NIST SP 800-34, Revision 1 updates the guidance for contingency planning for federal information systems. The revision:
- Aligns with NIST SP 800-53 and incorporates contingency planning into the Risk Management Framework.
- Provides more templates and guidance for developing system-specific contingency plans tailored to impact levels.
- Clarifies relationships between various continuity/contingency plans like COOP, BCP, and ISCPs.
- Links testing, training, and exercise requirements more closely to NIST and FIPS standards.
This document provides an overview of NIST SP 800-37, Revision 1, which establishes a risk management framework (RMF) for federal information systems. The RMF is a six-step process for managing risk to systems: (1) categorize the system, (2) select security controls, (3) implement controls, (4) assess controls, (5) authorize the system, and (6) monitor controls continuously. The RMF aims to integrate security into system development lifecycles and provide near real-time risk management through continuous monitoring. It also links system-level risk management to the organizational level through a risk executive function.
Ise viii-information and network security [10 is835]-solution, by Vivek Maurya
This document contains the question paper solution from VTU for the course Information and Network Security 10IS835. It discusses various topics in system security policies, including:
- How managerial guidelines and technical specifications can be used in system-specific security policies.
- Who is responsible for policy management and how policies are managed.
- The different approaches for creating and managing issue-specific security policies.
- The major steps and components of contingency planning, including the business impact analysis.
- Pipkin's three categories of incident indicators and the ISO/IEC 270xx standard for information security management.
- The importance of incident response planning and testing security response plans.
- The
PSY 636 Short Paper Guidelines and Rubric Assignment instructi.docx, by potmanandrea
PSY 636 Short Paper Guidelines and Rubric
Assignment instructions: As part of this course, you must write short papers on different topics pertaining to corrections. While the topics vary, your papers, at a minimum, should do the following:
· Answer the question or address the issue(s) described in the instructions.
· Include your perspective, when applicable, and share your opinion or explain your rationale for your position.
· Follow word count guidelines. Include references and citations for any material presented that is not your own original work. You can use first person to indicate your opinion (I, my, etc.) in lieu of listing yourself as a source.
Format: Short papers should follow these formatting guidelines: use of three sources, 2–4 pages, double spacing, 12-point Times New Roman font, one-inch margins, and citations in APA format.
Instructor feedback: Students can find their feedback in the Grade Center.
| Critical Elements | Exemplary | Proficient | Needs Improvement | Not Evident | Value |
|---|---|---|---|---|---|
| Analysis | Well-developed, effective, and accurate analysis of the topic and its impact on adolescent development, substantiated with scholarly research (36-40) | Effective and accurate analysis of the topic and its impact on adolescent development (32-35) | Accurate analysis on the topic and its impact on adolescent development but requires additional support (28-31) | Does not accurately analyze topic and its impact on adolescent development (0-27) | 40 |
| Insightful Conclusions | Clearly identifies conclusions and/or perspectives and connects each to specific adolescent development concept with clear supporting details substantiated with scholarly research (36-40) | Identifies conclusions and/or perspectives and connects each to specific adolescent development concept (32-35) | Attempts to identify conclusions and/or perspectives but does not always clearly or accurately relate each adolescent development concept (28-31) | Does not identify conclusions and/or perspectives and does not connect each to specific adolescent development concept (0-27) | 40 |
| Articulation of Response | Submission is free of errors related to citations, grammar, spelling, syntax, and organization and is presented in a professional and easy-to-read format (18-20) | Submission has no major errors related to citations, grammar, spelling, syntax, or organization (16-17) | Submission has major errors related to citations, grammar, spelling, syntax, or organization that negatively impact readability and articulation of main ideas (14-15) | Submission has critical errors related to citations, grammar, spelling, syntax, or organization that prevent understanding of ideas (0-13) | 20 |
| Earned Total | | | | | 100% |
| Comments | | | | | |
Please don’t give me two- to three-sentence replies. It has to look bulky: at least 8 to 10 sentences. Thank you.
Reply needed 1
Introduction
“System security plans (SSP) are living documents that require periodic review, modification, and plans of action and milestones for implementing security contro ...
This document summarizes NIST Special Publication 800-37, Revision 2 which provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF is a structured process for managing security and privacy risks. Key updates in Revision 2 include aligning with the NIST Cybersecurity Framework, integrating privacy risk management, aligning with system development life cycles, and incorporating supply chain risk management. Organizations can use the RMF and its processes to effectively manage security, privacy, and supply chain risks to operations and assets.
This document summarizes NIST Special Publication 800-37, Revision 2 which provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF is a structured process for managing security and privacy risks. Key updates in Revision 2 include aligning with the NIST Cybersecurity Framework, integrating privacy risk management, aligning with system development lifecycles, and incorporating supply chain risk management. Organizations can use the RMF and other frameworks in a complementary manner to effectively manage security and privacy risks.
This document provides an overview of the Risk Management Framework (RMF) and the NIST Special Publication 800-37 Revision 2. It discusses the RMF roles and responsibilities, improvements made in Revision 2 including integrating privacy and supply chain risk management, and the RMF tasks. It also provides timelines for the development and public comment process of SP 800-37 Revision 2 and the upcoming Revision 5 of SP 800-53.
