Course Project

NOTE: This sample template is provided to address NIST SP 800-53 security controls from the Contingency Planning family for a high impact information system. The template provided is a guide and may be customized and adapted as necessary to best fit the system or organizational requirements for contingency planning. Veterinary Practice Management Software Security Categorization: High Coastal Veterinary Clinic Information System Contingency Plan (ISCP) Version [1 ] [November 6, 2023 ] Prepared by Coastal Veterinary Clinic 123 Dog St Jacksonville, Floridia, 32034

Plan Approval 4 1. Introduction 5 1.1 Background 5 1.2 Scope 5 1.3 Assumptions 6 2. Concept of Operations 6 2.1 System Description 7 2.2 Overview of Three Phases 7 2.3 Roles and Responsibilities 8 3. Activation and Notification 9 3.1 Activation Criteria and Procedure 9 3.2 Notification 9 3.3 Outage Assessment 10 4. Recovery 10 4.1 Sequence of Recovery Activities 10 4.2 Recovery Procedures 11 4.3 Recovery Escalation Notices/Awareness 11 5. Reconstitution 11 5.1 Concurrent Processing 11 5.2 Validation Data Testing 12 5.3 Validation Functionality Testing 12 5.4 Recovery Declaration 13 5.5 Notifications (users) 13 5.6 Cleanup 13 5.7 Offsite Data Storage 13 5.8 Data Backup 14 5.9 Event Documentation 14 5.10 Deactivation 15 APPENDIX A PERSONNEL CONTACT LIST 15 APPENDIX B VENDOR CONTACT LIST 17 APPENDIX C DETAILED RECOVERY PROCEDURES 17 APPENDIX D ALTERNATE PROCESSING PROCEDURES 17 APPENDIX E SYSTEM VALIDATION TEST PLAN 18 Page 2

Plan Approval Provide a statement in accordance with the agency’s contingency planning policy to affirm that the ISCP is complete and has been tested sufficiently. The statement should also affirm that the designated authority is responsible for continued maintenance and testing of the ISCP. This statement should be approved and signed by the system designated authority. Space should be provided for the designated authority to sign, along with any other applicable approving signatures. A sample language is provided below: As the designated authority for {Veterinary Practice Management Software } , I hereby certify that the information system contingency plan (ISCP) is complete, and that the information contained in this ISCP provides an accurate representation of the application, its hardware, software, and telecommunication components. I further certify that this document identifies the criticality of the system as it relates to the mission of the {Coastal Veterinary Clinic } , and that the recovery strategies identified will provide the ability to recover the system functionality in the most expedient and cost-beneficial method in keeping with its level of criticality. I further attest that this ISCP for {Veterinary Practice Management Software } will be tested at least annually. This plan was last tested on {November 6, 2023 } ; the test, training, and exercise (TT&E) material associated with this test can be found in the attacked document “ISCP TT&E November 6, 2023”. This document will be modified as changes occur and will remain under version control, in accordance with Coastal Veterinary Clinic ’s contingency planning policy. ________________________________________ ________________________ Jordan Thompson November 6, 2023 Business Owner/ISCP Coordinator Page 4

1. Introduction Information systems are vital to Coastal Veterinary Clinic’s mission/business processes; therefore, it is critical that services provided by Veterinary Practice Management Software are able to operate effectively without excessive interruption. This Information System Contingency Plan (ISCP) establishes comprehensive procedures to recover Veterinary Practice Management Software quickly and effectively following a service disruption. 1.1 Background This Veterinary Practice Management Software ISCP establishes procedures to recover Veterinary Practice Management Software following a disruption. The following recovery plan objectives have been established: § Maximize the effectiveness of contingency operations through an established plan that consists of the following phases: o Activation and Notification phase to activate the plan and determine the extent of damage; o Recovery phase to restore Veterinary Practice Management Software operations; and o Reconstitution phase to ensure that Veterinary Practice Management Software is validated through testing and that normal operations are resumed. § Identify the activities, resources, and procedures to carry out the Veterinary Practice Management Software processing requirements during prolonged interruptions to normal operations. § Assign responsibilities to designated Coastal Veterinary Clinic personnel and provide guidance for recovering Veterinary Practice Management Software during prolonged periods of interruption to normal operations. § Ensure coordination with other personnel responsible for Coastal Veterinary Clinic contingency planning strategies. Ensure coordination with external points of contact and vendors associated with Veterinary Practice Management Software and execution of this plan. 1.2 Scope This ISCP has been developed for the Veterinary Practice Management Software , which is classified as a high-impact system, in accordance with Federal Information Processing Standards (FIPS) 199 – Standards for Security Categorization of Federal Information and Information Systems. Procedures in this ISCP are for high- impact systems and designed to Page 5

