Jun 26, 2019  
Policies 
    
Policies

Technology


08:28:00 Technology Business Continuity and Disaster Recovery Plan

 

  1. Introduction: Technology systems and the required data are vital elements in most mission/business processes. Because information system resources are so essential to an organization's success, it is critical that identified services provided by these systems are able to operate effectively without excessive interruption. Technology contingency planning supports this requirement by establishing thorough plans, procedures and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption. Contingency planning refers to interim measures to recover information system services after a disruption. 
  2. The purpose of this policy is to support the ChSCC Emergency Preparedness Plan. Technology provides this support by establishing a business process and standard for ensuring Business Impact Analysis, (BIAs) are in place for all critical information systems and the corresponding business processes. This will ensure that processes are identified correctly and are tested to ensure recovery of critical systems based on service levels of agreement between Technology and our customers. 
  3. Technology contingency planning is unique to each system, providing preventive measures, recovery strategies, and technical considerations appropriate to the system's information confidentiality, integrity, and availability requirements and the system impact level. The scope of this policy includes all of the information system processes, including hardware/software and/or third party applications and tools as supported by Technology Division and listed in the Technology Contingency Plan and/or Disaster Recovery Plan.  ChSCC business units that own and/or support information systems that are not supported by Technology or not managed by a Technology Division BIA or Service Level Agreement (SLA) with contingency support, that system will not be included within the recovery plan.
  4. Effective contingency planning begins with the subjecting all information system processes through the business impact analysis. This provides a formula for determining criticality of the process by examining three security objectives: confidentiality, integrity and availability.
  5. BIAs will be conducted with each organization that supports or owns processes supported with technology. BIAs should be reviewed on a regular basis to ensure level of support provided in the contingency plan or disaster recovery plan is still viable. Projects that utilize information systems technology processes or hardware/software will include a BIA review to determine if a new BIA for the process or just an update to the current BIA is required. Decision will be made as to placement on Disaster Recovery Plan (DRP) as well. This project piece must be completed before the project is considered complete. 
  6. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency lifecycle costs. Implementing necessary controls can be prohibitive. National Institute of Standards and Technology 800-53 allows for compensating security controls to provide comparable protection for an information system to comply with the intent of a contingency plan. 
  7. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps. Technology should work with various other ChSCC agencies to ensure testing is as detailed as possible.  The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.  


References:

1. NIST Special Publication 800-34 Rev 1 Contingency Planning Guide for Federal Information Systems
2. NIST Special Publication 800-60 Volume 1 Rev 1 Guide for Mapping Types of Information and Information Systems to Security Categories
4. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems 
5. State of Tennessee Department of Finance and Administration Office/Strategic Technology Solutions Information Security Program Version 2.3 Dec 21, 2018
6. TBR Institutional Emergency Preparedness Plan B-100, 2014
7. This policy was previously numbered as 08:15:01 

 

Submitted to Policy Review Committee on 2019.02.18

Submitted to Policy Review Board on 2019.04.08

Approved by Policy Review Board on 2019.04.24