Data Classification, Risk Assessment, Business Impact Analysis, Continuity of Operations, and Disaster Recovery
PPD-0357
Purpose - This document serves as the policy guideline for data classification and risk/business impact assessment for VIMS IT systems. It also establishes the policy for incorporating the findings into the overall VIMS Continuity of Operations Plan developed under Executive Order 44, Establishing Preparedness Initiatives in State Government (§ 44-146.17 of the Code of Virginia).
- Data Classification
The VIMS Data Classification section of this Policy is superseded by the W&M Policy on the W&M website:
https://www.wm.edu/offices/ce/policies/it-security/data-classification.php
- Business Impact Analysis and Risk Assessment
ITNS will maintain a Business Impact Analysis (BIA) and Risk Assessment (RA) for the operation of the network, telephone system and related systems. In 2007, VIMS established a procedure for developing an Institution-wide Continuity of Operations Plan under Executive Order 44, Establishing Preparedness Initiatives in State Government (§ 44-146.17 of the Code of Virginia).
The VIMS CIO is a participant in the disaster recovery planning that is ongoing as part of this initiative at VIMS. Therefore, the findings of this Risk Assessment (above) will be incorporated into that planning process, rather than addressed here.
- Disaster Recovery Planning
ITNS will maintain a Disaster Recovery Plan for the operation of the network, telephone system and related systems. This plan will detail the steps necessary to restore essential agency IT functions.
This plan will be reviewed annually as part of the regular IT Security review (see PPD-0350), and approved by the VIMS CIO and the VIMS Chief Operations Officer (COO).