Contingency Management for Technology-based Information Systems
Date of Current Revision: July 2015
Primary Responsible Officer: Assistant Vice President Information Technology
This policy establishes the requirement for departments to create and maintain written contingency management plans for all information-based systems/applications that support critical functions.
The Board of Visitors has been authorized by the Commonwealth of Virginia to govern James Madison University. See Code of Virginia section 23-164.6; 23-9.2:3. The board has delegated the authority to manage the university to the president.
Business Impact Analysis:
Examining the relationship between key business processes of the university and its ability to sustain and execute critical functions. Business impact analysis also identifies the technology resources required to sustain such critical functions.
Contingency Management Plan:
A plan that includes an identification of critical functions, an inventory of the backup facilities and other information technology resources required in the event of a contingency, procedures for alternative processing and recovery, procedures for event detection, and requirements for training, testing and maintenance related to the plan.
Business processes identified by the vice presidents that significantly affect service levels to students, affect public safety, impact the budget and/or are the result of governmental regulations; those functions of information systems that are so important to the university that their loss or unavailability is unacceptable. With a critical function, even a short-term unavailability of the information provided by the system would have a significant negative impact on the fiscal or legal integrity of university operations or on the continuation of essential university programs/services.
A set of processes and resources to generate, manipulate, store and/or disseminate data. Information systems are usually part of a larger business function and generally take one of the following three forms:
- Central information systems:
Information systems that use central computing facilities, the central communications network and/or other shared resources and are managed by Information Technology;
- Local information systems:
Information systems that use only individual workstations and/or departmental server resources not managed by IT; and,
- Manual information systems:
Information processes that use no information technology/electronic automation.
The academic/administrative unit head responsible for overall functionality of an information system and for stewardship of the data it includes (e.g. the university registrar is the system owner for the Student Administration System). The system owner works in cooperation with IT for effective implementation/operation of the system and to assure appropriate controls are in place.
This policy applies to all critical functions supported by technology-based information systems, applications or services.
Departments must have contingency management plans in place and detail how critical functions will be performed should a contingency event result in the absence of normal facilities, information resources or personnel. IT must have a contingency management plan for the central computing facilities and the communications network. The plans will also outline the procedures to be used for returning to a normal operating environment. The development and maintenance of contingency management plans must adhere to university policies and standards including that all or part of the plans' contents be tested annually to ensure that they are complete, current and workable. Testing should be done in a manner that will not interfere with the normal quality of university services.
Adequate contingency management plans must be developed and maintained for all technology-based information systems that support critical functions
The contingency management plans must be reviewed, tested and updated at least annually and all personnel affected by the plan adequately trained on the content and operation of the plan.
7.1 Vice presidents are responsible for identifying critical functions within their divisions that are supported by technology-based information systems. Vice presidents are also responsible for:
- informing departments within their divisions of the critical functions;
- ensuring that adequate contingency management plans are in place for critical functions;
- ensuring that departments have established alternate procedures to be used during a recovery period for central information systems; and,
- deciding when situations require the activation of contingency management plans and/or alternate procedures.
7.2 Deans, Associate/Assistant vice presidents, directors and academic/administrative unit heads are directly responsible for:
- developing and maintaining contingency management plans for local and manual information systems;
- establishing alternate procedures necessary to sustain functionality during the recovery period for central information systems;
- periodically reviewing, testing, and updating contingency management plans and alternate procedures; and,
- ensuring that personnel within their areas are adequately trained on the contents of the plans.
7.3 The vice presidents shall decide the criticality of functions and/or assignment of responsibilities that are disputed or not organizationally apparent. The Assistant Vice President for Information Technology is responsible for identifying the technology resources that support critical functions, for developing contingency plans for critical technology-based information systems and for representing information technology within the broader continuity of operations/emergency planning context.
7.4 Development of contingency management plans for central information systems is a shared responsibility. IT is responsible for the central computing facilities and the communications network. The system owner is responsible for the contingency management plans and alternate procedures necessary to sustain functionality during the recovery period.
Sanctions will be commensurate with the severity and/or frequency of the offense and may include termination from employment.
This policy does not refer to manual systems.
Authority to interpret this policy rests with the president and is generally delegated to the Assistant Vice President for Information Technology.
Previous Version: April 2012
Approved by the President: April 2002