HSC Contingency Plan Policy
8/2/2019
The University of Illinois at Chicago Health Science Colleges
Policies, Procedures, Forms, Guides
POLICY NUMBER: 3
Contingency Plan Policy, Version 3.0
INFORMATION SYSTEMS SECURITY POLICY NAME: CONTINGENCY PLAN CONTROLS
Responsible Office: HSC IT Group
Effective Date: 10/31/2011
Responsible Official: William Chamberlin
Last Revision: 10/31/2011
Policy Sections
3.0 Purpose
3.1 Policy Delegation
3.2 Policy
3.2.1 Data Backup Plan
3.2.2 Disaster Recovery Plan
3.2.3 Emergency Mode Operation Plan
3.2.4 Testing and Revision Procedure
3.2.5 Applications and Data Criticality Analysis
3.3 Policies or Procedures Required by or Referencing this Policy
3.4 Forms Required by or Referencing this Policy
3.5 Guidelines Required by or Referencing this Policy
3.6 Standards Required by or Referencing this Policy
3.7 Violations
3.8 Policy Authority
3.9 Responsibility for Process and Procedure
3.10 Compliance Monitor
3.11 Special Situations/Exceptions
3.12 Contacts
3.13 Revision History
3.0 Purpose
The Health Science Colleges have adopted this policy to provide a framework for
contingency planning within the Colleges. This Policy covers the contingency planning
policy, application and data criticality, preventive measures, recovery strategy, data
backup and disaster recovery planning, development and implementation of an
emergency mode operation plan, and developing and testing revision procedures.
This Policy is a statement of the minimum requirements, responsibilities, and accepted
behaviors required to establish and maintain a secure technology environment within
the Health Sciences Colleges, as well as to achieve the stated security objectives. This
information security Policy emphasizes the Health Sciences Colleges' commitment to
strong information security; any individuals who use the information technology
resources of the Health Sciences Colleges or the University resources that they depend
upon are required to adhere to this Policy.
The University's Combined Covered Entity[1], including the Health Sciences Colleges, is
committed to securing and protecting High Risk data[2] including electronic Protected
Health Information (ePHI),[3] in accordance with widely accepted information systems
security best practices and standards including those established by the International
Organization for Standardization and the International Electrotechnical Commission
(IEC); the ISO/IEC 27000 series of Information Systems Security standards; the
National Institute of Standards and Technology (NIST) Information Security Standards
and Guides; and the Standards for Security and Privacy of individually identifiable
health information established by the Department of Health and Human Services under
the Health Insurance Portability and Accountability Act of 1996 (HIPAA) subject to later
modification by the Health Information Technology for Economic and Clinical Health
(HITECH) Act of 2009 as part of the American Recovery and Reinvestment Act (ARRA)
of 2009.
[1], [2], [3] See Covered Entity, High Risk data, and electronic Protected Health Information (ePHI)
definitions in HSC Policy Definitions
3.1 Policy Delegation
An individual Health Science College may delegate the duties herein to departments or
other units within the individual Health Science College, or to other campus units or
external vendors. If a duty is delegated, then a Service Agreement defining what is
delegated, to whom it is delegated, and the duties still required of the individual Health
Science College will be identified.
3.2 Policy
3.2.1 Data Backup Plan
a. The business units will establish and implement a Data Backup Plan that will
detail all backups to be performed, media used for the backups, location used to
store the backups, and that will allow for retrieval of copies of all data and files on
systems in the event of an emergency, significant interruption, and/or disaster.
b. The Data Backup Plan will require that a copy of all media used for the backups
be stored in a physically secure location off-site.
c. All individuals with specific responsibilities in the Data Backup Plan must be
trained in those responsibilities.
d. The Data Backup Plan will be documented and available to key personnel.
