Probably twice a year is sufficient -- when very cold or harsh weather is imminent and when very hot or stormy conditions are on the horizon.
Why A contingency plan identifies the activities, resources and procedures needed to carry on your systems' processing...
requirements during prolonged interruptions to normal operations. When outside elements affect operations, you need a mechanism that enables you to shut down, secure the equipment and grab what you need to continue operations elsewhere. It's important to remember that alternate power sources aren't for continuing operations as normal -- they allow you to transition to your hot/warm/cold backup site. Also note that if systems are switching to backup power regularly, this could indicate a problem, such as the local circuit grid not being able to carry all of your power requirements under certain conditions. You'll need to diagnose the problem then decide how to solve it.
Your backup power source should sustain your operations long enough to shut down all equipment in a known secure state. If your building or site loses power, does your backup power source give you the necessary amount of time? Work with the building manager or local authorities to simulate a power outage. Follow your contingency plan, verifying the plan works, the appropriate people are notified and you have the wherewithal to continue operations. If you don't have the ability to continue operations with your present equipment, determine which systems are critical and your maximum acceptable downtime. You may also want to get your organization's legal counsel to review your company's business operations insurance to ensure the organization is protected.
Most U.S. government organizations have comprehensive contingency plans -- using it as a template is a place to start. Web sites with good contingency plans or templates include NIST's Contingency Plan Guide SP 800-34 for IT-related issues and FEMA's U.S. Government Interagency Domestic Terrorism Concept of Operations Plan, which explains the Government's procedures in a national disaster. Several professional organizations may help too: http://www.drii.org and http://www.thebci.org.
About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to firstname.lastname@example.org.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
Dig Deeper on Information Security Incident Response-Detection and Analysis