NIST SP 800-34, Contingency Planning Guide for Federal Information Systems Rev 1
NIST Special Publication 800-34 breaks down the contingency planning process in seven-steps. The process helps organizations develop and maintain a contingency planning program for their assets. These seven steps are designed to be integrated into each stage of the system development life cycle to leverage the overall risk of an information system.
- Develop the contingency planning policy statement. A formal policy provides the authority
and guidance necessary to develop an effective contingency plan.
- Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information
systems and components critical to supporting the organization’s mission/business processes. A
template for developing the BIA is provided to assist the user.
- Identify preventive controls. Measures taken to reduce the effects of system disruptions can
increase system availability and reduce contingency life cycle costs.
- Create contingency strategies. Thorough recovery strategies ensure that the system may be
recovered quickly and effectively following a disruption.
- Develop an information system contingency plan. The contingency plan should contain
detailed guidance and procedures for restoring a damaged system unique to the system’s security
impact level and recovery requirements.
- Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas
training prepares recovery personnel for plan activation and exercising the plan identifies
planning gaps; combined, the activities improve plan effectiveness and overall organization
- Ensure plan maintenance. The plan should be a living document that is updated regularly to
remain current with system enhancements and organizational changes.
This approach very effectively covers all the same “corporate risk” challenge you would see in major organizations. It addresses corporate risk, by introducing a tiered approach to risk.
The Fundamentals of Corporate Risk Management (covered in Chapter 2, of NIST SP 800-39)
800-39 covers corporate risk in three layers (or tiers) of risk management:
- Tier 1: Organization level
- Tier 2: Mission/Business Process level
- Tier 3: Information System level
Tier 1: Corporate Organization Level risk management
NIST 800-39, Tier 1 addresses security from the entire organizations perspective. Corporate risk structure starts from the top down. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides context of all the risk activities within an organization, which affects the risk activities of tier 1 & 2. The output of risk framing is Risk Management Strategy. In tier 1 the organization establishes and implements governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.
Tier 2: Corporate/Mission Process Level risk management
Tier 2 risk management activities include: 1) defining the mission/corporate processes to support the organization. 2) Prioritize the mission/corporate process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, criticality/sensitivity of the information and the information flows both internal and external of the information.
Having a risk-aware process is an important part of tier 2.
To be risk-aware senior leaders/executives need to know:
- types of threat sources and threat events that could have an adverse affect the ability of the organizations
- potential impacts on the organizational operations and assets, individuals, the Nation if confidentiality, integrity, availability is compromised
- Corporations resilience to such an attack that can be achieved with a given mission/business process
Tier 3: Information System risk management
From the information system perspective, tier 3 addresses the following tasks of the DIARMF/risk management framework steps:
Categorization of the information system
Allocating the organizational security control
Selection, implementation, assessment, authorization, and ongoing
Chapter 3 on NIST 800-39 focuses on the step to have a comprehensive risk management program. The tasks discussed include:
- Risk Framing
- Risk Assessing
- Risk Response
- Risk Monitoring
Risk framing are the assumptions, constraints, risk tolerance and priorities that shape an organization’s managing risk. Risk framing is created based on organizational governance structure, how much money is available, regulations imposed, environment, culture and trust relationships.
Risk assessment is threat & vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessments, because methods of risk assessment must be established by the contexts of the organizations risk.
Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
Risk identification is key to risk response. Risk types include:
Risk accept- is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.
Risk changes with each modification of the system. It’s important to monitor the changes of the risk of a system. Changes to threats can also change risk.