Implementation of NIST guidelines for the CISO / ISO / Privacy Officer, by David Sweigert
This document summarizes the Federal Information Security Management Act (FISMA) reporting requirements and the National Institute of Standards and Technology (NIST) Special Publication 800-37 guidelines for certification and accreditation (C&A) of federal information systems. It outlines the four phases of the C&A process - initiation, security certification, security accreditation, and continuous monitoring. The purpose is to provide guidance to information security managers on applying the NIST risk management framework to comply with FISMA and ensure adequate security of federal information systems.
PYA Principal Barry Mathis presented “The IT Analysis Paralysis,” in which attendees:
Received a comprehensive review of the many IT frameworks that can be used to develop effective internal audit programs.
Learned the differences between commercial, federal, and industry frameworks.
Received tips, tools, and techniques for creating an effective framework based on risk assessment and identified risks.
Understanding the NIST Risk Management Framework: 800-37 Rev. 2, by Denise Tawwab
Denise Tawwab's presentation on "Understanding the NIST Risk Management Framework" given at the Techno Security & Digital Forensics Conference on June 3, 2019 in Myrtle Beach, SC.
This document provides summaries of several NIST publications related to computer security:
1) SP 500-299 describes a NIST Cloud Computing Security Reference Architecture framework that identifies security components for securing cloud environments and operations.
2) SP 500-304 defines a conformance testing methodology for ANSI/NIST-ITL 1-2011, a standard for biometric data interchange.
3) SP 800-1 is a bibliography of selected computer security publications from 1980 to 1989 covering access controls, auditing, cryptography, and other topics.
How to write an IT security policy guide - Tareq Hanaysha, by Hanaysha
This document provides guidance on writing an effective network security policy. It explains that writing security policies is challenging and requires understanding what should be included and who is responsible. The author developed a Network Security Policy Manual (NSPM) based on standards from ISF and ISO to provide an example. When writing policies, it is important to transform standard language into enforceable policy statements, avoid defining specific technologies, and ensure all sections work together cohesively. Maintaining and updating the security policy is crucial to protecting organizational assets and data.
This document compares and analyzes two US federal information security documents: NIST SP 800-37 and ICD 503. It finds that NIST SP 800-37 provides a more detailed and comprehensive certification and accreditation process. However, the documents are not directly comparable as SP 800-37 is a guideline and ICD 503 is a higher-level policy. The document traces the evolution of federal IT security policy and processes over time, showing how SP 800-37 incorporates elements of previous approaches. It concludes that a new, innovative approach may help achieve better information assurance across the government.
The document proposes an agent-based architecture for multi-level security incident reaction in distributed telecommunication networks. The architecture has three levels: a low level interface with the infrastructure, an intermediate level using multi-agent systems to correlate alerts and deploy reactions across domains, and a high level for global supervision and policy management. The architecture was designed based on requirements like scalability, availability, autonomy, and robust reaction and alert management across distributed systems. It was successfully tested for implementing data access control policies.
NIST to CSF to ISO or EC 27002 2022 with NIST, by ebonyman0007
The document discusses two cybersecurity frameworks that are widely adopted in the US - the NIST Cybersecurity Framework (CSF) and the information security management system (ISMS) defined in ISO 27001. The CSF provides guidance for critical infrastructure sectors through its core functions, profiles, and implementation tiers. ISO 27001 specifies requirements for a best practice ISMS focused on people, processes, and technology. Both frameworks use a risk-based approach and are outcome focused. Adopting one or both can help organizations address the increasing costs and risks of data breaches through a controlled, long-term approach to cybersecurity.
Contractor Responsibilities under the Federal Information Security Management..., by padler01
This document discusses contractor responsibilities under the Federal Information Security Management Act (FISMA) of 2002. It provides an overview of FISMA and its provisions regarding contractor systems. It notes that while FISMA language applies to contractors, agencies have struggled to effectively oversee contractor compliance. It recommends that agencies improve oversight of contractor systems and inventory of contractor-run systems, and contractually impose compliance requirements.
This 3-page disaster recovery policy from an organization outlines their approach to minimizing business disruption from failures or disasters affecting information systems. It defines responsibilities for developing disaster recovery plans for critical systems, requires the classification of business processes and systems based on importance, and mandates regular testing and evaluation of disaster recovery plans. The policy scope includes all internal and third-party IT systems supporting the organization's business.
This document provides an overview of NIST Special Publication 800-37, which outlines the Risk Management Framework (RMF) for federal agencies. The RMF is a cyclical process for assessing and managing risk to systems and organizations on an ongoing basis. It includes seven steps: (1) prepare the organization; (2) categorize systems and data; (3) select controls; (4) implement controls; (5) assess controls; (6) authorize systems; and (7) monitor systems. The RMF takes a system lifecycle approach and requires coordination between information security and privacy programs to effectively manage risk.
Disaster recovery & business continuity, by Dhani Ahmad
This document discusses contingency planning for disasters and business continuity. It defines incident response planning, disaster recovery planning, and business continuity planning as the three main components of contingency planning. It provides learning objectives and outlines the major steps in contingency planning, including conducting a business impact analysis, developing an incident response plan, and creating disaster recovery and business continuity plans.
