Are Traditional Disaster Recovery Plans Still Relevant?
Bobby Williams, MBCP, MBCI
Director, IT Resiliency Planning
Fidelity Investments

Who am I?
Bobby Williams is the Director of IT Resiliency Planning for Fidelity Investments. He has earned his MBCP from the DRII and his MBCI from the BCI. Bobby chairs the DRII International Glossary Committee. He also serves on the NFPA 1600 Emergency Management and Business Continuity committee. Bobby has worked in the IT industry for 25 years in technical roles, vendor education, pre/post sales engineering, disaster recovery management, and business continuity management. He earned his BSEE degree from the University of Tennessee, Chattanooga. Bobby retired from the Tennessee Army National Guard, where he served as an artillery officer in the 196th Field Artillery Brigade.
Bobby.Williams@fmr.com
Office: 919-458-4239

Agenda
NIST Cybersecurity Framework & Special Publications
Overview of the NIST SP 800-34 (rev 1)
Move from DR to Contingency Planning
Major Points in the NIST Contingency Plan
Incorporating NIST Contingency plans into an existing DR program
Who are you? Technical? BC? Risk? Finance? Health Care?
Overview
Banks and OCC-regulated financial institutions are now expected to follow the FFIEC Cybersecurity Assessment Tool, which is based on the NIST Cybersecurity Framework. We will look at NIST SP 800-34 (rev 1) and see how the controls can help us create or evaluate our technology recovery program, and how that program could help with creating a robust Information Security program based on the NIST SP 800-53 controls.

NIST Cybersecurity Framework
Contingency Planning (CP) controls referenced in the CSF come from NIST SP 800-53 Rev 4
NIST Special Publication 800-53 Rev 4 - Security and Privacy Controls for Federal Information Systems and Organizations
All 5 functions within the CSF have contingency planning controls.
23 subcategories include CP controls
NIST Special Publication 800-34 Rev 1 - Contingency Planning Guide for Federal Information Systems

What types of plans does NIST list?
Business Continuity (BCP)
Continuity of Operations (COOP)
Crisis Communications
Critical Infrastructure Protection (CIP)
Cyber Incident Response
Occupant Emergency Plan (OEP)
Disaster Recovery (DRP)
Information System Contingency Plan (ISCP)
Crosswalk of plan types SP 800-34 Rev 1
Is a Contingency Plan different from a DR plan?
According to SP 800-34 Rev 1
Disaster Recovery Plan (DRP)
The DRP applies to major, usually physical, disruptions to service that deny access to the primary facility infrastructure for an extended period. A DRP is an information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency. The DRP only addresses information system disruptions that require relocation.

Is a Contingency Plan different from a DR plan?
According to SP 800-34 Rev 1
Contingency Plan (CP)
A CP provides established procedures for the assessment and recovery of a system following a system disruption. The CP provides key information needed for system recovery, including roles and responsibilities, inventory information, assessment procedures, detailed recovery procedures, and testing of a system.

Is a Contingency Plan different from a DR plan?
The CP differs from a DRP primarily in that the contingency plan procedures are developed for recovery of the system regardless of site or location.
Contingency Planning Controls
CP-2 Control
CP-2 CONTINGENCY PLAN
Control: The organization:
a. Develops a contingency plan for the information system that:
   i. Identifies essential mission and business processes and associated contingency requirements;
   ii. Provides restoration priorities and metrics;
   iii. Addresses contingency roles, responsibilities, and assigned individuals with contact information;
   iv. Addresses maintaining essential missions and business processes despite an information system disruption, compromise, or failure;
   v. Addresses eventual full information system restoration without deterioration of the security measures originally planned; and
   vi. Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the contingency plan to key contingency personnel;
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system at periodic intervals;
e. Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and
f. Communicates contingency plan changes to key contingency personnel.

Implementation Steps
Program should focus on standardized CPs for each application/system based on the impact
NIST has an SP for the risk management process
CPs must be reviewable, revisable, and reasonable
CP originally intended for the system level
Some companies implement at the application level
Some companies implement at the IT product level
Your mileage may vary

Process to create a CP
1. Develop the contingency planning policy;
2. Conduct the business impact analysis (BIA);
3. Identify preventive controls;
4. Create contingency strategies;
5. Develop an information system contingency plan;
6. Ensure plan testing, training, and exercises; and
7. Ensure plan maintenance.

What should be included in a CP?
Who is responsible for recovery?
How are they notified?
Recovery Time and Recovery Point Objectives
How is the system configured?
Architectural Diagrams
Upstream dependencies: What does this application need to function?
Downstream dependencies: What depends on this application?
Recovery steps
Appendix references

Questions?
NIST Special Publications
SP 800-53 (rev 4) http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.SP.800-53r4.pdf
SP 800-34 (rev 1) http://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-34r1.pdf
Bobby.Williams@fmr.com
Office: 919-458-4239