CP-4: Contingency Plan Testing
NIST Baseline: Low
DIR Required By: 01/20/2023
TAMUS Required By: 08/01/2022
Review Date: 07/09/2024
- Backup and recovery procedures documented in Disaster Recovery Plans will be tested periodically and the overall Disaster Recovery Plan will be tested at least annually in accordance with Texas Department of Information Resources (DIR) Security Control Standards.
- Annual tests are required for High Impact Information Resources in accordance with Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security. Any additional testing requirements for otherwise Low or Moderate Impact Information Resources are at the discretion of the Tarleton Chief Information Officer (CIO) and/or Chief Information Security Officer (CISO).
- Testing methods can include, but are not limited to:
  - Virtual (e.g. table-top) tests
  - Actual events
  - Risk assessments (that include testing)
- Information resource owners or their designees, in coordination with the Tarleton CISO, are responsible for ensuring that the recovery and reconstitution procedures are tested.
- Lessons learned from testing, training, or actual contingency activities will be documented and incorporated into the Disaster Recovery Plan and training. See Control AT-3, Role-Based Training for additional information.
- Test results will be sent to the Tarleton CIO for review.
- Corrective actions from the review of the test report will be sent to information resource custodian(s) for action. Updates to the Disaster Recovery Plan and procedures for backup and recovery will be made, if necessary.