Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/25/2021
To specify the requirements for the development and maintenance of a plan for the District of Columbia Government (“District”) to contain and recover from any emergencies, disasters, and other occurrences (for example fire, vandalism, system failure, natural disaster, etc.) that may affect the District information systems.
DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This policy applies to all District workforce members performing official functions on behalf of the District, and/or any District agency or entity that receives enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.
4.1 Contingency Plan
All the District agencies must:
- Develop a contingency plan for the information system that:
- Identifies essential missions, business functions, and contingency requirements.
- Provides recovery objectives, restoration priorities, and metrics.
- Addresses contingency roles and responsibilities for assigned individuals and provides contact information.
- Addresses the maintenance of essential missions and business-critical functions during an information system disruption, compromise, or failure.
- Addresses the full restoration of information systems without the deterioration of security safeguards.
- Is reviewed and approved by Senior Management, ISOs, and ISCP (information system contingency plan) Coordinators.
- Distribute copies of the contingency plan to the ISO, Senior Management, and the appropriate teams (e.g., Network Operations, Security Operations) on an as-needed basis.
- Coordinate contingency planning activities with incident handling activities.
- Review the contingency plan on an annual basis.
- Update the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.
- Communicate contingency plan changes to Senior Management, ISOs, ISSOs, and ISCP Coordinators.
- Protect the contingency plan from unauthorized disclosure and modification.
4.2 Contingency Training
All the District agencies must provide contingency training to information system users consistent with assigned roles and responsibilities:
- Within 30 days of assuming a contingency role or responsibility.
- When required by information system changes.
- Annually, or more frequently as needed, thereafter.
4.3 Contingency Plan Testing
All the District agencies must coordinate contingency plan testing with the District departments and groups responsible for related plans. A copy of the test report must be provided to the District agencies.
Agencies must do the following:
- Test the contingency plan for the information system annually, using test methodologies such as Tabletop Exercises, to determine the effectiveness of the plan and the organizational readiness to execute the plan.
- Review the contingency plan test results.
- Initiate corrective actions, if needed.
4.4 Information System Backup
All the District agencies must:
- Conduct backups of user-level information contained in the information system on a daily (available for up to four (4) weeks), weekly, and monthly basis consistent with recovery time and recovery point objectives.
- Conduct backups of system-level information contained in the information system on a daily (available for up to four (4) weeks), weekly, and monthly basis consistent with recovery time and recovery point objectives.
- Conduct backups of information system documentation including security-related documentation on a monthly and annual basis, and/or when updates are required, consistent with recovery time and recovery point objectives.
- Protect the confidentiality, integrity, and availability of backup information at storage locations.
4.5 Information System Recovery and Reconstitution
All the District agencies must provide for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”).
The definition of the terms used in this document can be found in the Policy Definitions website.