September is National Preparedness Month and October is National Cybersecurity Awareness Month, which makes it an excellent time to review your organization’s disaster preparedness strategy. Implementing a contingency plan for a natural disaster could be the difference between minimal business interruption and weeks or even months of lost revenue. Even if you’re not a federal contractor, NIST 800-53 is a great resource for creating solid security policies and implementing effective security controls. The Contingency Planning control family in NIST 800-53 is no exception. The control family contains everything you need to set up a robust plan to ensure your organization is ready for any natural disaster.
This section contains all the planning, training, and testing that is needed to create and maintain a successful disaster preparedness plan.
CP-1 Contingency Planning Policy and Procedures
Establishing planning policy and procedures will help to implement the rest of the security controls in the Contingency Planning control family. Develop, document, and disseminate contingency policy and procedures to relevant personal in the organization. The planning policy and procedures should reflect applicable laws, organizational directives, local regulations, and other relevant factors. Revisit the plan regularly to ensure policy is up to date.
CP-2 Contingency Plan
The contingency plan will be the game plan for your organization when a disaster happens, and it is a critical aspect to a quick and effective response.
The plan should include the following:
Essential missions and business functions, and their associated contingency requirements
Recovery objectives, restoration priorities, and metrics to gauge progress
Defined contingency roles and responsibilities, and assigned personal with contact info
Plan to maintain essential mission and business functions in the event of disruption, compromise, or failure
Define process for full information system restoration without deterioration of security safeguards
The contingency plan should be distributed to contingency personnel and relevant organizational elements, reviewed regularly, and modified if shortcomings are identified. To maintain operational security, ensure that the contingency plan is not disclosed to unauthorized parties.
CP-3 Contingency Training
After the contingency plan is formed, personnel need to be trained on their assigned contingency roles and responsibilities. Training can utilize simulated events and automated training environments to make the training more dynamic and effective. Training should be conducted when roles are initially assigned and when significant changes to the contingency plan are made. Additionally, refresher training should be done at regular intervals.
CP-4 Contingency Plan Testing
To ensure that the contingency plan is effective, it should be tested regularly. This can be done through tabletop exercises, simulations, walkthroughs, and testing of alternate site and recovery technology. If weaknesses are identified, the contingency plan should be edited to address them. As with all security topics, contingency planning should be iterative and reflect emerging threats as they appear; it’s not a “one and done” process.
Contingency services allow an organization to operate when main services have been damaged or taken offline by a natural disaster. Organizations that employ these services are fault-tolerant and can continue to operate with minimal interruption during a disaster, even when an entire site or datacenter is taken offline.
CP-6 Alternate Storage Site
Establish an alternative storage site that is geographically separated from the main site to store duplicate copies of information to ensure no data is lost during a disaster. If your off-site backups are across town, a wide area disaster such as a hurricane or flooding can easily destroy both your primary data as well as your backups, so ensure that the alternate storage site is sufficiently separated geographically. Managing off-site backups can be expensive, but they are orders of magnitude cheaper than losing all your organization’s data in a flood. Additionally, organizations should have the capability to rapidly restore from an alternate storage site to quickly resume normal operations after a data loss event.
CP-7 Alternate Processing Site
An alternate processing site should be established to operate essential business services if the primary site is unavailable or disabled to a disaster. Like the alternative storage site, the alternative processing site should be geographically separated from the primary processing site to prevent a wide area disaster from disabling both sites simultaneously. Alternative processing sites should have the ability to transfer and resume operation from the primary to alternative site, as well as transfer back to the primary site, once the disaster is over to ensure smooth operation during and after a disaster.
CP-8 Telecommunications Services
If an earthquake (or gardener) severs your building’s fiber line, do you have an alternative uplink ready to go? Telecommunication services like internet connections, phone lines, and cell towers are often unreliable or destroyed during a disaster. Having backup telecommunications systems in place is critical to quickly resuming operations following a disaster. Alternate telecommunication systems should not share a point of failure with main communication lines to prevent both the primary and alternate systems from going down at the same time.
CP-9 Information System Backup
Both user-level and system-level information should be backed up regularly, with a defined recovery time and recovery point objectives. This will ensure that backups stored at the alternate storage site are up to date and easily recoverable in the case of a data loss event due to a disaster. Documentation, including disaster recovery plans, should also be backed up to help with the recovery process. Ensuring that backups are properly secured is critical. Check out our article on securing backups for more information.
CP-10 Information System Recovery and Reconstitution
Organizations need to have the capability to recover and restore systems after a disaster if they’re damaged or destroyed. A system to recover and reconstitute critical information systems can be the difference between getting up and running quickly and having to rebuild your environment from scratch. The confidentiality, integrity, and availably of backed up data should be preserved through the backup and restoration process to ensure that operational security isn’t compromised. Regularly test reliability of backups as well as the restoration process to ensure a quick and complete recovery after a data loss event.
When a natural disaster hits, your organization needs to be ready to react quickly and efficiently to minimize downtime and data loss. Using NIST 800-53 as a starting point to develop your organization’s disaster preparedness plan and infrastructure is a great way to get the ball rolling. Do you want to bring your security program (including disaster preparedness) to the next level?
As your end-to-end security provider, NuHarbor is ready to help your organization with risk assessments, security program reviews, incident response planning, and much more. Contact us today!