You have been hired as a consultant to design BCP for SanGrafix, a v.docx, by shantayjewison
You have been hired as a consultant to design BCP for SanGrafix, a video and PC game design company. SanGrafix's newest game has become a hot seller, and the company anticipates rapid growth. It's moving into a new facility and will be installing a new network. Because competition is fierce in the game industry, SanGrafix wants to be fully secured, documented, and maintained while providing high availability, scalability, and performance.
Based on your current technology and information security knowledge, for this project you will design a BCP based off of the company profile below:
A. Primary location in San Francisco, CA
B. Secondary location/hot site in Sunnyvale, CA
C. Capable of supporting 220 users in these departments: Accounting and Payroll, 16; Research and Development, 48; Sales and Marketing, 40; Order Processing, Shipping, and Receiving, 36; secretarial and office management staff, 20; upper management (including the president, vice president, and general manager), 10; Customer Relations and Support, 30; Technology Support, 20.
D. Full OC3 Internet connection
First step is to issue a clear policy statement on the Business Continuity Plan. At a minimum, this statement should contain the following instructions:
The organization should develop a comprehensive Business Continuity Plan.
A formal risk assessment should be undertaken in order to determine the requirements for the Business Continuity Plan.
The Business Continuity Plan should cover all essential and critical business activities.
The Business Continuity Plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed.
All staff must be made aware of the Business Continuity Plan and their own respective roles.
The Business Continuity Plan is to be kept up to date to take into account changing circumstances.
BELOW IS THE EXAMPLE
Policy Statement
1. Agencies are required to develop, implement, test and maintain a Business Continuity Plan (BCP) for all Information Technology Resources (ITR) that deliver or support core systems and services on behalf of the Commonwealth of Massachusetts. For purposes of this policy, the BCP is the overall plan that facilitates sustaining critical operations while recovering from a disruption. BCPs are required to include, at a minimum:
Standard Incident Response Procedures: An information system-focused set of procedures to be used when an event occurs that is not part of the standard operation of a service and may or does cause disruption to or a reduction in the quality of services and Customer productivity.
Disaster Recovery Plan (DRP): An information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure in the event of large scale disaster and/or other cataclysmic event.
Continuity of Operations Plans (COOP): An information system-focused pla.
NIST Special Publication 800-37 Revision 2 Ris.docx, by robert345678
NIST Special Publication 800-37
Revision 2
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
JOINT TASK FORCE
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
This publication contains comprehensive updates to the
Risk Management Framework. The updates include an
alignment with the constructs in the NIST Cybersecurity
Framework; the integration of privacy risk management
processes; an alignment with system life cycle security
engineering processes; and the incorporation of supply
chain risk management processes. Organizations can
use the frameworks and processes in a complementary
manner within the RMF to effectively manage security
and privacy risks to organizational operations and
assets, individuals, other organizations, and the Nation.
Revision 2 includes a set of organization-wide RMF tasks
that are designed to prepare information system owners
to conduct system-level risk management activities. The
intent is to increase the effectiveness, efficiency, and
cost-effectiveness of the RMF by establishing a closer
connection to the organization’s missions and business
functions and improving the communications among
senior leaders, managers, and operational personnel.
December 2018
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines,
including minimum requirements for federal information systems, but such standards and
guidelines shall .
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr..., by David Sweigert
Metrics to measure response and recovery methods for severe cyber security incidents (that could lead to “black out” events for Critical Infrastructure and Key Resources) need traceable integration within incident management systems and should be offered as a solution as part of the Executive Order 13636 Cybersecurity Framework.
White Paper Aaci Data Center Physical Security Mc Donald, by James McDonald
Data Center Best Practices for Integrated Physical Security Technology Solutions and SAS 70 and Homeland Security Presidential Directive 7 (HSPD-7) Compliance
For more classes visit
www.snaptutorial.com
This Tutorial contains 2 Answers for each Question
HCS 533 Week 1 Definition Worksheet
Definition of Terms
The health care environment is constantly changing; new systems arise every day with terminology of their own to reflect the changes. As a health care professional
NOTE This sample template is provided to address NIST SP 800-53 s.docx, by vannagoforth
NOTE: This sample template is provided to address NIST SP 800-53 security controls from the Contingency Planning family for a moderate impact information system. The template provided is a guide and may be customized and adapted as necessary to best fit the system or organizational requirements for contingency planning.
