CP-4 Contingency Plan Testing
Description
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises.
Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations.
Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.
Applicability
This Control applies to all mission critical information resources, Essential IT Services, and additional resources as noted.
The information resource owner or designee is responsible for ensuring the recovery and reconstitution procedures are tested.
Based on risk management considerations, the university’s Chief Information Security and Privacy Officer (CISPO) may determine, in consultation with the Chief Information Officer (CIO), that it would be appropriate to apply the requirements of this Control to information resources not meeting the Glossary definition of mission critical.
Implementation
TAMU-CC shall:
- Test the contingency plan for the information system annually using a tabletop exercise to determine the effectiveness of the plan and the organizational readiness to execute the plan;
- Review the contingency plan test results;
- Initiate corrective actions, if needed;
- Test the contingency plan at least every three years with a full interruption of mission-critical, on-premises services; and
- Include information resources contingency plan testing in the member’s emergency management plan testing and exercises.
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019