 |
Longwood
University |
Policy 6111
CONTINGENCY MANAGEMENT POLICY
I. PURPOSE
This policy establishes the requirement for departments to create and maintain written contingency management plans to provide for the continuation of critical business functions throughout the University in the event of disruptions and to minimize the effect of those disruptions.
II. DEFINITIONS
A. Critical Business Functions: Functions which are supported by critical information assets the department could not operate without even for a short period of time. For example, the unavailability of a database may adversely affect the ability of a department to function.
III. POLICY
A. Responsibilities:
1. Vice President's Responsibilities: All Vice Presidents are responsible for identifying critical business functions within their divisions which are supported by critical information assets as identified in their Business Impact Analysis/Risk Assessments (BIA/RA). Vice presidents are also responsible for insuring that adequate contingency management plans are developed and maintained for all critical business functions in their areas and for deciding when situations require the activation of contingency plans and/or alternate procedures.
2. Information and Instructional Technology Services (IITS) Responsibility: IITS is responsible for the central computing facilities and the communications network plans including restoration of operations at an alternate site if required.
3. Department Responsibility: Directors or department heads are responsible for ensuring that their plans are periodically reviewed, tested, and updated, and for insuring that employees within their areas are adequately trained on the contents of the plans.4. Chief Information Officer (CIO) Responsibility: The CIO or his/her designee will decide the criticality of business functions and/or assignment of responsibilities that are disputed or not organizationally apparent. The CIO is also responsible for appointing a Contingency Management Coordinator.
5. Contingency Management Coordinator (CMC) Responsibility: The CMC will represent the University to the Virginia Information Technologies Agency (VITA) and to vendors during a contingency situation. The CMC is responsible for coordinating the development of all contingency management plans. To assist in this responsibility, Vice Presidents are responsible for notifying the CMC as contingency management plans are developed and/or updated.B. Requirements: Contingency management plans must detail
how critical business functions will be performed should any contingency situation occur. The plans will also detail the procedures to be used for returning to a normal operating environment.1. The IITS plan will include adequate coverage of:
a. Emergency response procedures appropriate to any incident or activity that may endanger lives, property, or the capability to perform critical business functions.
b. Arrangements, procedures, and responsibilities, including data backup, offsite storage and contingency safeguards to ensure that critical operations can be continued and that sensitive information can be protected if normal processing or data communications are interrupted for any reason for an unacceptable period of time.
c. Recovery procedures and responsibilities to facilitate the rapid restoration of normal operations at the primary site, or if necessary, at a new facility, following the destruction, major damage or other interruptions at the primary site.
d. A minimally acceptable prioritized level of degraded operation of critical systems or functions to guide implementation at the backup operational site. The contingency plan must accommodate the established priorities.2. Departmental plans will include adequate coverage of:
a. Emergency response procedures appropriate to any incident or activity that may endanger lives, property, or the capability to perform critical business functions.
b. Arrangements, procedures, and responsibilities, including data backup, offsite storage and contingency safeguards, that ensure critical operations can be continued and that sensitive information can be protected if normal processing or data communications are interrupted for any reason for an unacceptable period of time.
c. Interim manual processes to enable the continuance of critical operations in the absence of data processing support.
Revised and approved by the Board of Visitors, September 7, 2002.
Revised and approved by the Board of Visitors, September 15, 2006.