1.0 TITLE: Business Contingency Planning Implementation
1.1 EFFECTIVE DATE: October 14, 1999 Revised: April 27, 2006
1.2 TYPE OF ACTION: Update
2.0 PURPOSE: To implement the ITEC Information Technology Policy 5300 concerning Business Contingency Planning for an entity's information technology and communications resources.
3.0 ORGANIZATIONS AFFECTED: All Branches, Boards, Commissions, Departments, Divisions and Agencies of state government, hereafter referred to as entities.
4.1 K.S.A. 2005 Supp. 75-7203 authorizes the ITEC to: Adopt information resource policies and procedures and provide direction and coordination for the application of the state's information technology resources for all entities.
5.1 Disaster Recovery/Business Contingency - are commonly used terms to refer to the recovery of service following either a disaster or other actions which would disrupt business activity.
5.2 Disaster - is any sudden or unplanned event that causes a significant disruption in information systems and/or telecommunications systems that affects the operation of an organization.
5.3 Contingency Plan - is a document used to define actions to be taken in the event of a disaster and reduce the number of decisions required during a stressful situation.
5.4 Business resumption - is the process of restoring business activity to an acceptable level, and then to a normal level after an emergency event has disrupted normal operations.
5.5 Business impact analysis is the evaluation of the quantitative effect on the organization if certain business functions or application systems cannot be performed.
6.0 POLICY: All entities shall develop Business Contingency Plans for their information technology and communication resources
7.1 Steps for developing a business contingency plan, as well as questions a business contingency plan needs to address are listed below. The magnitude of the planning effort will relate to the size of the organization. However, each entity needs to follow the same general procedures.
7.1.1 The business contingency planning process includes the following activities:
1. Develop a project plan for the development of the entity’s business contingency plan, including any assumptions and the planning responsibilities.
2. Conduct the business impact analysis/vulnerability assessment.
3. Determine recovery strategies which will be based upon the length of time the entity can function without the business process or the supporting information resources.
4. Identity and acquire cost justified resources to support the plan.
5. Define the emergency response procedures. (What immediate actions are required when a disaster occurs?)
6. Define the recovery operations procedures. (How to get the entity functioning again.)
7. Develop and document the entity business contingency plan based upon the information gathered in the steps above.
8. Train employees on their responsibilities in the event of a disaster.
9. Test the entity’s business contingency plan.
10. Maintain the entity's business contingency plan.
7.1.2 A business contingency plan generally addresses the following:
1. Identification of critical applications and processes.
2. Actions to be taken during the four phases of a business resumption;
a. Response (initial action following a disastrous event),
b. Resumption (establishing the alternate processing site and begin processing time sensitive business functions),
c. Recovery (resume processing for less time-sensitive business functions), and
d. Restoration (returning to the original processing site).
3. Identification of critical personnel and event notification information.
4. Identification of minimum recovery hardware configuration.
5. Required software.
6. Scripts describing how to acquire necessary resources;
a. Vendor information
b. Supplies information
7.2 The entity’s business contingency plans should be reviewed and updated annually by the entity. Portions of the plan, which are name oriented, may need to be reviewed at least quarterly.
8.1 Heads of entities are responsible to establish procedures for their organizations compliance with the requirements of this policy.
8.2 The Chief Information Technology Officer, Executive Branch is responsible for the maintenance of this policy.
9.0 CANCELLATION: Replaces ITEC Policy #3210 titled ‘Business Continuity Planning Implementation’.