Goal: Establish (and implement as needed) policies and procedures to respond to an emergency or other occurrence (i.e. hurricanes, floods, earthquakes, fires, etc.) that may potentially damage systems containing or handling ePHI.
The purpose of this policy is to mitigate the damaging consequences of unexpected and undesirable events to key business systems and operations. This contingency plans will consider the possibility of catastrophically destructive occurrences and accounts for less-than- cataclysmic events that may also seriously impede data processing functions.
Procedure: These Contingency policies shall ensure that Information Systems Security controls function reliably and, if not, that adequate backup functions are in place to ensure that security functions are maintained continuously during interrupted service. If data is modified or destroyed, procedures must be in place for recovery.
The contingency plan at large (subsequent policies) addresses the areas of:
- Data Backup Plan
- Disaster Recovery Plan
- Emergency Mode Operation Plan
- Testing and Revision Procedure
- Applications and Date Criticality Analysis
This policy in particular addresses:
- Preliminary Planning. The Security Manager shall organize the appropriate parties to describe the purpose, scope, assumptions, responsibilities and overall strategy relative to the plan.
- All team members understand that this plan is a dynamic, on-going activity which includes not just things which are done in anticipation of a problem; but also what is to be done when problems occur.
- This policy shall encompass only those systems/information that has been designated as critical by the Security Manager.
- A risk analysis shall be conducted on an Annual basis to ascertain the criticality of available systems. Modification of categories may be accomplished after the risk analysis has been discussed with Management.
- Preparatory Actions. Before an event occurs which impacts the data processing operations, the Security Manager or its designated representative shall identify the processing requirements and criticality of people, hardware, communications, supplies, transportation, space, environmental controls, and documentation.
- Testing of the plan and training of recovery team personnel shall be performed at random intervals (not to exceed one year between tests).
- Maintenance support agreements have been developed, as needed, to ensure timely responses to processing stoppages due to hardware/software failures.
- Response times and expectations have been stated in the Agreements.
- Spare equipment parts and operational systems may be used whenever possible to expedite recovery.
- Configurations of all systems have been documented for daily support and recovery purposes.
- Action Plans. The Security Manager shall coordinate the development of actions plans based on the threats identified on the risk analysis.
- Each plan consists of the "what to" actions to be performed.
- Plans shall consist of concise, short instructions of the specific actions to take in response to each of the problem scenarios that were identified.
- Action plans shall be reviewed and modify on an as needed basis.
- Testing the Contingency Plan. As indicated previously, the contingency plan shall be tested at random intervals not to exceed one year between intervals.
