The activation and notification phase focuses on initial actions taken once a system disruption or outage has been detected or appears to be imminent. This phase includes activities to notify recovery personnel, conduct an outage assessment, and activate the plan.
Recovery Phase. The recovery phase focuses on implementing recovery strategies to restore system capabilities, repair damage, and resume operational capabilities at the original or new alternate location.
Reconstitution Phase. The reconstitution phase is the third and final phase of ITCP implementation and defines the actions taken to test and validate system capability and functionality. This phase includes data validation testing, functional validation testing, recovery declaration, user notification, cleanup, returning backup media, backing up restored systems, and
Business continuity and disaster recovery are not the same but complement each other. Planning on BCP and DRP is necessary for all businesses. This slide contains information on how to achieve and maintain them.
General Data Protection Regulations (GDPR): Do you understand it and are you ...Cvent
Whether you’re an event or hospitality professional in a small, medium or large organization, the General Data Protection Regulation (GDPR) is going to affect you. Get prepared with Cvent and Debrah Harding of Market Research Society before the 25th May deadline. GDPR is a new EU regulation, designed for the digital age. GDPR will strengthen an individual's rights and increase business accountability for data privacy and holding personal information. Organizations found breaching the regulations can face fines of up to 20 million Euros or up to 4% of annual global turnover. At Cvent we are already on track to becoming GDPR compliant and we want to advise our industry partners on how to become compliant too.
Hazard is typically defined as a potential source of harm, or an adverse health effect on a person or persons. This simply means that anything that has the potential to cause damage or harm can be considered a hazard.
Data Protection Officer Dashboard | GDPRCorporater
Data Protection Officers (DPOs) have a very critical role to play in today's organizations, especially with the implementation of GDPR. Data Protection Officer dashboards are an essential aid to DPOs to stay on top of GDPR compliance activities, and to implement and monitor GDPR projects.
The presentation gives insight into the essentials of a DPO dashboard.
This Presentation explains what GDPR is and the impact it'll have for Companies who process data of EU Citizens.
This Guide explains the principles of GDPR, Consent, User Rights and also explains how to implement GDPR in your organization.
Originally appeared at
http://backlinkme.net/definitive-guide-for-general-data-protection-regulation-gdpr-compliance/
Practical guide for performing a Data Privacy Impact Assessment (DPIA). Great hints to support you in GDPR and mapping how data flows through your organisation and external vendors;
Please reach out if you need PPT/Notes
Vision, collaboration, credibility, communication, action orientation, feedback and recognition, accountability.
All these factors work in parallel when all we talk is safety, safety management systems and exemplary safety culture.
Here's a slideshare to testify the same.
After all, it starts with a personal commitment to workers first, not last!
#management #communication #safety #culture #collaboration
This is a business plan for the successful operation of a security business, identifying sources of revenue, the intended customer base, products, and details of financing.
Site Induction Training for UK Security 2007 - 2012
All employees have this training prior to starting an assignment or as soon as they start work at a project... Along with security we want safety to be a top priority
...
The Federal Risk Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSP). Testing security controls is an integral part of the FedRAMP security authorization requirements and enables Federal Agencies to use the findings that result from the tests to make risk-based decisions. Providing a plan for security control ensures that the process runs smoothly. This document, released originally in Template format, has been designed for CSP Third-Party Independent Assessors (3PAOs) to use for planning security testing of CSPs. Once filled out, this document constitutes a plan for testing. Actual findings from the tests are to be recorded in FedRAMP security test procedure workbooks and a Security Assessment Report (SAR).
This benchmark is the result of the collaboration between Burstorm and Rice University and uses a high degree of automation. The scope of the first benchmark is seven suppliers across three continents with a total of 96 different instance types. The benchmark was executed every day, for at least 15 days. The results are normalized to a monthly pricing model to establish the price-performance metrics.
Cloud Computing is an information technology gold rush. Everything from social media and smart phones to streaming video and additive games come from the cloud. This revolution has also driven many to wonder how they can retool themselves to take advantage of this massive shift. Many in IT see the technology as an opportunity to accelerate their careers but in their attempt to navigate their cloud computing future, the question of what type of training, vendor-neutral or vendor-specific, is right for them
The Federal government today is in the midst of a revolution. The revolution is challenging the norms of government by introducing new ways of serving the people. New models for creating services and delivering information; new policies and procedures that are redefining federal acquisition and what it means to be a federal system integrator. This revolution also lacks the physical and tangible artifacts of the past. Its ephemeral nature, global expanse and economic impact all combine in a tidal wave of change. This revolution is called cloud computing.
Since announcing its “Cloud First” policy in 2010, the Federal government has correctly identified cloud computing as a way to reduce costs and improve the use of existing assets, and has accordingly prioritized its adoption. It has also taken judicious steps to protect Federal networks from nefarious cyber-attacks and promote the dissemination of best practices for cybersecurity. The Federal government has also embraced mobility as a means to conduct work from any location. But until now, the implementation of these initiatives has been fragmented and lacked coordination across Federal agencies. This paper offers a framework for integrating these programs in a way that enables the Federal government to realize the economic, technological, and mission-effectiveness benefits of cloud services while simultaneously meeting current Federal cybersecurity requirements. It advocates shifting from a compliance-based cybersecurity paradigm to one that is risk-based and focuses on how to most effectively secure their implementation of cloud services.
GovCloud Network, LLC helps its clients develop and execute mission and business strategies to leverage the parallel and global nature of cloud-based services. We employ our technology, strategy, digital publishing and social media expertise across three lines of business: Business Strategy & Design, Digital Publishing & Social Media, and Education.
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAGovCloud Network
When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher PageGovCloud Network
Assured C2 sets conditions for Navy commanders to maintain the IT-enabled ability to exercise C2 authorities across the sea, land, air, space, and cyberspace domains in heavily contested or denied operating conditions.
Navy must continue to clearly define and manage capability-based Assured C2 requirements and resources, and align those requirements and resources with JIE/IC ITE through the IDEA
The primary beneficiaries of the effort to deliver Assured C2 capabilities are the requirements stakeholders: USFF, USPACFLT, and USFLTCYBERCOM subordinate commanders who execute Navy’s warfighting mission in all domains.
Agile Cloud Conference 2 Introduction - John BrennanGovCloud Network
Develop an open and inclusive cloud service brokerage environment that provides the Government the capability for rapid acquisition of proven innovative technologies on a fee-for-service basis
To the maximum extent possible, leverage what already exists versus custom development, to include incorporation of industry standards and a consistent implementation environment
DoD Business Capability Lifecycle (BCL) Guide (Draft)GovCloud Network
BCL is tailored for the rapid delivery of enterprise business capability. It combines multiple, disjointed oversight processes into a single process. It recognizes that technology rapidly evolves and changes, and consequently, BCL mandates rapid capability delivery – within eighteen months or less of program initiation. BCL is outcome-based, and modeled on best commercial practices. The process allows for the fact that not all solutions are purely technical. The entire DOTMLPF (Doctrine, Organization, Training, Materiel, Leadership and education, Personnel and Facilities) spectrum of potential solutions is considered.
Intrusion Detection on Public IaaS - Kevin L. JacksonGovCloud Network
Cloud computing is driving the business of information technology today.
“A recent Gartner survey on the future of IT services found that only 38 percent of all organizations surveyed indicate cloud services use today. However, 80 percent of organizations said that they intend to use cloud services in some form within 12 months, including 55 percent of the organizations not doing so today.” (Gartner, Inc, 2013)
As companies rush to adopt cloud, however, information technology (IT) security sometimes seems to be an afterthought.
The goal of this paper is to provide a survey of the current state of IT security within public cloud infrastructure-as-a-service providers. After first providing a cloud computing overview, the paper will focus on the infrastructure-as-a-service (IaaS) deployment model, the typical home of IaaS intrusion detection components. The Gartner Cloud Use Case Framework will then be introduced, as it will also serve as the framework for this survey. An in-depth review of public cloud intrusion detection studies, options and expert observations will then follow. The paper will then offer the author's conclusions and cloud computing IDS recommendations for enterprises considering a move to the cloud.
A Framework for Cloud Computing Adoption in South African GovernmentGovCloud Network
Technology adoption is always a critical concern in organizations (private and public). The South African government experienced this when it adopted Open Source Software (OSS) with the objective, among others, of reducing ICT services costs. The implementation of OSS in SA government has faced several challenges such as user resistance, human factors, support and funding. As a result of these challenges, cost reduction has not been fully achieved. The cost reduction issue ultimately affects the implementation of other government programmes such as those that yield job creation, better education, improved health, etc. The potential alternative to address the same objective as aimed at by OSS is Cloud Computing adoption. Cloud Computing promises to offer the SA government more advantages than OSS. This study explores the feasibility of Cloud Computing adoption as an alternative to enable cost reduction, effectiveness and efficiency of IT services in SA government, as was aimed at by the OSS initiative.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Information Technology Contingency Plan (Template)
1. IT Contingency Plan
<Information System Name>, <Date>
Information Technology Contingency Plan
(Template)
<Vendor>
<Information System Name>
Version 1.0
May 2, 2012
Proprietary and Confidential
For Authorized Use Only
Information Technology Contingency Plan
Prepared by
Identification of Organization that Prepared this Document
Organization Name
Street Address
Suite/Room/Building
City, State Zip
<insert logo>
Prepared for
Identification of Cloud Service Provider
Organization Name
Street Address
Suite/Room/Building
City, State Zip
<insert logo>
Executive Summary
Company Sensitive and Proprietary Page 2
This document supports Information Technology (IT) Contingency Plan requirements for the Federal Risk and Authorization Management Program (FedRAMP) and contains the IT Contingency Plan for the <Information System Name>. An IT Contingency Plan denotes interim measures to recover IT services following an unprecedented emergency or system disruption. Interim measures include the relocation of IT systems and services to an alternate site or the recovery of IT functions using alternate equipment at the primary site.
Document Revision History
Date Version Description Author
5/2/2012 1.0 Document Published FedRAMP Office
Table of Contents
About this document .....................................................................................................................................................9
Who should use this document? .....................................................................................................................9
How this document is organized .....................................................................................................................9
Conventions used in this document ................................................................................................................9
How to contact us..........................................................................................................................................10
Contingency Plan Approvals ........................................................................................................................................11
1. Introduction and purpose ...............................................................................................................................12
1.1 Applicable Laws and Regulations.......................................................................................................12
1.2 Applicable Standards and Guidance ..................................................................................................12
1.3 Information System Name and Identifier ..........................................................................................13
1.4 Scope .................................................................................................................................................13
1.5 Assumptions ......................................................................................................................................14
2. Concept of Operations....................................................................................................................................14
2.1 System Description 14
2.2 Three Phases 14
2.3 Data Backup Readiness Information 15
2.4 Site Readiness Information 17
2.5 Roles and Responsibilities 18
2.3.1 Contingency Planning Director (CPD) 18
2.3.2 Contingency Planning Coordinator (CPC) 18
2.3.3 Outage and Damage Assessment Lead (ODAL) 19
2.3.4 Hardware Recovery Team 19
2.3.5 Software Recovery Team 19
2.3.6 Telecommunications Team 20
2.3.7 Procurement and Logistics Coordinator (PLC) 20
2.3.8 Security Coordinator 20
2.3.9 Plan Distribution and Availability 21
2.3.10 Line of Succession/Alternates Roles 21
3. Activation and Notification 21
3.1 Activation Criteria and Procedure 22
3.2 Notification Instructions 22
3.3 Outage Assessment 22
4. Recovery 23
4.1 Sequence of Recovery Operations 23
Company Sensitive and Proprietary Page 5
6. IT Contingency Plan
<Information System Name>, <Date>
4.2 Recovery Procedures 23
4.3 Recovery Escalation Notices/Awareness 23
5. Reconstitution 24
5.1 Data Validation Testing 24
5.2 Functional Validation Testing 24
5.3 Recovery Declaration 24
5.4 User Notification 24
5.5 Cleanup 25
5.6 Returning Backup Media 25
5.7 Backing Up Restored Systems 25
5.8 Event Documentation 25
6. Contingency Plan Testing 26
APPENDIX A KEY PERSONNEL AND TEAM MEMBERS CONTACT LIST 27
APPENDIX B VENDOR CONTACT LIST 28
APPENDIX C.1 ALTERNATE STORAGE SITE INFORMATION 29
APPENDIX C.2 ALTERNATE PROCESSING SITE INFORMATION 30
APPENDIX C.3 ALTERNATE TELECOMMUNICATIONS PROVISIONS 31
APPENDIX D ALTERNATE PROCESSING PROCEDURES 32
APPENDIX E SYSTEM VALIDATION TEST PLAN 33
APPENDIX F CONTINGENCY PLAN TEST REPORT 34
APPENDIX G DIAGRAMS 35
APPENDIX H HARDWARE AND SOFTWARE INVENTORY 36
APPENDIX I SYSTEM INTERCONNECTIONS 37
APPENDIX J TEST AND MAINTENANCE SCHEDULE 38
APPENDIX K ASSOCIATED PLANS AND PROCEDURES 39
APPENDIX L BUSINESS IMPACT ANALYSIS 40
List of Tables
Table 3-1. Information System Name and Title 13
Table 2-1. Backup Types 15
Table 2-3. Backup System Components 16
Table 2-4. Alternate Site Types 17
Table 2-5. Primary and Alternate Site Locations 17
Table 6-1. Personnel Authorized to Activate the ITCP 22
Table 5-2. Cleanup Roles and Responsibilities 25
Table 5-3. Event Documentation Responsibility 26
ABOUT THIS DOCUMENT
This document has been developed to provide guidance on how to participate in and understand
the FedRAMP program.
Who should use this document?
This document is intended to be used by Cloud Service Providers (CSPs), Third Party Assessor
Organizations (3PAOs), government contractors working on FedRAMP projects, government
employees working on FedRAMP projects, and any outside organizations that want to make use
of the FedRAMP Contingency Planning process.
How this document is organized
This document is divided into ten sections. Most sections include subsections.
Section 1 is the introduction, which orients the reader to the type and location of
information contained in the plan.
Section 2 describes the concept of operations and provides additional details about the information
system, the three phases of the contingency plan (Activation and Notification, Recovery, and
Reconstitution), and a description of the information system contingency plan roles and
responsibilities.
Section 3 describes the Activation and Notification Phase and defines the initial actions taken once a
system disruption or outage has been detected or appears to be imminent. This phase includes
activities to notify recovery personnel, conduct an outage assessment, and activate the plan.
Section 4 describes the Recovery Phase activities and focuses on implementing recovery
strategies to restore system capabilities, repair damage, and resume operational capabilities at the
original or new alternate location.
Section 5 describes the Reconstitution Phase, which is the third and final phase of ITCP
implementation and defines the actions taken to test and validate system capability and
functionality.
Section 6 describes the ITCP Test Plan.
Conventions used in this document
This document uses the following typographical conventions:
Italic
Italics are used for email addresses, security control assignments parameters, and formal
document names.
Italic blue in a box
Italic blue text in a blue box indicates instructions to the individual filling out the template.
Instruction: This is an instruction to the individual filling out the template.
Bold
Bold text indicates a parameter or an additional requirement.
Constant width
Constant width text is used for text that is representative of characters that would show up on a
computer screen.
<Brackets>
Bold blue text in brackets indicates text that should be replaced with user-defined values. Once
the text has been replaced, the brackets should be removed.
Notes
Notes are found between parallel lines and include additional information that may be helpful
to the users of this template.
Note: This is a note.
Sans Serif
Sans Serif text is used for tables, table captions, figure captions, and table of contents.
How to contact us
If you have questions about FedRAMP or something in this document, please write to:
info@fedramp.gov
For more information about the FedRAMP project, please see the website at:
http://www.fedramp.gov.
CONTINGENCY PLAN APPROVALS
x ________________________________ <Date>
<Name>
<Title>, System Owner
<Cloud Service Provider>

x ________________________________ <Date>
<Name>
<Title>, System Owner
<Cloud Service Provider>

x ________________________________ <Date>
<Name>
<Title>, System Owner
<Cloud Service Provider>

x ________________________________ <Date>
<Name>
FedRAMP Authorizing Official
1. INTRODUCTION AND PURPOSE
Information systems are vital to <Cloud Service Provider> mission/business functions;
therefore, it is critical that the services provided by <Information System Name> are able to
operate effectively without excessive interruption. This Information Technology Contingency
Plan (ITCP) establishes comprehensive procedures to recover <Information System Name>
quickly and effectively following a service disruption.
One of the goals of an IT Contingency Plan is to establish procedures and mechanisms that
obviate the need to perform IT functions using manual methods. If manual methods are the only
alternative, however, every effort should be made to continue IT functions and processes
manually.
The nature of unprecedented disruptions can create confusion and often predisposes an
otherwise competent IT staff towards less efficient practices. In order to maintain a normal level
of efficiency, it is important to reduce real-time process engineering by documenting
notification and activation guidelines and procedures, recovery guidelines and procedures, and
reconstitution guidelines and procedures before a disruption occurs. During the
notification/activation phase, appropriate personnel are apprised of current conditions and
damage assessment begins. During the recovery phase, appropriate personnel take a course of
action to recover the <Information System Name> components at a site other than the one that
experienced the disruption. In the final, reconstitution phase, actions are taken to restore IT
system processing capabilities to normal operations.
1.1 Applicable Laws and Regulations
The following laws and regulations are applicable to contingency planning:
Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]
Management of Federal Information Resources [OMB Circular A-130]
Records Management by Federal Agencies [44 USC 31]
1.2 Applicable Standards and Guidance
The following standards and guidance are useful for understanding contingency planning:
Computer Security Incident Handling Guide [NIST SP 800-61, Revision 1]
Contingency Planning Guide for Federal Information Systems [NIST SP 800-34,
Revision 1]
Guide for Developing the Risk Management Framework to Federal Information Systems:
A Security Life Cycle Approach [NIST SP 800-37, Revision 1]
Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities [NIST SP
800-84]
Information Security Continuous Monitoring for Federal Information Systems and
Organizations [NIST SP 800-137]
Recommended Security Controls for Federal Information Systems [NIST SP 800-53,
Revision 3]
Risk Management Guide for Information Technology Systems [NIST SP 800-30]
Technical Guide to Information Security Testing and Assessment [NIST SP 800-115]
1.3 Information System Name and Identifier
This ITCP applies to the <Information System Name> which has a unique identifier as noted in
Table 3-1.
Table 3-1. Information System Name and Title
Unique Identifier | Information System Name | Information System Abbreviation
1.4 Scope
This ITCP has been developed for <Information System Name>, which is classified as a
moderate-impact system in accordance with Federal Information Processing Standards (FIPS)
199. FIPS 199 provides guidelines on determining the potential impact to organizational operations,
assets, and individuals by examining three security objectives: confidentiality, integrity, and
availability. The procedures in this ITCP have been developed for a moderate-impact system and
are designed to recover the <Information System Name> within
<Recovery Time Objective (RTO) hours>. The replacement or purchase of new equipment,
short-term disruptions lasting less than <RTO hours>, and loss of data at the primary facility or at
the user-desktop level are outside the scope of this plan.
Note: Recovery Time Objective (RTO) defines the maximum amount of time
that a system resource can remain unavailable before there is an unacceptable
impact on other system resources and supported mission/business processes.
Instruction: Edit the below list to name other plans and circumstances that are related but
are outside the scope of this ITCP.
This ITCP does not apply to the following situations:
Overall recovery and continuity of mission/business operations. The Business
Continuity Plan (BCP) and Continuity of Operations Plan (COOP) address continuity of business
operations.
Emergency evacuation of personnel. The Occupant Emergency Plan (OEP) addresses
employee evacuation.
1.5 Assumptions
Instruction: Default assumptions are listed in the section that follows. The
assumptions should be edited, revised, and added to so that they accurately characterize the
information system described in this plan.
The following assumptions have been made about the <Information System Name>:
The Uninterruptable Power Supply (UPS) will keep the system up and running for <total
number of seconds/minutes>
The generators will kick in <total number of seconds/minutes> after a power failure
Current backups of the application software and data are intact and available at the offsite
storage facility in <City, State>
The backup storage capability is approved and has been accepted by the JAB
The <Information System Name> is inoperable if it cannot be recovered within <RTO
hours>
Key personnel have been identified and are trained annually in their roles
Key personnel are available to activate the ITCP
<Cloud Service Provider> defines circumstances that can inhibit recovery and
reconstitution to a known state
2. CONCEPT OF OPERATIONS
This section provides details about the <Information System Name>, an overview of the three
phases of the ITCP (Activation and Notification, Recovery, and Reconstitution), and a
description of the roles and responsibilities of key personnel during contingency operations.
2.1 System Description
Instruction: Provide a general description of the system architecture and components.
Include a network diagram that indicates interconnections with other systems. Ensure that
this section is consistent with information found in the System Security Plan. Provide a
network diagram and any other diagrams in Appendix G.
2.2 Three Phases
This plan has been developed to recover and reconstitute the <Information System
Name> using a three-phased approach. The approach ensures that system recovery and
reconstitution efforts are performed in a methodical sequence to maximize the effectiveness of
the recovery and reconstitution efforts and minimize system outage time due to errors and
omissions. The three system recovery phases consist of activation and notification, recovery, and
reconstitution.
Activation and Notification Phase. Activation of the ITCP occurs after a disruption, outage, or
disaster that may reasonably be expected to extend beyond the RTO established for the system. The
outage event may result in severe damage to the facility that houses the system, severe damage to or
loss of equipment, or other damage that typically results in a long-term loss of service.
Once the ITCP is activated, the information system stakeholders are notified of a possible long-
term outage, and a thorough outage assessment is performed for the information system.
Information from the outage assessment is analyzed and may be used to modify the recovery
procedures for the specific cause of the outage.
Recovery Phase. The Recovery phase details the activities and procedures for recovery of the
affected system. Activities and procedures are written at a level such that an appropriately skilled
technician can recover the system without intimate system knowledge. This phase includes
notification and awareness escalation procedures for communicating recovery status to system
stakeholders.
Reconstitution Phase. The Reconstitution phase defines the actions taken to test and validate system
capability and functionality at the original or new permanent location. This phase consists of two
major activities: validating data and operational functionality, followed by deactivation of the
plan.
During validation, the system is tested and validated as operational before operation is returned to
its normal state. Validation procedures include functionality or regression testing, concurrent
processing, and/or data validation. The system is declared recovered and operational by the CPD
upon successful completion of validation testing.
Deactivation includes activities to notify users of system operational status. This phase also
addresses recovery effort documentation, activity log finalization, incorporation of lessons
learned into plan updates, and readying resources for any future events.
2.3 Data Backup Readiness Information
A common understanding of data backup definitions is necessary in order to ensure that data
restoration is successful. <Cloud Service Provider> recognizes different types of backups
which have different purposes and those definitions are found in Table 2-1.
Table 2-1. Backup Types
Backup Type Description
Full Backup A full backup is the starting point for all other types of backup and contains all the data in
the folders and files selected to be backed up. Because a full backup stores every selected file
and folder, restoring from a recent full backup is the fastest and simplest restore operation; the
cost is that each full backup takes the longest to create and consumes the most storage.
Differential Backup A differential backup contains all files that have changed since the last FULL backup. It is
faster to create than a full backup, and a restore needs only the last full backup plus the most
recent differential, which is quicker than replaying a chain of incremental backups. However,
the longer the interval since the last full backup, the larger the differential grows; it can
eventually approach or exceed the size of the baseline full backup.
Incremental Backup An incremental backup stores all files that have changed since the last backup of any type
(FULL, DIFFERENTIAL, or INCREMENTAL). The advantage of an incremental backup is that it
takes the least time and storage to complete. However, during a restore operation the last full
backup and every subsequent incremental must be processed in order, and the loss or corruption
of any one set in that chain breaks the restore, which can result in a lengthy or failed restore job.
Mirror Backup A mirror backup is an exact, uncompressed copy of the source data. Unlike a full backup, the
files are not stored in a compressed (zip) archive and therefore cannot be protected with a
password. A mirror backup is most frequently used to create an identical copy of the source data.
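The practical consequence of the definitions in Table 2-1 is the restore chain: which backup sets must be retrieved from offsite storage, and in what order they are applied, before the data validation testing in Section 5 can even begin. The following planner is an added example written for this page; it is not part of the FedRAMP template or any CSP's tooling. The run identifiers (F1, D1, I1, M1) and the weekly schedule in RUNS are constructed for illustration, and the file sets stand in for backup size.

```python
"""Restore-chain planner for the backup types defined in Table 2-1.

Given an ordered catalogue of backup runs (full, differential, incremental,
mirror), work out which backup sets must be retrieved from offsite storage,
and in what order they are applied, to restore to a chosen run. The run
catalogue at the bottom is constructed for illustration; it is not any CSP's
real backup schedule.
"""
from dataclasses import dataclass

FULL, DIFFERENTIAL, INCREMENTAL, MIRROR = "full", "differential", "incremental", "mirror"


@dataclass(frozen=True)
class BackupRun:
    run_id: str        # label on the backup media (hypothetical naming scheme)
    kind: str          # one of FULL, DIFFERENTIAL, INCREMENTAL, MIRROR
    files: frozenset   # files captured by this run; stands in for set size


def restore_chain(runs, target_id):
    """Return the run_ids to apply, in order, to restore to `target_id`.

    full / mirror  -> the set itself; nothing else is needed.
    differential   -> latest preceding full (or mirror), then the differential.
    incremental    -> latest preceding full (or mirror), then the latest
                      differential taken since that anchor (if any), then every
                      incremental after that point up to the target. An
                      incremental captures changes since the last backup of
                      any kind, so no link in this chain may be skipped.
    Raises ValueError when no full or mirror backup anchors the chain; such a
    target cannot be restored, which is exactly what a restore test should find.
    """
    position = {run.run_id: i for i, run in enumerate(runs)}
    if target_id not in position:
        raise ValueError(f"unknown backup run {target_id!r}")
    end = position[target_id]
    target = runs[end]
    if target.kind in (FULL, MIRROR):
        return [target.run_id]
    if target.kind not in (DIFFERENTIAL, INCREMENTAL):
        raise ValueError(f"unknown backup type {target.kind!r}")

    # Anchor: the most recent self-contained set before the target.
    anchor = next((i for i in range(end - 1, -1, -1)
                   if runs[i].kind in (FULL, MIRROR)), None)
    if anchor is None:
        raise ValueError(f"no full or mirror backup precedes {target_id!r}")
    if target.kind == DIFFERENTIAL:
        return [runs[anchor].run_id, target.run_id]

    # Incremental target: a differential taken after the anchor already holds
    # every change since the anchor, so it supersedes the incrementals before it.
    start = anchor
    for i in range(end - 1, anchor, -1):
        if runs[i].kind == DIFFERENTIAL:
            start = i
            break
    chain = [runs[anchor].run_id]
    if start != anchor:
        chain.append(runs[start].run_id)
    chain.extend(runs[i].run_id for i in range(start + 1, end + 1)
                 if runs[i].kind == INCREMENTAL)
    return chain


def retrieval_cost(runs, target_id):
    """Number of file entries read back to restore to target_id.

    Lets you compare strategies: one full plus one differential reads more per
    set but fewer sets than a long incremental chain.
    """
    by_id = {run.run_id: run for run in runs}
    return sum(len(by_id[rid].files) for rid in restore_chain(runs, target_id))


def restorable(runs, target_id):
    """True when a complete chain exists for target_id, False otherwise."""
    try:
        restore_chain(runs, target_id)
        return True
    except ValueError:
        return False


# Constructed weekly schedule: a full on day 1, incrementals on most days, a
# differential mid-week, and a mirror copy taken before a planned cutover.
RUNS = [
    BackupRun("F1", FULL, frozenset({"a", "b", "c", "d"})),
    BackupRun("I1", INCREMENTAL, frozenset({"a"})),
    BackupRun("I2", INCREMENTAL, frozenset({"b"})),
    BackupRun("D1", DIFFERENTIAL, frozenset({"a", "b", "c"})),  # everything since F1
    BackupRun("I3", INCREMENTAL, frozenset({"d"})),
    BackupRun("I4", INCREMENTAL, frozenset({"a"})),
    BackupRun("M1", MIRROR, frozenset({"a", "b", "c", "d"})),
    BackupRun("I5", INCREMENTAL, frozenset({"c"})),
]

if __name__ == "__main__":
    for target in ("I2", "D1", "I4", "I5"):
        print(f"{target}: retrieve {restore_chain(RUNS, target)} "
              f"({retrieval_cost(RUNS, target)} file entries)")
```

Running it shows why the table warns about incremental chains: restoring to I4 needs four sets (F1, D1, I3, I4) and the differential D1 lets the planner skip I1 and I2, whereas restoring to I5 needs only the mirror M1 and one incremental. The `restorable` check is the kind of assertion worth adding to the system validation test plan (Appendix E): it fails for any catalogue in which no full or mirror set precedes the target.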
The hardware and software components used to create the <Information System Name>
backups are noted in Table 2-3.
Table 2-3. Backup System Components
System/Component Description
Software Used
Hardware Used
Frequency
Backup Type
Retention Period
Current backups of the <Information System Name> system software and data are
intact and available at the offsite storage facility located at:
<Site Name>
<Street Address>
<City, State, Zip Code>
Personnel who are authorized to retrieve backups from the offsite storage location, and may
authorize the delivery of backups, are noted in Appendix C.1.
<Cloud Service Provider>maintains both an online and offline (portable) set of backup copies
of the following types of data on site at their primary location:
user-level information
system-level information
information system documentation including security information.
2.4 Site Readiness Information
<Cloud Service Provider> recognizes different types of alternate sites which are defined in
Table 2-4.
Table 2-4. Alternate Site Types
Type of Site Description
Cold Sites Cold Sites are typically facilities with adequate space and infrastructure (electric power,
telecommunications connections, and environmental controls) to support information system
recovery activities.
Warm Sites Warm Sites are partially equipped office spaces that contain some or all of the system
hardware, software, telecommunications, and power sources.
Hot Sites Hot Sites are facilities appropriately sized to support system requirements and configured with
the necessary system hardware, supporting infrastructure, and support personnel.
Mirrored Sites Mirrored Sites are fully redundant facilities with automated real-time information mirroring.
Mirrored sites are identical to the primary site in all technical respects.
Alternate facilities have been established for the <Information System Name> as noted in Table
2-5. Detailed information about the alternate storage site, the alternate processing site, and
alternate telecommunications can be found in Appendices C.1, C.2, and C.3 respectively.
Table 2-5. Primary and Alternate Site Locations
Designation Site Name Site Type Address
Primary Site
Alternate Site
Alternate Site
2.5 Roles and Responsibilities
<Cloud Service Provider> establishes multiple roles and responsibilities for responding to
outages, disruptions, and disasters for the <Information System Name>. Individuals who are
assigned roles for recovery operations collectively make up the Contingency Plan Team and are
trained annually in their duties. Contingency Plan Team members are chosen based on their
skills and knowledge.
Instruction: Describe each team and role responsible for executing or supporting system
recovery and reconstitution. Include responsibilities for each team/role, including leadership
roles. FedRAMP has established default roles and a small set of default responsibilities,
which should be edited and modified to match the actual organizational role names,
responsibilities, and associated duties for your organization.
The Contingency Plan Team consists of personnel who have been selected to perform the roles
and responsibilities described in the sections that follow. All team leads are considered key
personnel.
2.3.1. Contingency Planning Director (CPD)
The Contingency Planning Director (CPD) is a member of senior management and owns the
responsibility for all facets of contingency and disaster recovery planning and execution.
The CPD performs the following duties:
Makes the decision on whether or not to activate the ITCP
Provides the initial notification to activate the ITCP
Reviews and approves the ITCP
Reviews and approves the Business Impact Analysis (BIA)
Notifies the Contingency Plan Team leads and members as necessary
Advises other Contingency Plan Team leads and members as appropriate
Issues a recovery declaration statement after the system has returned to normal operations
Designated as key personnel
2.3.2. Contingency Planning Coordinator (CPC)
The CPC performs the following duties:
Develops and documents the ITCP under direction of the CPD
Uses the BIA to prioritize recovery of components
Updates the ITCP annually
Ensures that annual ITCP training is conducted
Facilitates periodic ITCP testing exercises
Distributes copies of the plan to team members
Authorizes travel and housing arrangements for team members
Manages and monitors the overall recovery process
Leads the contingency response effort once the plan has been activated
Advises the Procurement and Logistics Coordinator on whether to order new equipment
Receives updates and status reports from team members
Sends out communications about the recovery
Advises the CPD on status as necessary
Designated as key personnel
2.3.3. Outage and Damage Assessment Lead (ODAL)
The ODAL performs the following duties:
Determines if there has been loss of life or injuries
Assesses the extent of damage to the facilities and the information systems
Estimates the time to recover operations
Determines accessibility to facility, building, offices, and work areas
Assesses the need for and adequacy of physical security/guards
Advises the Security Coordinator that physical security/guards are required
Identifies salvageable hardware
Maintains a log/record of all salvageable equipment
Supports the cleanup of the data center following an incident
Develops and maintains a Damage Assessment Plan
Estimates levels of outside assistance required
Reports updates, status, and recommendations to the CPC
Designated as key personnel
2.3.4. Hardware Recovery Team
The hardware recovery team performs the following duties:
Installs hardware and connects power
Runs cables and wiring as necessary
Makes arrangements to move salvageable hardware to other locations as necessary
Ensures electrical panels are operational
Ensures that fire suppression system is operational
Communicates with hardware vendors as needed (Appendix B)
Creates log of missing and required hardware
Advises the PLC if new hardware should be purchased
Connects network cables
Connects wireless access points
2.3.5. Software Recovery Team
The software recovery team performs the following duties:
Installs software on all systems at alternate site
Performs live migrations to alternate site prior to predictable disasters and outages
Installs servers in the order described in the BIA (Appendix L)
Communicates with software vendors as needed (Appendix B)
Advises the PLC if new software needs to be purchased
Creates log of software installation problems
Restores systems from the most current backup media
Maintains current system software configuration information in an off-site storage facility
2.3.6. Telecommunications Team
The Telecomm team performs the following duties:
Assesses the need for alternative communications
Communicates Internet connectivity requirements with providers
Communicates with telephone vendors as needed
Establishes communications between the alternate site and the users
Coordinates transportation of salvageable telecomm equipment to the alternative site
Plans for procuring new hardware and telecommunication equipment
Advises the PLC if new equipment needs to be purchased
Retrieves the communications configuration from the off-site storage facility
Plans, coordinates and installs communication equipment as needed at the alternate site
Maintains plan for installing and configuring VOIP
Maintains current telecommunications configuration information at off-site storage
facility.
2.3.7. Procurement and Logistics Coordinator (PLC)
The PLC performs the following duties:
Procures new equipment and supplies as necessary
Prepares, coordinates, and obtains approval for all procurement requests
Authorizes purchases up to <$ amount> for recovery operations
Ensures that equipment and supplies are delivered to locations
Coordinates deliveries
Updates the CPC with status
Works with the CPC to provide transportation for staff as needed
Ensures that the procedures for administering emergency fund expenditures are known
Processes requests for payment of all invoices related to the incident
Arranges travel and lodging of staff to the alternate site as needed
Procures telephone equipment and leased lines as needed
Procures alternate communications for teams as needed.
2.3.8. Security Coordinator
The Security Coordinator performs the following duties:
Provides training for employees in facility emergency procedures and measures
Provides physical security, access control, and safety measures to support the recovery effort
Cordons off the facility including offices to restrict unauthorized access
Coordinates with the building management and the CPC for authorized personnel access
Coordinates and manages additional physical security/guards as needed
Acts as a liaison with emergency personnel, such as fire and police departments
Provides assistance to officials in investigating the damaged facility/site
Ensures that data room/center at alternate site has locks (access controls) on the doors
Coordinates and secures the transportation of files, reports, and equipment in
coordination with the CPC.
2.3.9. Plan Distribution and Availability
During a disaster situation, the availability of the contingency plan is essential to the success of
the restoration efforts. The Contingency Plan Team has immediate access to the plan upon
notification of an emergency. The Contingency Plan Coordinator ensures that a copy of the most
current version of the Contingency Plan is maintained at the <Cloud Service
Provider's> facility. This plan has been distributed to all personnel listed in Appendix A.
Contingency Plan Team members are obligated to inform the Contingency Planning Coordinator,
if and when, they no longer require a copy of the plan. In addition, each recipient of the plan is
obligated to return or destroy any portion of the plan that is no longer needed and upon
termination from <Cloud Service Provider>.
2.3.10. Line of Succession/Alternates Roles
The <Cloud Service Provider>sets forth an order of succession, in coordination with the order
set forth by the organization to ensure that decision-making authority for the <Information
System Name> ITCP is uninterrupted.
In order to preserve the continuity of operations, individuals designated as key personnel have
been assigned an individual who can assume the key personnel’s position if the key personnel is
not able to perform their duties. Alternate key personnel are named in a line of succession and
are notified and trained to assume their alternate role, should the need arise. The line of
succession for key personnel can be found in Appendix A.
3. ACTIVATION AND NOTIFICATION
The activation and notification phase defines the initial actions taken once a <Information System
Name> disruption has been detected or appears to be imminent. The Recovery Time Objective
(RTO) defines the maximum amount of time that a system resource can remain unavailable
before there is an unacceptable impact on other system resources and supported mission/business
processes; the RTO must fall within the maximum tolerable downtime. Determining the information
system resource RTO is important for selecting appropriate technologies that are best suited for meeting the
Company Sensitive and Proprietary Page 21
22. IT Contingency Plan
<Information System Name>, <Date>
maximum tolerable downtime.This phase includes activities to notify recovery personnel,
conduct an outage assessment, and activate the ITCP.
At the completion of the Activation and Notification Phase, key <Information System
Name>ITCP staff will be prepared to perform recovery measures to restore system functions.
3.1 Activation Criteria and Procedure
The <Information System Name> ITCP may be activated if one or more of the following
criteria are met:
1. The type of outage indicates <Information System Name> will be down for more than
<RTO hours>
2. The facility housing <Information System Name> is damaged and may not be available
within <RTO hours>
3. Other criteria, as appropriate.
Personnel/roles listed in Table 6-1 are authorized to activate the ITCP.
Table 6-1. Personnel Authorized to Activate the ITCP
Name Title and ITCP Role Contact Information
3.2 Notification Instructions
Instruction: Describe established notifications procedures. Notification procedures should
include who makes the initial notifications, the sequence in which personnel are notified and
the method of notification (e.g., email blast, call tree, text messaging, automated notification
system, etc.).
Contact information for key personnel is located in Appendix A.
3.3 Outage Assessment
Following notification, a thorough outage assessment is necessary to determine the extent of the
disruption, any damage, and expected recovery time. This outage assessment is conducted
by <role name>. Assessment results are provided to the Contingency Planning Coordinator to
assist in the coordination of the recovery effort.
Instruction: Outline detailed procedures to include how to determine the cause of the outage;
identification of potential for additional disruption or damage; assessment of affected physical
area(s); and determination of the physical infrastructure status, IS equipment functionality, and
inventory. Procedures should include notation of items that will be needed to be replaced and
estimated time to restore service to normal operations.
4. RECOVERY
The recovery phase provides formal recovery operations that begin after the ITCP has been
activated, outage assessments have been completed (if possible), personnel have been notified,
and appropriate teams have been mobilized. Recovery phase activities focus on implementing
recovery strategies to restore system capabilities, repair damage, and resume operational
capabilities at the original or an alternate location. At the completion of the recovery phase,
<Information System Name> will be functional and capable of performing the functions
identified in Section 4.1 of the plan.
4.1 Sequence of Recovery Operations
The following activities occur during recovery of <Information System Name>:
Instruction: Modify the following list as appropriate for the system recovery strategy.
1. Identify recovery location (if not at original location)
2. Identify required resources to perform recovery procedures
3. Retrieve backup and system installation media
4. Recover hardware and operating system (if required)
5. Recover system from backup and system installation media
6. Implement transaction recovery for systems that are transaction-based.
4.2 Recovery Procedures
The following procedures are provided for recovery of <Information System Name> at the
original or established alternate location. Recovery procedures are outlined per team and should
be executed in the sequence presented to maintain an efficient recovery effort.
Instruction: Provide general procedures for the recovery of the system from backup media.
Specific keystroke-level procedures may be provided in an appendix. If specific procedures
are provided in an appendix, a reference to that appendix should be included in this section.
Teams or persons responsible for each procedure should be identified.
4.3 Recovery Escalation Notices/Awareness
Notifications during recovery include problem escalation to leadership and status awareness to
system owners and users. This section describes the procedures for handling escalation notices
and defines the events, thresholds, or other types of triggers that may require
additional action.
Instruction: Provide appropriate procedures for escalation notices during the recovery
efforts. Teams or persons responsible for each escalation/awareness procedure should be
identified.
5. RECONSTITUTION
Reconstitution is the process by which recovery activities are completed and normal system
operations are resumed. If the original facility is unrecoverable, the activities in this phase can
also be applied to preparing a new permanent location to support system processing
requirements. A determination must be made on whether the system has undergone significant
change and will require reassessment and reauthorization. The phase consists of two major
activities: validating successful reconstitution and deactivation of the plan.
Concurrent processing is the process of running a system at two separate locations concurrently
until there is a level of assurance that the recovered system is operating correctly and securely.
5.1 Data Validation Testing
Data validation testing is the process of testing and validating data to ensure that data files or
databases have been recovered completely at the permanent location.
Instruction: Describe procedures for testing and validation of data to ensure that data is
correct and up to date as of the last available backup. Teams or persons responsible for each
procedure should be identified. An example of a data validation test for a moderate-impact
system would be to compare a database audit log to the recovered database to make sure all
transactions were properly updated. Detailed data test procedures may be provided in
Appendix E, System Validation Test Plan.
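The audit-log comparison described above, worked through as an added example (this code is not part of the ITCP template): it assumes an append-only audit log of committed transactions with the fields txn_id, account and amount, and a recovered database exposing the same fields in a `transactions` table; both are constructed in memory with SQLite so the check runs offline.

```python
import sqlite3

# Constructed audit log: every transaction committed on the original system, in
# commit order. This is the reference the recovered database is compared against.
AUDIT_LOG = [
    (1001, "ACC-1", 250.00),
    (1002, "ACC-2", -75.50),
    (1003, "ACC-1", 10.00),
    (1004, "ACC-3", 999.99),
    (1005, "ACC-2", 20.00),
]


def build_recovered_db(applied_txns):
    """Stand-in for the recovered database: a transactions table holding only
    the rows that actually survived the restore (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (txn_id INTEGER PRIMARY KEY, account TEXT, amount REAL)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", applied_txns)
    conn.commit()
    return conn


def validate_recovered_db(conn, audit_log):
    """Compare the recovered database against the audit log and report the
    transactions missing from the database, rows the log never recorded, rows
    whose content differs, the recovery point (last consistent transaction in
    commit order) and an overall pass/fail flag. Only a clean match passes."""
    rows = conn.execute("SELECT txn_id, account, amount FROM transactions").fetchall()
    db = {txn_id: (account, amount) for txn_id, account, amount in rows}
    log = {txn_id: (account, amount) for txn_id, account, amount in audit_log}

    missing = sorted(set(log) - set(db))
    unexpected = sorted(set(db) - set(log))
    mismatched = sorted(t for t in set(log) & set(db) if log[t] != db[t])

    # Walk the log in commit order: the recovery point is the last transaction
    # before the first gap or discrepancy, which tells the team how much data
    # has to be re-entered or replayed before declaring recovery complete.
    last_consistent = None
    for txn_id, account, amount in audit_log:
        if db.get(txn_id) != (account, amount):
            break
        last_consistent = txn_id

    return {
        "missing": missing,
        "unexpected": unexpected,
        "mismatched": mismatched,
        "last_consistent_txn": last_consistent,
        "ok": not (missing or unexpected or mismatched),
    }


if __name__ == "__main__":
    # Simulated restore from a backup taken after transaction 1003: the last two
    # committed transactions were never applied to the recovered copy.
    partial = build_recovered_db(AUDIT_LOG[:3])
    print(validate_recovered_db(partial, AUDIT_LOG))
```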
5.2 Functional Validation Testing
Functionality testing is a process for verifying that all system functionality has been tested, and
the system is ready to return to normal operations.
Instruction: Describe procedures for testing and validating the functional and operational
aspects of the system.
5.3 Recovery Declaration
Upon successfully completing testing and validation, the <role name> will formally declare
recovery efforts complete, and that <Information System Name> is in normal operations.
<Information System Name> business and technical POCs will be notified of the declaration
by the Contingency Plan Coordinator. The recovery declaration statement notifies the
Contingency Plan Team and executive management that the <Information System Name> has
returned to normal operations.
5.4 User Notification
After the recovery declaration statement is made, notifications are sent to users and customers.
Notifications to customers are made in accordance with predetermined notification procedures.
Instruction: Describe the notification procedures. Ensure that the procedures described are
consistent with Service Level Agreements and contracts.
5.5 Cleanup
Cleanup is the process of cleaning up or dismantling any temporary recovery locations,
restocking supplies used, returning manuals or other documentation to their original locations,
and readying the system for a possible future contingency event.
Instruction: Describe cleanup procedures and tasks including cleanup roles and
responsibilities. Insert cleanup responsibilities in Table 5-1. Add additional rows as needed.
Table 5-2. Cleanup Roles and Responsibilities
Role Cleanup Responsibilities
5.6 Returning Backup Media
It is important that all backup and installation media used during recovery be returned to the
offsite data storage location. The following procedures should be followed to return backup and
installation media to its offsite data storage location.
Instruction: Provide procedures for returning retrieved backup or installation media to its
offsite data storage location. This may include proper logging and packaging of backup and
installation media, preparing for transportation, and validating that media is securely stored
at the offsite location.
5.7 Backing Up Restored Systems
As soon as reasonable following recovery, the system should be fully backed up and a new copy
of the current operational system stored for future recovery efforts. This full backup is then kept
with other system backups. The procedures for conducting a full system backup are:
Instruction: Provide appropriate procedures for ensuring that a full system backup is conducted
within a reasonable time frame, ideally at the next scheduled backup period.
5.8 Event Documentation
It is important that all recovery events be well-documented, including actions taken and
problems encountered during the recovery and reconstitution effort. Information on lessons
learned should be included in the annual update to the ITCP. It is the responsibility of each ITCP
team or person to document their actions during the recovery event.
Instruction: Provide details about the types of information each ITCP team member is required
to provide for the purpose of updating the ITCP. Types of documentation that should be
generated and collected after a recovery operation include: activity logs (including recovery
steps performed and by whom, the time the steps were initiated and completed, and any
problems or concerns encountered while executing activities); functionality and data testing
results; lessons learned documentation; and an After Action Report.
Table 5-3. Event Documentation Responsibility
Role Name Documentation Responsibility
Activity log
Functionality and data testing results
Lessons learned
After Action Report
6. CONTINGENCY PLAN TESTING
Contingency Plan operational tests of the <Information System Name> are performed annually.
A Contingency Plan Test Report is documented after each annual test. A template for the
Contingency Plan Test Report is found in Appendix F.
Note: Please refer to NIST SP 800-34, Revision 1, Section 5, for guidance on
Contingency Plan Testing.
Instruction: Please describe the procedures for the annual contingency plan testing. Include a
description of the required test environment. Operational tests typically include the following:
Restore files from backup tapes
Verify that backup tapes are stored at designated off-site locations
Determine whether data stored on backup tapes is valid and retrievable
Perform failover testing
Test the UPS to ensure that it operates correctly in the event of a power disruption;
Test the offsite backup vendor’s delivery response timeliness of media during normal
daytime hours and during nighttime hours
Test to ensure that offsite storage vendor only supplies backup tapes to authorized
individuals
Test the generators to ensure that they turn on automatically
Perform call tree exercises to ensure that employees can be reached in a timely manner.
Whatever methods you use to test your plan, please describe those tests in this section.
APPENDIX A KEY PERSONNEL AND TEAM MEMBERS CONTACT LIST
Instruction: All key personnel (and their alternates) and Contingency Plan Team members
should be noted on this contact list. The ITCP should be distributed to everyone on this list.
Role | Name and Home Address | Email | Phone
Contingency Plan Director
Primary:
Alternate:
Alternate Contingency Plan Director
Primary:
Alternate:
Contingency Plan Coordinator
Primary:
Alternate:
Alternate Contingency Plan Coordinator
Primary:
Alternate:
Outage and Damage Assessment Lead
Primary:
Alternate:
Alternate Outage and Damage Assessment Lead
Primary:
Alternate:
Procurement and Logistics Coordinator
Primary:
Alternate:
Alternate Procurement and Logistics Coordinator
Primary:
Alternate:
APPENDIX B VENDOR CONTACT LIST
Vendor | Product or Service | License #, Contract #, Account #, or SLA | Phone
Primary:
Alternate:
Primary:
Alternate:
Primary:
Alternate:
Primary:
Alternate:
Primary:
Alternate:
Primary:
Alternate:
APPENDIX C.1 ALTERNATE STORAGE SITE INFORMATION
Address of alternate storage site
Distance from primary facility
Is the alternate storage facility owned by the organization or is it a third-party storage provider?
Points of contact at alternate storage location
Delivery schedule and procedures for packaging media for delivery to alternate storage facility
Procedures for retrieving media from the alternate storage facility
Names and contact information for those persons authorized to retrieve media
Potential accessibility problems to the alternate storage site in the event of a widespread disruption or disaster (e.g. roads that might be closed, anticipated traffic)
Mitigation steps to access alternate storage site in the event of a widespread disruption or disaster
Types of data located at alternate storage site, including databases, application software, operating systems, and other critical information system software
APPENDIX C.2 ALTERNATE PROCESSING SITE INFORMATION
Alternate Processing Site:
Address
Distance from primary facility
Alternate processing site is owned by the organization or is a third-party site provider
Point of Contact
Procedures for accessing and using the alternate processing site, and access security features of alternate processing site
Names and contact information for those persons authorized to go to alternate processing site
Type of Site (from Table 2-4)
Mitigation steps to access alternate processing site in the event of a widespread disruption or disaster
APPENDIX C.3 ALTERNATE TELECOMMUNICATIONS PROVISIONS
Alternate Telecommunications
Name and contact information of alternate telecommunications vendors by priority
Agreements currently in place with alternate communications vendors
Contracted capacity of alternate telecommunications
Names and contact information of individuals authorized to implement or use alternate telecommunications
APPENDIX D ALTERNATE PROCESSING PROCEDURES
Instruction: This section should identify any alternate manual or technical processing
procedures available that allow the business unit to continue some processing of
information that would normally be done by the affected system. Examples of alternate
processes include manual forms processing, input into workstations to store data until it can
be uploaded and processed, or queuing of data input.
APPENDIX E SYSTEM VALIDATION TEST PLAN
Instruction: Describe the system acceptance procedures that are performed after the system has
been recovered and prior to putting the system into full operation and returned to users. The
System Validation Test Plan may include the regression or functionality testing conducted prior
to implementation of a system upgrade or change. Edit (or replace) the sample validation test
plan provided to reflect the actual validation test plan for the system.
Procedure | Expected Results | Actual Results | Successful? | Performed by
At the Command Prompt, type in sysname | System Log-in Screen appears | | |
Log-in as user testuser, using password testpass | Initial Screen with Main Menu shows | | |
From menu, select 5-Generate Report | Report Generation Screen shows | | |
Select Current Date Report | Report is generated on screen with last successful transaction included | | |
Select Weekly | | | |
Select To Screen | | | |
Select Close | Report Generation Screen shows | | |
Select Return to Main Menu | Initial Screen with Main Menu shows | | |
Select Log-Off | Log-in Screen appears | | |
APPENDIX F CONTINGENCY PLAN TEST REPORT
Instruction: This section should include a summary of the last Contingency Plan Test. The
actual procedures used to test the plan should be described in Section 6, not here.
Test Information Description
Name of Test
System Name
Date of Test
Team Test Lead and Point of Contact
Location Where Conducted
Participants
Components
Assumptions
Objectives Assess effectiveness of system recovery at alternate site
Assess effectiveness of coordination among recovery teams
Assess systems functionality using alternate equipment
Assess performance of alternate equipment
Assess effectiveness of procedures
Assess effectiveness of notification procedures
Methodology
Activities and Results (Action, Expected Results, Actual Results)
Post Test Action Items
Lessons Learned and Analysis of Test
Recommended Changes to Contingency Plan Based on Test Outcomes
APPENDIX G DIAGRAMS
Instruction: Insert network diagrams, data flow diagrams, and any relevant component
diagrams here. All of the diagrams used should be consistent with those found in the System
Security Plan.
APPENDIX H HARDWARE AND SOFTWARE INVENTORY
Instruction: Insert a hardware and software inventory here. The inventory should be
consistent with the one found in the System Security Plan.
APPENDIX I SYSTEM INTERCONNECTIONS
Instruction: Provide a System Interconnection Table which should be consistent with the
Interconnections Table found in the System Security Plan. The Interconnections Table from
the System Security Plan can be copied and pasted into this Appendix.
APPENDIX J TEST AND MAINTENANCE SCHEDULE
Instruction: All ITCPs should be reviewed and tested at least annually or whenever there is a
significant change to the system. Provide information and a schedule for the testing of the
system. For moderate-impact systems, a yearly functional test is required.
APPENDIX K ASSOCIATED PLANS AND PROCEDURES
Instruction: ITCPs for other systems that either interconnect or support the system should be
identified in this Appendix. The most current version of the ITCP, location of ITCP, and primary
point of contact (such as the ITCP Coordinator) should be noted.
System Name | Plan Name
APPENDIX L BUSINESS IMPACT ANALYSIS
Instruction: Insert your Business Impact Analysis here. Please see NIST SP 800-34, Revision 1
for more information on how to conduct a Business Impact Analysis.