1.2 BCP Standards and Guidelines 11
Chapter 1
menting changes in the plan should be performed in a timely manner to
maintain an effective plan.
1.1.4.5 Disposal Phase
Contingency considerations should not be neglected because a computer
system is retired and another system replaces it. Until the new system is
operational and fully tested (including its contingency capabilities), the
original system's contingency plan should be ready for implementation. As
legacy systems are replaced, they may provide a valuable backup capability
if a loss or failure of the new system should occur. In some cases, equipment
parts (e.g., hard drives, power supplies, memory chips, or network cards)
from hardware that has been replaced by new systems can be used as spare
parts for new operational equipment. In addition, legacy systems can be
used as test systems for new applications, allowing potentially disruptive
system flaws to be identified and corrected on nonoperational systems.
1.2 BCP Standards and Guidelines
Information in this book is consistent with guidance provided in NIST
documentation [5] and with other federal mandates affecting contingency,
continuity of operations, and disaster recovery planning, including:
The Computer Security Act of 1987 [6]
Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, November 2000
Federal Preparedness Circular (FPC) 65, Federal Executive Branch Continuity of Operations, July 1999
Presidential Decision Directive (PDD) 67, Enduring Constitutional Government and Continuity of Government Operations, October 1998
Presidential Decision Directive (PDD) 63, Critical Infrastructure Protection, May 1998
Federal Emergency Management Agency (FEMA) Federal Response Plan (FRP), April 1999
NIST Special Publication 800-34, Contingency Planning Guide for Information Technology (IT) Systems, which provides instructions, recommendations, and considerations for government IT contingency planning.
Additionally, the following international standards are available:
ISO/International Electrotechnical Commission (IEC) 17799:2000 Information Technology—This code of practice for information security management, an international version of British Standard 7799-1:1999, was published in December 2000. It contains 10 major sections, one of which is Business Continuity Management (Section 11). However, parts of Physical and Environmental Security (Section 7), Asset Classification and Control (Section 5), and Security Policy (Section 3) also apply.
ISO/IEC Technical Report (TR) 13335—Guidelines for the Management of IT Security (GMITS), Part 2 (13335-2), Managing and Planning IT Security, contains requirements for procedural security, including business continuity.
ISO 9002—This quality assurance model applies to organizations that produce, install, and service products. It implies industry standards for IT security and the broader subject of general product security, including continuity planning for IT systems (both as products themselves and as environmental support) and for all other aspects of business operations (physical, environmental, personnel) that, if disrupted, would affect product security.
1.2.1 Industry-Specific Standards and Regulations
Regulatory compliance can play a major role in motivating companies to implement thorough business continuity plans. U.S. government agencies with essential missions at the federal, state, and local levels have always had continuity plans. The Continuity of Operations Planning (COOP) directives produced by the Office of Management and Budget (OMB) and the President of the United States outline the objectives of business continuity planning for all federal departments and agencies. Examples are as follows:
OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources” (published in 1993) requires that appropriate business continuity plans be put in place for all federal general-purpose systems and major applications, which include the mission-critical applications identified under the Y2K program.