ITEC Policy 5300 - Business Contingency Planning

Information Technology Policy 5300 Revision 2 - Continuity of Operations Planning

1.0 TITLE: Continuity of Operations Planning

1.1 EFFECTIVE DATE: October 14, 1999

Revised: April 27, 2006
Revised: September 14, 2021

1.2 TYPE OF ACTION: Update

2.0 PURPOSE: This policy governs the development of each entity’s Continuity of Operations Plan (COOP) and Disaster Recovery Plan to ensure that all entities can continue critical operations during any disruption and resume normal operations within a reasonable period of time. As the mission and nature of each entity differ considerably, the specific risks associated with information technology facilities and services will require the tailoring of COOP plans to those needs. However, the format and contents need to be compatible with accepted COOP principles and practices.

3.0 ORGANIZATIONS AFFECTED: All Branches, Boards, Commissions, Departments, Divisions and Agencies of state government, hereafter referred to as “entities”.

4.0 REFERENCES:

4.1 K.S.A. 75-7203: The Information Technology Executive Council (ITEC) is hereby authorized to adopt such policies and rules and regulations as necessary to implement, administer and enforce the provisions of this act.

4.2 Kansas Response Plan: 133.4 Continuity of Operations (COOP). The COOP is an effort to provide for the stability of essential functions during a wide range of potential emergencies.

4.3 NIST Special Publication 800-34 Rev.1, Contingency Planning for Federal Information Systems

4.4 NIST Cyber Security Framework v1.1

5.0 DEFINITIONS:

5.1 Disaster: Any sudden or unplanned event that causes a significant disruption in an organization’s operation capability, information technology systems and/or telecommunications systems that significantly affects an entity.

5.2 Business Resumption: The process of restoring business activity to an acceptable level, and then to a normal level after an emergency event has disrupted normal operations, information technology systems and/or telecommunication systems.

5.3 Continuity of Operations Planning: Policies and procedures used to guide an enterprise’s response to a major loss of enterprise capabilities or damage to its facilities. It defines the activities of individual departments and agencies and their subcomponents to ensure their essential functions are performed.

5.4 Continuity of Operations Plan: Documented procedures that guide entities to respond, recover, resume and restore to a pre-defined level of operation following disruption, and may include moving to an alternate site.

5.5 Disaster Recovery Planning: The process of developing and maintaining recovery strategies for information technology (IT) systems, applications and data. This includes networks, servers, desktops, laptops, wireless devices, data and connectivity.

5.6 Disaster Recovery Plan: The management approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort.

5.7 Business Impact Analysis (BIA): The process of analyzing activities and the effect that an organizational disruption might have on them.

5.8 Recovery Point Objective (RPO): The point in time to which information regarding an activity, product or service must be restored to enable an entity to operate upon resumption.

5.9 Recovery Time Objective (RTO): The period of time following an incident within which a product or service or an activity must be resumed, or resources must be recovered.

6.0 POLICY: All entities shall:

6.1 Raise the awareness within their organization of the need to protect the State's investment in people, information resources and related business processes.

6.2 Develop various information system disaster recovery plans and contingency or continuity plans, to enable the organization to recover from disruption events.

6.3 Take into account the ITEC Policy 1000, 6000 and 7000 series, respectively.

6.4 Implement, maintain and test disaster recovery, and continuity of operations plans. All entities are responsible and accountable for their own plans.

6.5 Actively pursue means of mitigating business disruptions. Cost-justified controls should be implemented to lessen service disruptions. Disaster recovery procedures should be developed for all new systems and major upgrades to existing systems.

6.6 Designate a person(s) to be responsible for disaster recovery and continuity of operations planning, which includes coordinating the development and maintenance of the plan.

6.7 Train employees in the implementation and execution of the continuity of operations plan. Recovery teams should exercise the procedures documented in the plan.

6.8 Additional standards for the implementation of this policy are contained in Policy 5310.

7.0 RESPONSIBILITIES:

7.1 Heads of entities are responsible for implementing this policy within their organizations.

7.2 The Office of Information Technology Services (OITS), working in cooperation with the Kansas Department of Emergency Management, is responsible for the coordination of a statewide information technology resource COOP plan.

7.3 The Chief Information Technology Officer (CITO), Executive Branch is responsible for the maintenance of this policy.