
The University of Illinois at Chicago Health Science Colleges

Policies, Procedures, Forms, Guides
POLICY NUMBER: 3 INFORMATION SYSTEMS SECURITY POLICY NAME: CONTINGENCY PLAN CONTROLS
Responsible Office: HSC IT Group
Effective Date: 10/31/2011
Last Revision: 10/31/2011

Responsible Official: William Chamberlin

Policy Sections
3.0 Purpose (page 2)
3.1 Policy Delegation (page 3)
3.2 Policy (page 3)
3.2.1 Data Backup Plan (page 3)
3.2.2 Disaster Recovery Plan (page 3)
3.2.3 Emergency Mode Operation Plan (page 4)
3.2.4 Testing and Revision Procedure (page 5)
3.2.5 Applications and Data Criticality Analysis (page 5)
3.3 Policies or Procedures Required by or Referencing this Policy (page 5)
3.4 Forms Required by or Referencing this Policy (page 5)
3.5 Guidelines Required by or Referencing this Policy (page 5)
3.6 Standards Required by or Referencing this Policy (page 5)
3.7 Violations (page 5)
3.8 Policy Authority (page 5)
3.9 Responsibility for Process and Procedure (page 6)
3.10 Compliance Monitor (page 6)
3.11 Special Situations/Exceptions (page 6)
3.12 Contacts (page 6)
3.13 Revision History (page 7)

POLICY NUMBER: 3 Contingency Plan Policy Version 3.0

Page 1 of 7


3.0 Purpose
The Health Science Colleges have adopted this policy to provide a framework for contingency planning within the Colleges. This Policy covers the contingency planning policy, application and data criticality, preventive measures, recovery strategy, data backup and disaster recovery planning, development and implementation of an emergency mode operation plan, and developing and testing revision procedures.

This Policy is a statement of the minimum requirements, responsibilities, and accepted behaviors required to establish and maintain a secure technology environment within the Health Sciences Colleges, as well as to achieve the stated security objectives. This information security Policy emphasizes the Health Sciences Colleges' commitment to strong information security; any individuals who use the information technology resources of the Health Sciences Colleges, or the University resources that they depend upon, are required to adhere to this Policy. The University's Combined Covered Entity [1], including the Health Sciences Colleges, is committed to securing and protecting High Risk data [2], including electronic Protected Health Information (ePHI) [3], in accordance with widely accepted information systems security best practices and standards, including those established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); the ISO/IEC 27000 series of Information Systems Security standards; the National Institute of Standards and Technology (NIST) Information Security Standards and Guides; and the Standards for Security and Privacy of individually identifiable health information established by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), subject to later modification by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 as part of the American Recovery and Reinvestment Act (ARRA) of 2009.

[1], [2], [3] See the Covered Entity, High Risk data, and electronic Protected Health Information (ePHI) definitions in HSC Policy Definitions.


3.1 Policy Delegation
An individual Health Science College may delegate the duties herein to departments or other units within the individual Health Science College, or to other campus units or external vendors. If a duty is delegated, then a Service Agreement defining what is delegated, to whom it is delegated, and the duties still required of the individual Health Science College will be identified.

3.2 Policy

3.2.1 Data Backup Plan

a. The business units will establish and implement a Data Backup Plan that will detail all backups to be performed, media used for the backups, and the location used to store the backups, and that will allow for retrieval of copies of all data and files on systems in the event of an emergency, significant interruption, and/or disaster.
b. The Data Backup Plan will require that a copy of all media used for the backups be stored in a physically secure location off-site.
c. All individuals with specific responsibilities in the Data Backup Plan must be trained in those responsibilities.
d. The Data Backup Plan will be documented and available to key personnel.

