1.0 TITLE: Continuity of Operations Planning Implementation
1.1 EFFECTIVE DATE: October 14, 1999
Revised: April 27, 2006
Revised: September 14, 2021
1.2 TYPE OF ACTION: Update
6.0 Standards:
6.1 Entities must conduct an inventory of hardware and software, and identify critical applications and essential personnel positions. Entities must also identify and document the equipment required to support remote work environments.
6.2 Entities must conduct a Business Impact Analysis (BIA) to identify and prioritize information systems and components critical to supporting the organization's mission/business processes and people.
6.2.1 BIAs must identify potential impacts such as financial, public health, public safety, or any other impacts from disruptions of systems.
6.2.2 The BIA must identify the information system's recovery time objective and recovery point objective.
6.2.3 The BIA shall also examine three security objectives: confidentiality, integrity, and availability.
6.2.4 Continuity of Operations Plan (COOP): Provides procedures and guidance to sustain an organization's mission-essential functions for an undetermined amount of time. The COOP must include:
6.2.4.1 Disaster or disruption detection and response
6.2.4.2 Continuity of essential functions/business
6.2.4.3 Delegations of authority
6.2.4.4 Orders of succession
6.2.4.5 Continuity of facilities and equipment
6.2.4.6 Continuity of communications
6.2.4.7 Vital records
6.2.4.8 Personnel management
6.2.4.9 Testing, training and exercises (TT&E)
6.2.4.10 Recovery/Reconstitution
6.2.5 Disaster Recovery (DR) Plan: Provides procedures and capabilities for recovering an information system. DR plans must include:
6.2.5.1 Outage impacts
6.2.5.2 Notification procedures for personnel, partners, and vendors
6.2.5.3 Recovery time and priorities
6.2.5.4 Step-by-step recovery procedures for all components of the information system
6.2.5.5 Alternate facility site, or remote work options
6.2.5.6 Equipment and cost considerations
6.2.5.7 Document-recovery options
6.2.5.8 Testing, training and exercises (TT&E)
6.2.5.9 Security plans
6.2.5.10 Recovery plan and coordination
6.2.6 Disaster recovery plans should be tested annually.