CP-2: Contingency Plan
NIST Baseline: Low
DIR Required By: 07/20/2023
Review Date: 07/09/2024
- Information resource owners or their designees, in coordination with the Tarleton Chief Information Security Officer (CISO), are responsible for developing and maintaining a contingency plan for High Impact Information Resources. The plan for each system will include:
  - A plan for maintaining essential mission and business functions despite a system disruption, compromise, or failure to the extent feasible, in accordance with Section 412.054 of the Labor Code;
  - A Business Impact Analysis including:
    - An assessment of the impact and magnitude of loss or harm that will result if a major or catastrophic event happens;
    - A listing of essential mission and business functions supported by the information resource and any associated contingency requirements.
    - Recovery time objectives, recovery point objectives, and restoration priorities;
    - Relevant contact information for organizations or individuals who provide or receive data and support the resource’s infrastructure;
    - A listing of dependent information resources; and
    - Recovery procedures for High Impact information if cryptographic keys are lost.
  - A Disaster Recovery Plan as documented in Control CP-10, System Recovery and Reconstitution; and
  - Steps to coordinate with the Tarleton ITS Security Team and CISO for handling information security incidents.
- Contingency plans must be:
  - Reviewed and approved by the Tarleton CISO;
  - Updated periodically by applicable information resource owners and/or their designees;
  - Distributed to key personnel; and
  - Protected from unauthorized disclosure and modification.