NIST Special Publication 800-34: Contingency Planning Guide for Information Technology (IT) Systems
NIST Computer Security Division, Gaithersburg, Maryland

Slide 2: Background
• IT Contingency Planning is the development of interim measures to recover IT services after an emergency or system disruption.
  – Relocation of IT systems and operations to an alternative site
  – Recovery of IT functions using alternative equipment
  – Performance of IT functions using manual methods

Slide 3: Background: Differences among the types of plans

  Type of Plan                                 Focus
  Business Continuity Plan (BCP)               Sustain/Recover Business
  Business Recovery/Resumption Plan (BRP)      Recover Business
  Continuity of Operations Plan (COOP)         Sustain Headquarters
  Continuity of Support/IT Contingency Plan*   Recover IT (subject of 800-34)
  Crisis Communications Plan                   Communications
  Cyber Incident Response Plan                 Recover IT (malicious attack)
  Disaster Recovery Plan (DRP)                 Recover IT (large scale disruption)
  Occupant Emergency Plan (OEP)                Personnel Safety

  * OMB A-130 recommends a Continuity of Support Plan for general support systems and a Contingency Plan for major applications. NIST SP 800-34 considers these plans to be interchangeable.

Slide 4: Background: 8 types of plans make up the “Suite”

Slide 5: IT Contingency Planning Process (section title)

Slide 6: IT Contingency Planning Process
• The IT contingency planning process is made up of fundamental planning principles for developing an effective contingency capability
• Principles outlined in SP 800-34 are universal to all IT systems
• The process must be supported by senior management (e.g., Chief Information Officer [CIO])
• A Contingency Planning Coordinator should be assigned responsibility for:
  – Coordinating the planning process
  – Strategy development
  – Coordination with senior management

Slide 7: IT Contingency Planning Process: The seven steps of IT contingency planning
1. Develop the contingency planning policy statement
   • Identify statutory or regulatory requirements for contingency plans
   • Develop IT contingency planning policy statement
   • Obtain approval of policy
   • Publish policy
2. Conduct the business impact analysis (BIA)
   • Identify critical IT resources
   • Identify outage impacts and allowable outage times
   • Develop recovery priorities
3. Identify preventive controls
   • Implement controls
   • Maintain controls
4. Develop recovery strategies
   • Identify methods
   • Integrate into system architecture
5. Develop an IT Contingency Plan* (discussed last, slide 25)
   • Document recovery strategy
6. Plan testing, training, and exercises
   • Develop test objectives
   • Develop success criteria
   • Document lessons learned
   • Incorporate into the plan
   • Train personnel
7. Plan maintenance
   • Review and update plan
   • Coordinate with internal/external organizations
   • Control distribution
   • Document changes

  * Discussed in Section 4

Slide 8: IT Contingency Planning Process: Step 1: Develop the Contingency Planning Policy Statement
• Policy must be supported by senior management (CIO)
• Key policy elements include:
  – Roles and responsibilities
  – Scope
  – Resource requirements
  – Training requirements
  – Exercise and testing schedules
  – Plan maintenance schedule
  – Backup frequency and storage method

Slide 9: IT Contingency Planning Process: Step 2: Conduct a Business Impact Analysis
• The business impact analysis (BIA) characterizes system contingency requirements and priorities in the event of a disruption
  Step 1: Identify critical IT resources
  Step 2: Identify disruption impacts and allowable outage times
  Step 3: Develop recovery priorities
• Example BIA worksheet (as shown on the slide):

  Identify Critical IT Resources (input from users, business process owners, application owners, and other associated groups)

    Critical Business Process               Critical Resources
    1. Payroll Processing                   • LAN Server
    2. Time and Attendance Reporting        • WAN Access
    3. Time and Attendance Verification     • E-mail
    4. Time and Attendance Approval         • Mainframe Access
    . . .                                   • E-mail Server
    X                                       . . .