2. Concept of Operations The Concept of Operations section provides details about the Veterinary Practice Management Software , an overview of the three phases of the ISCP (Activation and Notification, Recovery, and Reconstitution), and a description of roles and responsibilities of Coastal Veterinary Clinic’s personnel during a contingency activation. 2.1 System Description NOTE: Information for this section should be available from the system’s System Security Plan (SSP) and can be copied from the SSP, or reference the applicable section in the SSP and attach the latest version of the SSP to this contingency plan. Provide a general description of system architecture and functionality Indicate the operating environment, physical location, general location of users, and partnerships with external organizations/systems. Include information regarding any other technical considerations that are important for recovery purposes, such as backup procedures. 2.2 Overview of Three Phases This ISCP has been developed to recover the Veterinary Practice Management Software using a three-phased approach. This approach ensures that system recovery efforts are performed in a methodical sequence to maximize the effectiveness of the recovery effort and minimize system outage time due to errors and omissions. The three system recovery phases are: Activation and Notification Phase – Activation of the ISCP occurs after a disruption or outage that may reasonably extend beyond the RTO established for a system. The outage event may result in severe damage to the facility that houses the system, severe damage or loss of equipment, or other damage that typically results in long-term loss. Once the ISCP is activated, system owners and users are notified of a possible long-term outage, and a thorough outage assessment is performed for the system. Information from the Page 7

outage assessment is presented to system owners and may be used to modify recovery procedures specific to the cause of the outage. Recovery Phase – The Recovery phase details the activities and procedures for recovery of the affected system. Activities and procedures are written at a level that an appropriately skilled technician can recover the system without intimate system knowledge. This phase includes notification and awareness escalation procedures for communication of recovery status to system owners and users. Reconstitution – The Reconstitution phase defines the actions taken to test and validate system capability and functionality at the original or new permanent location. This phase consists of two major activities: validating successful reconstitution and deactivation of the plan. During validation, the system is tested and validated as operational prior to returning operation to its normal state. Validation procedures may include functionality or regression testing, concurrent processing, and/or data validation. The system is declared recovered and operational by system owners upon successful completion of validation testing. Deactivation includes activities to notify users of system operational status. This phase also addresses recovery effort documentation, activity log finalization, incorporation of lessons learned into plan updates, and readying resources for any future events. 2.3 Roles and Responsibilities The ISCP establishes several roles for the Veterinary Practice Management Software recovery and reconstitution support . Persons or teams assigned ISCP roles have been trained to respond to a contingency event affecting Veterinary Practice Management Software. Describe each team and role responsible for executing or supporting system recovery and reconstitution. Include responsibilities for each team/role, leadership roles, and coordination with other recovery and reconstitution teams, as applicable. At a minimum, a role should be established for a system owner or business unit point of contact, a recovery coordinator, and a technical recovery point of contact. Page 8

3.2 Notification The first step upon activation of the Veterinary Practice Management Software ISCP is notification of appropriate business and system support personnel. Contact information for appropriate POCs is included in Appendix A . For the Veterinary Practice Management Software , the following method and procedure for notifications are used: The ICSP Coordinator will notify the IT Support Company via phone call and email to let them know that the ICSP needs to be activated. After the ICSP Coordinator informs the IT Support Company that they ICSP needs to be activated, they will notify the ICSP Coordinator and the business unit of the activation of the ICSP via email and phone call. 3.3 Outage Assessment Following notification, a thorough outage assessment is necessary to determine the extent of the disruption, any damage, and expected recovery time. This outage assessment is conducted by IT Support Company Assessment results are provided to the ISCP Coordinator to assist in the coordination of the recovery of the Veterinary Practice Management Software. Outline detailed procedures to include how to determine the cause of the outage; identification of potential for additional disruption or damage; assessment of affected physical area(s); and determination of the physical infrastructure status, IS equipment functionality, and inventory. Procedures should include notation of items that will need to be replaced and estimated time to restore service to normal operations. 4. Recovery The Recovery Phase provides formal recovery operations that begin after the ISCP has been activated, outage assessments have been completed (if possible), personnel have been notified, and appropriate teams have been mobilized. Recovery Phase activities focus on implementing recovery strategies to restore system capabilities, repair damage, and resume operational capabilities at the original or an alternate location. At the completion of the Recovery Phase, the Veterinary Practice Management Software will be functional and capable of performing the functions identified in Section 2.1 of this plan. 4.1 Sequence of Recovery Activities The following activities occur during recovery of Veterinary Practice Management Software: Page 10

