An official website of the United States government
IT Disaster Recovery Plan
Data Backup Plan
Businesses large and small create and manage large volumes of electronic information or data. Much of that data is important. Some data is vital to the survival and continued operation of the business. The impact of data loss or corruption from hardware failure, human error, hacking or malware could be significant. A plan for data backup and restoration of electronic information is essential.
An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the business continuity plan. Priorities and recovery time objectives for information technology should be developed during the business impact analysis. Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery.
Priorities for IT recovery should be consistent with the priorities for recovery of business functions and processes that were developed during the business impact analysis. IT resources required to support time-sensitive business functions and processes should also be identified. The recovery time for an IT resource should match the recovery time objective for the business function or process that depends on the IT resource.
Recovery strategies should be developed to anticipate the loss of one or more of the following system components:
- Computer room environment (secure computer room with climate control, conditioned and backup power supply, etc.)
- Hardware (networks, servers, desktop and laptop computers, wireless devices and peripherals)
- Connectivity to a service provider (fiber, cable, wireless, etc.)
- Software applications (electronic data interchange, electronic mail, enterprise resource management, office productivity, etc.)
- Data and restoration
Developing an IT Disaster Recovery Plan
Businesses should develop an IT disaster recovery plan. It begins by compiling an inventory of hardware (e.g. servers, desktops, laptops and wireless devices), software applications and data. The plan should include a strategy to ensure that all critical information is backed up.
Identify critical software applications and data and the hardware required to run them. Using standardized hardware will help to replicate and reimage new hardware. Ensure that copies of program software are available to enable re-installation on replacement equipment. Prioritize hardware and software restoration.
Document the IT disaster recovery plan as part of the business continuity plan. Test the plan periodically to make sure that it works.
Businesses generate large amounts of data and data files are changing throughout the workday. Data can be lost, corrupted, compromised or stolen through hardware failure, human error, hacking and malware. Loss or corruption of data could result in significant business disruption.
Data backup and recovery should be an integral part of the business continuity plan and information technology disaster recovery plan. Developing a data backup strategy begins with identifying what data to back up, selecting and implementing hardware and software backup procedures, scheduling and conducting backups and periodically validating that data has been accurately backed up.
Developing the Data Backup Plan
Identify data on network servers, desktop computers, laptop computers and wireless devices that needs to be backed up, along with other hard copy records and information. The backup plan should include regularly scheduled backups from wireless devices, laptop computers and desktop computers to a network server. Data on the server then can be backed up. Backing up hard copy vital records can be accomplished by scanning paper records into digital formats and allowing them to be backed up along with other digital data.
Data should be backed up frequently. The business impact analysis should evaluate the potential for lost data and define the “recovery point objective.” Data restoration times should be confirmed and compared with the IT and business function recovery time objectives.
Resources for Information Technology Disaster Recovery Planning
- Computer Security Resource Center - National Institute of Standards and Technology (NIST), Computer Security Division Special Publications
- Contingency Planning Guide for Federal Information Systems - NIST Special Publication 800-34 Rev. 1
- Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities – NIST Special Publication 800-84
- Building An Information Technology Security Awareness and Training Program - NIST Special Publication 800-50
Last Updated: 09/07/2023
NIST SP 800-34
Contingency planning guide for information technology systems.
Date Published: June 2002
Supersedes: FIPS 87 (03/27/1981)
Marianne Swanson (NIST), Amy Wohl, Lucinda Pope, Tim Grance (NIST), Joan Hash (NIST), Ray Thomas
The Contingency Planning Guide for Information Technology (IT) Systems provides instructions, recommendations, and considerations for government IT contingency planning. Contingency planning refers to interim measures to recover IT services after an emergency or system disruption. Interim measures may include the relocation of IT systems and operations to an alternate site, the recovery of IT functions using alternate equipment, or the performance of IT functions using manual methods. The information presented in this document addresses specific contingency planning recommendations and provides strategies and techniques common to desktops and portable systems, servers, Web sites, local area networks, wide area networks, distributed systems, and mainframe systems. The document also defines the following seven-step contingency process that an agency may apply to develop and maintain a viable contingency planning program for their IT systems. These seven progressive steps (develop the contingency planning policy statement, conduct the business impact analysis (BIA), identify preventive controls, develop recovery strategies, develop an IT contingency plan, plan testing/training/exercises, and plan maintenance) are designed to be integrated into each stage of the system development life cycle.
