CP-4 - Contingency Plan Testing
Control requirements
CP-4 (a)
Test the contingency plan for the system [IBM Assignment: at least annually] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [IBM Assignment: functional exercises].
CP-4 (b)
Review the contingency plan test results.
CP-4 (c)
Initiate corrective actions, if needed.
Additional IBM Cloud for Financial Services specifications
Tests should be conducted in an environment as close to the operational environment as possible. Where feasible, the test should exercise the actual components or systems used to conduct daily operations rather than substitutes.
Test documentation must show that the contingency planning metrics, such as the recovery time objective (RTO), recovery point objective (RPO) and maximum tolerable downtime (MTD), are verified during testing.
Contingency Plan test reports must be completed within 30 days after completing the Contingency Plan Test.
If lessons learned identify necessary improvements to existing processes, incorporate them into the contingency plan no later than 30 days following the contingency event or exercise.
Critical issues discovered during contingency plan testing must be addressed within 45 calendar days.
Contingency plan tests should increase in scope over time in order to validate the operability of the plan and system components in an operational environment.
The organization must participate in customers' and other third parties' contingency plan tests as required.
NIST supplemental guidance
Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.