Chapter 4 – Information Technology

It is the policy of the Department that each element of the Department utilizing information technology shall establish disaster recovery planning processes for identifying, assessing, and responding to the risks associated with its information assets. See the DOMDepartment Operations Manual 49010 for additional details.

The purpose of disaster recovery planning is to ensure continuity in computer operations for the support of critical applications, provide the greatest possible benefit from remaining limited resources, and achieve a systematic and orderly migration toward the resumption of all automation activities within the affected segment of the Department.

The information assets of the Department are distributed over many geographically separated entities. However, any usage of computer resources in CDC will fall within one of four different types. The primary factors associated with each type represent the complexity and scope of operational use of the computer or system involved. In the context of this policy, “system” means a computer program and the computer resources necessary to achieve the objective of the program. It is possible for similar computers to be classified differently depending upon the program being used. This is especially true in the inmate education area. DOMDepartment Operations Manual 47000 contains information on each of the critical systems utilized by the Department.

• Type 1

  • Most of the large, Departmentwide computer systems are comprised of a computer at a central site, and a telecommunication network (phone lines) with terminals, printer, modems, and controllers located at a local site. Examples of this type of configuration include the OBISOffender Based Information System, the Inmate Trust System, and the Personnel and Leave Accounting System.

  • Each of these systems would be affected by any disaster occurring within the data center or any disaster that would disrupt part or all of the communication lines. While the operational recovery of these systems is the data center’s responsibility, each of the user sites shall have contingency plans ready to enable actions that minimize disruptions to business activities.

• Type 2

  • The computer-based system is approved for departmental use and is to be implemented at all appropriate sites. This type of system can be found at many sites. These systems are not connected electronically. Each site uses the same programs to support the same work. Examples of Type 2 systems are the Critical Case Factor System and the microcomputer-based Inmate Appeals System: both of these are examples of stand-alone departmental ITS.

• Type 3

  • This type of computer system is normally found at only one site. Type 3 systems are created because the multipurpose work station is available and there is an identified need.

• Type 4

  • Type 4 systems are found only in the academic or vocational education areas. These systems are intended to be used strictly for the education of inmates.

The CDC approach to risk management requires that active support and ongoing participation be obtained from individuals representing multiple disciplines and all management levels. This includes the support of executive, program, and technical management, as well as owners, custodians, and users of the information.

• Director

  • It is the responsibility of the Director to assure that the Department’s information assets are protected from the effects of damage, destruction, and unauthorized or accidental modification, access, or disclosure. Specifically, the Director is responsible for ensuring the following:

    • Enforcement of State-level operational recovery policies.

    • Establishment and maintenance of internal policies and procedures that provide for the security of information technology facilities, software, and equipment, and the integrity and security of the Department’s automated information.

    • Department compliance with reporting requirements related to operational recovery.

    • Preparation and maintenance of the Department’s operational recovery plan, and the continuation of vital information support services in case of a disaster.

    • Participation of management during the planning, development, modification, and implementation of operational recovery policies and procedures.

• Information Security Officer

  • GCGovernment Code 1171 requires that the director of each State agency designate an Information Security Officer (ISOInformation Security Officer). The ISOInformation Security Officer is responsible for overseeing agency policies and procedures designed to protect the Department’s information assets. In accordance with State policy, the ISOInformation Security Officer shall be responsible to the CDC Director for such responsibilities.

  • Additionally, to avoid conflicts of interest, the ISOInformation Security Officer shall not have direct responsibility for information processing, information access management functions, or any departmental computer based systems, or have a reporting relationship to an organization that has such responsibilities. The ISOInformation Security Officer shall not have any special allegiance or bias toward a particular program or organization.

  • The responsibilities of an ISOInformation Security Officer include overseeing the following:

    • Development and maintenance of an operational recovery plan to protect the Department against the potential effects of a disaster.

    • Establishment of procedures to comply with control agency reporting requirements relating to operational recovery.

• Technical Management

  • Department technical management has the following responsibility relative to the Department’s operational recovery program:

    • Ensuring the implementation and maintenance of an operational recovery plan in cooperation with Department management, the ISOInformation Security Officer, and the assigned owners, users, and custodians of information.

• Program Management

  • Department program managers have the following responsibilities in relation to the CDC security program:

    • Establishing procedures necessary to comply with operational recovery policy pertaining to ownership, user, and, if appropriate, custodian responsibilities.

    • Ensuring that operational recovery plans are in place for hardware, software, and files or data bases for which the program is assigned ownership responsibility.

    • Ensuring that custodians of program information are provided the appropriate direction to implement the operational recovery plans that have been defined.

    • Ensuring that procedures are established to comply with departmental operational recovery reporting requirements.

• Internal Auditors

  • Internal auditors have the following responsibilities in relation to the Department’s operational recovery planning efforts:

    • Examination of the Department’s policies and procedures for compliance with State policies.

