
NITC 8-201: Information Technology Disaster Recovery Plan Standard

Category: Security Architecture
Applicability: Applies to all public entities and state government agencies, excluding higher education institutions
History: Adopted on August 4, 2006.

1. Standard

Each agency must have an Information Technology Disaster Recovery Plan that supports the resumption and continuity of computer systems and services in the event of a disaster. The plan will cover processes and procedures, and provide contingencies to restore operations of critical systems and services as prioritized by each agency. The Disaster Recovery Plan for Information Technology may be a subset of a comprehensive Agency Business Resumption Plan which should include catastrophic situations and long-term disruptions to agency operations.

The Information Technology Disaster Recovery Plan should be effective, yet commensurate with the risks involved for each agency. The following elements, at a minimum, must be included:

  • Identification of critical computer systems and services to the agency's mission and business functions.
  • Critical systems and services preservation processes and offsite storage strategy and methods to protect storage media.
  • Documented dependencies upon other State agencies or entities that support critical systems and services.
  • Contingency plans for different types of disruptions to critical systems and services, e.g., hardware failure.
  • Information technology responsibilities for implementation and disaster management.
  • Procedures for reporting events, as well as escalating an event within an agency.
  • Identification of copy distribution and multiple site storage of plan documents.
  • Multi-year training, exercising, and improvement plans.
  • Annual plan review, revision, and approval process.

2. Purpose and Objectives

The purpose of this document is to define, clarify, and standardize Information Technology Disaster Recovery Planning of State government agencies.

2.1 Background

Information Technology Disaster Recovery Plans are based on the following premises:

2.1.1 Information is an asset.

It has value to the organization and needs to be suitably protected.

2.1.2 Information resources must be available when needed.

Continuity of information resources and supporting critical systems and services must be ensured in the event of a disruption to business or a disaster.

2.1.3 Risks to information resources must be managed.

Procedures required to ensure critical systems and services can be recovered and business continuity sustained must be cost effective and commensurate with the value of the assets being protected.

2.2 Objectives

The primary objectives of this Standard are:

2.2.1 To communicate responsibilities for the continuity of government operations;

2.2.2 To establish a plan for restoration of operations following a disaster.

2.2.3 To reduce the risk of loss of state information assets.

2.2.4 To provide a process for the recovery of critical systems and services.

3. Definitions

Agency: Any governmental entity, including state government, local government, or third party entities under contract to the agency.

Agency Business Resumption Plan: Documents how an agency will continue to function during a disaster.

Note: Items found in an Agency Business Resumption Plan may include, but are not limited to:

  • Business impact analysis, including risk assessment, asset classification, and potential disruption to stakeholders.
  • Mitigation strategies and safeguards to avoid disasters. Safeguards include, but are not limited to, protective measures such as redundancy, fire suppression, power source protection, and environmental issues.

Critical Systems and Services: Those systems, system components (hardware, data, or software), or services that if lost or compromised would jeopardize an agency's ability to continue agency operations.

Disaster: Any event that threatens or causes the destruction or availability of critical systems and services.

4. Applicability

This standard applies to all state government agencies, except Higher Education and those agencies receiving an exemption under Section 4.1. Compliance with Nebraska Information Technology Commission (NITC) standards will be a requirement during consideration of funding for any projects requiring review by the NITC and may be used in audit reviews or budget reviews.

4.1 Exemption

Exemptions may be granted by the NITC Technical Panel upon request by an agency.

4.1.1 Exception Process

Any agency may request an exemption from this standard by submitting a "Request for Exemption" to the NITC Technical Panel. Requests should state the reason for the exemption. Reasons for an exemption include, but are not limited to: statutory exclusion, federal government requirement, or financial hardship. Requests may be submitted to the Office of the NITC via e-mail or letter (Office of the NITC, 521 S 14th Street, Suite 301, Lincoln, NE 68508). The NITC Technical Panel will consider the request and grant or deny the exemption. A denial of an exemption by the Technical Panel may be appealed to the NITC.

5. Responsibility

5.1 NITC

The NITC shall be responsible for adopting minimum technical standards, guidelines, and architectures upon recommendation by the technical panel. (Neb. Rev. Stat. § 86-516(6))

5.2 Agency and Institutional Heads

The highest authority within an agency or institution is responsible for the protection of information resources, including developing and implementing information security programs, consistent with this standard. The authority may delegate this responsibility but delegation does not remove the accountability.