The goal of contingency planning is to be prepared, so that in the event of an emergency you can respond efficiently; building a resilient infrastructure minimises the impact of any disruption of critical functions.
The process to develop and maintain an IT contingency plan is based on the following steps:
– Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
– Conduct the Business Impact Analysis (BIA). The Business Impact Analysis helps to identify and prioritise information systems and components critical to supporting the organisation’s business processes.
Once you have identified the key risk areas for your business and the information gathering process has been completed, you are able to define the recovery and continuity objectives, including:
- Maximum Tolerable Downtime (MTD), the total amount of time that the organisation is willing to accept for a disruption. Setting the MTD helps contingency planners to identify the right recovery method and develop appropriate recovery procedures.
- Recovery Time Objective (RTO), the maximum amount of time that a system resource can remain unavailable. This is important for selecting the best technology to meet the RTO requirements.
- Recovery Point Objective (RPO), the amount of data loss that can be tolerated by your critical IT system.
– Identify preventive controls and create a contingency strategy. The defined recovery objective information allows you to identify suitable backups and recovery strategies to restore the system operations quickly and efficiently following a disruption.
Specific recovery methods may include commercial contracts with alternative vendors, reciprocal agreements with internal or external organisations, and service-level agreements (SLAs) with equipment vendors. In addition, technologies such as Redundant Arrays of Independent Disks (RAID), automatic failover, Uninterruptible Power Supplies (UPS), server clustering, and mirrored systems should be considered when developing a system recovery strategy.
– Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system; it should identify key individuals who should be familiar with their duties under the plan and establish the recovery priorities.
– Plan testing, training, and exercises. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation, and exercising identifies planning gaps – the combined activities improve plan effectiveness.
– Plan maintenance. The plan should be kept up to date regularly to remain applicable; you should make sure that any system enhancements and organisational changes are communicated immediately and properly.