Personal Assignment 2

Session 3
1. Why is it important to implement Information Technology (IT) risk management?
2. What is contingency planning? Please explain it in your own words in detail.
3. Who will be responsible for implementing IT risk management? How is the organizational
structure based on the book Principles of Incident Response and Disaster Recovery by
Whitman?
4. Please explain the four documents that need to be prepared when implementing contingency
planning.
Name: Togi Josua Hutapea
Answer:
1. The goal and objective of implementing IT risk management is to reduce the risks (threats)
that might arise in the system or IT infrastructure. With the adoption of IT risk management,
threats and risks that could disrupt the system are expected to be avoided or mitigated. And
if a threat does materialize, the company's activities are expected not to stall, so that it
does not cause a significant loss for the company.

2.
According to Childs and Dietrich (2002), a contingency is:
"The additional effort to be prepared for unexpected or quickly changing circumstances" (Childs
& Dietrich, 2002: 241).
According to the Oxford Dictionary and BNPB (2011), a contingency is:
a condition or situation that is expected to happen, but probably will not happen.
According to me, a contingency plan is:
a plan prepared to confront a situation that is expected to happen, but probably
will not happen.
A common error in preparing a contingency plan is to write down, as the contingency plan, the
action taken when a problem arises, rather than the action that has been prepared in advance.
Examples of incorrect contingency plans are:
Broken machine; contingency plan:
- Fix the machine, or set the priority of production.
- Report to the manager / customer.
Shortage of labor; contingency plan:
- Set the workforce.
- Set priorities.
The examples above are actions taken when there is a problem, so they are not contingency plans,
because they are not acts of anticipation prepared in advance.

Contingency planning is one of the various plans used in the risk management cycle. The
following table lists the activities undertaken and the plans used at each stage of the risk
management cycle:

Table 1: Activities and Plans Used in the Risk Management Cycle

Cycle                              | Activity                  | Plan
-----------------------------------+---------------------------+-------------------
Situation where no disaster occurs | Prevention and mitigation | Mitigation plan
Potentially catastrophic situation | Preparedness              | Contingency plans
Disaster                           | Emergency response        | Operation planning
After disaster                     | Recovery                  | Recovery planning

Source: BNPB (2011)

From the table above we can see that contingency planning is done when there is
the potential for disaster risk, i.e. at the preparedness stage of activities.

3.
Develop the risk management plan in collaboration with stakeholders (policy and
operational): involve people with expertise, competency and different skills or
backgrounds to ensure that the best available advice informs the risk management
plan. Implementation agencies are often better placed than policy agencies to
identify implementation risks, suggest treatment strategies, and advise on risk
tolerances.
The organizational structure is based on the following roles:
- Managers responsible for overseeing IT operations or business processes that
rely on IT systems;
- System administrators responsible for maintaining daily IT operations;
- Information System Security Officers (ISSOs) and other staff responsible
for developing, implementing, and maintaining an organization's IT
security activities;
- System engineers and architects responsible for designing, implementing, or
modifying information systems;
- Users who employ desktop and portable systems to perform their assigned job
functions; and
- Other personnel responsible for designing, managing, operating, maintaining, or
using information systems.

4.
- Identify preventive controls. In some cases, the outage impacts identified in
the BIA may be mitigated or eliminated through preventive measures that deter,
detect, and/or reduce impacts to the system. Where feasible and cost-effective,
preventive methods are preferable to actions that may be necessary to recover the
system after a disruption. Preventive controls should be documented in the
contingency plan, and personnel associated with the system should be trained on
how and when to use the controls.
- Develop an IT Contingency Plan. IT contingency plan development is a critical
step in the process of implementing a comprehensive contingency planning program.
The plan contains detailed roles, responsibilities, teams, and procedures associated
with restoring an IT system following a disruption. The contingency plan should
document technical capabilities designed to support contingency operations. The
contingency plan should be tailored to the organization and its requirements. Plans
need to balance detail with flexibility; usually the more detailed the plan, the less
scalable and versatile the approach. The information presented in NIST SP 800-34 is
meant to be a guide; however, the plan format may be modified as needed to better
meet the user's specific system, operational, and organizational requirements.
In our approach, the contingency plan comprises five main components: Supporting
Information, Notification/Activation, Recovery, Reconstitution, and Plan Appendices.
The first and last components provide essential information to ensure a
comprehensive plan. The Notification/Activation, Recovery, and Reconstitution phases
address specific actions that the organization should take following a system
disruption or emergency.
- Develop recovery strategies. Recovery strategies provide a means to restore
IT operations quickly and effectively following a service disruption. Strategies should
address disruption impacts and allowable outage times identified in the BIA (business
impact analysis). Several alternatives should be considered when developing the
strategy, including cost, allowable outage time, security, and integration with larger,
organization-level contingency plans.
The selected recovery strategy should address the potential impacts identified in the
BIA and should be integrated into the system architecture during the design and
implementation phases of the system life cycle.
- Plan Maintenance. To be effective, the plan must be maintained in a ready
state that accurately reflects system requirements, procedures, organizational
structure, and policies. IT systems undergo frequent changes because of shifting
business needs, technology upgrades, or new internal or external policies. Therefore,
it is essential that the contingency plan be reviewed and updated regularly, as part of
the organization's change management process, to ensure new information is
documented and contingency measures are revised if required. As a general rule, the
plan should be reviewed for accuracy and completeness at least annually or
whenever significant changes occur to any element of the plan. Certain elements will
require more frequent reviews, such as contact lists. Based on the system type and
criticality, it may be reasonable to evaluate plan contents and procedures more
frequently.
