The agency's information system contingency plan has provisions for contingency testing. The chief information security officer shall publish a testing schedule each calendar year. The test shall be documented by the principal administrator for the affected system(s) and reviewed and approved by the chief information security officer and chief information officer. The chief information security officer will forward corrective actions derived during review of the test report to the associate director for operations for action.
Disaster recovery plans fail because they were not tested, maintained or re-assessed.
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.
The organization:
a. Tests, reassesses and maintains the disaster recovery plans regularly to determine that they are up to date and effective; and
b. Conducts regular sessions analyze the disaster recovery plan’s test results for further upgrades.
Each state organization’s written disaster recovery plan will include provisions for annual testing.
Obtain contingency planning policy; contingency plan, procedures addressing contingency plan testing and exercises; security plan; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records and ascertain if :
(I)the organization defines in the security plan, explicitly or by reference, the contingency plan tests and/or exercises to be conducted.
(ii)the organization defines in the security plan, explicitly or by reference, the frequency of contingency plan tests and/or exercises and the frequency is at least annually.
(iii)the organization tests/exercises the contingency plan using organization-defined tests/exercises in accordance with organization-defined frequency.
(iv)the organization reviews the contingency plan test/exercise results and takes corrective actions.
(v)the contingency plan tests/exercises confirm the plan’s effectiveness.