Contingency Plan Testing (CP-4)

Created August 15, 2016
Revised September 1, 2016

Description

Periodic testing of the recovery and reconstitution procedures shall be performed to determine the effectiveness of the procedures and organizational readiness to execute the contingency plan.

Guidance

Tests of the recovery procedures may include a range of testing methods from virtual (e.g., table-top) tests to actual events. The tests shall be documented and the results shall be used to update the procedures if necessary. The information resource owner or designee shall approve the results of the tests and any resulting actions.

Applicability

This Control applies to all mission critical information resources, Essential IT Services, and additional resources as noted.

The information resource owner or designee is responsible for ensuring the recovery and reconstitution procedures are tested.

Based on risk management considerations, the university’s Chief Information Security Officer may determine, in consultation with the CIO, that it would be appropriate to apply the requirements of this Control to information resources not meeting the Glossary definition of mission critical.

Implementation

The recovery and reconstitution procedures shall:

1. be tested at least annually. Tests of the recovery procedures may include a range of testing methods from virtual (e.g., tabletop) tests to actual events. The tests shall be documented and the results shall be used to update the procedures, if necessary. The information resource owner or designee shall approve the results of the tests and any resulting actions.

2. provide for testing on a regular basis of backup and/or recovery media to ensure the validity of the recovery media and process.