POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014

Transcription

1 State f Michigan POLICY 1390 Infrmatin Technlgy Cntinuity f Business Planning Issued: June 4, 2009 Revised: June 12, 2014 SUBJECT: APPLICATION: PURPOSE: CONTACT AGENCY: Plicy fr Infrmatin Technlgy (IT) Cntinuity f Business and Disaster Recvery Planning. This plicy is intended fr statewide cmpliance and applies t all Executive Branch Departments, Agencies, Trusted Partners, Bards r Cmmissins using state f Michigan (SOM) infrmatin netwrks and IT resurces. This plicy establishes the SOM guidelines fr cntinuity f business and disaster recvery planning. It identifies infrmatin security advance arrangements and IT structures that will allw the SOM t respnd t an event in such a manner that critical business functins cntinue withut interruptin r essential change. This plicy als utlines specific respnsibilities fr Agency Directrs and the Directr f the Department f Technlgy, Management and Budget (DTMB). Department f Technlgy, Management and Budget (DTMB) Custmer Services, Deputy Directr and Cybersecurity and Infrastructure Prtectin (CIP) Infrastructure Prtectin (OIP) TELEPHONE: (Custmer Service) (OIP) FAX: SUMMARY: The Cntinuity f Gvernment Initiative (COGI), led by DTMB and cmmissined by the Gvernr, requires state agencies t identify and create a Business Cntinuity Plan, alng with Disaster Recvery Plans that supprt the Cntinuity Plan. The plicy fr cntinuity f business and disaster recvery planning utlines the SOM s practive effrt t minimize lsses resulting frm a disaster and prvide fr the quick resumptin f business-critical functins and custmer service by requiring SOM Agencies t create and stre plans in the DTMB wned and managed plan building repsitry. This plicy als seeks t mitigate the negative effects f a disaster n an agency s strategic plan, reputatin, peratins r ability t remain in cmpliance with applicable laws and regulatins. DTMB with its Disaster Recvery Plan (DRP) is ne element f a larger agency business cntinuity scenari, which is the assurance that critical business functins will remain available. The Business Cntinuity Plan (BCP) is actually the result f a cmprehensive business prcess that incrprates the DRP. Althugh BCP is an agency functin and disaster recvery (DR) is an integral part f the BCP; DR is nt the BCP. 1 f 6

2 Our gal frm an IT perspective and in the cntext f cntinuity f business planning supprts agency business cntinuity strategies fr DR and ensures DR plans dcument the actins that will be taken t prevent, minimize r restre cmputer prcessing, applicatins, telecmmunicatins services and data after a disruptin r disaster. POLICY: It is the respnsibility f each agency t define and dcument thse requirements that are essential t cntinuing their critical business peratins. Agency Directr: As a SOM Netwrk and IT Custmer, the Directr within their area f respnsibility shall ensure: A BCP is develped that incrprates all critical systems and addresses all aspects f business resumptin within their agency in the mst timely and efficient manner pssible within the cnstraints f the utage t reduce the impact f the disruptive event. Ensure that critical applicatins are dcumented using frm DTMB-0208 Business Functin/Service/System/Applicatin Criticality Request and add critical applicatins t the SOM Red Card. Funding t supprt DR requirements is identified in the BCP. The agency BCP includes the apprpriate IT cntingency plan management cmpnent that includes best practice cncepts as identified by COGI. DR plans are develped fr all critical applicatins and systems in cmpliance with the BCP that identify at a minimum: The business impact resulting frm the lss f the applicatin/system. Criticality f the business functin as identified n the SOM Red Card. Pririty in which cmpnents/services need t be recvered. Time the system can be unavailable (Recvery Time Objective (RTO)). Recvery Pint Objective (RPO), including the amunt f data lss that can be tlerated as well as wh has what respnsibility in the recvery effrt. IT security plans are develped that identify all infrmatin assets, the risk t these assets and mitigating strategies fr prtecting these assets. The BCP, DR and IT security plans are created and/r stred in the DTMB wned and managed central repsitry. The BCP, DR and agency IT security plans are updated and tested n an annual basis and prperly dcumented. Agency DRPs fr critical applicatins are reviewed by the apprpriate agency management. Internal agency security plicies and prcedures are implemented, maintained and enfrced that cmpliment and cmply with this plicy. If a desire t implement mre stringent plicies than thse develped by DTMB, agencies d s in cnjunctin with DTMB. Cntingency planning principles are integrated thrughut the system develpment life cycle and prmte system cmpatibility and a cst-effective means t increase an agency s ability t respnd quickly and effectively t a disruptive event. DTMB Directr: As a SOM Netwrk and IT Owner, the Directr shall ensure: An IT strategic plan is develped that addresses disaster recvery strategies fr the SOM. Assessments are perfrmed t dcument the DR requirements fr each agency as identified within the agency s BCP. 2 f 6

