Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 68 – Technology Recovery Planning Policy

49250.4 Policy Directives

  • The department shall:

    • Ensure that recovery capabilities and requirements are considered during the earlier stages of solution planning, and that recovery strategies and plans are developed and implemented for all information technology systems supporting the organization’s business services.

    • Ensure that Business Impact Analyses (BIAs) identify mission and state critical processes, and regularly review critical infrastructure and associated contingency requirements (e.g., systems supporting essential state, organizational missions, and business functions). BIAs shall include acceptable periods of non-availability of the system, restoration time requirements and acceptable data loss. The department’s business divisions are responsible for conducting and updating BIAs. The Owners of Information Assets and Information Asset Custodians shall be closely engaged throughout the BIA process. BIAs shall be reviewed and updated according to the organization’s defined standard, or sooner if there is a major change in the department’s business process or technical environment.

    • Ensure that state critical Information Technology (IT) systems supporting department mission critical business functions, essential state functions, and critical infrastructure (if applicable) are identified and included in the TRP.

    • Ensure that the department’s technology recovery program incorporates change management and quality assurance processes.

    • Ensure that the TRP is developed, documented, regularly tested, maintained, and continually improved in order to resume the department and State’s essential mission and business functions under adverse or disruptive conditions. Ensure the TRP is reviewed annually and updated as needed.

    • Ensure that a department recovery strategy is defined, documented and implemented. The strategy shall describe how recovery will be accomplished based on levels of incident impact. The recovery strategy shall consider department relevant technology and security risks in determining the most appropriate recovery option.

    • Ensure that alternate technology backup and recovery sites are provisioned as required to support essential mission and business functions.

    • Ensure that TRPs contain detailed resource requirements for each IT system to support recovery efforts, including information assets and personnel.

    • Ensure that roles and responsibilities for members of department technology recovery teams are defined and documented, and that they are suitably trained according to their roles. This includes, but is not limited to, maintaining the security of technology recovery assets.

    • Ensure that TRPs integrate appropriate communication strategies and information to collaborate with other teams and plans, including disaster incident management, security incident response teams and plans, procedures for notification, reporting in the California Compliance and Security Incident Reporting System (Cal-CSIRS), and collaboration and communication with internal teams and external entities as needed. TRPs and other plans shall include roles and responsibilities, decision-making protocols, staff assignment, and guidance on activities to be performed during disaster response and recovery phases.

    • Ensure that TRPs are coordinated with other state entities’ contingency, emergency management plans, incident management plans, and teams as appropriate.

    • Ensure that components of the TRP are exercised annually and the staff are trained for their roles during the recovery and response phases. Lessons learned shall be documented and addressed as part of the annual update and maintenance plan.

    • Ensure that gaps between the department’s current and required capabilities for system recovery are identified and reported to the organization’s management and to the state Office of Information Security (OIS), along with the plans to remediate the gaps as identified in the Plan of Action and Milestones (POAM).

    • Ensure that department TRPs are submitted to the state Office of Information Security, in accordance with the Information Security Compliance Reporting submission schedule.