URP: I.19.o Information System Contingency Planning



STATEMENT OF PURPOSE
This document establishes the enterprise information system contingency planning regulations and procedures. The purpose of these regulations and procedures is to manage risks from Texas Woman’s University’s (TWU) information asset disruptions, failures, and disasters through the establishment of an effective contingency planning program.


DEFINITIONS
Contingency Plan is a course of action to be followed if a preferred plan fails or an existing situation changes.


SCOPE
These regulations and procedures apply to all information resources owned or operated by TWU. All users are responsible for adhering to this policy. If needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities is embedded within these procedures.


REGULATIONS AND PROCEDURES
The State of Texas has chosen to adopt the contingency planning principles established in NIST SP 800-34 “Contingency Planning Guide for Federal Information Systems.” The following subsections outline the contingency planning standards that constitute TWU regulations and procedures.

CP-1 Contingency Planning:

 Regulations:
▪ TWU must develop, adopt, or adhere to formal, documented contingency planning regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
 Procedures:
▪ The Office of Technology (OOT) will maintain regulations and procedures for contingency planning that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CP-2 Contingency Plan:
 Regulations:
▪ TWU must develop a contingency plan for the information system that:
• Identifies essential missions and business functions and associated contingency requirements;
• Provides recovery objectives, restoration priorities, and metrics;
• Addresses contingency roles, responsibilities, assigned individuals with contact information;
• Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
• Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
• Is reviewed, updated, and approved annually.
▪ TWU must securely communicate and distribute copies of the contingency plan to appropriate personnel.
▪ TWU must coordinate contingency planning activities with incident handling activities.
 Procedures:
▪ The OOT Security team shall maintain a contingency plan for the information system that:
• Identifies essential missions and business functions and associated contingency requirements;
• Provides recovery objectives, restoration priorities, and metrics;
• Addresses contingency roles, responsibilities, assigned individuals with contact information;
• Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
• Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;
• Is reviewed and updated by the Information Security Officer (ISO);
• Is approved annually by the Chief Information Officer (CIO).
▪ The OOT Security team must securely communicate and distribute copies of the contingency plan to appropriate personnel.
▪ The OOT Security team must coordinate contingency planning activities with incident handling activities.

CP-4 Contingency Plan Testing:
 Regulations:
▪ TWU must test the contingency plan annually to determine the effectiveness of the plan and initiate corrective actions, if needed.
 Procedures:
▪ The OOT Security Team shall test the contingency plan annually and initiate needed corrective actions, unless an actual event occurs that requires the contingency plan to be executed, in which case the event fulfills the annual test requirement.

CP-6 Alternate Storage Site:
 Regulations:
▪ TWU must establish an alternate storage site including necessary agreements to permit the storage and recovery of information asset backup information.
 Procedures:
▪ OOT maintains geographically independent server rooms where data is stored.
▪ Primary information systems located in Denton and Dallas are backed up daily and have these daily backups copied to an offsite backup location for disaster recovery purposes.

CP-9 Information System Backup:
 Regulations:
▪ TWU must conduct backups of information systems within defined recovery time and recovery point objectives.
 Procedures:
▪ OOT performs daily, weekly, and monthly backups, scheduled on a per information system basis. The frequency of the backup depends on the application requirements and nature of data stored.

CP-10 Information System Recovery and Reconstitution:
 Regulations:
▪ TWU must provide for the recovery and reconstitution of information systems to a known state after a disruption, compromise, or failure.
 Procedures:
▪ OOT ensures that information systems defined as critical in the information system contingency plan are replicated nightly to a geographically separate data center.
▪ OOT ensures that information systems not defined as critical in the information system contingency plan are recoverable depending on application requirements and nature of data stored.

APPLICABILITY
TWU Students, Faculty, Staff, and Guests

COMPLIANCE
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; termination of access; legal action; termination for interns and volunteers; disciplinary review; suspension or expulsion (in the case of a student).

SPECIAL NOTES
Department of Information Resources Security Standards Catalog http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Security%20Control%20Standards%20Catalog.pdf

Owner: Associate Provost for Technology

Article ID: 56384
Created: Fri 6/22/18 11:17 AM
Modified: Mon 3/25/19 11:20 AM