3 An effective risk management prgram is implemented t help agencies better manage IT-related risk. This shuld be dne in partnership with the agencies t identify and assess risk and take steps t reduce risk t an acceptable level. Prvide a mechanism fr perfrming a Risk Assessment fr each f the IT services identified in the BCP. This mechanism shuld identify threats, vulnerabilities and cuntermeasures s that apprpriate cntrls can be put int place t either prevent incidents frm happening r t limit the effects f an incident. Prvide a mechanism fr mnitring and measuring the availability and perfrmance fr all critical systems. Prvide a secure and highly available repsitry fr develping and string BCP and DR Plans fr all SOM Agencies. An Emergency Management Plan is develped t manage a crisis that addresses mitigatin, preparedness, respnse and recvery f unplanned events that can cause deaths r significant injuries; r that can shut dwn business, disrupt peratins, cause physical r envirnmental damage, r threaten SOM r agency reputatin and revenue. A full spectrum f slutins are develped that prvide the fllwing: A full range f disaster mitigatin and recvery strategies that allw agencies t cnfidently restart services t its business clients as sn as specified and funded by the agency. An IT infrastructure (if funded by agency) which supprts critical business functins and will be restred in accrdance with the agency s BCP requirements. Cnsultatin services t agencies, assisting them in establishing recvery pint bjectives, recvery time bjectives and recvery capacity bjectives fr their critical applicatins. These services shuld be fully crdinated with agency BCPs and DR Plans. Implementatin and maintenance f a DR plan fr IT services. A mechanism fr mnitring, reprting and alerting agency business wners f the status f critical systems. Assessment and recmmendatin f DR strategies generated by agencies t achieve their business bjectives. Agency DRPs fr critical applicatins are tested, reviewed and revised n an annual basis by the apprpriate agency management. Terms and Definitins: Agency Availability Business Cntinuity Business Cntinuity Management (BCM) The principal department f state gvernment as created by Executive Organizatin Act, P.A. 380 f Ensuring timely and reliable access t and use f infrmatin and assuring that the systems respnsible fr delivering, string and prcessing infrmatin are accessible when needed, by thse wh need them. The ability f an rganizatin t prvide service and supprt t its custmers and t maintain its viability befre, during and after a business cntinuity event. A hlistic management prcess that identifies ptential impacts that threaten an rganizatin. BCM prvides a framewrk fr building resilience and an effective respnse capability that safeguards the interests f its key stakehlders, reputatin, brand and value creating activities. BCM als includes the management f the verall prgram thrugh training, rehearsals and reviews t ensure the plan stays current and up t date. 3 f 6

