Describe the importance of contingency planning for mission/business continuity of operations, including the purpose of various cyber and emergency management-related plans

Subject: Computer Science

Describe the importance of contingency planning for mission/business continuity of operations, including the purpose of various cyber and emergency management-related plans. Based on your analysis of contingency planning, what is a role of ISCP? How is this planning integrated into an information system's SDLC? 

 

Answer Preview

No organization can predict the future or how external events and market conditions will affect its ability to continue to operate. But businesses can prepare for events beyond their control. Using a "what if" process, organizations develop contingency plans, sometimes called business continuity plans, to identify unknown scenarios that may affect their operations, such as earthquakes, fires, violence and other situations, and how they will respond to each scenario.

What is Contingency Planning?

A contingency is anything that occurs outside the range of normal operations that may adversely affect an organization's ability to operate. Simply stated, contingency planning is about being prepared and is an integral part of regular operations planning. A contingency plan is a blueprint for how to deal with unusual events. Regardless of size, all organizations need contingency plans.

Why Does a Business Need Contingency Goals?

The purpose of a contingency plan is to allow an organization to return to its daily operations as quickly as possible after an unforeseen event. The contingency plan protects resources, minimizes customer inconvenience and identifies key staff, assigning specific responsibilities in the context of the recovery. For example, human resources may develop employee evacuation plans; support employee benefits programs, such as health care or workers' compensation; or hire temporary workers as needed.

Contingency plans are both organization-wide and department-specific. For example, information services departments typically have a disaster recovery plan to protect, restore and use company data, including computer hardware, software and instructional manuals.

Who is Responsible for Risk Contingency? 

Senior leadership has overall responsibility for contingency planning, including funding the work to develop, test and maintain the plan. Many organizations appoint a contingency plan coordinator or manager who has overall responsibility for developing and maintaining the plan. In a small business, the coordinator may be the owner or a manager. She communicates with employees and trains them on the plan and their responsibilities. She regularly tests the plan using mock situations to identify problems and areas for improvement and updates the plan to reflect changes in the organization and technology.

Stakeholders' issues and regulatory requirements are also incorporated into the planning process. For example, if a hurricane is moving into the area, client account managers would have a script or checklist to use in communicating with each client.

Tips for Developing a Contingency Plan

Developing a contingency plan begins by identifying the functional areas essential to business operations and then following key steps for each area as follows:

  • Determine how each situation, such as fire or flood, would affect these key areas; what actions would be taken; and the resources needed for each one. 
  • Set goals for the return to essential operations and return to full normal operations. 
  • Identify each required process and document each step in the process, what needs to be done, along with the employees and other resources needed to complete the work. 
  • Develop plans for each functional area and the organization as a whole and then test and refine the plans on a regular basis. 
  • Finally, implement a communications and education plan to keep employees informed of changes and remind them of their roles and responsibilities.

 

 

 

Role of ISCP in the analysis of contingency planning:

CACI is looking for an Information System Contingency Planning (ISCP) lead, responsible for executing the Information System Contingency Plan (ISCP) testing, training and exercises (TT&E). Demonstrate applied knowledge and provide senior-level, advanced Subject Matter Expertise in developing an Information System Contingency Plan (ISCP), template and repository. Perform advanced technical writing to design, develop, write and edit approximately 200 ISCP deliverables for client review and approval. Performs duties in support of in-house and external customers. Designs, develops or recommends integrated system solutions ensuring proprietary/confidential data and systems are protected in accordance with mandated standards. Participates with the client in the strategic design process to translate security and business requirements into technical designs. Implement ISCP templates when developing ISCP cross-walks in connection with TT&E. Research data, document business impact analysis, and document responses to threats and vulnerabilities as required to provide effective and efficient recovery solutions for hardware, software and telecommunication systems. Designs and implements plans of action and milestones to remediate findings from vulnerability and risk assessments. Assist, collect and evaluate Business Impact Analysis (BIA) and Business Program Analysis (BPA) data. Assist the client ISCP Coordinator in interacting with Security Risk Management (SRM) to identify threat assessment or to issue a program memorandum specific to Information System Contingency Plan (ISCP) testing for the current fiscal year. The memorandum shall include any changes in regulations, testing requirements/guidance and Risk-Based Decision (RBD)

More about the Role:

Develop an Integrated Master Schedule (IMS) detailing ISCP milestones and timelines for pre-and-post-testing to include at a minimum:

  • Resources allocated, dependencies, critical paths, and cost.
  • The Contractor shall also include timelines and milestones of Components and other internal/external organization industry upgrades that may impact processes or results of ISCP TT&E, such as changes to Operating Systems (OS), server upgrades, moratoriums

Additional Job Duties:

