site.

  9. Software: Identify and maintain backup operating systems and application systems software. This should include original software and at least one backup copy of each. Be sure to identify the version numbers, etc. In this way, you can compare what is listed in the plan with what is actually installed. It would not be a unique event if software backups were not kept current and compatible with the hardware. If this is the case, the systems might not be able to work together to process, store, and transmit much-needed information.

  10. Documentation: All important documentation should be identified, listed, inventoried, and maintained current in both on- and off-site locations.

  11. Telecommunications: The identification and maintenance of telecommunications hardware and software listings are vital if you are operating in any type of network environment. Many systems today cannot operate in a standalone configuration; thus, the telecommunications lines, backups, schematics, etc., are of vital importance to getting back in operation within the time period required. As with other documentation, their identification, listing, etc., should be maintained at multiple on- and off-site locations. Be sure to identify all emergency requirements and all alternative communication methods.

  12. Supplies: Supplies are often forgotten when establishing a CEP-DR plan, as they often take a back seat to hardware and software. However, listing and maintenance of vital supplies are required, including the name, address, telephone numbers, and contract information concerning suppliers. Be sure to store sufficient quantities at appropriate locations on and off site. If you don't think this is an important matter, try using a printer when its toner cartridge has dried out or is empty!

    Physical supplies for consideration should include plastic tarps to protect systems from water damage in the event of a fire where sprinkler systems are activated.

  13. Transportation and equipment: If you have a disaster or emergency requiring the use of a backup facility or to obtain backup copies of software, etc., you obviously must have transportation and the applicable equipment (e.g., a dolly for hauling heavy items) to do the job. Therefore, you must plan for such things. List emergency transportation needs and sources; how you will obtain emergency transportation and equipment; and which routes and alternate routes to take to the off-site location. Be sure to include maps in the vehicles and also in the plan. Be sure there are fully charged, hand-held fire extinguishers available which will work on various types of fires, such as electrical, paper, or chemical.

  14. Processing locations: Many businesses and agencies sign contractual agreements to ensure that they have an appropriate off-site location to be used in the event their facility is not capable of supporting their activities.

    Ensure that emergency processing agreements are in place that will provide you with priority service and support in the event of an emergency or disaster. Even then, you may have a difficult time using the facility if it is a massive disaster and others have also contracted for the facility.

    Be sure to periodically use the facility to ensure that you can process, store, and/or transmit information at that location. Don't forget to identify on-site locations that can be used or converted for use if the disaster is less than total.

  15. Utilities: Identify on-site and off-site emergency power needs and locations. Don't forget that these requirements change as facilities, equipment, and hardware change. Battery power and uninterruptible power might not be able to carry the load or might be too old to even work. They must be periodically tested. As with the printer cartridge supplies, systems without power are useless. Besides power, don't forget the air conditioning requirements. It would be important to know how long a system can process without air conditioning based on certain temperature and humidity readings.

  16. Documentation: Identify all related documentation; store it in multiple on- and off-site locations; and be sure to include the CEP-DR plan.

  17. Other: Miscellaneous items not covered above.

Test the Plan

Only through testing can the ISSO determine that a plan will work when required. Therefore, it must be periodically tested. It need not be tested all at once, because that would probably cause a loss of productivity by the employees which would not be cost-effective.

It is best to test the plan in increments, relying on all the pieces to fit together when all parts have been tested. Regardless of when and how you test the plan, which is a management decision, it must be tested. Probably the best way to determine how and what to test, and in what order, is to prioritize testing based on prioritized assets.

When testing, the scenarios used should be as realistic as possible. This should include emergency response; testing backup applications and systems; and recovery operations.

Through testing, document the problems and vulnerabilities identified. Determine why they occurred and establish formal projects to fix each problem. Additionally, make whatever cost-effective process changes are necessary to ensure that the same problem would not happen again, or that the chance of it happening is minimized.

The ISSO evaluated IWC organizational structure relative to IWC (Figure 8.11). After coordination with the Director of Security, a process was developed to integrate the ISSO and staff into the current CEP-DR process (Figure 8.12).

Figure 8.11: The IWC organization structure relating to CEP-DR.

Figure 8.12: The basic process flow of the ISSO's integration into the overall IWC CEP-DR.




The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204
