Question: What's the difference between contingency planning, crisis planning, continuity planning and disaster recovery planning?
Answer: It depends. Despite what you may read elsewhere, there is no generally-accepted definition of these terms - the language is still evolving along with the underlying concepts. Some people use the terms loosely and interchangeably, others claim to know precisely what they each mean and are outraged if anyone gets it wrong. The following bullet points simply explain what we understand to be the emerging consensus:
Contingency planning is an all-encompassing term meaning making preparations for uncertain future situations (i.e. what we do is literally contingent - depends upon - the situation that actually unfolds). It comprises a suite of techniques designed to identify and minimise risks, largely by preparing for the unexpected. Contingency planning concepts apply to business, IT, political, personal and other situations. Air bags in a car are an example of a contingency measure, while specifying and mandating the use of air bags demonstrates contingency planning.
Crisis planning specifically concerns planning for the immediate aftermath of a disaster - evacuating staff safely, putting out fires, treating casualties and so forth. This is probably the most critical period of all since normal processes and controls have more or less completely failed at this point. Some individuals revert to primitive survival instincts, while others may be physically and/or mentally traumatised to the extent that they are incapable of normal behaviour. A solid crisis plan provides sufficient structure and guidance to stabilise the situation and enable the actual recovery processes to commence. Providing emergency exit signs and conducting evacuation drills illustrates a form of crisis planning.
[Business] continuity planning means preparing to keep the business going despite a disaster. Critical business processes are identified and arrangements made to ensure any associated IT services, suppliers etc. are sufficiently resilient and/or have effective Disaster Recovery plans. Critical functions/processes with the IT department typically include IT and network operations plus help/service desk: these typically deserve their own continuity plans. Resilience is a closely-associated concept in the IT sphere, meaning the ability to withstand most incidents without normal IT-driven services being significantly affected. Resilient IT services, systems and networks use redundancy, automated failover, dual-live “hot sites”, mirroring/clustering and similar high availability techniques, and build on the basics such as sound systems architecture and engineering, preventive maintenance and configuration control.
[IT] Disaster Recovery (DR) planning
concerns making arrangements to recover critical IT services to operation after a serious incident. This typically involves restoring services on standby systems and network equipment at warm- or cold-site recovery site. Finding a competent interim manager
to step in at short notice and hold the reins after the information security manager unexpectedly resigns or is dismissed, is one type of IT DR.
Talk to IsecT about designing, preparing and testing appropriate contingency plans for your business that strike a balance between cost and assurance. We have experience of all aspects noted above, and more besides (e.g. have you planned for 'logical' disasters such as major software bugs, website failures etc.? What about serious frauds, security incidents or infectious diseases causing the sudden loss of key staff, managers or whole teams?). We've seen entirely predictable situations turn into disasters that should never have happened, and contingency plans that are far too complex to manage. It's mostly just common sense to us.