How To Prepare And Test A Continuity Of Operations Plan Term Paper

Contingency Planning

Information Security contingency plans are very important for firms operating in today's world, where cyber security is a top issue as a result of business's technological and digital dependence. This paper will discuss the planning steps, possible recovery options, and recommended testing requirements needed to support a successful business contingency/continuity of operations environment. Included will be recommendations for a proposed 24-month cycle business contingency testing plan, what should be tested and how the test should be conducted. Critical corporate assets will be ranked with the type of testing (i.e. plan reviews, tabletop exercises and backup recovery tests). Costs associated with the recommended testing process will also be taken into consideration, including personnel, equipment and production costs.

Planning Steps

Step 1 is to examine the organization of the IS department. An IS department should be organized in order to guard against an attack, blackout or any other natural or man-made disaster that can impact the integrity of information related to a business's procedures and processes. The purpose of a contingency plan/continuity of operations environment is to ensure that the hierarchy of structure (including hardware, software, work teams, management and crews involved in supervision) is able to conduct business fluidly and without interruption while maintaining safety of data through secure networks and storage devices. This requires a high degree of diligent oversight, supported by weekly assessments, made routine according to a standardized formula that incorporates analysis of the latest developments in technology, threats, and safety issues related to cyber security. Advisory notices should be directed towards proper personnel within the IS department, so that individual staff members are alerted to any adjustments that require attention; and the department should organize itself into teams or squads consisting of a threat recognition team, a problem solving team, an info/data gathering team, a specs squad, a systems design unit, and a maintenance/review squad.

Once the IS department is organized, it can proceed to Step 2: risk assessment and business impact assessment. The purpose of each is to analyze the impact that a disruption can have on the organization and how to mitigate it (Vacca, 2009). Stakeholders in the organization (including but not limited to: directors, board members, employees, creditors, government advisors/agencies, owners, unions, and suppliers) must be called upon to assess the drivers that propel the firm forward and that are indispensable to the business's smooth operation. Drivers are the core components/strategies that offer real value to the organization, such as intellectual property or operations of data -- and once these are determined and rated, the organization can perceive how much time, energy, and available resources should be directed towards ensuring that the driver is supported and backed up should a disaster strike. As Bahan (2003) indicates, it is the top priority of managers overseeing the business impact assessment to determine a top-down arrangement of drivers that require immediate support and are, therefore, first in line to be restored to working order in an infrastructure collapse event.

The risk assessment development can then proceed: it is accomplished by identifying risks to operational facilities based on precedent as well as potential threats that are currently at large (this is why a department team should be assigned to threat identification). Stemming the impact of potential disasters via risk management is a necessary step in any contingency/continuity of operations plan. The more potential disasters that can be averted ahead of time, the better (Haes, Grembergen, 2009).

Recovery Options

A recovery option is only as effective as the organization's ability to maintain communication lines in the event of a disaster. Therefore, a contingency plan as well as a continuity of operations plan must consider a communications strategy that will enable the business to stay online in terms of connectivity between stakeholders (i.e., suppliers, supply chain managers, directors, consumers, clients, etc.). Recovery options are available for a range of scenarios and a range of business types. Selecting the right option will depend on the type of business being conducted and the type of disaster being prepared for. Strategic continuity software can be purchased by any business from a number of distributors/producers who specialize in supporting organizations in recovery type situations. Ponemon Institute and companies like Symantec are leaders in the industry of helping firms to identify their recovery needs (cyber security options include utilizing a data breach risk calculator, which helps in the risk management stage identified above, and which can be used to help the firm develop its recovery plan). Other recovery...

...

A recovery manager should be appointed and should be able to identify the various options to key players in the firm. These would include cloud services, virtualization, mobile connectivity, social networking, electronic-based vaulting (if applicable), managed recovery, and recovery point objectives (LaChapelle, 2014).

