Environmental Protection Agency’s Contingency Plan

The Environmental Protection Agency (EPA) uses NIST’s “SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems” to ensure the continued operation of the many facets of its organization in the event of a disaster, incident, or unplanned downtime. Overall, I felt that the document is satisfactory in planning for the restoration of IT services in the event of an outage; however, the general procedures felt quite bland and not formulated for the EPA’s specific systems and personnel. This could simply be because CPs aren’t necessarily so detailed and instead serve as a form of ‘playbook’ used while attempting to fix assets and operations that are disrupted.

In the EPA’s document, there are several methods available for restoring IT business operations by using various contingency plan (CP) controls, such as ensuring that all affected staff have the necessary training to understand the situation at hand, the risks involved, the steps to restore services, and what to do in the various scenarios in which the condition worsens. Conducting exercises based on every possible disaster scenario or outage, and performing them at both regular and irregular intervals (adding an element of surprise to simulate a real-world event), are also correctly designed and can be extremely useful. Documenting training and exercises to further hone the skills needed to create an adequate CP is critical in today’s ever-changing technological environment.

Creating, maintaining, and updating plans, procedures, and documents related to the restoration of IT services (ensuring that they all evolve with the organization as personnel, location, products, hardware/software, and new policies and laws are adopted) is another aspect of the EPA’s CP document. The use of a Business Impact Analysis (BIA) allows a CP to be focused on what areas/sectors of IT business operations need to be restored first or are at the most risk, as well as how to go about the process. Finally, the recovery strategies listed, such as using alternate sites and associated resources, backups, and procedures to replace equipment of the primary site, are all vital in any CP.

There are several instances in the EPA’s document that are excellent for the given situation, and some that can be improved. Under CP-9, I believe that for moderate- to high-impact information systems, scans and tests at monthly intervals are not sufficient to combat the risk of corruption or data loss in backups. That said, I believe the EPA’s data restoration processes, as part of CP testing, are quite efficient in ensuring the quick restoration of operations, as well as confirming that the data is readily accessible and secure. Furthermore, under CP-6, the addition of offsite data storage is vital to ensuring the availability and integrity of data; however, while I see that it is indeed intended to be in a separate building, having the facility in a different region (not just a different physical location) isn’t mentioned. In a situation like a flood or other far-reaching disaster, impacts can occur at multiple facilities in the area, rendering offsite (but still nearby) data storage useless. The use of numerous physical backup sites (in separate regions), in conjunction with cloud storage, is by far the best choice for data storage backups.

Similar to the EPA’s use of CP-6, CP-7 fails to address the requirement of having the alternate processing site in a different region, which would further increase fault tolerance and risk transference. In CP-4, phone tree exercises are mentioned; the use of these hierarchical communication models can reduce the speed at which a message is relayed, as well as spread misinformation. If an automated phone tree is instead used at the EPA, there should be a carefully drafted guideline for its usage and testing procedures. In CP-8, I feel the telecommunications controls are sufficient to ensure continued communication during an outage, incident, or disaster; I am also glad that they are tested regularly, as more often than not, telecommunications can be either the most significant cause of, or solution to, many issues during an incident, disaster, or unplanned outage of IT services.

Overall, I felt that the EPA uses NIST’s “SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems” in an effective manner; however, one would think such a sizeable and influential organization would surpass my highest expectations when it comes to contingency planning. While the EPA appears to have met all the requirements of a proper contingency planning guide, I wouldn’t expect the systems and procedures set in place to completely satisfy what many security and IT professionals strive for: the quest for five nines and C.I.A. triad excellence.

References

Whitman, M., & Mattord, H. (2016). Management of Information Security (6th ed.). Boston, MA: Cengage Learning.

NIST. (2010). SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems. Retrieved February 13, 2020, from https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final

EPA. (2012). Information Security: Interim Contingency Planning Procedures, V3.2. Retrieved February 13, 2020, from https://content.bellevue.edu/cst/cis/608/cd/docs/information-security%E2%80%93interim-contingency-planning-procedures-v3-2.pdf

Swanson, M. (n.d.). NIST SP 800-34, Revision 1: Contingency Planning Guide for Federal Information Systems. Retrieved February 13, 2020, from https://csrc.nist.gov/csrc/media/events/hipaa-2010-safeguarding-health-information-buil/documents/2-2b-contingency-planning-swanson-nist.pdf