3.2.2 Disaster Recovery Plan
a. The individual Health Science Colleges and their business units will create a
Disaster Recovery Plan with procedures to recover the Colleges' systems and
data in a timely manner from an emergency, significant outage, or disaster such
as fire, vandalism, terrorism, system failure, or natural disaster.
b. The Disaster Recovery Plan will include procedures to restore data from backups,
and the necessary steps and procedures to restore, recover, and resume Critical
Levels[4] 1, 2, and 3 processes, functions, and technology infrastructure
components of the College.
c. The Disaster Recovery Plan will include a set of procedures, plans, and details to
be used for all identified contingencies, including emergency-mode operations
planning. The recovery site, recovery responsibilities, and service levels, along
with Recovery Point Objectives and Recovery Time Objectives, will be identified.
d. All individuals with specific responsibilities in the Disaster Recovery Plan must
be trained in those responsibilities.
e. The Disaster Recovery Plan will be documented and available to key personnel. A
complete copy of the current Disaster Recovery Plan, or copy of the portion
pertinent to personnel performing recovery efforts, will be retained off-site in a
reliably retrievable form by the relevant personnel as identified in the Plan.
3.2.3 Emergency Mode Operation Plan
a. Each business unit will establish procedures to enable continuation of business
processes in Critical Levels[5] 1, 2, and 3 to ensure protection of the security of
ePHI while operating in an Emergency Mode.
b. Additionally, a business unit may establish an Emergency Operation Plan to
address matters besides ePHI such as continuing critical business operations
requiring secure access to the more generic data class, High Risk Data.
c. All individuals with specific responsibilities in the Emergency Mode Operation
Plan must be trained in those responsibilities.
d. The Emergency Mode Operation Plan will be documented and available to key
personnel.
[4] See Critical Level definition in HSC Policy Definitions
[5] See Critical Level definition in HSC Policy Definitions
3.2.4 Testing and Revision Procedure
The Health Science College and the business units will establish a process to test the
Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operations Plan.
Testing should occur after all individuals with specific responsibilities have been trained
in their respective roles and duties.
3.2.5 Applications and Data Criticality Analysis
The individual Health Science Colleges and their business units will assess the relative
criticality of their specific applications and data in support of other Contingency Plan
components.
3.3 Policies or Procedures Required by or Referencing this Policy
This: References:
HSC Policy 4.2.4, Develop Data Backup and Storage Procedures 3.2.1
3.4 Forms Required by or Referencing this Policy
None
3.5 Guidelines Required by or Referencing this Policy
None
3.6 Standards Required by or Referencing this Policy
None
3.7 Violations
Any individual found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment, regardless of tenure status.
3.8 Policy Authority
Health Science Colleges Information Technology Group
3.9 Responsibility for Process and Procedure
The Individual Health Science College Information Security Officer
3.10 Compliance Monitor
The Individual Health Science College Information Security Officer
3.11 Special Situations/Exceptions
Any exceptions to this policy must be approved by the College Information Security
Officer or delegate.
3.12 Contacts
Subject: Interpretation of Policy
Contact and Phone:
Applied Health Sciences: Mike Kirda, 312-996-8236; Dr. Annette Valenta, 312-996-1452
Dentistry: Jay Dean, 312-996-7495
Medicine: Andre Pavkovic, 312-413-1154
Nursing: Ursula Brozek, 312-996-8883; Bala Ramaraju, 312-355-3651
Pharmacy: Philip J. Reiter, 312-996-4682
Public Health: Faith Davis, 312-996-5019; Dr. Sylvia Furner, 312-996-5013; La Don Reed, 312-996-3891
3.13 Revision History
12/10/2007 Initial draft composed by College of Medicine: Ian Huggins,
Robert McAuley, Andre Pavkovic
3/25/2009 Reviewed and Approved by HSC IT Group
College of Medicine: Robert McAuley, Andre Pavkovic, Ian
Huggins.
College of Applied Health Sciences: Mike Kirda, Dr. Annette
Valenta.
College of Dentistry: Jay Dean.
College of Nursing: Bala Ramaraju.
College of Pharmacy: Philip Reiter.
School of Public Health: La Don Reed
(with input by Academic Computing and Communications Center
and University of Illinois Medical Center)
3/03/2010 Updated 1.12 Contacts, completed first annual review of HSC
Policies
7/07/2011 10/2010 through 6/2011 HSC IT Group Review of Policies -
Edited by Judith Grobe Sachs; Group's following consensus
revisions summarized by Ian Huggins
7/21/2011 Updated language by Mike Kirda, Judith Grobe Sachs, and Doug
McCarthy
8/19/2011 Updated language, added numbering and automatic table of
contents, added cross-references by Doug McCarthy.
10/31/2011 HSC IT Group approval of 10/2010 through 8/2011 Policy
revisions, this completes the second annual review of the Policies.