3.2.2 Disaster Recovery Plan

a. The individual Health Science Colleges and their business units will create a Disaster Recovery Plan with procedures to recover the Colleges' systems and data in a timely manner from an emergency, significant outage, or disaster such as fire, vandalism, terrorism, system failure, or natural disaster.
b. The Disaster Recovery Plan will include procedures to restore data from backups, and the necessary steps and procedures to restore, recover, and resume Critical Levels [4] 1, 2, and 3 processes, functions, and technology infrastructure components of the College.
c. The Disaster Recovery Plan will include a set of procedures, plans, and details to be used for all identified contingencies, including emergency-mode operations planning. The recovery site, recovery responsibilities, and service levels, along with Recovery Point Objectives and Recovery Time Objectives, will be identified.
d. All individuals with specific responsibilities in the Disaster Recovery Plan must be trained in those responsibilities.
e. The Disaster Recovery Plan will be documented and available to key personnel. A complete copy of the current Disaster Recovery Plan, or a copy of the portion pertinent to personnel performing recovery efforts, will be retained off-site in a reliably retrievable form by the relevant personnel as identified in the Plan.

3.2.3 Emergency Mode Operation Plan

a. Each business unit will establish procedures to enable continuation of business processes in Critical Levels [5] 1, 2, and 3 to ensure protection of the security of ePHI while operating in an Emergency Mode.
b. Additionally, a business unit may establish an Emergency Operation Plan to address matters besides ePHI, such as continuing critical business operations requiring secure access to the more generic data class, High Risk Data.
c. All individuals with specific responsibilities in the Emergency Mode Operation Plan must be trained in those responsibilities.
d. The Emergency Mode Operation Plan will be documented and available to key personnel.

[4] See the Critical Level definition in HSC Policy Definitions.
[5] See the Critical Level definition in HSC Policy Definitions.

3.2.4 Testing and Revision Procedure
The Health Science College and the business units will establish a process to test the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operations Plan. Testing should occur after all individuals with specific responsibilities have been trained in their respective roles and duties.

3.2.5 Applications and Data Criticality Analysis
The individual Health Science Colleges and their business units will assess the relative criticality of their specific applications and data in support of other Contingency Plan components.

3.3 Policies or Procedures Required by or Referencing this Policy

This Policy section | References
3.2.1 | HSC Policy 4.2.4, Develop Data Backup and Storage Procedures

3.4 Forms Required by or Referencing this Policy
None

3.5 Guidelines Required by or Referencing this Policy
None

3.6 Standards Required by or Referencing this Policy
None

3.7 Violations
Any individual found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, regardless of tenure status.

3.8 Policy Authority
Health Science Colleges Information Technology Group
3.9 Responsibility for Process and Procedure
The Individual Health Science College Information Security Officer

3.10 Compliance Monitor
The Individual Health Science College Information Security Officer

3.11 Special Situations/Exceptions
Any exceptions to this policy must be approved by the College Information Security Officer or delegate.

3.12 Contacts

Subjects: Applied Health Sciences; Dentistry; Medicine; Interpretation of Policy; Pharmacy; Public Health; Nursing.

Contact | Phone
Mike Kirda | 312-996-8236
Dr. Annette Valenta | 312-996-1452
Jay Dean | 312-996-7495
Andre Pavkovic | 312-413-1154
Ursula Brozek | 312-996-8883
Bala Ramaraju | 312-355-3651
Philip J. Reiter | 312-996-4682
Faith Davis | 312-996-5019
Dr. Sylvia Furner | 312-996-5013
La Don Reed | 312-996-3891

3.13 Revision History

12/10/2007 Initial draft composed by College of Medicine: Ian Huggins, Robert McAuley, Andre Pavkovic.
3/25/2009 Reviewed and Approved by HSC IT Group. College of Medicine: Robert McAuley, Andre Pavkovic, Ian Huggins. College of Applied Health Sciences: Mike Kirda, Dr. Annette Valenta. College of Dentistry: Jay Dean. College of Nursing: Bala Ramaraju. College of Pharmacy: Philip Reiter. School of Public Health: La Don Reed (with input by Academic Computing and Communications Center and University of Illinois Medical Center).
3/03/2010 Updated 1.12 Contacts, completed first annual review of HSC Policies.
7/07/2011 10/2010 through 6/2011 HSC IT Group Review of Policies. Edited by Judith Grobe Sachs; Groups following consensus revisions summarized by Ian Huggins.
7/21/2011 Updated language by Mike Kirda, Judith Grobe Sachs, and Doug McCarthy.
8/19/2011 Updated language, added numbering and automatic table of contents, added cross-references by Doug McCarthy.
10/31/2011 HSC IT Group approval of 10/2010 through 8/2011 Policy revisions; this completes the second annual review of the Policies.