[System Name]
Security Categorization: Moderate
[Organization Name]
Information System Contingency Plan (ISCP)
Version [#]
[Date]
Prepared by
[Organization Name]
[Street Address]
[City, State, and Zip Code]
TABLE OF CONTENTS
Plan Approval (A.2-3)
1. Introduction (A.2-4)
1.1 Background (A.2-4)
1.2 Scope (A.2-4)
1.3 Assumptions (A.2-4)
2. Concept of Operations (A.2-5)
2.1 System Description (A.2-5)
2.2 Overview of Three Phases (A.2-5)
2.3 Roles and Responsibilities (A.2-6)
3. Activation and Notification (A.2-6)
3.1 Activation Criteria and Procedure (A.2-6)
3.2 Notification (A.2-7)
3.3 Outage Assessment (A.2-7)
4. Recovery (A.2-7)
4.1 Sequence of Recovery Activities (A.2-7)
4.2 Recovery Procedures (A.2-8)
4.3 Recovery Escalation Notices/Awareness (A.2-8)
5. Reconstitution (A.2-8)
5.1 Validation Data Testing (A.2-8)
5.2 Validation Functionality Testing (A.2-8)
5.3 Recovery Declaration (A.2-9)
5.4 Notification (users) (A.2-9)
5.5 Cleanup (A.2-9)
5.6 Offsite Data Storage (A.2-9)
5.7 Data Backup (A.2-9)
5.8 Event Documentation (A.2-9)
5.9 Deactivation (A.2-10)
APPENDICES
Plan Approval
Provide a statement in accordance with the agency’s contingency planning policy to affirm that the ISCP is complete and has been tested sufficiently. The statement should also affirm that the designated authority is responsible for continued maintenance and testing of the ISCP. This statement should be approved and signed by the system designated authority. Space should be provided for the designated authority to sign, along with any other applicable approving signatures. Sample language is provided below:
As the designated authority for {system name}, I hereby certify that the information system contingency plan (ISCP) is complete, and that the information contained in this ISCP provides an accurate representation of the application, its hardware, softw ...
Pushing the limits of ePRTC: 100ns holdover for 100 days, by Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Similar to 2-2b-contingency-planning-swanson-nist.pdf
This document discusses contractor responsibilities under the Federal Information Security Management Act (FISMA) of 2002. It provides an overview of FISMA and its provisions regarding contractor systems. It notes that while FISMA language applies to contractors, agencies have struggled to effectively oversee contractor compliance. It recommends that agencies improve oversight of contractor systems and inventory of contractor-run systems, and contractually impose compliance requirements.
This 3-page disaster recovery policy from an organization outlines their approach to minimizing business disruption from failures or disasters affecting information systems. It defines responsibilities for developing disaster recovery plans for critical systems, requires the classification of business processes and systems based on importance, and mandates regular testing and evaluation of disaster recovery plans. The policy scope includes all internal and third-party IT systems supporting the organization's business.
This document provides an overview of NIST Special Publication 800-37, which outlines the Risk Management Framework (RMF) for federal agencies. The RMF is a cyclical process for assessing and managing risk to systems and organizations on an ongoing basis. It includes seven steps: (1) prepare the organization; (2) categorize systems and data; (3) select controls; (4) implement controls; (5) assess controls; (6) authorize systems; and (7) monitor systems. The RMF takes a system lifecycle approach and requires coordination between information security and privacy programs to effectively manage risk.
Disaster recovery & business continuityDhani Ahmad
This document discusses contingency planning for disasters and business continuity. It defines incident response planning, disaster recovery planning, and business continuity planning as the three main components of contingency planning. It provides learning objectives and outlines the major steps in contingency planning, including conducting a business impact analysis, developing an incident response plan, and creating disaster recovery and business continuity plans.
You have been hired as a consultant to design BCP for SanGrafix, a v.docxshantayjewison
You have been hired as a consultant to design BCP for SanGrafix, a video and PC game design company. SanGrafix's newest game has become a hot seller, and the company anticipates rapid growth. It's moving into a new facility and will be installing a new network. Because competition is fierce in the game industry, SanGrafix wants to be fully secured, documented, and maintained while providing high availability, scalability, and performance.
Based on your current technology and information security knowledge, for this project you will design a BCP based off of the company profile below:
A. Primary location in San Francisco, CA
B. Secondary location/hot site in Sunnyvale, CA
C. Capable of supporting 220 users in these departments: Accounting and Payroll, 16; Research and Development, 48; Sales and Marketing, 40; Order Processing, Shipping, and Receiving, 36; secretarial and office management staff, 20; upper management (including the president, vice president, and general manager), 10; Customer Relations and Support, 30; Technology Support, 20.
D. Full OC3 Internet connection
First step is to issue a clear policy statement on the Business Continuity Plan. At a minimum, this statement should contain the following instructions:
The organization should develop a comprehensive Business Continuity Plan.
A formal risk assessment should be undertaken in order to determine the requirements for the Business Continuity Plan.
The Business Continuity Plan should cover all essential and critical business activities.
The Business Continuity Plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed.
All staff must be made aware of the Business Continuity Plan and their own respective roles.
The Business Continuity Plan is to be kept up to date to take into account changing circumstances.
BELOW IS THE EXAMPLE
Policy Statement
1. Agencies are required to develop, implement, test and maintain a Business Continuity Plan (BCP) for all Information Technology Resources (ITR) that deliver or support core systems and services on behalf of the Commonwealth of Massachusetts. For purposes of this policy, the BCP is the overall plan that facilitates sustaining critical operations while recovering from a disruption. BCP’s are required to include, at a minimum:
Standard Incident Response Procedures: An information system-focused set of procedures to be used when an event occurs that is not part of the standard operation of a service and may or does cause disruption to or a reduction in the quality of services and Customer productivity.
