SP 6-10o – Information Technology Continuity
Colorado Community College System / System Procedure
SP 6-10o
APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCES:
Board Policy (BP) 6-10, Cyber Security Policy
System Procedure (SP) 6-10f, Backup and Recovery
APPROVED:
/ Joe Garcia /
Joseph A. Garcia
Chancellor
BASIS
This procedure documents the roles and responsibilities regarding Colorado Community College System and its Colleges’ (“CCCS”) Information Technology (“IT”) Continuity Program.
APPLICATION
This procedure applies to System and Colleges and Information Systems that process and/or store CCCS information, regardless of where the systems reside and whether they are maintained directly by the System’s IT Department (“System IT”), the College IT Department (“College IT”) or maintained/provided by a third-party vendor.
DEFINITIONS
Disaster
Situation where widespread human, material, economic or environmental losses have occurred which exceeded the ability of the affected organization, community or society to respond and recover using its own resources.
Disruption
An event that interrupts normal business, functions, operations, or processes, whether anticipated (e.g., hurricane, political unrest) or unanticipated (e.g., a blackout, terror attack, technology failure, or earthquake).
Recovery Time Objective (RTO)
Recovery Time Objective (RTO) is defined as the amount of time required for recovery and restoration of business function.
Recovery Point Objective (RPO)
Recovery Point Objective (RPO) is defined as the point in time to which data must be recovered after a disaster.
PROCEDURE
The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.
CCCS shall maintain a System-wide and Colleges will maintain a College-wide IT Continuity Program to ensure recovery from an unplanned event that renders System’s IT services or College’s IT services unable to conduct operations in the normal manner.
This includes Disruption of Information Systems or a Disaster. The IT Continuity Program shall use a framework of industry best practices that include:
- Program Governance
- Technology Impact Analysis
- IT Continuity and Recovery Planning
- Recovery Plan Testing
Program Governance
There are two (2) levels of program governance: Strategic, and Tactical and Operational. Strategic governance shall be provided by the IT Executive Governance Committee that provides funding and leadership direction.
Tactical and Operational governance shall be provided by the IT Continuity Team. The IT Continuity Team shall be comprised of System Office and/or the Colleges from both operations and IT experts and is tasked with implementing, creating, maintaining and testing the recovery plans for their respective areas of responsibility.
Technology Impact Analysis
Processes, applications and Information Systems shall be assessed to determine their relative criticality to CCCS and the individual Colleges. The IT Continuity Program shall define operations and IT recovery priorities by performing a Technology Impact Analysis (“TIA”). The TIA documents recovery requirements for both functional (business) and technical components RTO and RPO. The TIA shall be updated annually, and as significant IT changes occur, the resulting priorities approved by the IT Continuity Team.
IT Continuity and Recovery Planning
The IT Continuity Program shall ensure that critical processes, people, applications and Information Systems have recovery plans in place to reduce the risk and minimize the impact of any Disruption or Disaster. This is to include procedures to recover or restart critical functions, whether the function is performed internally or by third-party vendors.
The IT Continuity Program is responsible for ensuring an annual review of IT Continuity and Disaster Recovery plans (IT-DRP). IT-DRPs shall be reviewed and approved annually by the IT Continuity Team at the System Office and/or the Colleges.
The IT Emergency Response Plan (IT-ERP) documents procedures to ensure that CCCS can effectively respond to emergency situations at its facilities. The IT-ERP addresses the following events as it relates to impacts to IT:
- Human Error
- Natural Disaster
- Power Outage
- Facilities Damage
- Pandemic Incident
- Catastrophic Hardware Failure
- Cyber Attacks
The IT-ERP shall be reviewed and approved annually by the IT Continuity Team, Manager of Information Security, and IT Directors for CCCS Colleges. The IT Continuity Program shall document and store continuity plans in a designated central repository that is backed up to an alternate location.
Recovery Plan Testing
The IT Continuity Program shall ensure that recovery plans are tested. The type of test, scope and frequency shall be determined by CCCS and individual College leadership. Exercise results shall be documented and reported to CCCS’s Manager of Information Security, Director of Emergency Management, and IT Executive Governance Committee.
REVISING THIS PROCEDURE
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.