Policy 6111
CONTINGENCY MANAGEMENT POLICY FOR INFORMATION-BASED
APPLICATIONS
I. PURPOSE
This policy establishes the requirement for departments to create and maintain
written contingency management plans to provide for the continuation of critical
business functions throughout the University in the event of disruptions and to
minimize the effect of those disruptions for all information-based applications
that support critical functions.
II. DEFINITIONS
A. Critical Business Functions/Applications: Functions which are supported by
critical information assets the department could not operate without even for a
short period of time. For example, the unavailability of a database may
adversely affect the ability of a department to function. Critical applications
are those applications whose loss would have a significant effect on the ability
of the University to remain operational. At Longwood, these two (2) applications
are the Student Information System (SIS) and the Financial Reporting System
(FRS). With a critical application, even a short-term unavailability of the
information provided by the application would have a significant negative impact
on the health and safety of the public or Longwood employees, on the fiscal or
legal integrity of Longwood operations, or on the continuation of essential
Longwood programs.
B. Information-Based Applications: Information-based applications are those
applications that generate, manipulate, or depend on data. They are
usually part of a larger function. Information-based applications
generally take one (1) of the following three (3) forms:
1. Automated Central Applications which use central computing facilities, the
central communications network, and/or other shared resources.
2. Automated Local Applications which use only resources on individual
personal computers or departmental LANs (Local Area Networks) not connected to
the campus network.
3. Manual applications which use no form of automation.
C. Contingency Management Plan: A Contingency Management Plan includes
detailed instructions for handling contingencies and disasters to provide for
the continuation of critical business functions in the event of disruptions and
to minimize the effect of those disruptions.
III. POLICY
A. Responsibilities:
1. Vice Presidents’ Responsibilities: All Vice Presidents are responsible for
identifying critical business functions within their divisions which are
supported by critical information assets as identified in their Business Impact
Analysis/Risk Assessments (BIA/RA). Vice Presidents are also responsible for
ensuring that adequate contingency management plans are developed and maintained
for all critical applications/business functions in their areas and for deciding
when situations require the activation of contingency plans and/or alternate
procedures.
2. Information and Instructional Technology Services (IITS) Shared
Responsibility: The development of contingency management plans for central
applications is a shared responsibility. Information and Instructional
Technology Services (IITS) is responsible for the central computing facilities
and the communications network plans, including restoration of operations at an
alternate site if required. The department operating the application is
responsible for the contingency management plans and alternate procedures
necessary for the application itself.
3. Department Responsibility: Plans for automated local applications and for
manual applications are the direct responsibility of the department that
developed and operates the application. Directors or department heads are also
responsible for ensuring that their plans are periodically reviewed, tested, and
updated, and for ensuring that employees within their areas are adequately
trained on the contents of the plans.
4. Chief Information Officer (CIO) Responsibility: The Vice President for IITS
is the Chief Information Officer (CIO) or his/her designee and will decide the
criticality of applications/business functions and/or assignment of
responsibilities that are disputed or not organizationally apparent. The CIO is
also responsible for appointing a Contingency Management Coordinator.
5. Contingency Management Coordinator (CMC) Responsibility: The CMC will
represent the University to the Department of Information Technology
(DIT)/Virginia Information Technologies Agency (VITA) and to vendors during a
contingency situation. The CMC is responsible for coordinating the development
of all contingency management plans for central applications and for
facilitating any local or manual application plans. To assist in this
responsibility, Vice Presidents are responsible for notifying the CMC as
contingency management plans are developed and/or updated.
B. Contingency Management Plan Requirements:
Contingency management plans must detail how critical business
functions/applications will be performed should any contingency result in the
absence of normal facilities, information resources, or employees. The plans
will also detail the procedures to be used for returning to a normal operating
environment.
1. The IITS plan will include adequate coverage of:
a. Emergency response procedures appropriate to any incident or activity that
may endanger lives, property, or the capability to perform critical business
functions.
b. Arrangements, procedures, and responsibilities, including data backup,
offsite storage, and contingency safeguards, to ensure that critical operations
can be continued and that sensitive information can be protected if normal
processing or data communications are interrupted for any reason for an
unacceptable period of time.
c. Recovery procedures and responsibilities to facilitate the rapid restoration
of normal operations at the primary site, or if necessary, at a new facility,
following the destruction, major damage, or other interruptions at the primary
site.
d. A minimally acceptable prioritized level of degraded operation of the
critical systems or functions to guide implementation at the backup operational
site. The contingency plan must accommodate the established priorities of need.
2. Departmental plans will include adequate coverage of:
a. Emergency response procedures appropriate to any incident or activity that
may endanger lives, property, or the capability to perform critical business
functions.
b. Arrangements, procedures, and responsibilities, including data backup,
offsite storage, and contingency safeguards, to ensure that critical operations
can be continued and that sensitive information can be protected if normal
processing or data communications are interrupted for any reason for an
unacceptable period of time.
c. Interim manual processes to enable the continuance of critical operations in
the absence of data processing support.
Revised and approved by the Board of Visitors, September 7, 2002.