3.3 Contingency planning
Contingency planning comprises safeguards which, in case of failure (due to technical reasons, caused intentionally or as a result of negligence) of an IT system, are designed to restore its operating state. Depending on the time of implementation of these measures, contingency planning safeguards can be grouped into four stages:
Stage 1: Contingency planning
In this stage, the measures suitable and economically viable for a particular IT system are identified. It is determined which measures can be taken during operation of an IT system (e.g. smoking ban, uninterruptible power supply, service, data backup) so that an emergency situation is prevented and that damage resulting from an emergency situation is reduced. Furthermore, contingency plans, which are part of a contingency manual, stipulate which measures must be taken in case of an emergency.
Stage 2: Implementing the contingency measures accompanying IT operation
In stage 2, the contingency measures are implemented and maintained. These must be carried out prior to an emergency situation in order to reduce the probability of an emergency or to allow swift and cost-effective restoration of the operating state.
Stage 3: Emergency preparedness exercises
Emergency drills are particularly important in connection with stage 2 in order to train the implementation of the measures listed in the Emergency Manual and to increase efficiency.
Stage 4: Implementing planned measures after an emergency situation arises
After it has been officially decided that an emergency situation is present, the measures set out in the
Emergency Manual for this case must be implemented without delay.
In order to be able to make contingency planning cost-effective, the costs incurred must be compared to the potential damage (costs due to a lack of availability in the event of an emergency) and assessed. The following costs should be considered:
This chapter offers a systematic approach as to how an Emergency Manual can be compiled and
trained. This covers stage 1 and stages 3 and 4. The Implementation of stage 2 requires an assessment
of the individual IT system. These measures are described in the relevant modules of this manual.
The compilation of an Emergency Manual and the safeguards required involve considerable expense. It is thus particularly recommended to use this chapter for
In this Chapter, the threat
is considered as representative for all threats which could cause failure as regards IT baseline protection.
Recommended Countermeasures (S)
For the implementation of IT baseline protection, selection of the required packages of safeguards
("modules") as described in chapters 2.3 and 2.4, is recommended.
The safeguards should be treated in the order stated so as to ensure that the Emergency Manual is compiled systematically.
© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000
Last Update on 6 April 2000