There are several steps entities can take to improve their chances of quickly recovering from an IT disruption.
Assemble a Team – Assemble a team responsible for drafting an IT contingency plan for management’s review and approval. The team should include individuals with knowledge about critical business functions as well as those with appropriate technical knowledge of the organization’s IT systems and electronic data. It may be necessary to include outside parties such as the organization’s IT vendor.
Identify Critical Processes and Services – Identify and prioritize the organization’s critical business processes and services and the IT systems, components and data that support the processes and services. In the event of an incident, personnel need to quickly recognize situations that are of greater severity and demand immediate attention. For example, if the payroll process is identified as a critical function, the plan should include an explanation of how payroll processing will continue in the event of an unplanned IT incident that renders the current payroll system inoperable and/or electronic data inaccessible.
Develop a Plan – Organizations should develop a written IT contingency plan that addresses the range of threats to their IT system(s), distribute the plan to all responsible parties and ensure that it is periodically tested and updated as needed. The plan should focus on sustaining critical IT functions during and after a disruption. Technology recovery strategies should consider the possible restoration of hardware, applications, data and connectivity. The plan should also include policies and procedures to ensure that all critical information is routinely backed up so that it is available in the event of an emergency.
An IT contingency plan is the organization’s recovery strategy. It can include, among other items deemed necessary by the organization, the following:
- Roles and responsibilities of key personnel;
- Communication protocols with outside parties (e.g., law enforcement, IT vendors);
- Prioritized mission-critical processes and services;
- Technical details concerning how systems and data will be restored;
- Resource requirements necessary to implement the plan;
- Backup methods and storage policies (see next section entitled Backup Procedures); and
- Details concerning how the plan will be periodically tested.
The plan should also address how employees will communicate, where they will go and how they will continue to do their jobs during a disruption. The details will vary depending on the size and scope of the entity and its computerized operations. It’s important to remember to distribute the plan and subsequent updates to all parties who have responsibilities in the event of a disruption; otherwise, the plan’s value is significantly diminished.
Train Personnel and Test the Plan – Personnel expected to execute the plan must understand the plan and, as necessary, be trained to perform their duties. Where appropriate, elements of the plan should be tested, for example, by verifying the organization’s ability to restore backup data. Subsequent revisions to the plan should be redistributed to key personnel to ensure they understand the changes.
Revise the Plan – The IT contingency plan should be periodically reviewed and, as appropriate, revised to ensure it still meets the organization’s needs. Changes in personnel, IT infrastructure, organizational priorities, or facilities identified as alternative processing sites may require plan revisions. The revised plan should then be distributed to personnel who have key responsibilities.