S 6.9 Contingency plans for selected incidents

Initiation responsibility: Head of IT Section; Head of Organisational Section; IT Security Management; staff responsible for the individual IT applications

Implementation responsibility: Staff responsible for emergency preparedness(contingency planning)

Contingency plans contain instructions on action to be taken and rules of conduct in case of specific damaging incidents. These are incidents jeopardising parts of the IT system which are of vital importance. A contingency plan is aimed at ensuring restoration of availability as quickly as possible.

A contingency plan must also take account of the interaction of a damaging incident and of the respective contingency measure taken. For instance, a fire can be controlled by means of a sprinkler. However, the use of water can, in its turn, give rise to new threats, e.g. to power supply, to data media archives, etc.

Depending on the factors in the operational environment, contingency plans will have to be established to provide against the following incidents:

• fire

• water ingress

• power failure

• failure of the air-conditioning system

• explosion

• breakdown of data transmission (cf. S 6.10 )

• sabotage.

The effectiveness of contingency plans is to be verified by means of emergency preparedness exercises (cf. S 6.12 ).

Additional controls:

• Do contingency plans exist?

• Has the effectiveness of contingency plans been verified?