| Author: | Bill Rust |
|---|---|
| Contact: | rustb@musc.edu |
| Version: | 0.3 |
| Date: | 03 May 2005 |
| Status: | DRAFT |
The purpose of a contingency plan is to document the specific procedures and activities necessary to (a) reduce recovery and business continuity risks to acceptable levels, and (b) meet all legal, regulatory and policy requirements. These standards apply to all MUSC information systems for which contingency plans are required by applicable policies.
A contingency plan involves establishing and maintaining set of procedures and record keeping activities intended to ensure that information systems and their data are recoverable in the event of major system failure or disaster, and to safeguard the continuity of mission-critical business operations (including academic, patient care, administrative, financial, and infrastructure systems) during such events.
The designated Owner of each information system in the MUSC enterprise is required to develop and maintain a contingency plan.
The Owner of every information system within the MUSC enterprise is required to ensure that contingency plans are implemented and maintained, to reduce risks to reasonable and appropriate levels, and to comply with MUSC's business continuity priorities, applicable laws, regulations, and policies.
It would be unreasonably burdensome for MUSC to require documented contingency plans for every system within the MUSC enterprise, regardless of the size, purpose, or nature of the system, or the environment in which the system is used. MUSC requires a documented contingency plan for only those systems that meet one or both of the following criteria:
Protected information is defined in the Information Security policy as “information that, because of its criticality, its sensitivity, and/or legal or regulatory requirements, requires special safeguards.” A documented contingency plans is required for any system that stores protected information. Certain other systems, even though they do not store any protected information, may nevertheless be designated as critical systems by the Office of the CIO; documented contingency plans are also required for these designated systems.
Important
The Owner of a system that does not meet either of the above criteria is still expected to consider contingency planning and to document and implement appropriate procedures, but MUSC does not require formally documented contingency plans for such a system, and MUSC will not require the Owner of such a system to meet the documentation standards in this document (3.6. What needs to be documented in a contingency plan?, 3.7 Should contingency planning documents be shared or published? and 3.8 Is there a retention period for contingency plans?).
Contingency plans need to be developed and/or updated at different points in a system's life cycle:
The System Owner must ensure that the contingency planning team has members whose collective knowledge of the (planned or production) system, whose knowledge of the organization, and whose understanding of applicable policies and regulations, are sufficient to enable the team to identify potential points of failure, assess risks associated with downtime, analyze potential countermeasures (fail-over, mirrored site, etc.), specify an optimal set of countermeasures if any, and communicate their recommendations to management.
A system's contingency plan must mesh with the contingency plans, business continuity plans, and disaster preparedness and recovery plans for the business unit(s) that the system supports. The System Owner must ensure that his contingency planning team has the organizational knowledge and the contacts needed to ensure coordination with these other planning efforts.
The following core information must be included in any documented contingency plan:
Additional documentation standards are listed below for each of the major procedural areas that should be addressed in a system contingency plan.
Beyond the core information given above, and the standard procedural areas given below, the specific business requirements of the system itself may require additional elements to be included in the system contingency plan.
The System Owner should include all necessary information on hardware, software, documentation, skill set, data recovery procedure, order of actions and other procedures necessary to recover from a disaster or other adverse event. This document should be reviewed by appropriately skilled staff to verify its completeness and understandability.
The System Owner should fully document the specific resources required to restore or re-create the system in the event that it were completely destroyed or damaged beyond repair. Such documentation should include:
The System Owner should document the detail narrative instructions for accomplishing system recovery. These instructions should include details necessary for recovering from different scenarios as follows:
While it is not necessary to address these three levels specifically, it is necessary to include enough instruction to deal successfully with Levels I and II. Some mission-critical systems may be required to include a viable plan for a Level III disaster.
The System Owner should document the procedural steps for recovering the system. Steps should contain enough detail so that given the personnel with the skills specified above, a successful system recovery can be accomplished.
The System Owner should document the specific procedures to be followed and resources available in the case of system downtime. If there are alternate methods to meet the need of the end-user they should be specified in the downtime procedures. The plan should also specify the events, conditions and/or circumstances that will trigger the use of downtime procedures.
The System Owner should document the plan for communicating system status and related information to the end-user community and management. This should include the plan for communication during downtime.
The System Owner must retain all documents and records related to system contingency plans for a minimum of six years.
The System Owner is not required to test all aspects of the contingency plan since complete testing could be significantly disruptive to ongoing operations and/or prohibitively expensive. However, it is expected that reasonable measures will be taken to regularly test aspects of the plan to achieve acceptable levels of confidence that the plan is viable.