CP-04-727 Contingency Plan Testing


CP-04-727
Contingency Plan Testing
Contingency Planning
Protect
LOW, MOD, HIGH
P2
Yes
December 8, 2016

The agency's information system contingency plan has provisions for contingency testing. The chief information security officer shall publish a testing schedule each calendar year. The test shall be documented by the principal administrator for the affected system(s) and reviewed and approved by the chief information security officer and chief information officer. The chief information security officer will forward corrective actions derived during review of the test report to the associate director for operations for action.

Disaster recovery plans fail because they were not tested, maintained or reassessed.
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.
The organization:
a. Tests, reassesses and maintains the disaster recovery plans regularly to determine that they are up to date and effective; and
b. Conducts regular sessions to analyze the disaster recovery plan's test results for further upgrades.
Each state organization’s written disaster recovery plan will include provisions for annual testing.
Obtain contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; security plan; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records, and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, the contingency plan tests and/or exercises to be conducted;
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of contingency plan tests and/or exercises, and the frequency is at least annually;
(iii) the organization tests/exercises the contingency plan using organization-defined tests/exercises in accordance with the organization-defined frequency;
(iv) the organization reviews the contingency plan test/exercise results and takes corrective actions;
(v) the contingency plan tests/exercises confirm the plan's effectiveness.