You have all your security systems in order. Your virus definition files are updated, your firewall is properly configured and your uninterruptible power supply batteries are fully charged. What could go wrong? And more importantly, how will you respond when it does? Because that’s when you’ll find out exactly how good your contingency plan is.
The process of developing an effective contingency plan can be broken down into six key stages:
Identify your needs.
Impact assessment.
Select suitable measures and controls.
Develop recovery strategies.
Build the plan.
Test, train and maintain.
Identify your needs
Every organization is different. This might sound obvious, but a common failing when developing a disaster management strategy is to look for a one-size-fits-all solution. Starting out with a clear examination of the specific requirements of your organization helps to make sure the plan you develop is the one you actually need.
It can help clarify your thinking to create a contingency planning policy statement as part of your analysis. The statement should briefly set out the following information in as clear a manner as possible:
The overall contingency objectives. For example, under what circumstances should the contingency plan be invoked?
The individuals/roles and teams responsible for the development, maintenance and implementation of the plan.
The scope of the plan. For example, what platforms, departments and organizational functions will be subject to the plan?
The review process that will apply to the plan.
The requirements for the procurement of resources, training and testing.
Maintenance arrangements. This covers how the plan will be kept up to date with organizational and technological change.
Backup schedules and storage arrangements
Once these objectives have been defined, it's important to ensure that the various departments of the organization who may be impacted by the plan are brought on board. This may include the IT and HR departments, those responsible for physical security and emergency readiness, and the decision makers responsible for these areas. This shouldn't be regarded as a comprehensive list; the circumstances of a particular organization must be individually assessed.
