NIST's 7-Step Contingency Planning ProcessMeasures Designed to be Integrated Into Systems' Life Cycle NIST on Monday issued revised guidance that defines a seven-step contingency planning process that federal agencies and other organizations in fields such as healthcare and banking can use to develop and maintain a viable interim recovery program for their information systems.
The National Institute of Standards and Technology designed the seven progressive steps to be integrated into each stage of the system development life cycle. They include:
- Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
- Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization's mission/business functions. A template for developing the BIA is provided to assist the user.
- Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
- Create contingency strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
- Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system's security impact level and recovery requirements.
- Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps; combined, the activities improve plan effectiveness and overall organization preparedness.
- Ensure plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.
Formally, the revised standard is known as Special Publication 800-34, Revision 1: Contingency Planning Guide for Federal Information Systems.