Disaster Recovery Plan (DRP): An information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure in the event of large scale disaster and/or other cataclysmic event.
Continuity of Operations Plans (COOP): An information system-focused pla.
NIST Special Publication 800-37 Revision 2 Ris.docxrobert345678
NIST Special Publication 800-37
Revision 2
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
JOINT TASK FORCE
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
This publication contains comprehensive updates to the
Risk Management Framework. The updates include an
alignment with the constructs in the NIST Cybersecurity
Framework; the integration of privacy risk management
processes; an alignment with system life cycle security
engineering processes; and the incorporation of supply
chain risk management processes. Organizations can
use the frameworks and processes in a complementary
manner within the RMF to effectively manage security
and privacy risks to organizational operations and
assets, individuals, other organizations, and the Nation.
Revision 2 includes a set of organization-wide RMF tasks
that are designed to prepare information system owners
to conduct system-level risk management activities. The
intent is to increase the effectiveness, efficiency, and
cost-effectiveness of the RMF by establishing a closer
connection to the organization’s missions and business
functions and improving the communications among
senior leaders, managers, and operational personnel.
https://doi.org/10.6028/NIST.SP.800-37r2
NIST Special Publication 800-37
Revision 2
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
JOINT TASK FORCE
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
December 2018
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
https://doi.org/10.6028/NIST.SP.800-37r2
NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
________________________________________________________________________________________________
PAGE i
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines,
including minimum requirements for federal information systems, but such standards and
guidelines shall .
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...David Sweigert
Metrics to measure response and recovery methods for severe cyber security incidents (that could lead to “black out” events for Critical Infrastructure and Key Resources) need traceable integration within incident management systems and should be offered as a solution as part of the Executive Order 13636 Cybersecurity Framework.
White Paper Aaci Data Center Physical Security Mc DonaldJames McDonald
Data Center Best Practices for Integrated Physical Security Technology Solutions and SAS 70 and Homeland Security Presidential Directive 7 (HSPD-7) Compliance
For more classes visit
www.snaptutorial.com
This Tutorial contains 2 Answers for each Question
HCS 533 Week 1 Definition Worksheet
Definition of Terms
The health care environment is constantly changing, new systems arise every day with terminology of
their own to reflect the changes. As a health care professional
NOTE This sample template is provided to address NIST SP 800-53 s.docxvannagoforth
NOTE: This sample template is provided to address NIST SP 800-53 security controls from the Contingency Planning family for a moderate impact information system. The template provided is a guide and may be customized and adapted as necessary to best fit the system or organizational requirements for contingency planning.
[System Name]
Security Categorization: Moderate
[Organization Name]
Information System Contingency Plan (ISCP)
Version [#]
[Date]
Prepared by
[Organization Name]
[Street Address]
[City, State, and Zip Code]
TABLE OF CONTENTS
Plan Approval…………………………………………………….………..….……….……A.2-3
1. Introduction ………………………………………………….……..……….…….……..A.2-4
1.1 Background………..………………………………………….………………..A.2-4
1.2 Scope……..………..…………………………..…….……….……….………..A.2-4
1.3 Assumptions..…….………………………..….……………….……….……...A.2-4
2. Concept of Operations ………………………….……..…………………………..…..A.2-5
2.1 System Description………………....……………………………………..…..A.2-5
2.2 Overview of Three Phases..………………………………………………….A.2-5
2.3 Roles and Responsibilities…….…......……………………………………....A.2-6
3. Activation and Notification………………....………………………..………….……..A.2-6
3.1 Activation Criteria and Procedure ...………………………..………………..A.2-6
3.2 Notification…………………...………………………………..………………..A.2-7
3.3 Outage Assessment…………....…......……………………..………………..A.2-7
4. Recovery……………………….……………....…………………………………………..A.2-7
4.1 Sequence of Recovery Activities ....……………………………..…………..A.2-7
4.2 Recovery Procedures ……...………………………………………..………..A.2-8
4.3 Recovery Escalation Notices/Awareness..…………………………..……...A.2-8
5. Reconstitution..……………….……………....………………….………………..……..A.2-8
5.1 Validation Data Testing………….…………………….………………….…..A.2-8
5.2 Validation Functionality Testing…......……………….………………….…...A.2-8
5.3 Recovery Declaration…………........………………….………………….…..A.2-9
5.4 Notification (users)…. ……...………………………….………………….…..A.2-9
5.5 Cleanup ...……………………...…......……………….………………….…....A.2-9
5.6 Offsite Data Storage……………. ....………………….………………….…..A.2-9
5.7 Data Backup………………...………………………….…………………..…..A.2-9
5.8 Event Documentation…………..…......……………….………………….…..A.2-9
5.9 Deactivation……………………..…......……………….………………….…..A.2-10
APPENDICES
Plan Approval
Provide a statement in accordance with the agency’s contingency planning policy to affirm that the ISCP is complete and has been tested sufficiently. The statement should also affirm that the designated authority is responsible for continued maintenance and testing of the ISCP. This statement should be approved and signed by the system designated authority. Space should be provided for the designated authority to sign, along with any other applicable approving signatures. Sample language is provided below:
As the designated authority for {system name}, I hereby certify that the information system contingency plan (ISCP) is complete, and that the information contained in this ISCP provides an accurate representation of the application, its hardware, softw ...