Publication: https://doi.org/10.6028/NIST.SP.800-34
Supplemental Material: None available
Document History: 06/13/02: SP 800-34 (Final)
Florida State University
IT Disaster Recovery Planning Standard
This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It defines the requirements for business continuity planning to ensure that the FSU infrastructure is as secure and resilient as it can be. Business Impact Analysis, data backup and IT disaster recovery planning are critical for facilitating continuity, restoration and timely recovery of IT systems that support access to FSU’s critical business functions and data.
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the Request for Exception to IT Security Policy.
Business Impact Analysis (BIA) – identifies critical business functions and documents the potential impacts resulting from disruption.
Consolidated University Unit (CUU) – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Continuity of Operations Plan (COOP) – a COOP focuses on restoring an organization’s mission-essential functions at an alternate site and performing those functions for up to 30 days before returning to normal operations. Minor threats or disruptions that do not require relocation to an alternate site are typically not addressed in a COOP.
Critical Business Functions – critical operational and/or business support functions that cannot be interrupted or unavailable for more than a mandated or predetermined timeframe without significantly jeopardizing University operations.
Disaster Recovery Plan – a written plan that defines technical activities that enable the continued availability or recovery of IT systems and services to an acceptable level of performance. A DR Plan is used to address major disruptions to service that deny access to the primary facility infrastructure for an extended period.
Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Mission Critical – any factor (component, equipment, personnel, process, procedure, software, etc.) that is essential to business operations. Mission Critical IT systems and data enable essential IT functions that would have an immediate detrimental effect on the University and CUUs if there was an interruption or failure of services including, but not limited to, one or more of the following:
- Risk to human life or safety
- Significant impact on the University’s research, learning and teaching, and administrative functions
- Significant legal, regulatory, or financial costs
- Loss of access to critical data or the ability to carry out critical business functions following an event
Tabletop Exercise – a discussion-based simulation of an emergency situation in an informal, stress-free environment; designed to elicit constructive scenario-based discussions.
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity and the NIST Privacy Framework in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.
University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Controls supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework and Controls
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
IT Asset Custodian
An individual with responsibility for the configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT Assets. IT Assets include but are not limited to enterprise or distributed networks, computers, servers, workstations, IoT devices, applications, databases, operating systems, and firmware.
Application Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for an application system, including appropriate security safeguards.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources, based on classification level identified by the Data Security Standard.
For more information, see IT Roles and Responsibilities.
Business Impact Analysis (BIA)
To protect against the loss of data in the event of a physical disaster (natural or manmade), database corruption, hardware or software failure, or other incident which may lead to the loss of services or data, CUUs are required to conduct Business Continuity and IT Disaster Recovery (DR) Planning. Business Continuity planning includes conducting a Business Impact Analysis (BIA) to address availability of essential business functions and vital infrastructure:
- Determine mission critical business processes and recovery time. Critical business processes must be identified, and the impact of a system disruption to those processes must be determined along with outage impacts and estimated downtime. The estimated downtime should reflect the maximum time that an organization can tolerate while still maintaining the mission.
- Identify resource requirements. Realistic recovery efforts require an evaluation of the critical resources required to resume the critical business processes and related interdependencies as quickly as possible. Resources that may be required include facilities, personnel, IT systems, services, infrastructure (equipment, software, data files, system components, etc.), and essential records.
- Identify recovery priorities for system resources. Priority levels can be established for sequencing recovery activities and resources.
CUUs will complete BIAs regularly, on a rotating schedule as defined by the Seminole Secure Schedule. See Seminole Secure for more information.
Disaster Recovery Plan
IT disaster recovery planning is the ongoing process of planning, developing, implementing, and testing disaster recovery management procedures and processes to ensure the efficient and effective resumption of critical functions in the event of an unscheduled interruption. This planning ensures that all essential business functions, resources, IT systems, and supporting technology infrastructure that must be available to enable the university to continue critical operations have been identified and prioritized. FSU data and systems essential to the continued operation of critical University functions must be recoverable through the use of backup, replication, high availability, or other technology. System dependencies and risks must be identified and accounted for when developing the order of recovery, establishing tolerance for downtime and recovery objectives, and documenting the roles of required personnel. The CUU Dean, Director or Department Head (DDDH) is responsible for ensuring appropriate contingency planning related to critical business functions within the CUU’s university units, that if disrupted could:
- impede the university’s ability to meet its mission and/or strategic goals,
- have a major financial or reputational impact, or
- result in significant regulatory or contractual noncompliance.
