Technology Standard

 


Contingency Planning and Business Recovery Program

Version: 1.0
Status: Approved 02/21/07
Contact: Director, Technology Services


PURPOSE

To define the standards necessary to develop and maintain an effective contingency plan and business recovery program that is in compliance with the Commonwealth of Virginia (COV) Information Technology Resource Management Standard, COV ITRM 501-01, VCCS and applicable State and Federal requirements.


SCOPE

This program covers all System Office and College business processes and the related Information Technology infrastructure. The program provides the information necessary to determine exposures to loss of services by conducting a Business Impact Analysis, identifying the necessary Preventive Controls, developing Recovery Strategies, and ensuring there is appropriate staff training and a formal process for developing and maintaining the Contingency Management and Disaster Recovery Plan. The program also provides the information necessary to address Risk Analysis as it applies within the context of the Contingency Planning and Business Recovery Program. Security Awareness Training and IT Asset Management programs further enhance this program.


APPLICABILITY

The Contingency Planning and Business Recovery Program is applicable to the System Office and all Colleges.


MODEL

The model set forth in this document defines a minimum set of expectations.  The model will be reviewed as necessary to reflect changes in the use of technology, State and Federal Laws and State Policies, and VCCS Directives.


STANDARD

Contingency planning and business recovery refers to an organization's ability to recover from a disaster and/or unexpected events and to resume and continue operations. The protection and continuation of personnel, assets, and critical business functions for the System Office and twenty-three colleges are the responsibility of the VCCS Vice Chancellors and College Presidents. A diagram at the end of this document provides a graphical representation of the recommended steps that should be followed to fully implement a successful program. This document also provides an overview of the key elements and steps in the Contingency Planning and Business Recovery Program. Each process is addressed in detail, where required, in its own document and is linked accordingly.

Step 1: Appoint a Program Planning Coordinator

A Program Planning Coordinator is appointed to serve as the focal point for the Contingency Planning and Business Recovery Program. The person selected should be a senior member of the college management team who has broad knowledge of the college business applications and processes. While information technology personnel will contribute to the processes within the plan, these personnel should not be assigned the role of Planning Coordinator. This appointment is intended to provide the required senior management support, resources, and cooperation that are critical to a successful program and plan. This person will serve as a single point of contact to ensure the Contingency Planning and Business Recovery Program and associated plans are completed, tested, and maintained.

Step 2: Conduct a Business Impact Analysis

The Business Impact Analysis (BIA) is the core of the program. The BIA process must have support from the highest level of management and involve all functional business units and their key stakeholders. The BIA is conducted to identify all business processes or job tasks, to correlate business functions with specific information technology components and the services they provide, and, based on that information, to characterize the impact on the VCCS and/or college when specific business functions fail due to the disruption of one or more of these system components. The Planning Coordinator must prepare a report which summarizes the data found in the BIA. Results from the BIA may be used to support other VCCS or college plans (COOP for example).

Information documented in the BIA will also be used as primary input to the IT System and Data Sensitivity Classification, IT System Inventory and Definition, and Risk Assessment processes, and development of the IT Contingency Management Plan.

In conjunction with the Business Impact Analysis, formal assignment of IT security roles and responsibilities will assist the VCCS and individual colleges in managing and protecting the security of IT systems.

Related Links:

Contingency Planning and Business Recovery Program, Business Impact Analysis

Contingency Planning and Business Recovery Program, IT System and Data Sensitivity Classification

Contingency Planning and Business Recovery Program, IT System Inventory and Definition

Contingency Planning and Business Recovery Program, IT Security Roles and Responsibilities

Forms:

Contingency Planning and Business Recovery Program, Business Impact Analysis Template

Step 3: Perform a Risk Assessment for Information Technology Infrastructure

A risk assessment is conducted of all information technology services and applications. Risk assessment is a process of analyzing threats to and vulnerabilities of an information system and the potential impact the loss of information or capabilities of a system would have on the VCCS and/or colleges. The resulting analysis is used as a basis for identifying appropriate and cost-effective countermeasures.

Related Links:

Contingency Planning and Business Recovery Program, Risk Assessment

Step 4: Identify Preventive Controls

Controls are a combination of people, processes and tools that are put in place to prevent, detect or correct issues caused by unwanted events. In some cases, the outage impacts identified in the BIA may be mitigated or eliminated through preventive measures that deter, detect, and/or reduce impacts to the system. Where feasible and cost-effective, preventive methods should be used rather than measures designed to recover the system after a disruption.