Similar to 2-2b-contingency-planning-swanson-nist.pdf (20)
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
1. NIST SP 800-34, Revision 1 – Contingency Planning Guide for Federal Information Systems
Marianne Swanson
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
2. Table of Contents
– Introduction to NIST SP 800-34
– Summary of Changes in NIST SP 800-34 Revision 1
– NIST Future Plans
– Questions
Filename/RPS Number
3. Introduction to NIST SP 800-34
The National Institute of Standards and Technology (NIST) is responsible for “developing standards and guidelines for providing adequate information security for all agency operations and assets”.
NIST has a series of Special Publications (SP) and Federal Information Processing Standards (FIPS) that provide federal agencies with standards and guidelines for most aspects of information systems security.
– NIST security publications can be found at: http://csrc.nist.gov/publications/index.html
NIST SP 800-34 – Contingency Planning Guide for Information Technology (IT) Systems was first published in June 2002, and provides instructions, recommendations, and considerations for government IT contingency planning.
Contingency planning refers to interim measures to recover IT services following an emergency or system disruption.
While designed for federal systems, NIST SP 800-34 has been used as the guideline for contingency planning throughout much of the private sector.
4. Need for the Revision to NIST SP 800-34
Aligns with the NIST SP 800-53 Rev. 3 contingency planning security controls (CP family).
– FIPS 199 impact levels
– Annual testing for FIPS 199 low impact systems
Incorporates contingency planning into the six phases of the Risk Management Framework.
5. Overall Changes to NIST SP 800-34
Revision 1 covers three common types of platforms, making the scope more inclusive (client/server systems, telecommunications systems, and mainframes).
There is a bigger focus on the Information System Contingency Plan (ISCP) as it relates to the differing FIPS 199 impact levels.
The General Support Systems (GSS) and Major Applications (MA) categories have been removed.
Introduces the concept of resiliency and shows how the ISCP fits into an organization’s resiliency effort.
Works to more clearly define the different types of plans included in resiliency, continuity and contingency planning.
Throughout the guide, call-out boxes clarify the specific differences and relationships between COOP and ISCP.
6. Resiliency is a concept that is gaining widespread acceptance in the continuity and contingency planning
The Department of Homeland Security (DHS) defines resiliency as the “ability to resist, absorb, recover from or successfully adapt to adversity or a change in conditions”.
Resiliency is not a process, but rather an end-state for organizations.
Resilient organizations continually work to adapt to changes and risks that can affect their ability to continue critical functions.
An effective resiliency program includes risk management, contingency and continuity planning, and other security and emergency management activities.
The Goal of a Resilient Organization: Continue Mission Essential Functions at All Times During Any Type of Disruption
7. NIST SP 800-34 Revision 1 provides more clarity to the role and function of various contingency and continuity plans
Business Continuity Plan (BCP)
– Purpose: Provides procedures for sustaining business operations while recovering from a significant disruption.
– Scope: Addresses business processes at a lower or expanded level from COOP mission essential functions.
– Plan Relationship: Mission/business process focused plan that may be activated in coordination with a COOP plan to sustain non-mission essential functions.
Continuity of Operations (COOP) Plan
– Purpose: Provides procedures and guidance to sustain an organization’s mission essential functions at an alternate site for up to 30 days; mandated by federal directives.
– Scope: Addresses the mission essential functions; facility-based plan; information systems are addressed based only on their support to the mission essential functions.
– Plan Relationship: Mission essential function focused plan that may also activate several business unit-level BCPs, ISCPs, or DRPs, as appropriate.
Crisis Communications Plan
– Purpose: Provides procedures for disseminating internal and external communications; means to provide critical status information and control rumors.
– Scope: Addresses communications with personnel and the public; not information system focused.
– Plan Relationship: Incident-based plan often activated with a COOP or BCP, but may be used alone during a public exposure event.
Critical Infrastructure Protection (CIP) Plan
– Purpose: Provides policies and procedures for protection of national critical infrastructure components, as defined in the National Infrastructure Protection Plan.
– Scope: Addresses critical infrastructure components that are supported or operated by an agency or organization.
– Plan Relationship: Risk management plan that supports COOP plans for organizations with CI/KR assets.
8. NIST SP 800-34 Revision 1 provides more clarity to the role and function of various contingency and continuity plans (continued)
Cyber Incident Response Plan
– Purpose: Provides procedures for mitigating and correcting a system cyber attack, such as a virus, worm, or Trojan horse.
– Scope: Addresses mitigation and isolation of affected systems, cleanup, and minimizing loss of information.
– Plan Relationship: Information system focused plan that may activate an ISCP or DRP, depending on the extent of the attack.
Disaster Recovery Plan (DRP)
– Purpose: Provides procedures for relocating information systems operations to an alternate location.
– Scope: Activated after major system disruptions with long-term effects.
– Plan Relationship: Information system focused plan that activates one or more ISCPs for recovery of individual systems.
