Contingency Management for Technology-based Information Systems
Date of Current Revision: January 2008
Responsible Officer: Assistant Vice President Information Technology
- PURPOSE
This policy establishes the requirement for departments to create and maintain written contingency management plans for all information-based applications that support critical functions.
- AUTHORITY
The president has charged Information Technology with managing the University’s technology-based information systems; therefore, Information Technology has the authority to establish policies related to that responsibility..
- DEFINITIONS
Critical functions:
Business processes identified by the division heads that significantly affect service levels to students, affect public safety, impact the budget, and/or are the result of governmental regulations. These functions of information systems that are so important to the university that their loss or unavailability is unacceptable. With a critical function, even a short-term unavailability of the information provided by the system would have a significant negative impact on the fiscal or legal integrity of university operations or on the continuation of essential university programs.
Information sysems:
A set of processes and resources to generate, manipulate, store and/or disseminate data. Information systems are usually part of a larger business function and generally take one of the following three forms::
- Central information systems:
Those that use central computing facilities, the central communications network, and/or other shared resources and are managed by Information Technology;
- Local information systems:
Those that use only individual workstations and/or departmental server resources not managed by Information Technology; and,
- Manual information systems:
Processes that use no technology/automation.
Contingency Management Plan:
A plan that includes an identification of critical functions, an inventory of the backup facilities and other information technology resources required in the event of a contingency, procedures for alternative processing and recovery, procedures for event detection, and requirements for training, testing, and maintenance related to the plan.
- APPLICABILITY
This policy applies to all critical functions supported by technology-based information systems, applications, or services. - POLICY
Departments must have contingency management plans in place and detail how critical functions will be performed should any contingency result in the absence of normal facilities, information resources, or personnel. Information Technology must have a contingency plan for the central computing facilities and the communications network. The plans will also outline the procedures to be used for returning to a normal operating environment. The development and maintenance of contingency management plans must adhere to the appropriate Commonwealth of Virginia policies and standards including that all or part of the plans' contents be tested annually to ensure that they are complete, current and workable. Testing should be done in a manner that will not interfere with the normal quality of university services..
- PROCEDURES
Adequate contingency management plans must be developed and maintained for all technology-based information systems that support critical functions
.
The contingency management plans must be reviewed, tested and updated at least annually and all personnel affected by the plan adequately trained on the content and operation of the plan.
See also Policy 1112 for university requirements related to emergency planning for critical business functions. - RESPONSIBILITIES
7.1 Division heads are responsible for identifying critical functions within their divisions that are supported by technology-based informatiion systems. Division heads are also responsible for:
- informing departments within their divisions of the critical functions;
- ensuring that adequate contingency management plans are in place for critical functions
- ensuring that departments have established alternate procedures to be used during a recovery period for central information systems; and
- deciding when situations require the activation of contingency management plans and/or alternate procedures.
7.2 Department heads/directors are directly responsible for:
- developing and maintaining contingency management plans for local and manual information systems;
- establishing alternate procedures necessary to sustain functionality during the recovery period for central information systems;
- periodically reviewing, testing, and updating contingency management plans and alternate procedures:, and,
- ensuring that personnel within their areas are adequately trained on the contents of the plans.
7.3 The division heads will decide the criticality of functions and/or assignment of responsibilities that are disputed or not organizationally apparent. The Assistant Vice President for Information Technology is responsible for contingency planning for critical technology-based information systems and will represent information technology within the broader continuity of operations/emergency planning context.
7.4 Development of contingency management plans for central information systems is a shared responsibility. Information Technology is responsible for the central computing facilities and the communications network. The system owner is responsible for the contingency management plans and alternate procedures necessary to sustain functionality during the recovery period.
- SANCTIONS
Sanctions will be commensurate with the severity and/or frequency of the offense and may include termination from employment. - EXCLUSIONS
Policy 1206 does not refer to manual systems. - INTERPRETATION
Authority to interpret this policy rests with the President, and is generally delegated to the Assistant Vice President for Information Technology.
Approved by the President: April, 2002
Index Terms
Contingency Management
Critical functions
Critical applications