Modify the following list as appropriate for the selected system recovery strategy: 1. Identify recovery location (if not at original location); 2. Identify required resources to perform recovery procedures; 3. Retrieve backup and system installation media; 4. Recover hardware and operating system (if required); and 5. Recover system from backup and system installation media. 4.2 Recovery Procedures The following procedures are provided for recovery of Veterinary Practice Management Software at the original or established alternate location . Recovery procedures are outlined per team and should be executed in the sequence presented to maintain an efficient recovery effort. The system will be recovered by recovering from the tape backups that are stored off-site. The backups will be stored in Savannah, Georgia to make sure they will not be affected by the same incident/disaster. The IT Support company will go through the procedure of recovering the data from the backups. 4.3 Recovery Escalation Notices/Awareness If the IT Support company will go through the procedure of recovering the data from backups. 5. Reconstitution Reconstitution is the process by which recovery activities are completed and normal system operations are resumed. If the original facility is unrecoverable, the activities in this phase can also be applied to preparing a new permanent location to support system processing requirements. A determination must be made on whether the system has undergone significant change and will require reassessment and reauthorization. The phase consists of two major activities: validating successful reconstitution and deactivation of the plan. 5.1 Concurrent Processing Page 11

5.5 Notifications (users) Upon return to normal system operations, Veterinary Practice Management Software users will be notified by IT Support Company using email and a phone call. 5.6 Cleanup Cleanup is the process of cleaning up or dismantling any temporary recovery locations, restocking supplies used, returning manuals or other documentation to their original locations, and readying the system for a possible future contingency event. The organization will cease operation at the temporary recovery location, and they will return all information assets to the primary location. The ISCP Coordinator will make sure that the hardcopy of the ISCP is returned to its rightful place, and they will make sure that the backup media is returned to the off-site facility in Savannah, Georgia by the IT Support Company. 5.7 Offsite Data Storage It is important that all backup and installation media used during recovery be returned to the offsite data storage location. The following procedures should be followed to return backup and installation media to its offsite data storage location. The IT Support Company will take care of returning the backup media to the off-site location in Savannah, Georgia. They will do this by sending someone directly to the off-site location with the backups, and the backup tapes will be logged back in at the off-site location. 5.8 Data Backup As soon as reasonable following recovery, the system should be fully backed up and a new copy of the current operational system stored for future recovery efforts. This full backup is then kept with other system backups. The procedures for conducting a full system backup are: The IT Support Company will complete a new, full back up of the system using a tape drive within 4 hours of the system being fully functional, and they will transport it to the off-site storage location following the same procedure as section 5.7. Page 13

5.9 Event Documentation It is important that all recovery events be well-documented, including actions taken and problems encountered during the recovery and reconstitution effort, and lessons learned for inclusion and update to this ISCP. It is the responsibility of each ISCP team or person to document their actions during the recovery and reconstitution effort, and to provide that documentation to the ISCP Coordinator. The IT Support Company will supply the ISCP Coordinator with the activity logs of what they did to respond to the incident and the testing results for testing system functionality. The ISCP Coordinator will then use these documents to write the lessons learned documentation and the after-action report. The ISCP Coordinator will then use these documents to better the ISCP plan in the future 5.10 Deactivation Once all activities have been completed and documentation has been updated, the business owner will formally deactivate the ISCP recovery and reconstitution effort. Notification of this declaration will be provided to all business and technical POCs. SUGGESTED APPENDICES ISCP appendices included should be based on system and plan requirements. The following appendices are recommended: APPENDIX A PERSONNEL CONTACT LIST Provide contact information for each person with a role or responsibility for activation or implementation of the ISCP, or coordination with the ISCP. For each person listed, at least one office and one non-office contact number is recommended. Note: Information may contain personally identifiable information and should be protected. Page 14