Information System Contingency Plan (ISCP)
– Purpose: Provides procedures and capabilities for recovering an information system.
– Scope: Location-independent plan that focuses on the procedures needed to recover a system at the current or an alternate location.
– Plan Relationship: Information system focused plan that may be activated independent from other plans or as part of a larger recovery effort coordinated with a DRP, COOP, and/or BCP.
Occupant Emergency Plan (OEP)
– Purpose: Provides coordinated procedures for minimizing loss of life or injury and protecting property from damage in response to a physical threat.
– Scope: Focuses on personnel and property particular to the specific facility; not business process or information system-based.
– Plan Relationship: Incident-based plan that is initiated immediately after an event, preceding a COOP or DRP activation.
9. A new graphic has been developed to better convey the relationships of the different types of plans to the organization
10. The Business Impact Analysis (BIA) was revised to more closely tie to Federal standards and guidelines
The process for the BIA has been revised to closely tie to FIPS 199 impact levels and NIST SP 800-53 Rev. 3 Contingency Planning (CP) controls.
– The BIA process now takes into consideration that impact levels are determined as part of the security categorization process.
– Federal Information Processing Standard (FIPS) 199 - http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
The term Maximum Tolerable Downtime (MTD) is defined and discussed in relation to Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
The BIA discussion addresses the differences between BIAs required for systems and those required by Federal Continuity Directives (FCD) 1 and 2 for Continuity of Operations (COOP) Mission Essential Functions (MEF).
11. NIST SP 800-53 – Recommended Security Controls for Federal Information Systems and Organizations defines 9 CP controls
Security control baselines by FIPS 199 impact level:

Control No.  Control Name                                    Low           Moderate                  High
CP-1         Contingency Planning Policy and Procedures      CP-1          CP-1                      CP-1
CP-2         Contingency Plan                                CP-2          CP-2 (1)                  CP-2 (1) (2) (3)
CP-3         Contingency Training                            CP-3          CP-3                      CP-3 (1)
CP-4         Contingency Plan Testing and Exercise           CP-4          CP-4 (1)                  CP-4 (1) (2) (4)
CP-5         Contingency Plan Update (Withdrawn)             ------        ------                    ------
CP-6         Alternate Storage Site                          Not Selected  CP-6 (1) (3)              CP-6 (1) (2) (3)
CP-7         Alternate Processing Site                       Not Selected  CP-7 (1) (2) (3) (5)      CP-7 (1) (2) (3) (4) (5)
CP-8         Telecommunications Services                     Not Selected  CP-8 (1) (2)              CP-8 (1) (2) (3) (4)
CP-9         Information System Backup                       CP-9          CP-9 (1)                  CP-9 (1) (2) (3)
CP-10        Information System Recovery and Reconstitution  CP-10         CP-10 (2) (3)             CP-10 (2) (3) (4)
12. 11
The Testing, Training and Exercises section is also more closely linked
to other federal standards and guidelines
Testing, training and exercises (TTE) are now defined more clearly.
References are included for NIST SP 800-84 – Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities -
http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf
TTE is also linked to FIPS 199 impact levels.
– For low-impact systems, a yearly tabletop exercise is sufficient
– For moderate-impact systems, a yearly functional exercise should be conducted
– For high-impact systems, a yearly full-scale functional exercise should be conducted.
Sample activities are presented to assist in development of effective TTE
programs for systems.
13. 12
TTE programs and exercise types are defined to address the
requirements of NIST SP 800-53 Rev. 3 security control CP-4
NIST SP 800-53 Rev. 3 Contingency Planning (CP)-4 defines requirements for
contingency plan test and exercise.
A Tabletop Exercise is a “Discussion-based simulation of an emergency situation
in an informal, stress-free environment; designed to elicit constructive scenario-based
discussions for an examination of the existing ISCP and individual state of
preparedness.”
A Functional Exercise is a “Simulation of a disruption with a system recovery
component such as backup tape restoration or server recovery.”
A Full-Scale Functional Exercise is a “Simulation prompting a full recovery and
reconstitution of the information system to a known state and ensures that staff are
familiar with the alternate facility.”
14. 13
The flow of steps performed during a contingency event has been
revised in the ISCP development
The flow now places activation before notification, on the assumption that an
ISCP is not activated for routine downtime but only for major disruptions.
– The original SP 800-34 had notification followed by activation. This sometimes created confusion on how
to follow a plan’s notification procedures without activating the plan itself.
An organization should activate the ISCP first so that it can then follow the plan’s
procedures for notifying the assessment and recovery teams.
– The first step after activating an ISCP is to notify the key stakeholders and to start assessing the
disruption.
An escalation and notification step has been added to convey the need to continually
provide status updates and to escalate problems as necessary for resolution.
– Procedures have been added to keep upper management informed of the progress of recovery efforts
and to escalate the recovery as needed to more specialized or trained personnel.
15. 14
While the number of primary ISCP sections has been reduced, several
sub-sections have been added to Reconstitution and Deactivation
Reconstitution and Deactivation are now a single primary section.
Reconstitution has been reworked to include data validation and functionality
testing, a declaration of the end of recovery efforts, and more details regarding
deactivation.
