CONTINGENCY PLANNING GUIDE

Transcription

1 2017 CONTINGENCY PLANNING GUIDE UTC IT0128-G UTC Information Technology Michael Dinkins, CISO 4/28/2017

2 CONTENTS 1. SCOPE PRINCIPLES REVISIONS OBJECTIVE POLICY APPLICABILITY RESPONSIBILITIES IT SECURITY OFFICE DEFINITIONS

3 1. Scope This Guide applies to all users of and information technology (IT) resources owned, operated, or provided by the University of Tennessee at Chattanooga. Users includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University s information technology resources. Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties. 2. Principles This document is a University of Tennessee at Chattanooga-specific Guide based on University policy. Each User of UTC resources is required to be familiar and comply with University policies, and acceptance is assumed if the User accesses, uses, or handles UTC information technology resources. The Associate Vice Chancellor and Chief Information Officer (AVC/CIO) is responsible for information technology and security at the University of Tennessee Chattanooga. The AVC/CIO is the Position of Authority (POA) for Information Technology at UTC. 3. Revisions Date Action Name 4/28/2017 Version 1.0 Michael Dinkins 4. Objective This document provides guidance for developing, maintaining and documenting a Contingency Planning Program for the University of Tennessee at Chattanooga s business-critical information systems. 5. Policy This guide is a supplement to published University of Tennessee Policy IT0128, Contingency Planning. Click here for more information. This policy requires UTC s 2

4 Contingency Planning program to include procedures that address the following for business-critical systems: 1) A Contingency Plan. 2) Contingency Training. 3) Contingency Plan Testing. 4) Alternate Storage Site for university information. 5) An Alternate Processing site that allows for the resumption of mission essential functions. 6) Information system backups. 6. Applicability A formal Contingency Planning program must be applied to the following missionessential systems/subsystems: Banner Banner Banner MISSION-ESSENTIAL SYSTEMS System Subsystem Owner Administrator Contact Enterprise Services (Non-Banner) Banner Services Systems applications Banner Services Systems database Banner Services Systems servers Data Center Banner Systems Support Services Director, Banner Systems Support Services Banner Systems DBA Executive Director, Deputy CIO Infrastructure Network Infrastructure Deputy CIO Infrastructure Telecomm Infrastructure Deputy CIO Moderate-categorized Departments registered with Office of CIO Department Head Department Head 3

5 7. Responsibilities ROLE RESPONSIBILITY Associate Vice- Chancellor & CIO (AV/CIO) Chief Information Security Officer As Position of Authority (POA), the AVC/CIO has overall responsibility of the Audit & Accountability program at UTC. The AVC/CIO ensures: 1) The Contingency Planning program is developed, documented, and disseminated to appropriate UTC entities in accordance with University policy. 2) The program is reviewed and updated annually. 3) Ensure that mission-essential functions are identified and documented. 4) An alternate data storage location is established in the event that the primary storage location is not available. 5) An alternate processing site is established that permits the transfer and resumption of mission-essential functions when primary processing capabilities are unavailable. NOTE: The Associate Vice Chancellor & CIO determines what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern for UTC. The CISO is responsible for overseeing the implementation of the UTC Contingency Planning program for systems that support missionessential functions. The CISO and IT Security Team consults and assists the CIO and systems owners of business-critical systems to ensure procedures address: 1) Development of and compliance to UTC s Contingency Planning program that includes: a) A Business Continuity Plan. b) A Disaster Recovery Plan. Subsystem Owner / Administrator (or assignee) System owners are responsible for: 1) Developing and documenting procedures for their respective system(s). 2) Developing, documenting, and maintaining a contingency plan for their information system that: a) Identifies essential missions and business functions that must be maintained, and associated contingency requirements. b) Provides recovery objectives and restoration priorities. 4

6 8. IT Security Office Michael Dinkins, CISSP Chief Information Security Officer (423) Definitions c) Addresses roles, responsibilities, and assigned individuals with contact information. d) Is reviewed and updated annually. 3) Providing documented contingency training to information system users consistent with assigned roles and responsibilities. 4) Performing and documenting the testing of some facet(s) of the Information Technology system annually. (Once the testing is completed, review the test plan results and implement any corrective actions that improves the effectiveness and efficiency of the plan.) 5) Identifying alternate storage requirements and establishing a separate storage location. 6) Identifying alternate processing requirements and establish a separate processing location. 7) Conducting user-level and system-level backups consistent with system recovery time and recovery point objectives. 8) Protecting backups sufficiently to maintain information confidentiality, integrity and availability at storage locations 9) Testing backup information bi-annually to verify media reliability. Larry Prince IT Security Analyst (423) larry-prince@utc.edu 1) Alternate Processing Site is a geographically distinct site separate from the primary processing site that provides processing capability in the event that the primary processing site is not available. 2) Alternate Storage Site is a geographically distinct site separate from the primary storage site that maintains duplicate copies of information and data in the event that the primary storage site is not available. 3) Contingency Plan Testing determines the effectiveness of the Plan and identifies potential weakness in the Plan. Testing can be in the form of walk-throughs, tabletop exercises, checklists, simulations or a comprehensive exercise. 4) Mission-Essential Functions are those business-critical services and/or activities performed by the University that must be continued throughout, or resumed rapidly after, a disruption of normal operations. 5

7 5) System-level Information includes system-state information, operating system and application software and licenses. 6) User-level Information includes any information other than system-state information. 6