  Identify Disruption Impacts and Allowable Outage Times

    PROCESS: 2. Time and Attendance Reporting
    Critical Resource     Max Allowable Outage   Impact
    • LAN Server          8 hours                • Delay in time sheet processing
    • WAN Access                                 • Inability to perform routine payroll operations
    . . .                                        • Delay in payroll processing
                                                 . . .

  Develop Recovery Priorities

    Resource              Recovery Priority
    • LAN Server          High
    • WAN Access          Medium
    • E-mail              Low
    • Mainframe Access    High
    • E-mail Server       High
    . . .

• Results are key to development of recovery strategy and should also be used for COOP, BCP, and BRP development

Slide 10: IT Contingency Planning Process: Step 3: Identify Preventive Controls
• Preventive controls should be selected and implemented to mitigate some of the impacts identified
• Controls include, but are not limited to:
  – Uninterruptible Power Supplies (UPS) and power generators
  – Fire suppression systems and detectors
  – Offsite storage and system documentation
  – Technical security controls

Slide 11: IT Contingency Planning Process: Step 4: Develop Recovery Strategies
• Recovery strategies are a means to restore IT operations quickly and effectively following a disruption
• The strategies should:
  – Address residual risks and impacts identified by the BIA
  – Use a combination of methods to cover the full spectrum of identified risks
  – Integrate with the design and implementation phases of the system development life cycle
• Strategy should consider:
  – Backup methods
  – Alternate sites
  – Equipment replacement
  – Roles and responsibilities
  – Cost considerations

Slide 12: IT Contingency Planning Process… Develop Recovery Strategies: Backup Methods
• A backup policy should define the:
  – Backup media (e.g., electronic vaulting, mirrored disks, floppy disks)
  – Frequency (i.e., daily or weekly; incremental or full)
  – Storage requirements (i.e., offsite storage, frequency of rotation, transportation methods)

Slide 13: IT Contingency Planning Process… Develop Recovery Strategies: Alternate Sites
• An alternative site is a facility for recovering and operating a system for an extended period of time when the primary site is unavailable

  Site Type       Cost          Hardware Equipment   Telecommunications   Setup Time   Location
  Cold Site       Low           None                 None                 Long         Fixed
  Warm Site       Medium        Partial              Partial/Full         Medium       Fixed
  Hot Site        Medium/High   Full                 Full                 Short        Fixed
  Mobile Site     High          Dependent            Dependent            Dependent    Not Fixed
  Mirrored Site   High          Full                 Full                 None         Fixed

Slide 14: IT Contingency Planning Process… Develop Recovery Strategies: Equipment Replacement Strategies
• Damaged or lost hardware or software can be replaced (or duplicated if the primary site is unavailable) via:
  – Vendor agreements
  – Equipment inventory
  – Existing compatible equipment

Slide 15: IT Contingency Planning Process… Develop Recovery Strategies: Recovery Roles & Responsibilities
• Specific teams should be staffed based on their skills, knowledge, and normal operating responsibilities
• Team members should be trained to be ready to deploy and implement the plan when necessary
• Inter-team training will facilitate coordination and ease staff shortages during a response
• Role-based teams should be developed; do not use actual names and titles

Slide 16: IT Contingency Planning Process… Develop Recovery Strategies: Recovery Roles & Responsibilities
• Senior management (e.g., CIO) should have authority over plan activation and execution; may be supported by a management team
• Line of succession should define delegation of authority
• All teams are led by a team leader; team leaders should have designated alternates

Slide 17: IT Contingency Planning Process… Develop Recovery Strategies: Cost Considerations
• Recovery strategy costs should be weighed against budget limitations
• Costs related to alternative site, equipment replacement, and storage options include:
  – Hardware, software, and other supplies
  – Vendors and labor hours/contractors
  – Testing, travel, and shipping

