

Pabrai Blogs on “Is Your IT Contingency Plan Updated and Current?”

NIST Special Publication 800-34 Rev 1 defines a seven-step IT contingency planning process that an organization can apply to develop and maintain a viable contingency planning program for its information systems. Contingency Plan is a Standard in the HIPAA Security Rule (45 CFR 164.308(a)(7)), and like every Standard in the regulation it is required, not optional. The seven steps that NIST SP 800-34 Rev 1 outlines for an IT contingency plan are:

  1. Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
  2. Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization’s mission/business functions.
  3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
  4. Create contingency strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
  5. Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system’s security impact level and recovery requirements.
  6. Ensure plan testing, training, and exercises. Testing validates recovery capabilities, training prepares recovery personnel for plan activation, and exercising the plan identifies planning gaps; combined, these activities improve plan effectiveness and overall organizational preparedness.
  7. Ensure plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.

It all starts with a policy that establishes the scope of your IT contingency plan. NIST SP 800-34 Rev 1 is an excellent reference to use as you create or update your contingency plans.

So when did you last review and update your IT contingency plan? Is it an actionable plan that has been tested?

http://searchhealthit.techtarget.com/healthitexchange/pabraionhipaahitechcompliance/is-your-it-contingency-plan-updated-and-current/