Technology Models

Contingency Planning and Business Recovery Program

Version: 3.0
Status: Approved: 07/29/03
Contact:  Valerie Adkins

PURPOSE

To define the standards necessary for the development of a Contingency Planning and Business Recovery Program, that is compliant with the COV ITRM Standard SEC2001-01.1  and that is consistent with the college, VCC Utility, and System Office Information Technology infrastructure.

SCOPE

This program covers all VCCS and college business processes and the related Information Technology infrastructure.  The programs provides the information necessary to determine exposures to loss of services by conducting a Business Impact Analysis and Risk Assessment, develop a Business Recovery Plan to enact in the event of a disaster, and to establish Security Safeguards and Awareness Training.

APPLICABILITY

This program is applicable to the System Office, VCC Utility, and all colleges.

MODEL

The model set forth in this document defines a minimum set of expectations.  The model will be reviewed as necessary to reflect changes in the use of technology, State and Federal Laws and State Policies, and Directives.

The Expectations

The System Office, VCC Utility, and each college will allocate the appropriate resources to develop and implement a Contingency Planning and Business Recovery Program.  It is not expected that each college will follow these guidelines in total, only to the extent that the purpose noted above is fulfilled.

The Process

The responsibility for implementing a Contingency Planning and Business Recovery Program resides with the College Presidents and the System Office Vice Chancellors. Initially, all business functions and systems must be reviewed; however, additional reviews can isolate specific business functions and/or systems, at the discretion of the College President or Vice Chancellor.  The diagram at the end of this document provides a graphical representation of the recommended steps that should be completed to fully implement the program.   A brief narrative of each of these steps follows.

1.  Risk Assessment Coordinator

A Risk Assessment Coordinator is appointed to coordinate the Risk Analysis and the Business Impact Analysis process. The person selected should be a senior or mid-level manager that has a good understanding of business applications and processes. This person will serve as the single point of contact for ensuring that a Contingency Planning and Business Recovery Program is developed, deployed, and maintained.  See  Business Analysis Standards Questionnaire for general background information.

2.  Business Impact Analysis

A Business Impact Analysis is scheduled and then conducted. This process consists of a business impact analysis and a risk analysis. These two terms can be defined as:

• Business Impact Analysis - A process that is conducted to identify ALL business functions.
• Risk Analysis - A process that is conducted, if sensitive or critical business functions are identified during the Business Impact Analysis. Sensitive information is information that is both confidential and critical to the ongoing operations of the business.

3.  Risk Assessment for Information Technology Infrastructure

A Risk Assessment of ALL Information Technology services, and applications is conducted to identify risks, to determine their magnitude, and to identify safeguards.

4.  Identify Preventive Controls

After the Business Impact Analysis and the Risk Assessment is completed, a formal document must be prepared summarizing the findings. Successful completion of the Business Impact Analysis should lead to the identification of all business processes and the related automated or manual systems required for successful operation and support.  The Risk Assessment should identify potential threats and/or exposures. The summary must then document existing safeguards for each of the threats. If the appropriate safeguards are not in place, then the summary should document an action plan for developing and deploying all that is deemed necessary. See the VCCS documents entitled "Business Impact Analysis" and "Risk Assessment" for further details.

5.  Develop Recovery Strategies

Recovery strategies provide a means to restore the supporting IT infrastructure and operations quickly and effectively following a service disruption.  The strategies should address disruption impacts and allowable outage times identified in the Business Impact Analysis.  Several alternatives should be considered when developing the strategy, including cost, allowable outage time, security, and other related factors.

The selected recovery strategy should address all the potential impacts identified in step #4 above.

6.  Contingency Management Plan

A Contingency Management Plan is then developed to provide for the continuation of critical business functions in the event of a disruption brought about by a disaster. Each college must allocate the appropriate resources for the development, deployment, and maintenance of a Contingency Plan for critical applications and for the support of essential services. The plan will be developed based on the information obtained by completing the Business Impact Analysis and Risk Assessment outlined above. See the VCCS document entitled "Contingency Planning and Disaster Recovery Model" and "Contingency Planning and Disaster Recovery Guidelines" for suggested procedures.

7.  Develop Training, Test Plan, and Schedule Plan Maintenance

Testing the plan after development is a key ingredient in delivering a viable contingency capability.  Testing enables plan deficiencies to be identified and addressed.  Testing also helps to evaluate the recovery staff ability to implement the plan quickly and effectively.  To derive the most value from the test, the Planning Coordinator should develop a test plan designed to test all elements of the plan against explicit test objectives and success criteria.  Following these guidelines will enable the effectiveness of the overall plan to be assessed.  The test plan should also delineate clear scope, scenarios, and logistics.  The scenario chosen may be a worst-case incident, or an incident most likely to occur.  It should mirror reality as closely as possible.  An additional key element train recovery personnel (Business Recovery Teams).

Testing should take place immediately after the plan is developed.  Key recovery personnel should be involved in plan testing to enhance effectiveness and  preparedness for disaster to provide experience in actual plan activation.  There should also be provisions to update and test the plan on annual basis or whenever major changes in a business process or the supporting technology occurs.

8.  Statement of Compliance

A Statement of Compliance is prepared once all the preceding steps have been completed. The document will be forwarded to the College President or Vice Chancellor confirming that all appropriate steps have been taken, and documents have been prepared in accordance with this program and that the college is in compliance with the COV ITRM Standard SEC2001-01.1. 

9.  Develop Security Awareness Plan 

Security awareness training is conducted to ensure all individuals involved in the management, operation, programming and maintenance, or use of critical applications aware of their security responsibilities and to understand how to fulfill them. See the VCCS document entitled "Security Awareness" for further details.

 

Major Steps and Expected Outputs for Contingency Planning and Business Recovery Program

Return to Technology Models