Contingency Planning

Organizations must plan for many events. Contingency plans do not focus just on an organization’s information technology (IT) assets. Instead, the field has grown to include all types of planning to make sure that an organization can continue to operate in the event of an interruption, emergency, or disaster. In recent years, the United States has seen several dramatic events that highlight the need for all types of contingency plans: the September 11 terrorist attacks of 2001, the northeastern U.S. power-grid failure in 2003, the H1N1 flu outbreak in 2009, Hurricane Sandy in 2012, and power blackouts caused by California wildfires in 2019.

When organizations talk about contingency plans, they are talking about holistic plans. These are plans that cover the whole organization and all of its processes. They identify operations that are critical to the business’s survival and recovery. These plans must include IT resources and operations. Many organizations store their data and records electronically. Many of them have grown dependent on their IT resources and the automated processes those resources provide. Thus, focusing on how to protect and recover IT assets is an important contingency planning component. This is especially important for small organizations. For example, some studies indicate that 43 percent of cyberattacks target smaller businesses.1

This chapter discusses contingency planning processes as they relate to IT resources. The different planning processes discussed in this chapter are:

  • Incident response (IR) planning
  • Disaster recovery (DR) planning
  • Business continuity (BC) planning

The scope of any kind of contingency planning is very broad. It can range from planning for life safety issues to how to conduct business without electricity. This chapter focuses on only one narrow piece: planning for the security of IT resources. Although all contingency plans have different goals, the foundation for these processes is the same. In order to prepare contingency plans, organizations must analyze and plan for the IT risks that they face. The risk analysis and foundation process helps an organization understand how it needs to protect its IT resources. An organization cannot make any contingency plans until it understands the risks to its IT resources.

FYI

This chapter talks about risk management, incident response, and contingency planning. Risk management and contingency planning are used to protect IT resources. Incident response is a type of contingency planning that an organization uses to react to attacks against its IT infrastructure. Disaster recovery (DR) and business continuity (BC) plans are contingency plans that help an organization continue business operations following a disaster.

It is important to remember that protecting IT resources is not the only goal of a contingency plan. It is not even the most important goal. Natural and man-made events disrupt thousands of lives each year. The most important goal of any type of contingency plan is to preserve human life. Continuing business operations and restoring data are secondary goals.
