华安信达

Regulatory Requirements for IT Business Contingency Planning: "Security of Federal Automated Information Systems"

9. Appendix III to U.S. OMB Circular A-130: "Security of Federal Automated Information Systems". PDF file (full text)

A. Requirements.

3. Automated Information Security Programs.

a. Controls for general support systems.

2) System Security Plan.

e) Continuity of Support. Establish and periodically test
the capability to continue providing service within a system
based upon the needs and priorities of the participants of
the system.

b. Controls for Major Applications.

2) Application Security Plan.

d) Contingency Planning. Establish and periodically test
the capability to perform the agency function supported by
the application in the event of failure of its automated
support.

B. Descriptive Information.

a. General Support Systems.

2) Security Plan.

e) Continuity of Support. Inevitably, there will be service
interruptions. Agency plans should assure that there is an
ability to recover and provide service sufficient to meet the
minimal needs of users of the system. Manual procedures are
generally NOT a viable back-up option. When automated support is
not available, many functions of the organization will effectively
cease. Therefore, it is important to take cost-effective steps to
manage any disruption of service.

Decisions on the level of service needed at any particular time
and on priorities in service restoration should be made in
consultation with the users of the system and incorporated in the
system rules. Experience has shown that recovery plans that are
periodically tested are substantially more viable than those that
are not. Moreover, untested plans may actually create a false
sense of security.

b. Controls in Major Applications.

2) Application Security Plans.

d) Contingency Planning. Normally the Federal mission supported
by a major application is critically dependent on the application.
Manual processing is generally NOT a viable back-up option.
Managers should plan for how they will perform their mission
and/or recover from the loss of existing application support,
whether the loss is due to the inability of the application to
function or a general support system failure. Experience has
demonstrated that testing a contingency plan significantly
improves its viability. Indeed, untested plans or plans not
tested for a long period of time may create a false sense of
ability to recover in a timely manner.

©2003 华安信达 (China CISSP) Computer Systems Security Consulting Network