Contingency Management for Technology-based Information Systems
Date of Current Revision: April 2012
Responsible Officer: Assistant Vice President Information Technology
This policy establishes the requirement for departments to create and maintain written contingency management plans for all information-based systems/applications that support critical functions.
The president has charged Information Technology (IT) with managing the university’s technology-based information systems; therefore, IT has the authority to establish policies related to that responsibility.
Business Impact Analysis:
Examining the relationship between key business processes of the university and its ability to sustain and execute critical functions. Business impact analysis also identifies the technology resources required to sustain such critical functions.
Business processes identified by the division heads that significantly affect service levels to students, affect public safety, impact the budget and/or are the result of governmental regulations; those functions of information systems that are so important to the university that their loss or unavailability is unacceptable. With a critical function, even a short-term unavailability of the information provided by the system would have a significant negative impact on the fiscal or legal integrity of university operations or on the continuation of essential university programs/services.
A set of processes and resources to generate, manipulate, store and/or disseminate data. Information systems are usually part of a larger business function and generally take one of the following three forms:
The academic/administrative unit head responsible for overall functionality of an information system and for stewardship of the data it includes (e.g. the university registrar is the system owner for the Student Administration System). The system owner works in cooperation with IT for effective implementation/operation of the system and to assure appropriate controls are in place.
This policy applies to all critical functions supported by technology-based information systems, applications or services.
Departments must have contingency management plans in place and detail how critical functions will be performed should a contingency event result in the absence of normal facilities, information resources or personnel. IT must have a contingency management plan for the central computing facilities and the communications network. The plans will also outline the procedures to be used for returning to a normal operating environment. The development and maintenance of contingency management plans must adhere to university policies and standards including that all or part of the plans' contents be tested annually to ensure that they are complete, current and workable. Testing should be done in a manner that will not interfere with the normal quality of university services.
Adequate contingency management plans must be developed and maintained for all technology-based information systems that support critical functions.
The contingency management plans must be reviewed, tested and updated at least annually, and all personnel affected by the plan must be adequately trained on the content and operation of the plan.
7.1 Division heads are responsible for identifying critical functions within their divisions that are supported by technology-based information systems. Division heads are also responsible for:
7.2 Deans, directors and academic/administrative unit heads are directly responsible for:
7.3 The division heads shall decide the criticality of functions and/or assignment of responsibilities that are disputed or not organizationally apparent. The Assistant Vice President for Information Technology is responsible for identifying the technology resources that support critical functions, for developing contingency plans for critical technology-based information systems and for representing information technology within the broader continuity of operations/emergency planning context.
7.4 Development of contingency management plans for central information systems is a shared responsibility. IT is responsible for the central computing facilities and the communications network. The system owner is responsible for the contingency management plans and alternate procedures necessary to sustain functionality during the recovery period.
Sanctions will be commensurate with the severity and/or frequency of the offense and may include termination from employment.
This policy does not refer to manual systems.
Authority to interpret this policy rests with the president and is generally delegated to the Assistant Vice President for Information Technology.
Previous Version: September, 2010
Approved by the President: April, 2002