Question
According to the Assignment 2 instructions, page 2, provided to you under the Assessment Hub in FLO, in this assignment, you, as CISO, need to create a preliminary report for all personnel in your organisation for the given Energy Industry. You are not writing the contingency plan in Assessment 2. However, you are creating a document that explains what needs to be in the contingency plan, what should be in it, how it should be structured and who should be responsible or be involved in the creation of the actual contingency plan. This includes a timeline and how long it might take to gather the information needed and who from, and any consultation that may be needed.

The point is that it is not an IT or security document and should not be devised just by the IT department. It must reflect that it is responding to incidents and maintaining business as usual - which is vital in the organisation you are working in as a CISO. Think of it as an Action Plan - something that must be practical and will require significant research and data to be useful to the organisation.

In general, to create a contingency plan, organisations need to:

1. Identify and prioritise resources - what are the crucial resources needed - people, teams, tools, facilities etc - prioritise these from the most important to the least important. Your Assessment 1 should help you identify the critical resources.
2. What are the most important risks? What events or types of events would compromise or bring critical operations to a halt? What could stop the organisation from providing its essential services? (What are its essential services for your organisation in the given energy industry? What are its specific systems operational functionalities?). This would require consulting with all stakeholders (end-users, third-party contractors, critical systems operators, owners and so on).
3. A risk register is an important part of the plan development. How will this be created if not already in existence? Again, this relates to all the functions and services that an organisation provides - not just a technology risk register.
4. A draft of the contingency plan is then usually created - that starts with the most critical aspects that would need addressing if anything happened.
5. The final step is to share and circulate and test the plan.
6. Continual review and revision of the plan. The contingency plan must be updated to accommodate changes in staff, situation, risks, and resources - like enhancing requirements for new information systems.
Assessment 2 - is a plan for how to achieve these above steps.
Timeline and also who reports to whom.