CUU ISMs are responsible for coordinating disaster recovery planning, testing and implementation efforts for the IT resources identified as critical to the CUU’s Continuity of Operations (COOP). IT Asset Custodians who manage mission critical IT Assets that support critical CUU business functions are responsible for identifying critical IT Assets in their BIA and all necessary contingency planning related to those assets. This includes:
- identifying and prioritizing essential business functions, facilities, and infrastructure that are most vital to operations.
- understanding the adverse impacts (fiscal, operational, reputational, safety) if such capabilities are not available.
- identifying the IT systems, data, services, and personnel required to enable required capabilities.
- determining when systems & services need to be available. (Recovery Times)
Disaster Recovery Plans, BIAs and other required contingency planning documentation must be made available upon request to ISPO and ITS. CUUs will complete DR plans regularly, on a rotating schedule. See Seminole Secure Schedule for more information on requirements for completion. See Seminole Secure for more information.
Review, Test and Validate DR Plans
IT Disaster Recovery Plans must be reviewed and tested at least annually or whenever significant system architecture or personnel changes occur. Plans must be tested on an annual basis and updated to document lessons learned and remediation steps to address plan weaknesses.
Training and Awareness
Each CUU must identify the responsibilities associated with IT Disaster Recovery to ensure that staff understand their roles and are capable of carrying out their responsibilities in the event a recovery is necessary. The Information Security and Privacy Office (ISPO) will partner with CUUs to assist with the onboarding of tools and to provide training and support for IT Disaster Recovery activities. For more information, see IT Security and Privacy Training Standard.
Data Backup Requirements
Information on recurring backup procedures for critical data and IT Assets must be included in each CUU’s written business continuity plans. Backups are required for all data, systems and infrastructure necessary to support the recovery and resumption of essential business operations identified by the BIA, COOP, and DR plan. This applies to all University Units/CUUs and third-party vendors who use computing devices connected to the FSU network, or who process or store critical data owned by the University.
CUU/University Unit ISMs are responsible for ensuring adequate data backup procedures for the data required to be backed up. The responsibility for backing up data held on the workstations of individuals, regardless of whether they are owned privately or by the university, falls entirely to the user. Data stored on workstations and other devices or locations under the user’s control must be routinely backed up by the user. University users should consult their CUU ISM about local backup procedures.
It is the responsibility of units, research programs, and individual faculty, staff, and workforce members within each CUU to:
- Classify institutional data based on data classifications as defined by the Data Security Standard and determine the backup method best suited to their classification level
- Identify primary responsibility within the CUU or research program for data backup; appropriate roles and responsibilities must be defined for data backup and restoration to ensure timeliness and accountability
- Ensure backups containing information classified as High Risk and Moderate Risk Data are encrypted in transit and at rest, as defined by the Encryption Standard.
- Ensure backups are secure, regularly validated, and accessible, and created using a methodology and frequency that meets the desired recovery objectives (RTO, RPO).
Information Technology Services (ITS) is responsible for the backup of data held in central systems and related databases. Data stored on shared directories are routinely backed up by ITS. All backups must conform to the following best practice procedures:
- All data, operating systems and utility files must be adequately and systematically backed up (includes all patches, fixes, and updates).
- Records must be maintained identifying the information backed up and its location.
- Records of software licensing should be backed up.
- Backup media must be precisely labeled and recorded.
- Ensure backups containing information classified as High Risk and Moderate Risk Data are encrypted in transit and at rest.
- Copies of the backup media, together with the backup record, should be stored safely in a remote location, at a sufficient distance away to escape any damage from a disaster at the main site.
- Regular tests should be conducted for restoring data/software from backup copies to ensure reliability.
Note: For the most important and time-critical data, a mirror system or disk may be needed for a quick recovery.
- NIST Cybersecurity Framework (CSF)
- NIST 800-53 Rev. 4, High Impact Controls
- IT Security and Privacy Incident Response and Reporting Procedures
- Seminole Secure
- ISPO Support Resources | Information Technology Services (fsu.edu)
- NIST SP 800-34 Rev 1 Contingency Planning Guide
- 4-OP-E-10 Continuity of Operations Planning (COOP) | Policies and Procedures (fsu.edu)
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
NIST Special Publication 800-53 Revision 5
CP-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
CP-2: Contingency Plan
Develop a contingency plan for the system that: Identifies essential mission and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; Addresses eventual, full system restoration without deterioration…
CP-7: Alternate Processing Site
Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; Make available at the alternate processing site, the equipment and…
CP-10: System Recovery and Reconstitution
Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.
IR-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] incident response policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
IR-7: Incident Response Assistance
Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.
