Policy 7230A - Department of Administration
9.3 Contingency Operations

To facilitate contingency operations, the State of Kansas requires the assignment of
designated responsibility for contingency operations to a contingency response team.
In the event that an incident occurs, the members of this team will be charged with
executing the contingency plan. To ensure that this team is fully prepared for its
responsibilities, all team members will be trained in contingency operations within 90
days of appointment to the team and thereafter on an at least annual basis.

Contingency response is to be tested annually through the use of table top exercises
and at least every five years through the use of a full-scale test. The results of these
tests will be documented and shared with security, IT and senior management. These
results will be used in the annual review and, where required, update of the
contingency plan.

As a component of the contingency plan, information system backups will be taken on
a regular basis. At a minimum, full system backups will be taken monthly. For critical
systems, at a minimum, additional incremental weekly backups will also be taken. A
copy of each backup will be kept on site while secondary copies will be transported to
offsite storage locations. These backups will be protected to ensure integrity and strict
physical access controls. Further, to ensure that information systems are restorable,
backups will be randomly tested such that a backup for each information system is
tested at least annually. Random testing will be required for a minimum of a single
tape from one complete back-up run.

In the event that an information system must be restored from a backup, before it can
be declared production operational, it must be returned to a known secure state as
defined by the appropriate baseline. This known secure state must include the
application of all patches, hot fixes and other security control mechanisms.