4 Business Cntinuity Plan (BCP) Business Cntinuity Planning Business Cntinuity Strategy Business Partner/ Trusted Partner Cnfidentiality Cntinuity f Gvernment Initiative (COGI) Data Custdian Data/Infrmatin Data Owner Disaster Disaster Recvery Plan (DRP) Prcess f develping and dcumenting arrangements and prcedures that enable an rganizatin t respnd t an event that lasts fr an unacceptable perid f time and return t perfrming its critical functins. A business functin and the prcess f practively develping, dcumenting and integrating prcesses, prcedures and enabling technlgies that will allw the SOM r agency t respnd t a disruptin r disaster event. Business cntinuity planning prvides that critical business functins will cntinue with minimal, if any, interruptin r significant changes until such time as its nrmal facilities are restred after a disruptive event. An apprach by an rganizatin that will ensure its recvery and cntinuity in the face f a disaster r ther majr utage. Plans and methdlgies are determined by the rganizatin s strategy. There may be mre than ne slutin t fulfill an rganizatin s strategy. Examples: internal r external ht-site r cld-site, Alternate Wrk Area reciprcal agreement, Mbile Recvery, Quick Ship/Drp Ship, Cnsrtium-based slutins, etc. A persn (i.e., vendr, cntractr, 3rd party, etc.) r entity that has cntracted with the SOM t perfrm a certain service r prvide a certain prduct in exchange fr valuable cnsideratin, mnetary, r gds and services. Prtecting infrmatin frm unauthrized disclsure r interceptin and assuring that infrmatin is shared nly amng authrized persns and rganizatins. Statewide inter-agency effrt t develp and maintain Cntinuity f Gvernment and Cntinuity f Operatins aimed at ensuring that critical gvernment services cntinue t perate during a crisis r emergency that culd cause disruptin t gvernment infrastructure. An individual r rganizatin delegated by a data wner that has respnsibility fr maintenance and technlgical management f data and systems. SOM agency infrmatin. N distinctins between the wrds data and infrmatin are made fr purpses f this plicy. An individual r rganizatin usually a member f senir management f an rganizatin wh is ultimately respnsible fr ensuring the prtectin and use f data. Includes, but is nt limited t, a sudden, unplanned catastrphic event causing unacceptable damage r lss which cmprmises an rganizatin s ability t prvide critical functins, prcesses r services fr sme unacceptable perid f time. A disaster is als an event where an rganizatin s management invkes their recvery plans. A management-apprved dcument that defines the resurces, actins, tasks and data required t manage the technlgy recvery effrt. A DRP usually refers t the technlgy recvery effrt and is a cmpnent f the BCM prgram. 4 f 6

5 Disaster Recvery (DR) Infrmatin Technlgy (IT) Resurces The ability f an rganizatin t respnd t a disaster r an interruptin in services by implementing a DR plan t stabilize and restre the rganizatin s critical functins. Includes, but is nt limited t: cmputers, servers, strage peripherals, telecmmunicatins equipment, netwrk equipment and wiring, netwrkattached printers and fax machines. Integrity Guarding against imprper infrmatin mdificatin and/r destructin, ensuring infrmatin has nt been altered by unauthrized peple and the assurance that the infrmatin can be relied upn t be sufficiently accurate fr its purpse. Red Card Risk Assessment SOM Netwrk and IT Custmer SOM Netwrk and IT Owner Technical Plicy Technical Standard Technical Prcedure A dcument that identifies IT services and applicatins that are assciated with Agency defined critical business functins. A prcess by which SOM identifies its assets, as well as the risks t thse assets, t estimate the likelihd f cntinuity f business failures. Risk Assessment als identifies apprpriate cntrls fr prtecting assets and resurces t ensure business can resume with minimal risk and lss t the state. Same as Data Owner. Same as Data Custdian. High level executive management statement used t set directin in an rganizatin that dcuments infrmatin, values, prtectin respnsibilities and management cmmitment fr prtecting its cmputing and infrmatin assets. Plicies are strategic in nature. Published dcument cntaining technical specificatins r ther precise criteria designed t be used cnsistently as a rule, guideline r definitin. They are als a cllage f best practices and business cases specific t addressing an rganizatin s technlgical needs. Standards are tactical in nature and derive their authrity frm a plicy. A series f prescribed steps fllwed in a definite rder which ensure adherence t the standards and cmpliance as set frth in the plicy t which the prcedure applies. Prcedures are peratinal in nature and derive their guidance frm a standard and authrity frm a plicy. 5 f 6

6 Authrity: This plicy btains its authrity frm: Administrative Guide Plicy 1305 Enterprise Infrmatin Technlgy. The. DTMB IT Technical Plicies, Standards and Prcedures, which can be fund n the DTMB Intranet. Enfrcement: All enfrcement fr this plicy shall be in cmpliance with the standards and prcedures f Administrative Guide Plicy 1305 Enterprise Infrmatin Technlgy. Develping Standards and Prcedures fr this Plicy: All requirements fr develping standards and prcedures fr this plicy shall be in cmpliance with Administrative Guide Plicy 1305 Enterprise Infrmatin Technlgy. Exceptins: All exceptin requests t this plicy must be prcessed in cmpliance with Administrative Guide Plicy 1305 Enterprise Infrmatin Technlgy. Effective Date: This plicy will be effective upn signature f the Administrative Guide apprval mem by the DTMB Directr. *** 6 f 6