Technology Standard

 


Contingency Planning and Business Recovery Program

ISO Designation Form

 

Version: 1.0
Status: Approved: 02/21/07
Contact: Director, Technology Services


PURPOSE

To define the standard that outlines the IT security roles and responsibilities within the VCCS necessary to manage and protect the security of VCCS and COV IT systems, as required by the Information Technology Security Policy (COV ITRM Policy SEC500-02).


SCOPE

The ISO Designation Standard of the Contingency Planning and Business Recovery Program covers all VCCS and college business processes and the related Information Technology infrastructure.


APPLICABILITY

The ISO Designation Standard is applicable to the System Office and all Colleges.


STANDARD

A key component of the IT Security Program is the appropriate development of Administrative IT security roles. The required responsibilities for each administrative IT security role are listed below.

The designation of the System Office and College Information Security Officer is a required step in the IT Security Program.

Requirement:

College Presidents – Each College President is responsible for the College’s IT systems and data. Their IT security responsibilities include:

  1. Designate via e-mail an ISO for the College and provide the employee’s name, title and contact information to VCCS annually or as personnel changes are made. The College President is strongly encouraged to designate at least one backup for the ISO as well.
  2. Determine the optimal place of the IT security function within the College hierarchy, with the shortest practicable reporting line to the College President.
  3. Maintain an IT security program that is sufficient to protect the College’s IT systems, and that is documented and effectively communicated.
  4. Review and approve the College’s Business Impact Analyses (BIA), a Risk Assessment (RA), and a Continuity of Operations Plan (COOP), to include an IT Disaster Recovery Plan, if applicable.
  5. Accept residual risk as described in section 2.5 of the IT Security Audit Standard (COV ITRM Standard SEC502-00).
  6. Maintain compliance with the IT Security Audit Standard (COV ITRM Standard SEC502-00) and the guidance provided in the VCCS Contingency Planning and Business Recovery Program. This compliance must include, but is not limited to:
     1. Requiring development and implementation of the College Contingency Planning and Business Recovery Program, and submitting the Annual Statement of Compliance to the System Office;
     2. Requiring that the planned IT security audits are conducted;
     3. Receiving reports of the results of IT security audits;
     4. Requiring development of Corrective Action Plans to address findings of IT security audits; and
     5. Reporting to the System Office all IT security audit findings and progress in implementing corrective actions in response to IT security audit findings.
  7. Facilitate the communication process between IT staff and those in other areas of the College.
  8. Establish a program of IT security safeguards.
  9. Establish an IT security awareness and training program.
  10. Provide the resources to enable employees to carry out their responsibilities for securing IT systems and data.
  11. Ensure that managers in the Colleges at all levels provide for the IT security needs under their jurisdiction, take all reasonable actions to provide adequate IT security, and escalate problems, requirements, and matters related to IT security to the highest level necessary for resolution.

VCCS Information Security Officer – The System Office ITS Office has been designated as the primary liaison for developing and managing the VCCS IT security program and the supporting security infrastructure. As such, this office will perform the following duties:

  1. Administers the VCCS Contingency Planning and Business Recovery Program and periodically assesses whether the program is implemented in accordance with COV IT Security Policies and Standards.
  2. Prepares requested exceptions to COV IT Security Policies, Standards and Procedures.
  3. Provides solutions, guidance, and expertise in IT security.
  4. Maintains awareness of the security status of sensitive IT systems.
  5. Facilitates effective implementation of the VCCS Planning and Business Recovery Program by:
     1. Preparing, disseminating, and maintaining IT security policies, standards, guidelines and procedures as appropriate;
     2. Collecting data relative to the state of IT security in the VCCS and communicating it as needed;
     3. Providing consultation on balancing an effective IT security program with college needs.
  6. Provides networking and liaison opportunities to the College Information Security Officers (ISOs).
  7. Serves as the VCCS primary security liaison with VITA and the Chief Information Security Officer (CISO), facilitating the required communications on all IT matters that may impact the System Office and the twenty-three colleges.

College Information Security Officer (ISO) – The ISO is responsible for the development and administration of the college Contingency Planning and Business Recovery Program as well as the college’s local IT security architecture. The ISO is expected to perform the following duties:

  1. Develop and manage a college IT security program that meets or exceeds the requirements of VCCS and COV IT security policies and standards, in a manner commensurate with risk.
  2. Develop and maintain an IT security awareness and training program for the college staff, including contractors and IT service providers.
  3. Coordinate and provide IT security information to the VCCS ISO as required.
  4. Implement and maintain the appropriate balance of protective, detective and corrective controls for college and VCCS IT systems, commensurate with data sensitivity, risk and system criticality.
  5. Mitigate and report all IT security incidents in accordance with §2.2-603 of the Code of Virginia and related VCCS requirements, and take appropriate actions to prevent recurrence.
  6. Maintain liaison with the VCCS ISO.



 

<insert college name> Primary ISO Designation

Name
Title
Address
Telephone Number(s)
Supervisor

The completed form (ISO Designation Form) must be emailed from the College President’s email account to the Director, Technology Services by November 15th of each year or as personnel changes occur.

 


 

<insert college name> Backup ISO Designation

Name
Title
Address
Telephone Number(s)
Supervisor

The completed form (ISO Designation Form) must be emailed from the College President’s email account to the Director, Technology Services by November 15th of each year or as personnel changes occur.

 


ADEQUACY STANDARD

This standard statement and all supporting standards, models, procedures and guidelines issued in support of the standard shall serve as an adequacy standard and as the foundation for the review of information security safeguards.

