Maintaining a contingency plan as part of a Continuity of Operations Program (COOP) is key to minimizing the effects of a man-made or natural disruptive event or disaster. A contingency plan that is kept up to date and tested on a regular basis allows a unit to resume critical functions in a timely and predictable manner.

The degree and scope of a contingency plan shall be commensurate with the risk and value of the computer system and data. One must take into account the likelihood of a disruptive event as well as the impact of such an event. Risk tolerance and risk appetite must be clearly understood and established. The cost of implementing preventive measures should be weighed against the risk of loss from not taking action. IT professionals and information resource owners must work together to ensure that the risk is clearly understood so that responsible contingency planning decisions can be made.


  • This Control applies to all high and moderate impact information resources, University Essential IT Services, and additional resources as identified by the CISO, in consultation with the CIO.

  • The information resource owner or designee is responsible for ensuring that the planning processes described in this Control are implemented.

  • Based on risk management considerations, the university’s Chief Information Security Officer may determine, in consultation with the CIO, that it would be appropriate to apply the requirements of this Control to information resources not meeting the Glossary definition of high and moderate impact.


  • 1

    Information resource owners or designees shall document and maintain a Contingency Plan for all high and moderate impact information resources. The plan will contain:

    • 1.1

      Business Impact Analysis to systematically assess the potential impact of a loss of business functionality due to an interruption of computing and/or infrastructure support services resulting from a disruptive event or incident. The analysis shall identify the following elements:

      • 1.1.1

        High and moderate impact Information Resources including:

          • Internal and external points of contact for personnel who provide or receive data; and

          • Supporting infrastructure such as electric power, telecommunications connections, and environmental controls.

      • 1.1.2

        A determination of the Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

      • 1.1.3

        Dependent information resources to assess the impact on associated resources or processes.

      • 1.1.4

        Relevant recovery priorities that consider geographic areas, accessibility, security, environment, and cost, including:

          • Preventative controls and processes such as backup power, excess capacity, environmental sensors and alarms; and

          • Recovery techniques and technologies such as backup methodologies, alternate sites, software and hardware equipment replacement, implementation roles and responsibilities.

    • 1.2

      A Cost Benefit Analysis for University Essential IT Services shall be conducted to weigh the cost of implementing preventative measures against the risk of loss from not taking action. For high and moderate impact information resources, a cost benefit analysis shall be conducted at the discretion of the information resource owner.


      IT Policy and Risk Management is planning future courses on the elements of cost benefit analysis for Contingency Planning. Keep an eye on the Events Calendar on the home page for future training dates, times and locations.

    • 1.3

      Recovery and reconstitution (aka “disaster recovery”) procedures for major or catastrophic events that deny access to high and moderate impact information resources for an extended period. The procedures will:

      • 1.3.1

        be implemented as described in CP-10 Information Systems Recovery and Reconstitution;

      • 1.3.2

        be tested as described in CP-4 Contingency Plan Testing.


        Tests of the recovery procedures may include a range of testing methods from virtual (e.g., tabletop) tests to actual events. The tests shall be documented and the results used to update the procedures, if necessary. The information resource owner or designee shall approve the results of the tests and any resulting actions.