(ii) Implementation specifications:
(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
Tell Me More:
The Testing and Revision Procedures implementation specification requires covered entities to address implementing procedures for periodic testing and revision of contingency plans. Testing and revision procedures are documented procedures for periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary.
Written testing and feedback mechanisms are keys to successful testing, as mentioned earlier. This implementation specification ensures that contingency plans are kept up-to-date when business processes change. Often, simple steps in conducting disaster recovery or other business continuity planning revival are missed because they have not been tested from start to finish. While implementing a testing and revision procedure or process is considered addressable, it is worthwhile to periodically prepare a “test run.” Human emotions and inability to think clearly during a crisis situation alone drive the need to routinely test and revise procedures to assure that even staff unfamiliar with the process can follow step by step instructions to facilitate continuity of the business during and immediately after a crisis.
For more information, read “The Truth about HIPAA‐HITECH and Data Backup“.
Questions to consider:
- Has the organization tested its plan? Testing the plan will help the organization determine how it will work in a crisis. In addition, testing helps train personnel.
- Has the organization evaluated the results of the test and revised its plan as appropriate? It is not enough simply to perform a test. The organization should strive to learn from the test and revise its plan as needed.
- Does the testing occur on a routine basis? Over time personnel, systems and system configurations, and the security environment change. As such, ongoing testing is important.
- NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
- NIST SP 800-12 chapter 11 An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations