Business Impact Analysis for Business Continuity and Disaster Recovery
A. Introduction: Technology systems and the required data are vital elements in most mission/business processes. Because information system resources are so essential to an organization's success, it is critical that identified services provided by these systems are able to operate effectively without excessive interruption. Contingency planning supports this requirement by establishing thorough plans, procedures and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption. Contingency planning refers to interim measures to recover information system services after a disruption. A formal policy provides the authority and guidance necessary to develop an effective contingency plan. This policy serves as that guidance.
B. The purpose of this policy is to establish a business process and standard for ensuring Chattanooga State Community College contingency planning, including a Business Impact Analysis, (BIA) is in place for all information systems and the corresponding business processes. This will ensure that processes are identified correctly and are tested to ensure recovery of critical systems based on service levels of agreement between Technology and our customers.
C. Contingency planning is unique to each system, providing preventive measures, recovery strategies, and technical considerations appropriate to the system's information confidentiality, integrity, and availability requirements and the system impact level. Chattanooga State's mission is vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g. flood or equipment destruction.) System vulnerability can be minimized or eliminated through management and operational/technical controls. Contingency planning is designed to mitigate the risk of system and service unavailability by providing effect and efficient solutions to enhance system availability.
1. The scope of this policy includes all of the information system processes, including hardware/software and/or third party applications and tools as supported by Technology Division and listed in the Chattanooga State Contingency Plan or Disaster Recovery Plan. Chattanooga State business units that own and/or support information systems that are not supported by Technology or not managed by a Technology Division BIA or Service Level Agreement (SLA) with contingency support, that system will not be included within the recovery plan.
2. Everyone (students, faculty, staff, adjuncts, contractors and vendors, etc.) that are included or impacted by this process will need to receive training for their part of the process on an annual basis.
D. There are three types of business emergency support plans:
1. Business Continuity Plan: The BCP focuses on sustaining an organization mission/business processes during and after a disruption.
2. Disaster Recovery Plan: The DR plan is an information system-focused plan designed to restore operability of the target system, applications, or computer facility. The DRP only addresses information system disruptions that require relocation.
3. Information System Contingency Plan: The ISCP provides procedures and capabilities for recovering a single information system. Addresses single information system recovery at the current or, if appropriate alternate location.
E. An organization must have the ability to withstand all hazards and sustain its mission through environmental changes. These changes can be gradual, such as economic or mission changes, or sudden changes as in a disaster event. Resilience is the ability to quickly adapt and recover from any known or unknown changes to the environment. Resiliency is not a process, but rather an end-state for organizations. The goal of a resilient organization is to continue mission critical or "high" rated processes at all times as stated in the BIA.
F. Effective contingency planning begins with the subjecting all information system processes through the business impact analysis. This provides a formula for determining criticality of the process by examining three security objectives: confidentiality, integrity and availability.
- Confidentiality: preserves authorized restrictions on information access and disclosure, including means for protecting Personal Identifiable Information (PPI).
- Integrity: guards against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.
- Availability: ensures timely and reliable access to and use of information.
- The impact for each security objective is determine to be high, moderate, or low based on these definitions. The highest of these impact levels are used to determine the overall security impact level.
G. BIAs will be conducted with each organization that supports or owns processes supported with technology. BIAs should be reviewed annually to ensure level of support provided in the contingency plan or disaster recovery plan is still viable. Projects that utilize information systems technology processes or hardware/software will include a BIA review to determine if a new BIA for the process or just an update to the current BIA is required. Decision will be made as to placement on Disaster Recovery Plan (DRP) as well. This project piece must be completed before the project is considered complete.
H. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency lifecycle costs. Implementing necessary controls can be prohibitive. National Institute of Standards and Technology 800-53 allows for compensating security controls to provide comparable protection for an information system to comply with the intent of a contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system's security impact level and recovery requirements.
I. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps. Technology should work with various other Chattanooga State agencies to ensure testing is as detailed as possible. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.
1. NIST Special Publication 800-34 Rev 1 Contingency Planning Guide for Federal Information Systems
2. NIST SP 800-53 Rev 4, Security Privacy Controls for Federal Information Systems and Organizations
3. NIST Special Publication 800-60 Volume 1 Rev 1 Guide for Mapping Types of Information and Information Systems to Security Categories
4. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
5. State of Tennessee Department of Finance and Administration Office/Office for Information Resources Aug 2007/Apr 2008
6. TBR Institutional Emergency Preparedness Plan B-100
Dr. Rebecca Ashford, President October 24, 2017
Division Name: Technology Division
Policy Number and Title: 08:28:00 Business Impact Analysis for Business Continuity and Disaster Recovery
- Reformatted the whole policy to new format.
- All pages - Information Technology Services was changed to new division name - Technology Division.