ITEC Policy 5310 - Business Contingency Planning Implementation

Information Technology Policy 5310 Revision 2 - Continuity of Operations

Planning Implementation

1.0 TITLE: Continuity of Operations Planning Implementation
      1.1 EFFECTIVE DATE: October 14, 1999
            Revised: April 27, 2006
            Revised: September 14, 2021
      1.2 TYPE OF ACTION: Update

2.0 PURPOSE: To implement the ITEC Information Technology Policy 5300 concerning the Disaster Recovery and Continuity of Operations Plan (COOP) for an entity's information technology and communications resources.

3.0 ORGANIZATIONS AFFECTED: All Branches, Boards, Commissions, Departments, Divisions and Agencies of state government, hereafter referred to as “entities”.

4.1 K.S.A. 75-7203:  The Information Technology Executive Council (ITEC) is hereby authorized to adopt such policies and rules and regulations as necessary to implement, administer and enforce the provisions of this act.
4.2 Kansas Response Plan: 133.4 Continuity of Operations (COOP). The COOP is an effort to provide for the stability of essential functions during a wide range of potential emergencies.
4.3 NIST Special Publication 800-34 Rev.1, Contingency Planning for Federal Information Systems
4.4 NIST Cyber Security Framework v1.1

5.1 Please refer to ITEC Policy 5300 for relevant definitions.

6.0 Standards:

6.1. Entities must conduct an inventory of hardware, software, identification of critical applications and essential personnel positions. Entities must also identify, and document required equipment to support remote work environments.
6.2 Entities must conduct a Business Impact Analysis (BIA) to  identify and prioritize information systems and components critical to supporting the organizations mission/business processes and people.
6.2.1 BIAs must identify potential impacts such as financial, public health, public safety, or any other impacts from disruptions of systems
6.2.2 BIA must identify information system recovery time objective and recovery point objective
6.2.3 BIA shall also examine three security objectives: confidentiality, integrity and availability.
6.2.4 Continuity of Operations Plan (COOP): Provides procedures and guidance to sustain and organization’s mission essential-functions for an undetermined amount of time. COOP must include: Disaster or disruption detection and response Continuity of essential functions/business Delegations of authority Orders of succession Continuity of facilities and equipment Continuity of communications Vital records Personnel management Testing, training and exercises (TT&E) Recovery/Reconstitution
6.2.5 Disaster Recovery (DR) Plan: Provides procedures and capabilities for recovering an information system.  DR plans must include: Outage impacts Notification procedures personnel, partners, vendors Recovery time and priorities Step by step system recovery procedures for all system components of the information system Alternate facility site, or remote work options Equipment and cost considerations Document-recovery options Testing, training and exercises (TT&E) Security plans Recovery plan and coordination
6.2.6 Disaster recovery plans should be tested annually

6.3 The entity’s continuity of operations plans shall be reviewed and updated annually, and a table-top exercise conducted every two years. Portions of the plan, which are name-oriented, shall be reviewed semiannually. Documentation of the exercises should be kept for review based on current state policy.

7.1 Head of each entity is responsible to establish procedures for the organization compliance with the requirements of this policy.
7.2 The Chief Information Technology Officer (CITO), Executive Branch is responsible for the maintenance of this policy.