From Traditional Security
Part of Information Assurance - COOP Plan and Testing
Associated with IA controls: COMS-1, CODP-1, COTR-1, COAS-2, COPS-2, DCAR-1, DCHW-1, COEF-2, COEF-1, COSW-1, CODP-3, CODB-3, COBR-1, COAS-1, COMS-2, COPS-1, CODP-2, COED-2, CODB-2, COSP-2, COSP-1, COEB-2, COEB-1, COED-1, COPS-3, CODB-1
Failure to develop a COOP and test it periodically can result in the partial or total loss of operations.
Check there is a written COOP plan for inspected systems:

1. For Mission Assurance Category (MAC) III systems only: If a COOP or Disaster Recovery Plan is not in place, ensure the DAA has considered and accepted the risk (specifically for lack of COOP) in a Risk Assessment.
2. Check COOP documentation for plan testing, discrepancies noted, and whether corrective action was taken.
3. Conduct a cursory review of the COOP to ensure it is commensurate with the MAC Level of the system concerning recovery times and testing requirement(s).

NOTES:

1. Certain large computing centers like the DISA Computing Services (DECCs) may offer COOP as a fee-for-service option. Since this is applicable to "customer" applications, it should not be a finding attributed to the DECC. If appropriate, a COOP or lack thereof, if cited as a finding in this instance, should be attributed to the specific customer.
2. This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting operations within a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
   1) The facility containing the computer room has been in operation over 1 year.
   2) The facility is a "fixed facility": a hard building made from normal construction materials (wood, steel, brick, stone, mortar, etc.).
Continuity of Operations Plans (COOP) must be developed and tested commensurate with Mission Assurance Category (MAC) Level for ALL DISN connected systems to ensure system and data availability in the event of any type of failure. For MAC III systems only: If no COOP is in place, ensure the risk has been (specifically) accepted by the responsible DAA in a Risk Assessment.