|
New Hanover County Information Technology Department |
Issued: 01/22/02 |
|
|
Policy Number: 01-08 |
||
|
Subject: BUSINESS CONTINUITY PLAN |
||
PURPOSE AND SCOPE:
The purpose of this document is to establish the requirement for the development of a Business Continuity Plan that is devoted to the concept of keeping the county’s essential Information Technology functions operational in all foreseeable circumstances. This plan will insure the continued successful operations of essential Information Technology functions in three environments: (1) Normal Operation Environment, (2) Emergency Operation Environment and (3) Return to Normal Operation Environment.
The Scope of this policy covers all Information Technology equipment and systems owned by the county. The IT Department Management is responsible for constructing, updating and testing the plan. The IT Staff is responsible for the implementation and testing of the plan. The county management is responsible for the funding of the plan.
CHANGE SUMMARY:
None. This is the Original Document
POLICY:
It is the policy of the Information Technology Department that its staff shall create and maintain a Business Continuity Plan that will direct the operation of the Information Technology department should a threat to its normal operations arises. It is the responsibility of the management of the IT Department to create such a plan, maintain it in current status and test the plan from time to time. It is the responsibility of the staff to implement this plan and to switch the departmental operational mode to those specified in the plan when directed by management.
New Hanover County has selected a five-step process
that will serve as the model for the development of its Business Continuity
Plan. This model was selected because it is a simple, straight forward
method for defining and documenting the process the county will follow
in the event its business processes are threatened or if a loss of a business
process, in whole or in part, occurs.
PROCEDURE:
The procedure to be used to create this
plan consists of 5 specific phases. Each phase is briefly described below:
1. Risk
Analysis - The Information Technology Department
will identify any and all risks that threaten its successful operation. These
risks may exist at all times or they may exist only under certain
situations. Their threat will range from those with minor impacts
to those with disastrous consequences.
2. Contingency
Planning - Each
risk that is identified will be studied to determine what actions
can be taken to mediate or eliminate its impact. The plan will
insure that the mediation action defined is implemented in a timely
and orderly manner.
3. Impact
Analysis - Each
of the risks will be evaluated, based on the mediation actions
taken, as to its impact on the department if it should materialize. Two
measures will be specified: (1) Probability that the risk will
actually occur and (2) the measure of its impact on the successful
operation of the department. Numeric values will be assigned to
the two factors and their product will be an indication of its
relative impact on department operations.
4. Disaster
Recovery - This
section will discuss measures that will be taken if the threat
becomes a reality. The realization of the onset of that threat
will result in an impact on the department’s operation. This step
identifies methods and practices the department will utilize to
recover from this event and to facilitate the return to normal
operations.
5. Test
Plan - The
management of the Information Technology Department will insure
that the entire plan is tested according to a predetermined schedule. The
test results will be analyzed and any irregularities will be noted. If
necessary, the Business Continuity Plan will be modified to insure
that the irregularities do not occur in future tests.
OBJECTIVES OF BUSINESS CONTINUITY PLAN:
It is the objective of this plan to identify all threats that exist to the normal operation of the Information Technology Department, to perform all reasonable mediation actions on those threats and to minimize the impact of each threat that actually materializes in the county. Specific objectives that are to be accomplished are listed below.
1. Prevent all interruptions to normal operations
2. Protect County Data, Hardware, Software Programs and Computer Processes from damage.
3. Contain the impact of a threat if one does occur.
4. Provide an organized response to a disaster or incident
5. Minimize cost of response
6. Provide alternative methods for serving the citizens during the life of an interruption
7. Insure a quick and orderly return to normal operations
EXAMPLE OF BUSINESS CONTINUITY PLAN:
A summary of a sample plan is shown on the following
page. The purpose of this example is to show the relationship between
the five sections of the plan and to demonstrate how a specific plan is
developed for each identified threat. The actual plan will be much more
specific and will contain much more detail about each identified threat. It
will also provide much more information about actions that will be required
to either eliminate the threat or mitigate its impact on the county.
CHANGE HISTORY:
|
Version |
Date |
Author |
Comments |
|
A |
01/23/02 |
BC |
Original Document |