CP-2 Contingency Plan

Description

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised.

The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency.

Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, executive orders, directives, policies, standards, regulations, and guidelines.

In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems.

Actions addressed in contingency plans include, for example:

1. orderly/graceful degradation,
2. information system shutdown,
3. fallback to a manual mode,
4. alternate information flows, and
5. operating in modes reserved for when systems are under attack.

By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.

Applicability

This Control applies to all mission critical information resources, University Essential IT Services, and additional resources as identified by the Chief Information Security and Privacy Officer (CISPO), in consultation with the Chief Information Office (CIO).

The information resource owner or designee is responsible for ensuring planning processes described in this Control are implemented.

Based on risk management considerations, the university’s Chief Information Security and Privacy Officer may determine, in consultation with the CIO, that it would be appropriate to apply the requirements of this Control to information resources not meeting the Glossary definition of mission critical.

Implementation

TAMU-CC shall:

1. Develop a contingency plan for the information system. The plan shall be distributed to key personnel and a copy stored offsite. Elements of the plan for information resources shall include, but are not limited to:
   1. Identifies essential missions and business functions and associated contingency requirements. Business Impact Analysis to systematically assess the potential impacts of a loss of business functionality due to an interruption of computing and/or infrastructure support services resulting from various events or incidents. The analysis shall identify the following elements:
      1. Mission-Critical Information Resources (specific system resources required to perform critical functions) to include:
         1. Internal and external points of contact for personnel that provide or receive data or support interconnected systems.
         2. Supporting infrastructure such as electric power, telecommunications connections, and environmental controls.
      2. Provides recovery objectives, restoration priorities, and metrics. Disruption impacts and allowable outage times to include:
         1. Effects of an outage over time to assess the maximum allowable time that a resource may be denied before it prevents or inhibits the performance of an essential function. ii. Effects of an outage across related resources and dependent systems to assess cascading effects on associated systems or processes.
      3. Recovery priorities that consider geographic areas, accessibility, security, environment, and cost and may include a combination of:
         1. Preventive controls and processes such as backup power, excess capacity, environmental sensors and alarms. ii. Recovery techniques and technologies such as backup methodologies, alternate sites, software and hardware equipment replacement, implementation roles and responsibilities.
      4. Addresses contingency roles, responsibilities, assigned individuals with contact information;
      5. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
      6. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
      7. Is reviewed and approved by Information Resource Manager (IRM);
   2. Risk Assessment to weigh the cost of implementing preventative measures against the risk of loss from not taking action.
   3. Implementation, testing, and maintenance management program addressing the initial and ongoing testing and maintenance activities of the plan.
   4. Disaster Recovery Plan—TAMU-CC shall maintain a written disaster recovery plan for major or catastrophic events that deny access to information resources for an extended period. Information learned from tests conducted since the plan was last updated will be used in updating the disaster recovery plan. The disaster recovery plan will:
      1. Contain measures which address the impact and magnitude of loss or harm that will result from an interruption;
      2. Identify recovery resources and a source for each;
      3. Contain step-by-step implementation instructions;
      4. Include provisions for annual testing.
   5. Coordinates contingency planning activities with incident handling activities;
   6. Reviews the contingency plan for the information system annually;
   7. Updates the contingency plan to address changes to the University, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
   8. Communicates contingency plan changes to Owners and Custodians; and
   9. Protects the contingency plan from unauthorized disclosure and modification.

Revision History

Last Updated: February 21, 2025

Previous Versions:

• June 29, 2023
• May 31, 2022
• March 25, 2021
• September 16, 2019