MUSC Policy: Information Security - Contingency Plan

 TITLE: Information Security  ID:
 ORIGINATOR: Information Security Office  DATE: Jan 5, 2005
 REVIEWED: President's Council  DATE: Feb 16, 2005
 APPROVED: Raymond S. Greenberg, MD, PhD  DATE: Feb 16, 2005
 IMPLEMENTATION: Enterprise-wide  DATE: Feb 16, 2005

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.308(a)(7)(i) Standard: Contingency plan
HIPAA Security: 164.308(a)(7)(ii)(A) Data backup plan
HIPAA Security: 164.308(a)(7)(ii)(B) Disaster recovery plan
HIPAA Security: 164.308(a)(7)(ii)(C) Emergency mode operation plan
HIPAA Security: 164.308(a)(7)(ii)(D) Testing and revision procedures
HIPAA Security: 164.308(a)(7)(ii)(E) Applications and data criticality analysis

2. POLICY

A contingency plan should be developed and maintained for each MUSC information system. The plan should include policies and procedures for handling disasters and other types of emergencies that might disrupt the operation of the system and/or interrupt access to its information by authorized users.

3. PROCEDURES

3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Assigned Responsibilities

The designated Owner of each MUSC information system is required to develop and maintain a contingency plan for the system. The depth and breadth of the contingency plan, and the degree of detail and testing required, should be determined by ongoing risk assessments, by business continuity requirements (including applications and data criticality analysis), and by legal and regulatory requirements.

Contingency plans should encompass backup procedures, restoration and recovery procedures, and emergency mode operations procedures. Contingency plans should be periodically tested, and should be revised as needed in response to environmental, operational, policy or regulatory changes.

Designated System Owners should coordinate the development of their contingency plans with their Entity IACOs, who should ensure that the procedures documented in these plans are available to the persons responsible for their implementation.

3.3. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.4. See Also

MUSC Policy: Information Security
MUSC Policy: Information Security - Risk Management

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.