Cyber Continuity Planning
by Dr. Greg White, Executive Director, CIAS-ISAO
In the world today there are any number of events that could cause a disruption or even a complete shutdown of an organization’s operations. Should this occur to your organization, what would be the impact? All too often, if a business experiences an extended disruption, it might find out that it is not able to recover at all. Organizations, both public and private, need to be prepared to address a disruption to operations, whether it is due to a natural disaster, terrorist event or cyber incident. One of the first things that should be done to prepare is to develop a plan that can be put into action when a disruption occurs.
There are several different types of plans related to disruptions that occur to organizations. Three that we will discuss in this article are Business Continuity Plans (BCP), Continuity of Operations (COOP) plans, and Information Systems Contingency Plans (ISCP). NIST SP 800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems defines each of these as follows: [1]
The table included two acronyms that also need to be defined. Mission Essential Functions, or MEFs, are those operations that are critical for the mission of your organization. Disaster Recovery Plans, or DRPs, are an additional related type of plan for contingency planning. Some use the terms COOP, BCP and DRP synonymously, but there are official differences between them. Again, according to NIST SP 800-34, the three are defined as follows: [1]
The BCP focuses on sustaining an organization’s mission/business processes during and after a disruption. An example of a mission/business process may be an organization’s payroll process or customer service process. A BCP may be written for mission/business processes within a single business unit or may address the entire organization’s processes. The BCP may also be scoped to address only the functions deemed to be priorities. A BCP may be used for long-term recovery in conjunction with the COOP plan, allowing for additional functions to come online as resources or time allow. Because mission/business processes use information systems (ISs), the business continuity planner must coordinate with information system owners to ensure that the BCP expectations and IS capabilities are matched.
COOP focuses on restoring an organization’s mission essential functions (MEF) at an alternate site and performing those functions for up to 30 days before returning to normal operations. Additional functions, or those at a field office level, may be addressed by a BCP. Minor threats or disruptions that do not require relocation to an alternate site are typically not addressed in a COOP plan.
The DRP applies to major, usually physical disruptions to service that deny access to the primary facility infrastructure for an extended period. A DRP is an information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency. The DRP may be supported by multiple information system contingency plans to address recovery of impacted individual systems once the alternate facility has been established. A DRP may support a BCP or COOP plan by recovering supporting systems for mission/business processes or mission essential functions at an alternate location. The DRP only addresses information system disruptions that require relocation.
You can see the somewhat subtle difference between these plans, but at this point, if you have none of these in place, the most important thing is to establish SOME plan that can be invoked should your organization suffer a disruption of operations. Later, as you refine your plan, you can worry about the other plans that you can have in place. The ISCP is a more specific plan that is focused on information systems. The NIST definition for this type of plan is: [1]
An ISCP provides established procedures for the assessment and recovery of a system following a system disruption. The ISCP provides key information needed for system recovery, including roles and responsibilities, inventory information, assessment procedures, detailed recovery procedures and testing of a system.
In this article we want to primarily consider the information systems important to your organization. A complete BCP and DRP will cover many more elements beyond the information systems, but we are going to start by concentrating on the computers, networks and communication systems that you require. Start by answering a few questions:
- What operations are essential to the functioning of your organization?
  - For a short period of time (your MEFs)
  - For an extended period of time
- What computer systems are required to conduct your essential functions?
- What data is required to conduct your essential functions?
- What personnel are required to conduct your essential functions?
- What personnel, data and equipment are necessary for your non-MEF operations but are important for an extended period of operations?
- What communications/Internet access is required for your organization to function?
- What are three to five events that could catastrophically disrupt your operations?
These are just a few of the questions you will need to answer but they will help you recognize what you will need to focus on to restore and maintain essential functions. An ISCP is a detailed document that will focus on the recovery of a specific system. After answering the questions above, you will have a better feel for which of your information systems you will need to focus on first to restore operations. An example template for an ISCP can be found in NIST 800-34. The publication offers three templates for small, medium and large systems. The type of information that you will incorporate into your ISCP includes:
- Description of the system and its role and function for the organization
- Description of the activities in the three system recovery phases (written at a level so that recovery personnel will know what must be done and how to accomplish the tasks).
  - Activation of the ISCP and notification of appropriate personnel. This includes
    - The criteria for activating the ISCP
    - Who should be notified and in what order
    - Steps to conduct an assessment of the disruption and its impact on the system
  - Recovery of the affected system. Plans should include
    - Sequence of recovery activities
    - Procedures for the recovery activities
  - Reconstitution to include testing to ensure system capability and functionality are restored, then steps to deactivate the ISCP
- Roles and responsibilities of personnel involved in the recovery of the system
You can see from this brief description the detail that should be included in the ISCP. Remember that your COOP, which is a higher-level document, will outline what the MEFs are for the organization and which ISCPs should be invoked given a specific incident disrupting your organization.
COOPs and ISCPs are not single-page documents and they take time to develop. Complete coverage of the topic cannot be accomplished in just a few pages. Fortunately, there are a lot of documents available for free that discuss the topic in much greater detail. The NIST publication referenced several times in this article [1] is a good place to start, as it has templates that can provide a starting point. Other documents include [2] and [3]. Please note that while these documents are intended for federal agencies, they nonetheless contain much useful information for both the public and private sector. Finally, various organizations offer seminars and training to help you develop your own COOP and ISCPs. This article hopefully served to explain the basics and to encourage you to start on the development of your own documents or to review the plans you may have in place to ensure they are adequate and up to date.
References
[1] “Contingency Planning Guide for Federal Information Systems”, SP 800-34 Rev. 1, National Institute of Standards and Technology, May 2010. Downloaded 3 Feb 2021 from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
[2] “Continuity Guidance Circular”, Feb 2018, FEMA National Continuity Programs. Downloaded 3 Feb 2021 from https://www.fema.gov/sites/default/files/2020-07/Continuity-Guidance-Circular_031218.pdf
[3] “Continuity of Operations Plan Template and Instructions for Federal Departments and Agencies”, July 2011, FEMA National Continuity Programs. Downloaded 3 Feb 2021 from https://www.fema.gov/pdf/about/org/ncp/coop/continuity_plan_federal_d_a.pdf