Cellular Email APPENDIX B VENDOR CONTACT LIST IT Support Company – 555-555-5555 – IT_Support@ITSupport.com APPENDIX C DETAILED RECOVERY PROCEDURES This appendix includes the detailed recovery procedures for the system, which may include items such as: § Keystroke-level recovery steps; § System installation instructions from tape, CD, or other media; § Required configuration settings or changes; § Recovery of data from tape and audit logs; and § Other system recovery procedures, as appropriate. If the system relies totally on another group or system for its recovery and reconstitution (such as a mainframe system), information provided should include contact information and locations of detailed recovery and reconstitution procedures for that supporting system. APPENDIX D ALTERNATE PROCESSING PROCEDURES This section should identify any alternate manual or technical processing procedures available that allow the business unit to continue some processing of information that would normally be done by the affected system. Examples of alternate processes include manual forms processing, input into workstations to store data until it can be uploaded and processed, or queuing of data input. Page 16

APPENDIX E SYSTEM VALIDATION TEST PLAN This appendix includes system acceptance procedures that are performed after the system has been recovered and prior to putting the system into full operation and returned to users. The system validation test plan may include the regression or functionality testing conducted prior to implementation of a system upgrade or change. An example of a system validation test plan: Once the system has been recovered, the following steps will be performed to validate system data and functionality: Procedure Expected Results Actual Results Successful? Performed by At the Command Prompt, type in sysname System Log-in Screen appears Log in as user testuser, using password testpass Initial Screen with Main Menu shows From Menu - select 5- Generate Report Report Generation Screen shows - Select Current Date Report - Select Weekly Report is generated on screen with last successful transaction Page 17

§ Delivery schedule and procedures for packaging media to go to alternate storage facility; § Procedures for retrieving media from the alternate storage facility; § Names and contact information for those persons authorized to retrieve media; § Alternate storage configuration features that facilitate recovery operations (such as keyed or card reader access by authorized retrieval personnel); § Any potential accessibility problems to the alternate storage site in the event of a widespread disruption or disaster; § Mitigation steps to access alternate storage site in the event of a widespread disruption or disaster; § Types of data located at alternate storage site, including databases, application software, operating systems, and other critical information system software; and § Other information as appropriate. Alternate Processing Site: § City and state of alternate processing site, and distance from primary facility; § Whether the alternate processing site is owned by the organization or is a third-party site provider; § Name and points of contact for the alternate processing site; § Procedures for accessing and using the alternate processing site, and access security features of alternate processing site; § Names and contact information for those persons authorized to go to alternate processing site; § Type of alternate processing site, and equipment available at site; § Alternate processing site configuration information (such as available power, floor space, office space, telecommunications availability, etc.); § Any potential accessibility problems to the alternate processing site in the event of a widespread disruption or disaster; § Mitigation steps to access alternate processing site in the event of a widespread disruption or disaster; § SLAs or other agreements of use of alternate processing site, available office/support space, setup times, etc.; and § Other information as appropriate. Page 19

Alternate Telecommunications: § Name and contact information of alternate telecommunications vendors; § Geographic locations of alternate telecommunications vendors facilities (such as central offices, switch centers, etc.); § Contracted capacity of alternate telecommunications; § SLAs or other agreements for implementation of alternate telecommunications capacity; § Information on alternate telecommunications vendor contingency plans; § Names and contact information for those persons authorized to implement or use alternate telecommunications capacity; and § Other information as appropriate. APPENDIX G DIAGRAMS (SYSTEM AND INPUT/OUTPUT) NOTE: Information for this section should be available from the system’s System Security Plan (SSP) and can be copied from the SSP, or reference the applicable section in the SSP and attach the latest version of the SSP to this contingency plan. Include any system architecture, input/output, or other technical or logical diagrams that may be useful in recovering the system. Diagrams may also identify information about interconnection with other systems. APPENDIX H HARDWARE AND SOFTWARE INVENTORY Provide the hardware and software inventory for the system. Inventory information should include type of server or hardware on which the system runs, processors and memory requirements, storage requirements, and any other pertinent details. The software inventory should identify the operating system (including service pack or version levels, and any other applications necessary to operate the system, such as database software). APPENDIX I INTERCONNECTIONS TABLE NOTE: Information for this section should be available from the system’s System Security Plan (SSP) and can be copied from the SSP, or reference the applicable section in the SSP and Page 20