IR-8: Incident Response Plan
Develop an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size,…
IR-9: Information Spillage Response
Respond to information spills by: Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills; Identifying the specific information involved in the system contamination; Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; Isolating the contaminated system or system component; Eradicating…
NIST Special Publication 800-171 Revision 2
3.6.1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities
Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring,…
3.6.2: Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization
Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator…
Cloud Controls Matrix v3.0.1
BCR-01: Business Continuity Planning
A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following: Defined purpose and scope, aligned with relevant dependencies Accessible to and understood…
BCR-03: Datacenter Utilities / Environmental Conditions
Data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
BCR-05: Environmental Risks
Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.
BCR-06: Equipment Location
To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
BCR-08: Equipment Power Failures
Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.
BCR-09: Impact Analysis
There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following: Identify critical products and services Identify all dependencies, including processes, applications, business partners, and third party service providers Understand threats to critical products and services Determine impacts resulting…
BCR-11: Retention Policy
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning…
SEF-01: Contact / Authority Maintenance
Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted-scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law…
SEF-02: Incident Management
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.
SEF-03: Incident Reporting
Workforce personnel and external business relationships shall be informed of their responsibilities and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations.
SEF-04: Incident Response Legal Preparation
Proper forensic procedures, including chain of custody, are required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an information security incident. Upon notification, customers and/or other external business partners impacted by a security breach shall be given the opportunity to participate as is legally permissible in the…
SEF-05: Incident Response Metrics
Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.
Critical Security Controls Version 8
11: Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
17: Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
NIST Special Publication 800-53 Revision 4
The organization: Develops a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; Addresses eventual, full…
The organization: Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; Ensures that equipment and supplies required to transfer and…
CP-12: Safe Mode
The information system, when [Assignment: organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
CP-13: Alternative Security Mechanisms
The organization employs [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.
The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
The organization: Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to…
The organization responds to information spills by: Identifying the specific information involved in the information system contamination; Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; Isolating the contaminated information system or system component; Eradicating the information from the contaminated information system or component;…
PE-17: Alternate Work Site
The organization: Employs [Assignment: organization-defined security controls] at alternate work sites; Assesses as feasible, the effectiveness of security controls at alternate work sites; and Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Critical Security Controls Version 7.1
19: Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.
Disaster Preparedness With NIST 800-53
September is National Preparedness Month and October is National Cybersecurity Awareness Month, which makes it an excellent time to review your organization’s disaster preparedness strategy. Implementing a contingency plan for a natural disaster could be the difference between minimal business interruption and weeks or even months of lost revenue. Even if you’re not a federal contractor, NIST 800-53 is a great resource for creating solid security policies and implementing effective security controls. The Contingency Planning control family in NIST 800-53 is no exception. The control family contains everything you need to set up a robust plan to ensure your organization is ready for any natural disaster.
This section contains all the planning, training, and testing that is needed to create and maintain a successful disaster preparedness plan.
CP-1 Contingency Planning Policy and Procedures
Establishing planning policy and procedures will help to implement the rest of the security controls in the Contingency Planning control family. Develop, document, and disseminate contingency policy and procedures to relevant personnel in the organization. The planning policy and procedures should reflect applicable laws, organizational directives, local regulations, and other relevant factors. Revisit the plan regularly to ensure the policy is up to date.
CP-2 Contingency Plan
The contingency plan will be the game plan for your organization when a disaster happens, and it is critical to a quick and effective response.
The plan should include the following:
- Essential missions and business functions, and their associated contingency requirements
- Recovery objectives, restoration priorities, and metrics to gauge progress
- Defined contingency roles and responsibilities, and assigned personnel with contact info
- A plan to maintain essential mission and business functions in the event of disruption, compromise, or failure
- A defined process for full information system restoration without deterioration of security safeguards
The contingency plan should be distributed to contingency personnel and relevant organizational elements, reviewed regularly, and modified if shortcomings are identified. To maintain operational security, ensure that the contingency plan is not disclosed to unauthorized parties.
CP-3 Contingency Training
After the contingency plan is formed, personnel need to be trained on their assigned contingency roles and responsibilities. Training can utilize simulated events and automated training environments to make the training more dynamic and effective. Training should be conducted when roles are initially assigned and when significant changes to the contingency plan are made. Additionally, refresher training should be done at regular intervals.
CP-4 Contingency Plan Testing
To ensure that the contingency plan is effective, it should be tested regularly. This can be done through tabletop exercises, simulations, walkthroughs, and testing of alternate site and recovery technology. If weaknesses are identified, the contingency plan should be edited to address them. As with all security topics, contingency planning should be iterative and reflect emerging threats as they appear; it’s not a “one and done” process.