    • Examination of the Department’s policies and procedures for compliance with control agency audit requirements.

    • Examination of the effectiveness of the Department’s policies and procedures; identification of inadequacies within the existing operational recovery programs, and identification of possible corrective actions.

    • Provision of applicable findings to management, the ISOInformation Security Officer, and the owners, custodians, and users of information.

• QCQuality Control

  • The designated responsible QCQuality Control person/program has the following responsibilities in relation to the Department’s operational recovery program:

    • Review and evaluation of the effectiveness of operational recovery plans for automated ITS, whether under development or operational, and with particular emphasis on major systems.

• Information Owners

  • The owners of information are responsible for classifying the information, defining precautions for controlling access, disposing of the information, authorizing/denying access to the information, filing security incident reports, securing the signed security agreements and storing them for reference, and identifying (for the ISOInformation Security Officer) the level of acceptable risk.

  • The owners of CDC information are identified in the system library document maintained by the MISManagement Information Systems-SU.

• Information Users

  • It is the responsibility of all users to protect CDC resources, to note variances from established procedures, and to report such variances to the appropriate manager.

• Information Custodians

  • The custodians of information are responsible for complying with applicable laws and policies, complying with policies and procedures established by the owner and the ISOInformation Security Officer, advising the owner and the ISOInformation Security Officer of any threats to the information, and notifying the owners and the ISOInformation Security Officer of any violations of security policies, practices, or procedures.

Application Disaster Recovery Plan

• A plan devised to process an application after it has been disrupted for some period of time.

Back-up Procedures

• Methods used to recover computer programs and files after a disaster or system failure.

Contingency Planning

• The procedure of developing a back-up plan to restore business and data center operations in the event of a disaster or interruption. Also called “disaster recovery planning” or “business resumption planning.” Contingency Program The everyday work activities and procedures (e.g., backing-up critical data files) that fulfill the requirements of recoverability.

Disaster

• A human or natural occurrence causing destruction and distress, after which a business is deemed unable to function.

Disaster Recovery Operation

• The act of recovering from the effects of disruption to a computer facility, and the pre-planned restoration of facility capabilities.

Disaster Recovery Plan

• The preplanned steps that make possible the recovery of a business computer facility or the applications processed therein. Also called a “contingency plan” or “business resumption plan.”

Emergency Response

• The immediate action taken to protect hardware and sensitive magnetic media in the event of natural disasters, fire, power failures, equipment breakdown, theft, vandalism, or tampering.

Department Operational Recovery Plan

• The Department operational recovery plan shall cover a minimum of four topic areas:

  • Summary of the strategy for managing disaster situations.

  • Distinct management and staff assignment of responsibilities immediately following a disaster and continuing through the period of normal operations re-establishment.

  • Priorities for the recovery of critical applications.

  • Operational procedures documented in systematic fashion that shall allow recovery to be achieved in a timely and orderly way.

Type 1 and Type 2 Operational Recovery Plans

• All Type 1 and Type 2 systems shall require an operational recovery plan that answers the following questions:

  • Identification and evaluation of alternative recovery strategies.

  • Selection of the alternative that best responds to the organization’s requirements for disaster recovery.

  • Assessment of the resource requirements (space, equipment, communications, data, software, personnel, and time) required for operational recovery of the critical application.

The ITS Disaster Recovery Coordinator (ISDRC) for CDC is the computer operations section manager from ISDInformation Services Division (see EIS).

The ISDRC is responsible for maintaining a Department operational recovery plan that identifies computer applications deemed critical to the Department’s operations, the information assets that are necessary for those applications, and the Department’s plans for resuming operations following a disaster affecting those applications. The ISDRC shall coordinate the preparation of the operational recovery plan with the disaster recovery coordinator of the Institutions Division and with the CDC Data Center. The ISDRC is responsible for ensuring that periodic testing of the Department operational recovery plan is carried out.

The CDC Disaster Recovery Coordinator shall file an informational copy of the Department operational recovery plan with the Office of Information Technology, DOFDepartment Of Finance, no later than January 31 of each year. A copy of this plan shall be sent to the Teale Data Center.

Each request for approval to proceed with the development of a critical Department information system shall address the issue of the operational recovery of the system to be developed. All resource requirements associated with the operational recovery methods shall be identified as part of the critical ITS’ cost.

Prior to the implementation of any critical system, project management shall submit to ISDInformation Services Division (see EIS) a copy of the critical system’s operational recovery plan for inclusion in the annual submittal to the control agency.

The Chief, ISDInformation Services Division (see EIS), or designee shall be responsible for ensuring that the contents of this article are kept current and accurate.

GCGovernment Code § 1171.

DOMDepartment Operations Manual § 47000.

DOMDepartment Operations Manual § 49010.