POLICY NUMBER: 3 INFORMATION SYSTEMS SECURITY POLICY NAME: CONTINGENCY PLAN CONTROLS Responsible Office HSC IT Group Effective Date 10/31/2011 Responsible Official William Chamberlin Last Revision 10/31/2011 Policy Sections 3.0 Purpose... 2 3.1 Policy Delegation... 3 3.2 Policy... 3 3.2.1 Data Backup Plan... 3 3.2.2 Disaster Recovery Plan... 3 3.2.3 Emergency Mode Operation Plan... 4 3.2.4 Testing and Revision Procedure... 5 3.2.5 Applications and Data Criticality Analysis... 5 3.3 Policies or Procedures Required by or Referencing this Policy... 5 3.4 Forms Required by or Referencing this Policy... 5 3.5 Guidelines Required by or Referencing this Policy... 5 3.6 Standards Required by or Referencing this Policy... 5 3.7 Violations... 5 3.8 Policy Authority... 5 3.9 Responsibility for Process and Procedure... 6 3.10 Compliance Monitor... 6 3.11 Special Situations/Exceptions... 6 3.12 Contacts... 6 3.13 Revision History... 7 POLICY NUMBER: 3 Contingency Plan Policy Version 3.0 Page 1 of 7
3.0 Purpose The have adopted this policy to provide a framework for contingency planning within the Colleges. This Policy covers the contingency planning policy, application and data criticality, preventive measures, recovery strategy, data backup and disaster recovery planning, development and implementation of an emergency mode operation plan, and developing and testing revision procedures. This Policy is a statement of the minimum requirements, responsibilities, and accepted behaviors required to establish and maintain a secure technology environment within the Health Sciences Colleges, as well as to achieve the stated security objectives. This information security Policy emphasizes the Health Sciences Colleges commitment to strong information security; any individuals who use the information technology resources of the Health Sciences Colleges or the University resources that they depend upon are required to adhere to this Policy. The University s Combined Covered Entity 1, including the Health Sciences Colleges, is committed to securing and protecting High Risk data 2 including electronic Protected Health Information (ephi), 3 in accordance with widely accepted information systems security best practices and standards including those established by the International Organization for Standardization and the International Electrotechnical Commission (IEC); the ISO/IEC 27000 series of Information Systems Security standards; the National Institute of Standards and Technology (NIST) Information Security Standards and Guides; and the Standards for Security and Privacy of individually identifiable health information established by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) subject to later modification by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 as part of the American Recovery and Reinvestment Act (ARRA) of 2009. 1, 2, 3 See Covered Entity, High Risk data, and electronic Protected Health Information (ephi) definitions in HSC Policy Definitions POLICY NUMBER: 3 Contingency Plan Policy Version 3.0 Page 2 of 7
3.1 Policy Delegation An individual Health Science College may delegate the duties herein to departments or other units within the individual Health Science College, or to other campus units or external vendors. If a duty is delegated, then a Service Agreement defining what is delegated, to whom it is delegated, and the duties still required of the individual Health Science College will be identified. 3.2 Policy 3.2.1 Data Backup Plan a. The business units will establish and implement a Data Backup Plan that will detail all backups to be performed, media used for the backups, location used to store the backups, and that will allow for retrieval of copies of all data and files on systems in the event of an emergency, significant interruption, and/or disaster. b. The Data Backup Plan will require that a copy of all media used for the backups be stored in a physically secure location off-site. c. All individuals with specific responsibilities in the Data Backup Plan must be trained in those responsibilities. d. The Data Backup Plan will be documented and available to key personnel. 3.2.2 Disaster Recovery Plan a. The individual and their business units will create a Disaster Recovery Plan with procedures to recover the College s systems and data in a timely manner from an emergency, significant outage, or disaster such as fire, vandalism, terrorism, system failure, or natural disaster. b. The Disaster Recovery Plan will include procedures to restore data from backups, and the necessary steps and procedures to restore, recover, and resume Critical POLICY NUMBER: 3 Contingency Plan Policy Version 3.0 Page 3 of 7