Slide 18: IT Contingency Planning Process: Step 6: Plan Testing, Training, & Exercises
• Objectives, success criteria, schedule, scope, scenario, and logistics should be defined in the test plan
• Recovery staff should be trained on team procedures and responsibilities
• Plan deficiencies and the ability to implement the plan should be evaluated through testing
• 2 basic types of tests:
  – Classroom (tabletop)
  – Functional (simulation)

Slide 19: IT Contingency Planning Process: Step 7: Plan Maintenance
• Plan effectiveness relies on up-to-date system, organization, and procedural information
• Reviews, followed by updates, should be conducted:
  – At least annually for technical, operational, and system requirements
  – At least annually for alternative site/offsite requirements and vital records information
• All changes made to the plan should be communicated to POCs of associated plans and procedures
• All changes should be recorded in the Record of Changes (included in the plan)

Slide 20: IT Contingency Plan Development (section title)

Slide 21: IT Contingency Plan Development
• The IT contingency plan is the resulting documentation of recovery activities developed through Process steps 1-4
• Plans must be tested and maintained (Process steps 6 and 7) to ensure viability and validity
• IT contingency plans are a part of the overall system security package
• 5 major components of the IT contingency plan:
  – Supporting Information
  – Notification/Activation Phase
  – Recovery Phase
  – Reconstitution Phase
  – Plan Appendices

Slide 22: IT Contingency Plan Development: Supporting Information
• Introduction orients the reader to the type and location of information in the plan
  – Purpose
  – Applicability
  – Scope
  – References/Requirements
  – Record of Changes
• Concept of Operations provides contextual information about the IT system and the framework of the plan
  – System Description
  – Line of Succession
  – Responsibilities

Slide 23: IT Contingency Plan Development: Notification/Activation Phase
• Notification methods should be documented to address:
  – Procedures for business/non-business hours
  – Use of multiple technologies/methods such as phone, cell phone, page, or e-mail
  – Necessary information about the event to be relayed
• Criteria for plan activation should be clearly identified

Slide 24: IT Contingency Plan Development: Recovery Phase
• Temporary IT processing capabilities are established, damage is repaired, and operational capabilities are restored during the recovery phase
• Recovery procedures should be documented to:
  – Reflect system priorities from the BIA
  – Account for system and activity details, including shipment/receipt of offsite materials and procurements
  – Guide teams in a sequential, step-by-step manner

Slide 25: IT Contingency Plan Development: Reconstitution Phase
• Recovery operations are terminated and normal operations are transferred to the original or new site during the reconstitution phase
• Procedures should be written to address:
  – Preparing the original/new site/system for normal operations
  – Testing the original/new system prior to cutover
  – Data backup and graceful shutdown of the redundant system
  – Termination of contingency operations and cleanup of the alternative site

Slide 26: IT Contingency Plan Development: Plan Appendices
• Important information which supports execution of the IT contingency plan should be appended to the plan:
  – Personnel Contact List
  – Vendor Contact List
  – Equipment and Specifications
  – Service Level Agreements and Memorandums of Understanding
  – IT Standard Operating Procedures
  – Business Impact Analysis
  – Related Contingency Plans
  – Emergency Management Plan
  – Occupant Evacuation Plan
  – Continuity of Operations Plan

Slide 27: Summary
• An IT contingency plan is part of a larger “suite” of plans
• Strategies developed in the IT contingency plan must be coordinated with other plans in the suite
• Senior management (e.g., CIO) must support the contingency planning policy statement
• A BIA should be conducted to determine impacts to the system and appropriate recovery strategies
• Notification procedures must be clearly outlined in the plan
• Role-based teams must be trained to execute the plan
• IT contingency plans must be tested and maintained to ensure viability and validity

Slide 28: For Additional Information
Download SP 800-34 from: http://csrc.nist.gov
Marianne Swanson, Senior Advisor for IT Security Management, Computer Security Division
PHONE: (301) 975-3293
[email protected]