Introduction
Life happens to come with many unprecedented and unpredicted disasters. Halfway across the world there are news of tornadoes, fires, earthquakes, and floods. News reporters give statistics of the many lives that are lost in such disasters and in many instances, the policy makers are not able to correctly determine the monetary value of property and businesses lost in such instances. Such happenings are taking place across the world and some of the greatest losers are business entities. Owing to these disasters and many more such disasters, business organizations have to think beyond the normal operations (Cobanoglu, Blasik, & Haley, 2009). In other words, businesses have to consider a situation in which the normal operations are disrupted. This understanding brings forth the concept of contingency planning.
Contingency Plan Explained
Contingency planning is a risk management concept that describes the process through which business entities prepare for an outcome that deviates from the usual plan. A contingency plan is a risk management tool that is used in instances where the occurrence of a specified but unprecedented risk is highly likely to result in catastrophic consequences. Taking an example, there may a nuclear power plant that is designed to be operated through computer networks. If for any reason the computer networks get hacked, there is the high likelihood that terrorists could allow harmful materials to leak out of the plants. The organization or government agency running such a facility must then understand that there is the possibility of such a risk occurring. Since insurance and other tools of risk management may not solve such a problem, the organization or government agency must have a contingency plan. Probably, the firm will have a manually operated system of ensuring that the hazardous materials do not leak out of the facilities. If the material leak, there must be a proper plan of the course of action that the staff at the organization must take to reduce the damage caused by those materials. Such actions could involve the reporting procedures as well as the evacuation procedures and the procedures are contained in the contingency plan (Dawson Jr, Crespo, & Brewster, 2013).
The above-explained illustration is meant to have the reader get a deeper understanding of the term contingency plan. In general, it is referred to many people as the ‘plan-B’ which is taken only if ‘plan-A’ fails (International Federation of Red Cross and Red Crescent Societies, 2012). The illustration may lead the reader to thinking that contingency plans only apply to large disasters such as the leaking of radioactive materials. This is a mistake that is often made by many people across the world and this includes a few people in risk management. However, it is important to understand that contingency planning is not just concerned with calamities and major disasters. In fact, it is important to view a contingency plan as the normal thrown around ‘plan-B’ that is used by many people in more simplistic situations. The following paragraph illustrates the scale to which contingency planning of having a plan-B applies to a smaller scale in the business setting hence bringing this discussion closer home.
Contingency Planning in Business Settings
Businesses interact with a lot of people, data, and information in their daily operations. For many years or even decades, it is possible that the business may fail to face any major or minor risk requiring the actualization of a contingency plan. Many organizations continuously use contingency plans even though this information does not get to the glare of the media. Some of the common instances in which organizations require and do use contingency plans include instances of supply stoppage simply because one of the suppliers went bankrupt (Ruiz-Torres, Mahmoodi, & Zeng, 2013). In the technology era, data is increasingly being lost to ‘anonymous’ and in banking businesses, bank runs come and kills the smaller banks. Such occurrences may appear common but for any business to survive through similar conditions there must be a contingency plan detailing how the organizations seeks to respond to such an issue.
One thing that the reader must appreciate is the fact that such risks as described in the paragraph above exist inherently in every organization’s operations. It is possible that the firm may face a little bit different situations than those explained above but as sure as day and night, such situations must always be there. Notably, in the era of the connected generations, the need for contingency plans had become even bigger. Today all firms have a large part of their operations and business processes running on computer programs and networks (Skipper, Hall, Hazen, & Hanna, 2014). This by itself exposes the firms to many attacks and therefore the need for contingency planning and it is for this reason that the next few paragraphs of this paper will provide details of how the organization can go about the contingency plan. Ideally, the contingency planning process captures three major steps that include risk assessment, followed by contingency plan development, and lastly there is the maintenance of the plan.
Contingency Planning Process
In the first stage, the organization must understand and be able to answer the question ‘what happens when plan-A fails to continue as expected?’ The answer to this question enables the business organization or government agency to identify the risk that the firm faces. Ideally, the objective of contingency planning is to ensure continuity in the operations of the organization. Consequently, the firm must identify the risks to continuity in the normal operations. Secondly, the firm must prioritize the risk. The risk in this is that the firm may just plan too much and appear skeptical hence that should be avoided. Lastly, the firm must determine the impact of the risk using probability charts but again it must avoid the risk of overly planning to the extent of forgetting it core objective (Sittig, Gonzalez, & Singh, 2014).
The second major step is the development of the contingency plan. Ideally, the contingency plan tells the organization what to do if the first option fails. It identifies the trigger for the application of the contingency plan, the definition of the times in which the contingency plan applies, the roles of everyone involves in core operations, and the limitations related to its application. One of the core factors in the contingency plan includes the following of the standard operating procedures to avoid the failure of the contingency plan. One things that the reader ought to be keen about is the fact that people and organizations invest a lot of time in the first option or plan A. However, the same people and organizations are poorly motivated with regard to the development of a plan B due to the assumption of risk or the assumption that the identified risks have a low probability of occurring. Such assumptions lead to the relegation of the contingency planning process to the bottom of the to-do list and it may never get done. It is important to understand the importance of contingency planning as a way of encouraging engagement and investment in the development of plan B (Sittig, Gonzalez, & Singh, 2014).
