1.0 TITLE: Business Contingency Planning
1.1 EFFECTIVE DATE: October 14, 1999 Revised: April 27, 2006
1.2 TYPE OF ACTION: Update
2.0 PURPOSE: This policy is for the development of entity business continuity plans to ensure that all entities can continue critical operations during any disruption and resume normal operations within a reasonable period of time. As the mission and nature of each entity differ considerably, the specific risks associated with information technology facilities and services will require tailoring of business contingency plans to these needs. However, the format and contents need to be compatible with accepted business contingency principles and practices.
3.0 ORGANIZATIONS AFFECTED: All Branches, Boards, Commissions, Departments, Divisions and Agencies of state government, hereafter referred to as entities.
4.1 K.S.A. 2005 Supp. 75-7203 authorizes the ITEC to: Adopt information resource policies and procedures and provide direction and coordination for the application of the state's information technology resources for all entities.
5.1 Disaster Recovery/Business Contingency - are commonly used terms to refer to the recovery of service following either a disaster or other actions which would disrupt business activity.
5.2 Disaster - is any sudden or unplanned event that causes a significant disruption in information systems and/or telecommunications systems that affects the operation of an organization.
5.3 Recovery Plan - is a document used to define actions to be taken in the event of a disaster and reduce the number of decisions required during a stressful situation.
5.4 Business contingency - is the process of restoring business activity to an acceptable level, and then to a normal level after an emergency event has disrupted normal operations.
5.5 Business impact analysis - is the evaluation of the quantitative effect on the organization if certain business functions or application systems cannot be performed.
6.0 POLICY: All entities shall:
6.1 Raise the awareness within their organization of the need to protect the State's investment in information resources and related business processes;
6.2 Develop entity business contingency plans capable of being incorporated into an overall statewide business contingency plan. All data resources are to be included within the scope of these planning efforts;
6.3 Develop, implement, maintain and test business contingency plans for mission critical information and telecommunication systems. All entities are responsible and accountable for their own business recovery plan; and
6.4 Actively pursue means of mitigating business disruptions. Cost justified controls should be implemented to lessen service disruptions. Business contingency procedures should be developed for all new systems and major upgrades to existing systems.
7.1 Designate a person(s) to be responsible for business contingency planning, which includes coordinating the development and maintenance of the plan;
7.2 Train employees in the implementation and execution of the business contingency plan. Recovery teams should exercise the procedures documented in the plan;
7.3 Additional procedures for the implementation of this policy are contained in policy 5310; and
7.4 Perform a Business Impact Analysis to identify and define the entity’s critical applications and potential financial and other risks associated with the disruption of these applications.
8.1 Heads of entities are responsible for implementing this policy within their organizations;
8.2 The Division of Information Systems and Communications (DISC) is responsible for the coordination of a statewide information resource disaster recovery/business resumption plan; and
8.3 The Chief Information Technology Officer, Executive Branch is responsible for the maintenance of this policy.
9.0 CANCELLATION: Replaces ITEC Policy #3200 titled ‘Business Continuity Planning’.