IT Baseline Protection Manual S 6.3 Development of an Emergency Procedure Manual
S 6.3 Development of an Emergency Procedure Manual
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Head of IT Section; staff responsible for the individual IT applications
A Contingency Manual should contain all measures to be taken after an emergency situation arises and all other relevant information. This Manual must be organised in such a way that an expert third person will be in a position to carry out the respective contingency measures.
By way of example, a comprehensive table of contents of a Contingency Manual is provided in the following for orientation. Which parts of this proposal are taken over depends on the existing system and application documentation and can thus only be decided on an individual basis.
TABLE OF CONTENTS - CONTINGENCY MANUAL
Part A: Immediate Measures
Warning in an Emergency
1.1 Alert plan and reporting channels
1.2 Lists of the addresses of the staff members concerned
1.3 Determination of specific tasks for individual persons/functions in an emergency
1.4 Emergency Call Numbers
(e.g. fire department, police, doctor, water and power utility, alternate computer centre, external data-media archive, external telecommunications supplier)
Instructions on Actions to be taken as regards Special Incidents
2.1 Fire
2.2 Ingress of water
2.3 Power failure
2.4 Failure of the air-conditioning system
2.5 Explosion
2.6 Sabotage
2.7 Failure of data transmission facilities
2.8 Unauthorised entry into a building
2.9 Vandalism
2.10 Bomb threat
2.11 Strikes/Demonstrations
2.12 ......
Part B: Contigency Provisions
General Regulations for an Actual Emergency
3.1 Staff responsible for emergency preparedness(contingency planning)
3.2 Designation of the organisational units involved in the implementation of contingency plans; division of responsibilities
3.3 Organisational guidelines; rules of conduct
Table of Availability Requirements
Part C: Post-Incident Recovery Plans for Critical Components
Recovery Plans
5.1 Post-incident recovery plan for Component 1 (e.g. host)
5.1.1 Replacement options
5.1.2 Internally/externally available alternatives
5.1.3 Data transmission provision
5.1.4 Restricted IT operation
5.1.5 Post-incident recovery procedure
15.2 Post-incident recovery plan for Component 2 (e.g. printer)
...
Part D: Documentation
Description of the IT Systems
6.1 Description of the IT system A (outline)
6.1.1 Description of hardware components
6.1.2 Description of software components
6.1.2.1 Inventory of system software
6.1.2.2 Inventory of the system data belonging to the IT system
6.1.3 Description of the network connections of the IT system
6.1.4 Description of the IT applications
6.1.4.1 Inventory of the application software
6.1.4.2 Inventory of the system data belonging to the IT application
6.1.4.3 Capacity requirements of individual IT applications in normal situations
6.1.4.4 Minimum capacity requirements of IT applications for an emergency
6.1.4.5 Restart procedures of the IT applications
6.1.5 Data backup policy
6.1.6 Description of required infrastructure
6.1.7 Other documentation (manuals, etc.)
6.2 Description of the IT system B
...
Important Information
7.1 Replacement procurement plan
7.2 List of manufacturers and suppliers
7.3 List of service companies in the area of "redevelopment"
Date of last change _____________
The Contingency Manual is to be enforced by the agency/company management and must be up-dated when required. Availability of the Emergency Procedure Manual is of critical importance. Therefore, a copy of the most recent edition must be deposited and held externally. A copy must also be submitted to every person and organisational unit mentioned in the Manual.
(The detailed contents of important items can be inferred from the following description of measures.)
Additional controls:
Is the contingency manual up-to-date?
Is consideration given to all possible emergencies?