Levels 4 1, 2, and 3 processes, functions, and technology infrastructure components of the College. c. The Disaster Recovery Plan will include a set of procedures, plans, and details to be used for all identified contingencies, including emergency-mode operations planning. The recovery site, recovery responsibilities, and service levels, along with Recovery Point Objectives and Recovery Time Objectives, will be identified. d. All individuals with specific responsibilities in the Disaster Recovery Plan must be trained in those responsibilities. e. The Disaster Recovery Plan will be documented and available to key personnel. A complete copy of the current Disaster Recovery Plan, or copy of the portion pertinent to personnel performing recovery efforts, will be retained off-site in a reliably retrievable form by the relevant personnel as identified in the Plan. 3.2.3 Emergency Mode Operation Plan a. Each business unit will establish procedures to enable continuation of business processes in Critical Levels 5 1, 2, and 3 to ensure protection of the security of ephi while operating in an Emergency Mode. b. Additionally, a business unit may establish a Emergency Operation Plan to address matters beside ephi such as continuing critical business operations requiring secure access to the more generic data class, High Risk Data. c. All individuals with specific responsibilities in the Emergency Mode Operation Plan must be trained in those responsibilities. d. The Emergency Mode Operation Plan will be documented and available to key personnel. 4 See Critical Level definition in HSC Policy Definitions 5 See Critical Level definition in HSC Policy Definitions POLICY NUMBER: 3 Contingency Plan Policy Version 3.0 Page 4 of 7
3.2.4 Testing and Revision Procedure The Health Science College and the business units will establish a process to test the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operations Plan. Testing should occur after all individuals with specific responsibilities have been trained in their respective roles and duties. 3.2.5 Applications and Data Criticality Analysis The individual and their business units will assess the relative criticality of their specific applications and data in support of other Contingency Plan components. 3.3 Policies or Procedures Required by or Referencing this Policy This: References: HSC Policy 4.2.4, Develop Data Backup and Storage Procedures 3.2.1 3.4 Forms Required by or Referencing this Policy None 3.5 Guidelines Required by or Referencing this Policy None 3.6 Standards Required by or Referencing this Policy None 3.7 Violations Any individual found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, regardless of tenure status. 3.8 Policy Authority Information Technology Group POLICY NUMBER: 3 Contingency Plan Policy Version 3.0 Page 5 of 7
3.9 Responsibility for Process and Procedure The Individual Health Science College Information Security Officer 3.10 Compliance Monitor The Individual Health Science College Information Security Officer 3.11 Special Situations/Exceptions Any exceptions to this policy must be approved by the College Information Security Officer or delegate. 3.12 Contacts Subject Contact Phone Applied Health Sciences Mike Kirda Dr. Annette Valenta 312-996-8236 312-996-1452 Dentistry Jay Dean 312-996-7495 Medicine Andre Pavkovic 312-413-1154 Interpretation of Policy Nursing Ursula Brozek Bala Ramaraju 312-996-8883 312-355-3651 Pharmacy Philip J. Reiter 312-996-4682 Public Health Faith Davis Dr. Sylvia Furner La Don Reed 312-996-5019 312-996-5013 312-996-3891 POLICY NUMBER: 3 Contingency Plan Policy Version 3.0 Page 6 of 7
3.13 Revision History 12/10/2007 Initial draft composed by College of Medicine: Ian Huggins, Robert McAuley, Andre Pavkovic 3/25/2009 Reviewed and Approved by HSC IT Group College of Medicine: Robert McAuley, Andre Pavkovic, Ian Huggins. College of Applied Health Sciences: Mike Kirda, Dr. Annette Valenta. College of Dentistry: Jay Dean. College of Nursing: Bala Ramaraju. College of Pharmacy: Philip Reiter. School of Public Health: La Don Reed (with input by Academic Computing and Communications Center and University of Illinois Medical Center) 3/03/2010 Updated 1.12 Contacts, completed first annual review of HSC Policies 7/07/2011 10/2010 through 6/2011 HSC IT Group Review of Policies - Edited by Judith Grobe Sachs; Group s following consensus revisions summarized by Ian Huggins 7/21/2011 Updated language by Mike Kirda, Judith Grobe Sachs, and Doug McCarthy 8/19/2011 Updated language, added numbering and automatic table of contents, added cross-references by Doug McCarthy. 10/31/2011 HSC IT Group approval of 10/2010 through 8/2011 Policy revisions, this completes the second annual review of the Policies. POLICY NUMBER: 3 Contingency Plan Policy Version 3.0 Page 7 of 7