Cloud-based recovery options allow firms to back up data systems by utilizing cloud technology, which stores data for smaller firms at affordable rates. Virtualization is another option that gives firms even more flexibility by allowing them to duplicate a total copy of a data center, which can then be accessed and utilized when needed. Virtual machines are available for server extension. Mobile connectivity can be an essential element of a recovery plan and should be considered as a potential additional option for helping workers to stay connected and in communication. Likewise, social networking facilitates this end. At the same time, some firms may not have the resources to manage their own recovery; therefore, outsourcing may be a recovery option to consider (this would be a managed recovery). Another option is to cut the amount of backups that are needed by the firm by implementing an electronic-based vaulting system (such as remote libraries and software replication systems). Finally, recovery point objectives are an option as they cover a total scenario in which strategic points are identified and objectives are set (whether zero data loss prevention is critical or whether recovery time objectives are critical) for maintaining business operations.

Recommended Testing Requirements

In order for effective testing of the firm's contingency plan and continuity of operations plan to be enacted, it is essential to have the complete staff trained on what is in store for the operation. Training the staff about how a contingency operation works is the highest imperative/requirement at this stage of the implementation program.

A contingency response team should be organized and trained to handle an emergency event that requires implementation of the continuity plan. The response team is responsible for restoring system functions and ensuring that data is back online within the requisite amount of time.

At the same time, test objectives must be identified and met. In order to guarantee that these objectives are met, a review process should be in place for verifying response times, achievement, and maintenance of data and support systems.

Prior to the implementation of the testing of the plan, a series of pre-tests can be conducted in order to test the effectiveness of the risk management portion of the cyber security contingency plan.

Penetration testing is one method of testing cyber security as a means of risk management -- the first stage of a contingency plan. The method of testing is one in which a hacker's attack is simulated so the operating firm can observe whether there is any exposure or holes in the system's security (Haes, Grembergen, 2009). Auditing and monitoring tools incorporated in the plan include CORE Security Technology, a security auditing tool that graphs security-related data so that users can see a visual representation of the degree to which the security system in place is effectively thwarting attacks and is set up to protect against possible assaults from a number of areas. The determination of where backups are stored is based on system preferences: whether backups are desired to be locally controlled or whether cloud backups are desired, in which case an alternate system is in control. Both are approved in the case of disaster to guarantee the integrity of the data (Krutz, Vines, 2010).

Another area of concern that is recommended for testing is the use of cell phones, laptops and other mobile devices within a firm. The Government Accountability Office reported in 2012 that laptops and cellular devices are a risk for businesses and that one way to mitigate this risk is to enable encryption for these devices. Users are susceptible to hacking and can thereby be used by cyber attackers to gain access to data inside a firm's secure walls. Thus testing should include these devices as well and should make sure that networks are properly secured via pass codes.

Once these pre-tests are conducted, the contingency test can proceed. An effective contingency plan test will involve developing:

Notification procedures

Coordination among the recovery team(s)

A plan for systems recovery on…

References

Bahan, C. (2003). The Disaster Recovery Plan. SANS.org. Retrieved from https://www.sans.org/reading-room/whitepapers/recovery/disaster-recovery-plan-1164

Gilbert, J. (2015). Contingency Planning. Retrieved from http://jamesegilbert.blogspot.com/2013/11/it-contingency-planning.html

Haes, S., Grembergen, W. (2009). Exploratory study in IT governance implementations and its impact on business/IT alignment. Information Systems Management, 26: 123-137.

Information Technology Contingency Planning. (2012). Apd.Army.Mil. Retrieved from http://www.apd.army.mil/jw2/xmldemo/p25_1_2/main.asp

NetworkWorld. Retrieved from http://www.networkworld.com/article/2174112/tech-primers/disaster-recovery-options-for-smaller-companies.html


Cite this Document:

"How To Prepare And Test A Continuity Of Operations Plan" (2016, April 14) Retrieved April 19, 2024, from
https://www.paperdue.com/essay/how-to-prepare-and-test-a-continuity-of-2158108
