L&I, Office of Information Technology Policy SYM-001

(PDF)

1. Purpose

This policy defines the requirement for contingency planning to be developed and implemented by the Department of Labor & Industry (L&I). These contingency plans describe the processes to recover Information Technology (IT) Systems, Applications and Data from any type of disruption or disaster. This policy also provides directions and identifies guidelines regarding Disaster Recovery(DR), fulfilling the requirements of the Internal Revenue Service (IRS) Publication 1075, and requirements defined by the Social Security Administration (SSA). This policy documents the implementation of the National Institute of Standards and Technology (NIST) Security Controls: CP-1, CP-2, CP-3 CP-4, CP-5, CP-6, CP-7 & CP-10 Per SP 800-53 R4.

2. Background

This policy is published under the general authority of the Governor’s Office of Administration / Office of Information Technology (OA/OIT) in conjunction with IRS Publication 1075 in that it identifies key roles and responsibilities regarding contingency planning and training. IRS Publication 1075 provides direction regarding acceptable contingency planning and training standards to help ensure that the agency is prepared and equipped to handle future events or circumstances.

All Federal Tax Information (FTI) that is transmitted to L&I is backed up and protected within IRS facilities ensuring availability in the event of a disruption or disaster, including cyberattack. L&I’s contingency planning controls for FTI will be focused on the confidentiality and integrity of FTI stored in backup media or used at alternative facilities. L&I will develop applicable contingencies for ensuring that FTI is available based upon L&I’s risk-based approach. L&I will also develop contingencies for the restoration of other services as quickly as possible.

3. Scope

This policy applies to all employees, contractors, temporary personnel, members of boards, commissions and councils, agents, and vendors in the service of L&I (hereinafter referred to collectively as “L&I Users”).

4. Policy

1. Contingency Plans
   
   L&I Office of Information Technology (OIT) and L&I business area management shall develop a Contingency Plan (CP) for each system.
   
   OIT shall coordinate with the business areas within L&I to rate each application according to a Business Impact Analysis (BIA) annually. The BIA will be conducted for each business area application to evaluate the business critical function, Maximum Tolerable Downtime (MTD), Return to Operation (RTO) timeline, Recovery Point Objective (RPO), capacity requirements, and current DR plan. The BIA will determine systems and their order on the Mission Critical Applications (MCA) list.
   
   OIT shall work with the Continuity of Operations Planning (COOP) coordinator to develop communications plans for an MCA outage and cyberattack, and review these annually.
   
   OIT shall develop an order of succession plan for each bureau, division and section in support of the MCAs, and will review these annually with the COOP coordinator.
   
   OIT shall work with the business areas within L&I to categorize data per ITP-SEC019.
   
   OIT shall develop internal DR procedures for the recovery of all MCAs based on agreed upon RTO and RPO standards. These DR procedures will be reviewed annually or when there is a significant change in the architecture or infrastructure supporting the MCA.
   
   OIT shall plan for the transfer of all essential mission critical functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustain that continuity through restoration to primary processing and/or storage sites.
   
   OIT shall configure the alternate processing site so that it is ready to be used as the operational site supporting essential missions and business functions.
   
   OIT shall ensure that the alternate processing site provides equivalent information security controls to that of the primary site.
   
   OIT shall certify that the security controls are adequate for security needs.
   
   
2. Contingency Training
   
   All CP and DR plans must be tested annually to validate the plan and train staff.
   
   Training exercises can consist of tabletop exercises, DR tests, up to partial or full transition of production services to the DR site. The business area and OIT will jointly determine the schedule and extent of the training exercise.
   
   All contingency plans and DR training exercises will include an After Action Review (AAR), which will be recorded with the results of the training. Failures or unsuccessful tests must be documented and be part of the next successive CP or DR test.
   
   Documentation of all tests including a synopsis of the exercise and AAR will be saved with each MCA contingency plan for review by the COOP coordinator.

5. Responsibilities

1. L&I User responsibilities:
   
   
   • Comply with all L&I policies, management directives, and laws; and
     
     
   • Adhere to all established CP policies and procedures; and
     
     
   • Participate in CP and DR testing and training exercises as required; and
     
     
   • Report any violations of policies promptly to the L&I Information Security Officer at LI, OIT-DLICISO.
     
     
2. L&I management responsibilities:
   
   
   • Comply with all L&I policies and ensure L&I users comply with the policies; and
     
     
   • Follow this policy and any procedures regarding contingency planning or training; and
     
     
   • Adhere to this policy and any published procedures regarding contingency planning.

6. References

L&I Policy Definitions Document

ITP-SEC019 Policy and Procedures for Protecting Commonwealth Electronic Data

MD 205.41 Commonwealth of Pennsylvania Continuity of Operations (COOP) Program

Executive Order 2012-05 Commonwealth Continuity of Government

IRS Publication 1075

SP 800-53 R4 Security Controls and Assessment Procedures for Federal Information Systems and Organizations

7. Version Control