– Declaration of the end of recovery efforts is a key addition to the process. This step defines the return of
the system to operational status, and stops the recovery effort clock, to determine if the RTO and RPO
objectives have been met during the incident.
– More work is required to have the organization ready for the next event.
Deactivation now includes: Notification of the end of recovery and return to
operations, cleanup of recovery documentation, returning backup data to offsite
storage, performing a baseline data backup, and documenting the event, lessons
learned, and updating the ISCP.
– Deactivation of the ISCP after a contingency event and plan activation may take several days, weeks, or
months to complete. The intent is to provide defined processes for an organization to ready itself and
improve the ISCP.
16. 15
The Technical Considerations section has been updated to better
reflect current trends and standards in common platforms
Technical Considerations (Section 5) have been simplified to emphasize contingency
planning options for different types of platforms rather than for individual technologies,
with less emphasis on explaining the different types.
– Section 5 now focuses on three common platform types: client/server systems, telecommunications systems,
and mainframes.
– The old categories (desktop computers, servers, web sites, local area networks, wide area
networks and distributed systems) have been consolidated into the three defined platform types.
Older technologies and terminologies (Zip drives, 3.5” floppies, etc.) have been
removed and more generic technologies incorporated to reduce obsolescence.
Cloud computing is not included, as the technology is still emerging and not yet
stabilized.
Contingency Considerations and Contingency Solutions for each type of system are
still included in the Technical Considerations.
17. 16
Appendices to NIST SP 800-34 have been expanded and include
more ISCP templates
There are now three templates, one each for the low, moderate and high FIPS 199 impact
levels. The templates also provide more instruction and explanation for filling out the
separate sections.
The templates also include ISCP appendices appropriate to the system’s impact
level that can provide complementary information to assist in recovery efforts.
The sections in the templates have been rearranged to keep the main body of the
ISCP focused on the steps required for recovery, with supplemental and supporting
information put into ISCP Appendices.
Templates now include suggested ISCP appendices.
18. 17
The appendices have been sorted to provide the more critical
information needed up front, and background and supplemental
information toward the back
The Appendices are suggestions, and a planner may use none, some or all of them.
Suggested Appendices
Appendix A – Personnel Contact List
Appendix B – Vendor Contact List
Appendix C – Detailed Recovery Procedures
Appendix D – Alternate Processing Procedures
Appendix E – System Validation Test Plan
Appendix F – Alternate Storage, Site and Telecommunications*
Appendix G – Diagrams (System and Input/Output)
Appendix H – System Inventory
Appendix I – Interconnections Table
Appendix J – Test and Maintenance Schedule
Appendix K – Associated Plans and Procedures
Appendix L – Business Impact Analysis
Appendix M – Document Change Page
* Note that Appendix F is only required for Moderate and High impact systems, and is not included in the Low impact template.
19. 18
Appendices within NIST SP 800-34 have been expanded and
changed in Revision 1
An updated Business Impact Analysis template is provided in Appendix B.
Appendix C is the Frequently Asked Questions section.
Personnel Considerations in Continuity Planning (Appendix D) now includes the use
of social networking as part of communications with personnel.
– Since social networking is an evolving concept, guidance is geared more towards why to
use it and what to be aware of rather than what tools to use.
Appendix E has been added to provide the contingency planning (CP) controls from
NIST SP 800-53, Rev. 3.
20. 19
The System Development Lifecycle (SDLC) has been moved from
the main body of the guide to Appendix F
SDLC steps are tied to SP 800-53 CP controls and FIPS 199 impact levels to clarify when to
get contingency planning included in an SDLC effort.
Very little in the SDLC has changed, other than tying CP controls into the process. This
revision better integrates the three major areas of consideration (contingency planning, SDLC
and controls).
21. 20
Conclusions
NIST SP 800-34 Rev. 1 is the first major update to a contingency planning guideline that is
used by all federal agencies, as well as by many state and local agencies.
The guide is also commonly used for contingency plan development in the private sector,
and is the most downloaded publication in the NIST library.
Revision 1 focuses more on systems recovery, and incorporates guidance and requirements
from NIST SP 800-53, FIPS 199, and FCD-1 and 2.
The flow for recovery has been redefined and expanded to provide guidance in all aspects of
recovery after a disaster or contingency event.
New templates have been provided, with more instruction and detail for the contingency
planner to better develop effective ISCPs.
22. 21
Future NIST Activities
NIST SP 800-39, Enterprise-wide Risk Management: Organization, Mission, and Information
Systems View
– Public Draft: June 2010
NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
– Public Draft: July 2010
NIST SP 800-53A Rev. 3, Guide for Assessing the Security Controls in Federal Information
Systems and Organizations
– Public Draft: June 2010
NIST SP 800-18 Rev.2, Guide for Developing Security Plans for Federal Information Systems
and Organizations
– Public Draft: October 2010
Questions?
23. 22
For more information,
Marianne Swanson – Senior Advisor for Information System Security, National Institute of
Standards and Technology
– Address: 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930
– Work Phone: (301) 975-3293
– Email: marianne.swanson@nist.gov