Use of additional security controls is an effective means of protecting against risks discovered during the risk assessment process. Additional control areas include IT Systems Security, Logical Access Control, Data Protection, Threat Management, Personnel Security, and Facilities Security. Preventive controls should be documented in the contingency plan, and personnel associated with the system should be trained on how and when to use the controls. These controls should remain current to ensure their effectiveness in an emergency.

Related Links:

IT Systems Security, IT System Hardening

IT Systems Security, IT Systems Interoperability Security

IT Systems Security, Malicious Code Protection

IT Systems Security, IT Systems Development Life Cycle Security

Logical Access Control, Account Management

Logical Access Control, Password Management

Logical Access Control, Remote Access

Data Protection, Data Storage Media Protection

Data Protection, Encryption

Threat Management, Threat Detection

Threat Management, Incident Handling

Threat Management, IT Security Monitoring and Logging

Personnel Security, Access Determination and Control

Personnel Security, Acceptable Use

Facilities Security, Physical Security

Step 5: Develop Recovery Strategies

Recovery strategies provide a means to restore IT operations quickly and effectively following a service disruption. The strategies should address disruption impacts and maximum allowable outage times identified in the BIA and Risk Assessment processes. Several alternatives should be considered when developing the strategy, including cost, allowable outage time, security, and other related factors.

Related Links:

Contingency Planning and Business Recovery Program, IT System Backup and Restoration

Step 6: Develop a Contingency Management Plan

A Contingency Management Plan is then developed to provide for the continuation of critical business functions in the event of a disruption brought about by a disaster. Each college must allocate the appropriate resources for the development, deployment, and maintenance of a Contingency Plan for critical applications and for the support of essential services. The plan should contain detailed roles, responsibilities, identification of teams, and procedures associated with restoration following a disruption. The plan will be developed based on the information obtained by completing the Business Impact Analysis and Risk Assessment outlined above.

Related Links:

Contingency Planning and Business Recovery Program, IT Disaster Recovery Planning

Step 7: Develop Test Plan, Staff Training, and Plan Management

Testing the plan immediately after development is a key ingredient in delivering a viable contingency capability. Testing enables plan deficiencies to be identified and addressed. Testing also helps to evaluate the ability of key recovery staff to implement the plan quickly and effectively. To derive the most value from the test, a senior staff member should be assigned to develop a test plan designed to test all elements of the plan against explicit test objectives and success criteria. While various tasks may be delegated within the testing process, the senior staff member assigned remains responsible for the overall result. This is a functional role not generally assigned to the Planning Coordinator.

Following these guidelines will enable the effectiveness of the overall plan to be assessed. The test plan should also delineate clear scope, scenarios, and logistics. Testing may include, but is not limited to, tabletop exercises, live testing of key components, or use of an off-site facility.

Training for personnel with contingency plan responsibilities should complement testing. Training should include the purpose of the plan, cross-team coordination and communication, reporting procedures, security requirements, and team and individual specific processes and responsibilities.

There should also be provisions to update and test the plan on an annual basis or whenever major changes in a business process or the supporting technology occur. This allows the plan to constantly be in a ready state that accurately reflects the current system and components. Copies of the plan should be treated as confidential, and copies should be kept off-site.

Step 8: Prepare a Statement of Compliance

An annual Statement of Compliance is prepared once all the preceding steps have been completed. The document will be forwarded to the College President or Vice Chancellor, confirming that all appropriate steps have been taken, that documents have been prepared in accordance with this program, and that the college is in compliance with the Commonwealth of Virginia (COV) Information Technology Resource Management Standard, COV ITRM 501-01, VCCS and applicable State and Federal requirements.

Related Links:

Contingency Planning and Business Recovery Program, VCCS Check List and Statement of Compliance

Forms:

Contingency Planning and Business Recovery Program, Statement of Compliance Form

Step 9: Revise and Administer a Security Awareness and Training Program

Security awareness training is conducted to ensure all individuals involved in the management, operation, programming and maintenance, or use of critical applications and supporting infrastructure are aware of their security responsibilities and understand how to fulfill them.

Related Links:

Personnel Security, IT Security Awareness and Training Program

Step 10: Develop an IT Asset Management Plan

IT Asset Management protects the VCCS and college IT assets by managing the assets in a planned, organized, and secure fashion.

Related Links:

IT Asset Management, IT Asset Control

IT Asset Management, Software License Management

IT Asset Management, Configuration Management and Change Control



 

