CP-01-727 Contingency Planning Policy and Procedures

Contingency Planning Policy and Procedures

Control ID

CP-01-727

Control Name

Contingency Planning Policy and Procedures

Control Category

Contingency Planning

Functional Areas

Protect

Sub-Areas

Contingency Planning

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

Continuity of Operations for Agency-owned information resources are documented in the TTI Information System Contingency Plan & Disaster Recovery Plan.

The chief information security officer shall review the Information System Contingency Plan & Disaster Recovery Plan at least annually, and ensure the plan compliments other relevant Agency plans and complies with Federal, State, and TAMUS contingency and continuity of operations planning requirements.

Risk Statement

The BCM Program is ineffective since the Business Continuity documentation has not been created and maintained.

Control Description

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].

Control Example

Written, documented COOP documentation is in place.

State Implementation

State organizations shall maintain written Continuity of Operations Plans that address information resources so that the effects of a disaster will be minimized, and the state organization will be able either to maintain or quickly resume mission-critical functions.

Testing Procedures

Obtain Contingency planning policy and procedures; other relevant documents or records and ascertain if: (I)the organization develops and documents contingency planning policy and procedures. (ii)the organization disseminates contingency planning policy and procedures to appropriate elements within the organization. (iii)responsible parties within the organization periodically review contingency planning policy and procedures. (iv)the organization updates contingency planning policy and procedures when organizational review indicates updates are required. (v)the contingency planning policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance. (vi)the contingency planning policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance. (vii)the contingency planning procedures address all areas identified in the contingency planning policy and address achieving policy-compliant implementations of all associated contingency planning controls.