This Control applies to all high and moderate impact information resources, University Essential IT Services, and additional resources as identified by the CISO, in consultation with the CIO.

The information resource owner or designee is responsible for ensuring planning processes described in this Control are implemented.

Based on risk management considerations, the university’s Chief Information Security Officer may determine, in consultation with the CIO, that it would be appropriate to apply the requirements of this Control to information resources not meeting the Glossary definition of high and moderate impact.

Information resource owners or designees shall document and maintain a Contingency Plan for all high and moderate impact information resources. The plan will contain:

• 1.1

  Business Impact Analysis to systematically assess the potential impact of a loss of business functionality due to an interruption of computing and/or infrastructure support services resulting from a disruptive event or incident. The analysis shall identify the following elements:

  Related Resource

  Please see Business Impact Analysis templates. You may also use your own template if it is approved by the CISO or designee.

  • 1.1.1

    High and moderate impact Information Resources including:

    • 1.1.1.1

      Internal and external points of contact for personnel who provide or receive data; and

    • 1.1.1.2

      Supporting infrastructure such as electric power, telecommunications connections, and environmental controls.

  • 1.1.2

    A determination of the Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

    Related Resource

    See Section 3.1.1. of Business Impact Analysis Template for determining Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

  • 1.1.3

    Dependent information resources to assess the impact on associated resources or processes.

  • 1.1.4

    Relevant recovery priorities that consider geographic areas, accessibility, security, environment, and cost, including:

    • 1.1.4.1

      Preventative controls and processes such as backup power, excess capacity, environmental sensors and alarms; and

    • 1.1.4.2

      Recovery techniques and technologies such as backup methodologies, alternate sites, software and hardware equipment replacement, implementation roles and responsibilities.

• 1.2

  A Cost Benefit Analysis for University Essential IT Services shall be conducted to weigh the cost of implementing preventative measures against the risk of loss from not taking action. For high and moderate impact information resources, a cost benefit analysis shall be conducted at the discretion of the information resource owner.

  Tip

  IT Policy and Risk Management is planning future courses on the elements of cost benefit analysis for Contingency Planning. Keep an eye on the Events Calendar on the home page for future training dates, times and locations.

• 1.3

  Recovery and reconstitution (aka “disaster recovery”) procedures for major or catastrophic events that deny access to high and moderate impact information resources for an extended period. The procedures will:

  • 1.3.1

    be implemented as described in CP-10 Information Systems Recovery and Reconstitution;

  • 1.3.2

    be tested as described in CP-4 Contingency Plan Testing.

    Tip

    Tests of the recovery procedures may include a range of testing methods from virtual (e.g., tabletop) tests to actual events. The tests shall be documented and the results used to update the procedures, if necessary. The information resource owner or designee shall approve the results of the tests and any resulting actions.