The last requirement is the maintenance of the contingency plan. The maintenance part is one that is easily forgotten simply because it is considered irrelevant by some people. Notably, the maintenance takes place between the time of the development of the contingency plan to the period when such a plan may be required. This may take a few days, months or even decades and as human nature has it, tracking the contingency plan over such a long period of time may be difficult. The importance of maintenance of the contingency plan is the fact that conditions change over time and so are the risks. In the highly fluid world of technology for instance, it is very difficult for a given technology to last longer than eighteen months. This is why maintenance of the contingency plan is important; to ensure that the contingency plan is relevant to the changing business conditions and the definitions of risk facing the normal operations of the organization. In other words, it is critically important for the organization to continuously review the contingency plan to ensure that it fits the changing conditions (Sittig, Gonzalez, & Singh, 2014).
Contingency Plan Recommendation
This section of the paper looks into the application of an important tool in the case of a Computer Forensic Investigation Services (CFIS) organization. The model of Computer Forensic Investigation Services (CFIS) works a little different from other business models considering the sensitivity of the matters that this type of an organization handles as well as the high likelihood of attacks to destroy files of cyber and other criminals. Consequently, it becomes important for the Computer Forensic Investigation Services (CFIS) to have a contingency plan that ensures that no attack would result in total destruction of investigation files and that in the instance of an attack, that the organization is able to ensure that it has the shortest downtime and that all culprits of such an attack are positively identified and apprehended.
Computer Forensic Investigation Services (CFIS) organization must ensure that other than the computer records that are based in the main operating area of the organization, there are back up files stored in a remote area of the organization. These could include both physical copies of the investigation process or secondly, the availability of computer networks that provide a more secure backup option and ease of access when such an action is required. Having a backup plan recognizes that the organization’s physical location as well as its computer networks are susceptible to attacks and that in the incidence of an attack the operations of the organization are likely to be decimated. This recognition brings to the forefront the need for the development of a contingency plan that anticipates certain types of risks and how such risks must be handled by the organization. As a matter of fact, being in the Computer Forensic Investigation Services (CFIS) means that attacks similar to those that the organization investigates are also possible take place especially on the security of the organization at hand. How then does the organization develop a working contingency plan?
Developing a contingency plan for a Computer Forensic Investigation Services (CFIS) organization begins with risk assessment as identified above with the main risk being the cyber attacks or attacks on its computer networks aiming at frustrating the computer forensic processes. When such an attack takes place, sensitive data is likely to be lost and leaked out to the public which is why the organization ought to know how to handle a similar attack on itself (Kent, Chevalier, Grance, & Dang, 2006).
The second step is the development of a contingency plan after the identification of the risks. The contingency plan captures the security level matters that the company ought to be have and the protocols to be activated in the event of an attack. For instance, breaches on the organization’s multi-level firewalls ought to be the starting point. In a three-level firewall system, the first consideration ought to touch on the way the company respond to the attack on each level of the security system. For instance, a breach on the first level should prompt the organization’s computer and network security personnel to quickly collect data on the attack identifying its source and preventing the attack on the second level. A breach on the second level should result in the anticipation of a third level attack which is why at this stage an auto-delete or auto-encrypt system should be put in place to ensure that any information held in the company’s servers is not in a format that is understandable to the attackers. An attack on the last level ought to result in auto-destruction of any evidence considered as classified hence limiting its exposure to the criminals. The systems may shut down automatically and disconnect from the network on which the attack is staged until the threat is eliminated. With the backup options mentioned in the paragraph above, the Computer Forensic Investigation Services (CFIS) organization ought to be able to continue with its investigations though on a different platform that allows for safer operations and continuity of services. Notably, the back-up options must have control levels that separate authority and responsibility or powers hence making it difficult for any attacks to be made on the contingency systems (Nelson, Phillips, & Steuart, 2014).
The last stage in the contingency planning is the maintenance and review of the systems. The objective of such tests would be to ensure that any attacks on the system are preempted in advance and that following the developments in computing power, networking capabilities, and technologies, the Computer Forensic Investigation Services (CFIS) organization is able to withstand any kind of attack on its systems. This requires training of the staff, simulations on the systems, tests on areas of possible weakness, and even updates on the contingency plan as the case may demand and based on available information on the possibility of attacks, types of attacks, and the possible sources of such attacks (Nelson, Phillips, & Steuart, 2014).