Contingency services allow an organization to operate when main services have been damaged or taken offline by a natural disaster. Organizations that employ these services are fault-tolerant and can continue to operate with minimal interruption during a disaster, even when an entire site or datacenter is taken offline.
CP-6 Alternate Storage Site
Establish an alternative storage site that is geographically separated from the main site to store duplicate copies of information to ensure no data is lost during a disaster. If your off-site backups are across town, a wide area disaster such as a hurricane or flooding can easily destroy both your primary data and your backups, so ensure that the alternate storage site is sufficiently separated geographically. Managing off-site backups can be expensive, but they are orders of magnitude cheaper than losing all your organization’s data in a flood. Additionally, organizations should have the capability to rapidly restore from an alternate storage site to quickly resume normal operations after a data loss event.
CP-7 Alternate Processing Site
An alternate processing site should be established to operate essential business services if the primary site is unavailable or disabled due to a disaster. Like the alternative storage site, the alternative processing site should be geographically separated from the primary processing site to prevent a wide area disaster from disabling both sites simultaneously. Alternative processing sites should have the ability to transfer and resume operation from the primary to the alternative site, as well as transfer back to the primary site once the disaster is over, to ensure smooth operation during and after a disaster.
CP-8 Telecommunications Services
If an earthquake (or gardener) severs your building’s fiber line, do you have an alternative uplink ready to go? Telecommunication services like internet connections, phone lines, and cell towers are often unreliable or destroyed during a disaster. Having backup telecommunications systems in place is critical to quickly resuming operations following a disaster. Alternate telecommunication systems should not share a point of failure with main communication lines to prevent both the primary and alternate systems from going down at the same time.
CP-9 Information System Backup
Both user-level and system-level information should be backed up regularly, with defined recovery time and recovery point objectives. This will ensure that backups stored at the alternate storage site are up to date and easily recoverable in the case of a data loss event due to a disaster. Documentation, including disaster recovery plans, should also be backed up to help with the recovery process. Ensuring that backups are properly secured is critical. Check out our article on securing backups for more information.
CP-10 Information System Recovery and Reconstitution
Organizations need to have the capability to recover and restore systems after a disaster if they’re damaged or destroyed. A system to recover and reconstitute critical information systems can be the difference between getting up and running quickly and having to rebuild your environment from scratch. The confidentiality, integrity, and availability of backed up data should be preserved through the backup and restoration process to ensure that operational security isn’t compromised. Regularly test the reliability of backups as well as the restoration process to ensure a quick and complete recovery after a data loss event.
When a natural disaster hits, your organization needs to be ready to react quickly and efficiently to minimize downtime and data loss. Using NIST 800-53 as a starting point to develop your organization’s disaster preparedness plan and infrastructure is a great way to get the ball rolling. Do you want to bring your security program (including disaster preparedness) to the next level?
As your end-to-end security provider, NuHarbor is ready to help your organization with risk assessments, security program reviews, incident response planning, and much more. Contact us today!
NIST Cybersecurity Framework
Breaking Down the NIST Cybersecurity Framework: Recover
In the past few blog posts, we've been going over the five NIST Framework functions. In the last blog post, we covered the Respond function. In this post, we'll be going over the last Framework function, Recover.
"The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory" - NIST CSF
According to NIST, Recover is defined as the need to "develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.
The Recover Function supports timely recovery to normal operations to reduce the impact of a cybersecurity incident. Examples of outcomes for this function include Recovery Planning, Improvements, and Communications."
Recover includes these areas:
- Recovery Planning: Recovery procedures are tested, executed, and maintained so that your program can mitigate the effects of an event sooner rather than later
- Improvement: Disaster recovery plans and processes are amended when security incidents occur. Areas for improvement are identified and recovery processes and solutions are put together
- Communication: Coordinate internally and externally for greater crisis management, recovery time, thorough planning, and execution
Cyber attack recovery from major events is important not only for your organization but also for your customers and market. Swift cyber security recovery, handled with grace and tactfulness, will allow you to end up in a much stronger position internally and externally than you would otherwise. Prioritizing these focus areas and knowing how to recover from a cyber attack with a cyber attack recovery plan will ensure that your organization has a business continuity and response plan that is up to date and matches your organization’s goals and objectives.
CyberStrong streamlines all your compliance regs while giving visibility into NIST CSF best practices…