BUSINESS RESUMPTION AND CONTINGENCY PLANNING PROCEDURES


1. PURPOSE: To establish mandatory operational requirements for business resumption and contingency planning within the Office of the State Attorney. It is designed to provide Office-wide guidance to Chiefs, Supervisors and Staff in responding to catastrophic events involving SAO facilities and information resource service interruptions.

2. BACKGROUND: Traditionally, contingency planning has focused on restoring information resource services for an automation center, wide area network or similar service. While remote sites are still accessed for processing and storing information, most facilities have their own local area networks which link the various personal computers and share various resources. If a catastrophic event occurs that makes it impossible for SAO employees to use that site, the re-establishment of information systems and network functions is only one part of the resumption of services for a facility. The critical functions of that facility must be restored and an interim process must be put into action. "Hot sites" (a reserved space already equipped with processing capability and other services), reciprocal agreements, and other arrangements to provide restored services to their end users should be considered. Critical files that were processed previously on Local Area Network servers need to be restored so they can be used in processing during the contingency period. In summary, both the information technology and the general office environment have to be restored.

3. RESPONSIBILITIES:

a. The SAO Chief Information Officer (CIO) is charged with ensuring that a business resumption plan is developed at all SAO locations. This includes the necessary contingency plans for critical automated information systems. The CIO is also responsible for monitoring, reviewing, and evaluating compliance with these automated information system security procedures.

b. Division Chiefs are responsible for ensuring that offices and facilities under their control can operate despite disruptions. These offices and facilities must treat business resumption and contingency planning as vital considerations in the computer security programs that protect sensitive information in SAO automated information systems.

c. The Chief at each SAO remote office is responsible for the development, periodic testing and updating of a business resumption plan for that field station and contingency plans for all general support systems located at that field station.

a. Identify Mission Critical Functions. The first step of business resumption planning is to identify mission critical functions and determine their priorities. In the event of a disaster, certain functions will not be performed. If appropriate priorities have been set and approved by senior management, it will be easier for the organization to recover from the disaster and resume normal operations. Contingency plans shall be consistent with other site and building emergency plans. All plans designed to continue essential SAO missions and functions must be coordinated with each other and recognize the dependent nature of this process.

b. Identify the Resources that Support Critical Functions. After mission critical functions are identified, the resources that support them must be identified, the time frame in which each resource is used must be determined (some are needed daily and others are used only once a month), and the effect on the mission if the resource is not available must be determined. One method used to identify mission-critical functions and their impact is called Business Impact Analysis. It includes a review of the site's functions to understand the impact if they are not performed. Each function is reviewed for its impact on operations, on end users, and on interrelated critical functions, together with its time lines, taking workload peaks and valleys into account. Also considered are additional expenses caused by overtime, the need for temporary employees and other costs associated with recovery. Finally, the effect of not performing a mission critical function needs to be examined with regard to its impact within the organization, externally, and in the media.

c. Anticipating Potential Contingencies or Disasters. All resources associated with critical functions should be examined with likely problem scenarios. Various types and sizes of contingencies should be considered. To better understand resource needs and their support of critical functions, a contingency planning team should be formed. Team members should include representatives from three main areas: functional/business groups, facilities management, and technology management. This assignment should not preclude members of these groups from serving in other planning roles. Members from these areas may include financial management, personnel, computer security, and physical security. The team should identify likely problems by using analytical tools, such as existing risk assessment methodologies and risk assessment software packages.

d. Selecting Business Resumption and Contingency Planning Strategies. The primary purpose of this step is to plan how to recover needed resources. Alternative strategies should be evaluated, taking into account what controls are already in place to prevent or minimize contingencies.

(1) A contingency planning strategy normally consists of three parts: emergency response, recovery, and resumption. Emergency response encompasses the initial actions taken to protect lives and limit damage. Recovery refers to the steps that are taken to continue support for critical functions. Resumption is the return to normal operations. The relationship between recovery and resumption is important. The longer it takes to resume normal operations, the longer the organization will have to operate in the recovery mode.

(2) The selection of a strategy needs to be based on practical considerations such as feasibility and cost. Risk assessment can be used to help estimate the cost of options to decide on an optimal strategy. Questions to be asked are: Is it more expensive to purchase and maintain a generator or to move processing to an alternate site, considering the likelihood of losing electrical power for serious lengths of time? Are the consequences of loss of computer-related resources sufficiently high to warrant the cost of disaster recovery strategies? The risk assessment should focus on areas where it is not clear which strategy is the best. In developing contingency planning strategies, there are many factors to consider in addressing each of the resources that support critical functions. The different categories of resources should each be considered. Some of these factors include: human resources, processing capability, automated applications and data, computer-based services, physical infrastructure, documents and papers.

(a) Implementation

(1) Much preparation is needed to implement the strategies for protecting critical functions and their supporting resources. For example, one common preparation is to establish procedures for backing up files and applications. Another is to establish contracts and agreements, if the contingency strategy calls for them. Existing service contracts may need to be re-negotiated to add contingency services. Another preparation may be to purchase equipment to support a redundant capability.

(2) Backing up data files and applications is a critical part of virtually every contingency plan. Backups are used to restore files after a personal computer virus corrupts the data or after a hurricane destroys an automation center. System backups must be tested on a regular basis to ensure that data can be read from the disks in the event they are needed in an emergency.

(3) It is important to keep preparations, including documentation, up-to-date. Computer systems change rapidly and backup services and redundant equipment should also be kept current. Contracts and agreements also need to reflect any changes. If additional equipment is needed, it must be maintained and periodically replaced when it is no longer dependable or obsolete to an organization's architecture.

(4) Preparation should also include formally designating people who are responsible for various tasks in the event of a contingency. These people are often referred to as the contingency response team. This team is often composed of people who were also members of the contingency planning team.

(5) There are many important implementation issues for an organization to consider. Two of the most important are 1) how many plans should be developed and 2) who will prepare each plan. The answer will depend on the organization's overall strategy for contingency planning, and should be documented in the organization's policy and procedures document.

(6) For small or less complex systems, the contingency plan may be a part of the computer security plan. For larger complex systems, the computer security plan could contain a brief synopsis of the contingency plan, which should be a separate document. The purpose of the computer security plan is to provide a basic overview of the security and privacy requirements for a computer system and the responsible SAO component's plan for meeting those requirements. It also serves as documentation of the process of planning adequate, cost-effective security protection for a system. The purpose of the contingency plan is to document the specific methodology, structure, discipline, and procedures to be used for emergency response, backup operations, and post-disaster recovery maintained by the responsible SAO office as part of its IR security program. This planning will help ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.

(7) Some organizations have one plan for the entire organization; others have a plan for each distinct computer system, application, or other resource. Other approaches recommend a plan for each business or mission function, with separate plans, as needed, for critical resources.

(8) The number of actual plans needed depends upon the unique circumstances for each organization. Coordination and cooperation between resource managers and functional managers responsible for the mission or business is critical to the success of any plan.
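Item (2) above requires that system backups be tested regularly so that data can actually be read back when it is needed. The following script is an added illustration of such a periodic restore test; it is not part of this procedure or any SAO tool. It backs up a directory into a tar.gz archive with a SHA-256 manifest, restores the archive into a scratch directory, and checks every restored file against the manifest, reporting an altered file and a truncated off-site copy as failures rather than silently passing. The directory layout, file contents and archive name are constructed for the demonstration.

```python
"""Periodic backup restore test (added illustration, not SAO procedure text).
Back up a directory into a tar.gz archive with a SHA-256 manifest, restore it
into a scratch directory and prove every file reads back intact."""
import hashlib
import json
import shutil
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup members never load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source and return {relative path: sha256}.
    The manifest is written next to the archive so it travels with the off-site copy."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_tree(restored: Path, manifest: dict) -> dict:
    """Compare a restored directory against the manifest, file by file."""
    report = {"ok": [], "missing": [], "corrupt": [], "extra": [], "unreadable": None}
    present = {p.relative_to(restored).as_posix(): p for p in restored.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    report["extra"] = sorted(set(present) - set(manifest))
    return report


def restore_test(archive: Path, manifest: dict) -> dict:
    """The actual test: extract into a fresh scratch directory and verify.
    An unreadable archive is reported, not raised, so a scheduled job can log and alert."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # safe-extraction filter, Python 3.12+
                except TypeError:  # older interpreter without the filter argument
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return {"ok": [], "missing": sorted(manifest), "corrupt": [], "extra": [],
                    "unreadable": f"{type(exc).__name__}: {exc}"}
        return verify_tree(Path(scratch), manifest)


def run_demo() -> tuple:
    """Build constructed sample data, back it up, and run three restore tests:
    intact archive, restored tree with one altered file, truncated archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "case_files"  # constructed sample tree, not real SAO data
        (source / "docket").mkdir(parents=True)
        (source / "docket" / "2024-0001.txt").write_text("hearing scheduled 10 June\n")
        (source / "docket" / "2024-0002.txt").write_text("continuance granted\n")
        (source / "contacts.csv").write_text("role,phone\nduty chief,555-0100\n")

        archive = root / "nightly.tar.gz"
        manifest = create_backup(source, archive)
        good = restore_test(archive, manifest)

        # Failure mode 1: a file changed (bit rot or tampering) after the manifest was taken.
        damaged = root / "restored_copy"
        shutil.copytree(source, damaged)
        (damaged / "contacts.csv").write_text("role,phone\nduty chief,555-0199\n")
        altered = verify_tree(damaged, manifest)

        # Failure mode 2: the off-site copy was cut short in transit.
        truncated = root / "truncated.tar.gz"
        data = archive.read_bytes()
        truncated.write_bytes(data[: len(data) // 2])
        unreadable = restore_test(truncated, manifest)
        return good, altered, unreadable


if __name__ == "__main__":
    for name, rep in zip(("intact", "altered file", "truncated archive"), run_demo()):
        print(f"{name}: ok={len(rep['ok'])} missing={rep['missing']} "
              f"corrupt={rep['corrupt']} unreadable={rep['unreadable']}")
```

In a scheduled job the restore would be run against the copy actually kept off-site, and a non-empty `missing` or `corrupt` list, or any `unreadable` value, is the signal that the backup cannot be relied on in an emergency.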

(b) Documentation. The contingency plan needs to be documented and kept up-to-date as the personnel responsible for implementing it and other factors change. A written plan is essential to have during a contingency situation. It should clearly state, in simple language, the sequence of tasks to be performed in the event of a contingency so that someone with minimal knowledge can immediately begin to execute the plan. It is important to store, in a secure environment, up-to-date copies of the contingency plan, including one in electronic format, in several locations, including any off-site locations such as alternate processing sites or backup data storage facilities. Each member of the contingency plan response team should have copies of the plan.

(c) Training. All personnel should be trained in their contingency-related duties. New personnel should be trained as they join the organization. Refresher training may be needed and personnel need to practice their skills. Training is particularly important for effective employee response during emergencies. Depending on the nature of the emergency, there may be inadequate time to check a manual to determine correct procedures to protect equipment and other assets. Practice is necessary in order to react correctly, especially when human safety is involved.

e. Testing and Revising

(1) A contingency plan should be tested periodically to identify and correct any problems in implementation. The plan will become dated as time passes and as the resources used to support critical functions change. Responsibility for keeping the contingency plan current should be specifically assigned. The extent and frequency of testing will vary between organizations and among systems. There are several types of testing, including reviews, analyses, and simulations of disasters.

(a) A review can be a simple test to check the accuracy of contingency plan documentation. For instance, a reviewer could check if individuals listed are still in the organization and still have the responsibilities that caused them to be included in the plan. This test can check home and work telephone numbers, organizational codes, and building and room numbers. The review can determine if files can be restored from backup tapes or if employees know emergency procedures.

(b) An analysis may be performed on the entire plan or portions of it, such as emergency response procedures. It is more beneficial if the analysis is performed by a member of the facility staff who did not participate in the development of the contingency plan, but has a sound knowledge of the critical functions and supporting resources. This person may also interview functional managers, resource managers, and their staff to uncover missing or unworkable sections of the plan.

(c) Organizations may also arrange disaster simulations. These tests provide information about flaws in the contingency plan and provide practice for a real emergency. While they can be expensive, these tests can also provide critical information that can be used to ensure the continuity of important functions. In general, the more critical the functions and the resources addressed in the contingency plan, the more cost-beneficial it is to perform a disaster simulation.

(2) The results of a "test" often imply a grade assigned for a specific level of performance, or simply pass or fail. However, in the case of contingency planning, a test should be used to improve the plan. If organizations do not use this approach, flaws in the plan may remain undetected and not corrected.
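The documentation review described in (1)(a) above, checking that the people named in the plan are still in the organization, still hold the responsibilities that put them in the plan, and are reachable at the listed numbers, codes and rooms, can be partly automated. The script below is an added illustration, not an SAO tool: it compares the plan's call roster against a staff directory and lists every entry a reviewer would have to correct, plus any recovery task left without a valid assignee. Both the roster and the directory are constructed sample data; in practice the directory would come from the office's system of record.

```python
"""Contingency plan roster review (added illustration, not an SAO tool).
Compare the call roster written into the plan with the current staff directory."""
from dataclasses import dataclass, field


@dataclass
class Person:
    name: str
    org_code: str
    room: str
    work_phone: str
    home_phone: str
    duties: frozenset = field(default_factory=frozenset)


# Constructed current staff directory keyed by name (assumed to be pulled from the
# HR or directory system of record in a real check).
DIRECTORY = {
    "A. Alvarez": Person("A. Alvarez", "SAO-IT", "B-210", "555-0101", "555-0201",
                         frozenset({"restore LAN servers"})),
    "B. Burke": Person("B. Burke", "SAO-FAC", "A-105", "555-0102", "555-0202",
                       frozenset({"building evacuation", "alternate site access"})),
    "D. Diaz": Person("D. Diaz", "SAO-IT", "B-214", "555-0104", "555-0204",
                      frozenset({"restore LAN servers"})),
}

# Constructed roster as written in the plan: who to call, how, and for which task.
# C. Chen has since left; Burke moved rooms and changed home number; Diaz no
# longer holds the alternate-site duty the plan assigns.
PLAN_ROSTER = [
    {"name": "A. Alvarez", "org_code": "SAO-IT", "room": "B-210",
     "work_phone": "555-0101", "home_phone": "555-0201", "task": "restore LAN servers"},
    {"name": "B. Burke", "org_code": "SAO-FAC", "room": "A-110",
     "work_phone": "555-0102", "home_phone": "555-0299", "task": "building evacuation"},
    {"name": "C. Chen", "org_code": "SAO-IT", "room": "B-212",
     "work_phone": "555-0103", "home_phone": "555-0203", "task": "restore LAN servers"},
    {"name": "D. Diaz", "org_code": "SAO-IT", "room": "B-214",
     "work_phone": "555-0104", "home_phone": "555-0204", "task": "alternate site access"},
]

CONTACT_FIELDS = ("org_code", "room", "work_phone", "home_phone")


def review_roster(roster, directory):
    """Return (findings, uncovered_tasks): findings are (name, problem) pairs;
    uncovered_tasks are plan tasks with no remaining valid assignee."""
    findings = []
    covered = set()
    for entry in roster:
        person = directory.get(entry["name"])
        if person is None:
            findings.append((entry["name"], "no longer in the organization"))
            continue
        for fld in CONTACT_FIELDS:
            if getattr(person, fld) != entry[fld]:
                findings.append((entry["name"],
                                 f"{fld} changed: plan says {entry[fld]}, "
                                 f"directory says {getattr(person, fld)}"))
        if entry["task"] not in person.duties:
            findings.append((entry["name"], f"no longer responsible for '{entry['task']}'"))
        else:
            covered.add(entry["task"])
    all_tasks = {e["task"] for e in roster}
    return findings, sorted(all_tasks - covered)


if __name__ == "__main__":
    findings, uncovered = review_roster(PLAN_ROSTER, DIRECTORY)
    for name, problem in findings:
        print(f"{name}: {problem}")
    print("tasks without a valid assignee:", uncovered)
```

A task that appears in `uncovered` is the more serious finding: the contact details can be corrected at leisure, but a recovery step nobody is currently assigned to perform means the plan would stall at that step.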

f. Interdependencies. Controls can prevent or reduce the effects of a disaster at the facility. Ideally, controls mutually support and complement each other. In combination, they eliminate or lessen the damage occurring as a result of the destruction, disclosure, or denial of service to critical resources.

(1) Risk assessment provides a tool (process) for analyzing the security costs and benefits of contingency planning options. In addition, a risk assessment effort can be used to help identify critical resources needed to support the organization and the likely threat to those resources. It is not necessary, however, to perform a risk assessment prior to contingency planning, since the identification of critical resources can be performed during the contingency planning process itself.

(2) Physical and environmental controls help prevent the destruction of automated information systems, although many of the other controls, such as logical access controls, also prevent damage. The main threats that a contingency plan addresses are physical, such as fires, loss of power, plumbing breaks, and natural disasters.

(3) Incident handling can be viewed as a subset of contingency planning. It is the emergency response capability for various technical threats. Incident handling can also help an organization prevent future incidents by recording the incident and educating personnel about the incident, the circumstances, and the corrective action taken.

(4) Support and operations in most organizations include the periodic backing up of critical files. It also includes the prevention and recovery from more common contingencies, such as a disk failure or corrupted data files.

(5) Policy is needed to create and document the organization's approach to contingency planning. The policy should explicitly assign responsibilities.

g. Cost Considerations. The cost of developing and implementing contingency planning strategies should be taken into account, including, when the strategy calls for them, the additional expenses of contracting backup services or purchasing duplicate equipment. One contingency cost that is often overlooked is the cost of testing a plan. Testing provides many benefits and should be performed, although some of the less expensive methods (such as a review) may be sufficient for less critical resources.

5. REFERENCES

a. National Institute of Standards and Technology, Guidelines for ADP Contingency Planning, FIPS Pub 87; 1981.