Contingency Plan Testing
Putting into consideration the fluidity of technology and the changes that occur in this field almost every eighteen months, the organization should have no longer than 24-month cycle business contingency testing plan. In other words, the organization must consider whether the plan prepared in the last 24-months would still be applicable in the coming period. The reason for this testing is to ensure that the organization does not have an obsolete contingency plan (Nelson, Phillips, & Steuart, 2014). Notably, testing the systems against the plan would also help the organization to determine whether there are any required systems improvements in line with the newer technologies. It also helps the organization in determining whether the risk environment has changed over the time. Thirdly, it helps the organization to project the possibilities of risk occurrences over the next 24-month period. Notably, the testing the systems within the 24-month business cycle helps the organization in keeping in touch with the systems of the organization help gauging its preparedness in the handling of certain risks.
One particular question that the reader may have with regard to the testing of the contingency plans regards what the organizations should be looking for and how often. A particular test that the organization must continuously is the manner in which the backup of data and information functions. This test should be conducted in every three months to ensure that all data used by the organization has been backed up in secure servers or locations. In the modern cloud storage enables organizations to easily backup data and so there will be many options at the disposal of the organization (Nelson, Phillips, & Steuart, 2014). In case of any accident that leads to distortions in option A, then the organization goes to option B hence ensuring continuity of their services but this does not result in any stoppage of the first option or the major business process.
Periodically, Computer Forensic Investigation Services (CFIS) may be required to conduct simulations of the possible problem to help the employees gain a better understanding of the plausible impact of the occurrence of certain events and gauge their readiness in the handling of similar occurrences in the real-time set-up. Notably, the simulation testing process does not only help the organization in understanding risk and how to handle uncertain situations. Rather, simulation testing helps the personnel to appreciate the importance of contingency planning, especially when noted that many people often relegate the need to have contingency plans at the bottom of the to-do list.
Costs Associated With the Recommended Testing Process
Testing the recommended contingency plan as explained above come with personnel, equipment, and data mining costs. Notably, one of the things that the contingency planning team must recognize is the fact that running the simulation as herein explained requires personnel and equipment for data collection. The data is means to allow the organization to get a clear understanding of all possible sources of risk. Considering that the business of Computer Forensic Investigation Services (CFIS) is data driven, all the points of data sourcing present potential sources of risk and it would be important to know how the organization would deal with the risks coming from all the high risk data sources. Depending on the pervasiveness of the risks and the data sources that the organization identities, it is important to note that one of the cost may vary greatly from the level that this report would recommend (Perrier, Agard, Baptiste, Frayret, Langevin, Pellerin, & Trépanier, 2013). It is for this reason that the paper focuses on ensuring that the organization is able to develop the resource needs based on the requirements. The only thing that the organization must take into consideration when dedicating funds for the contingency plan testing is ensuring that the funds and resources dedicated to this endeavor are not in any way wasted in courses that are not geared towards the establishment of a more robust contingency plan.
Conclusion
In conclusion, it is important to note that it is of critical importance for any given business organization or government agency to have a clear understanding of the risks facing the business. It is also important for the business to get a clear understanding of the importance of contingency planning considering the fact that the risks can strike the business at any time and when that happens, it is important for the business to be able to understand how it will continue its operations. The three key elements in the contingency planning process involve risk assessment, plan development, and plan review and maintenance. There are several elements that the organization must consider under each of the elements. However, the most important thing is for the organization to have personnel who are motivated enough to engage in the contingency planning process.
References
Cobanoglu, C., Blasik, S. & Haley, M. (2009). Computer systems failure contingency planning. American Hotel & Lodging Educational Foundation: NY
Dawson Jr, M. E., Crespo, M., & Brewster, S. (2013). DoD cyber technology policies to secure automated information systems. International Journal of Business Continuity and Risk Management, 4(1), 1-22.
International Federation of Red Cross and Red Crescent Societies. (2012). Contingency Planning Guide. IFRC: Geneva.
Kent, K., Chevalier, S., Grance, T. & Dang, H. (2006). Guide to Integrating Forensic Techniques into Incident Response: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-86.
Nelson, B., Phillips, A., & Steuart, C. (2014). Guide to computer forensics and investigations. Cengage Learning.
Nolan, R., O’Sullivan, C., Branson, J. & Waits, C. (2005). First Responders Guide to Computer Forensics. Carnegie Mellon Software Engineering Institute: Pittsburg.
Perrier, N., Agard, B., Baptiste, P., Frayret, J. M., Langevin, A., Pellerin, R., & Trépanier, M. (2013). A survey of models and algorithms for emergency response logistics in electric distribution systems. Part II: Contingency planning level. Computers & Operations Research, 40(7), 1907-1922.
Ruiz-Torres, A. J., Mahmoodi, F., & Zeng, A. Z. (2013). Supplier selection model with contingency planning for supplier failures. Computers & Industrial Engineering, 66(2), 374-382.
Sittig, D. F., Gonzalez, D., & Singh, H. (2014). Contingency planning for electronic health record-based care continuity: a survey of recommended practices. International journal of medical informatics, 83(11), 797-804.
Skipper, J. B., Hall, D. J., Hazen, B. T., & Hanna, J. B. (2014). Achieving flexibility via contingency planning activities in the supply chain. International Journal of Information Systems and Supply Chain Management (IJISSCM),7(2), 1-21.