Category: Security Architecture
Applicability: Applies to all public entities and state government agencies, excluding higher education institutions
History: Adopted on August 4, 2006.
Each agency must have an Information Technology Disaster Recovery Plan that supports the resumption and continuity of computer systems and services in the event of a disaster. The plan will cover processes and procedures, and provide contingencies to restore operations of critical systems and services as prioritized by each agency. The Disaster Recovery Plan for Information Technology may be a subset of a comprehensive Agency Business Resumption Plan, which should include catastrophic situations and long-term disruptions to agency operations.
The Information Technology Disaster Recovery Plan should be effective, yet commensurate with the risks involved for each agency. The following elements, at a minimum, must be included:
The purpose of this document is to define, clarify, and standardize Information Technology Disaster Recovery Planning of State government agencies.
Information Technology Disaster Recovery Plans are based on the following premises:
It has value to the organization and needs to be suitably protected.
Continuity of information resources and supporting critical systems and services must be ensured in the event of a disruption to business or a disaster.
Procedures required to ensure critical systems and services can be recovered and business continuity sustained must be cost effective and commensurate with the value of the assets being protected.
The primary objectives of this Standard are:
To communicate responsibilities for the continuity of government operations.
To establish a plan for restoration of operations following a disaster.
To reduce the risk of loss of state information assets.
To provide a process for the recovery of critical systems and services.
Agency: Any governmental entity, including state government, local government, or third party entities under contract to the agency.
Agency Business Resumption Plan: Documents how an agency will continue to function during a disaster.
Note: Items found in an Agency Business Resumption Plan may include, but are not limited to:
Critical Systems and Services: Those systems, system components (hardware, data, or software), or services that if lost or compromised would jeopardize an agency's ability to continue agency operations.
Disaster: Any event that threatens or causes the destruction or availability of critical systems and services.
This standard applies to all state government agencies, except Higher Education and those agencies receiving an exemption under Section 4.1. Compliance with Nebraska Information Technology Commission (NITC) standards will be a requirement during consideration of funding for any projects requiring review by the NITC and may be used in audit reviews or budget reviews.
Exemptions may be granted by the NITC Technical Panel upon request by an agency.
Any agency may request an exemption from this standard by submitting a "Request for Exemption" to the NITC Technical Panel. Requests should state the reason for the exemption. Reasons for an exemption include, but are not limited to: statutory exclusion, federal government requirement, or financial hardship. Requests may be submitted to the Office of the NITC via e-mail or letter (Office of the NITC, 521 S 14th Street, Suite 301, Lincoln, NE 68508). The NITC Technical Panel will consider the request and grant or deny the exemption. A denial of an exemption by the Technical Panel may be appealed to the NITC.
The NITC shall be responsible for adopting minimum technical standards, guidelines, and architectures upon recommendation by the technical panel. (Neb. Rev. Stat. § 86-516(6))
The highest authority within an agency or institution is responsible for the protection of information resources, including developing and implementing information security programs, consistent with this standard. The authority may delegate this responsibility, but delegation does not remove the accountability.