  • Provide support for the client's Information System Contingency Plan (ISCP) testing, training and exercises (TT&E) to ensure customer systems maintain Contingency in accordance with DHS 4300A and NIST SP guidance
  • Conduct advanced technical writing to assist the Information System Contingency Plan Coordinator (ISCPC) in executing the Information System Contingency Plan (ISCP) testing, training and exercises (TT&E) for OCIO essential systems activities (ESA).
  • Ensure HQ OCIO Information Systems Contingency Plan (ISCP) aligns with DHS Disaster Recovery (DR) and Continuity of Operations (COOP) for OCIO and other DHS Components planning for the National Level Exercise (NLE) meeting 95% National Institute of Standards and Technology (NIST) process development criteria 60 Calendar days prior to the NLE
  • Create templates for the Information System Contingency Plan (ISCP)
  • Provide technical writing support to include, but not limited to, research, writing, designing, editing, proofreading, stakeholder coordination and records management in a highly visible, fast-paced, time-sensitive, IT-driven environment
  • Perform advanced technical writing to design, develop, write and edit approximately 200 ISCP deliverables for Client review and approval
  • Develop a Project Plan detailing the proposed plan for project implementation, including but not limited to, project milestones, Life-Cycle costs, scope, schedule, risks, deliverables and quality controls.
  • Develop and maintain a Risk Management Plan (RMP) identifying, analyzing and evaluating program and project risks.
  • Develop and maintain a Quality Control Plan reporting quality control metrics, gap analysis, recommendations and solutions for program quality control requirements

 

planning integrated into an information system's SDLC

 

Step-by-step explanation

The System Development Life Cycle, "SDLC" for short, is a multistep, iterative process, structured in a methodical way. This process is used to model or provide a framework for technical and non-technical activities to deliver a quality system which meets or exceeds a business's expectations or manage decision-making progression.

Traditionally, the systems-development life cycle consisted of five stages. That has now increased to seven phases. Increasing the number of steps helped systems analysts to define clearer actions to achieve specific goals.

Similar to a project life cycle (PLC), the SDLC uses a systems approach to describe a process. It is often used and followed when there is an IT or IS project under development.

The SDLC highlights different stages (phases or steps) of the development process. The life cycle approach is used so users can see and understand what activities are involved within a given step. It is also used to let them know that at any time, steps can be repeated or a previous step can be reworked when needing to modify or improve the system.

 

Following are the seven phases of the SDLC:

1. Planning

This is the first phase in the systems development process. It identifies whether or not there is the need for a new system to achieve a business's strategic objectives. This is a preliminary plan (or a feasibility study) for a company's business initiative to acquire the resources to build on an infrastructure to modify or improve a service. The company might be trying to meet or exceed expectations for their employees, customers and stakeholders too. The purpose of this step is to find out the scope of the problem and determine solutions. Resources, costs, time, benefits and other items should be considered at this stage.

2. Systems Analysis and Requirements

The second phase is where businesses will work on the source of their problem or the need for a change. In the event of a problem, possible solutions are submitted and analyzed to identify the best fit for the ultimate goal(s) of the project. This is where teams consider the functional requirements of the project or solution. It is also where system analysis takes place—or analyzing the needs of the end users to ensure the new system can meet their expectations. Systems analysis is vital in determining what a business's needs are, as well as how they can be met, who will be responsible for individual pieces of the project, and what sort of timeline should be expected.

There are several tools businesses can use that are specific to the second phase. They include:

  • CASE (Computer Aided Systems/Software Engineering)
  • Requirements gathering
  • Structured analysis

3. Systems Design

The third phase describes, in detail, the necessary specifications, features and operations that will satisfy the functional requirements of the proposed system which will be in place. This is the step for end users to discuss and determine their specific business information needs for the proposed system. It's during this phase that they will consider the essential components (hardware and/or software), structure (networking capabilities), processing and procedures for the system to accomplish its objectives.

4. Development

The fourth phase is when the real work begins—in particular, when a programmer, network engineer and/or database developer are brought on to do the major work on the project. This work includes using a flow chart to ensure that the process of the system is properly organized. The development phase marks the end of the initial section of the process. Additionally, this phase signifies the start of production. The development stage is also characterized by installation and change. Focusing on training can be a huge benefit during this phase.

5. Integration and Testing

The fifth phase involves systems integration and system testing (of programs and procedures)—normally carried out by a Quality Assurance (QA) professional—to determine if the proposed design meets the initial set of business goals. Testing may be repeated, specifically to check for errors, bugs and interoperability. This testing will be performed until the end user finds it acceptable. Another part of this phase is verification and validation, both of which will help ensure the program's successful completion.

6. Implementation

The sixth phase is when the majority of the code for the program is written. Additionally, this phase involves the actual installation of the newly-developed system. This step puts the project into production by moving the data and components from the old system and placing them in the new system via a direct cutover. While this can be a risky (and complicated) move, the cutover typically happens during off-peak hours, thus minimizing the risk. Both system analysts and end-users should now see the realization of the project that has implemented changes.

7. Operations and Maintenance

The seventh and final phase involves maintenance and regular required updates. This step is when end users can fine-tune the system, if they wish, to boost performance, add new capabilities or meet additional user requirements.

Importance of the SDLC

If a business determines a change is needed during any phase of the SDLC, the company might have to proceed through all the above life cycle phases again. The life cycle approach of any project is a time-consuming process. Even though some steps are more difficult than others, none are to be overlooked. An oversight could prevent the entire system from functioning as planned.