Common use of SERVICE CONTINUITY MANAGEMENT POLICY STATEMENTS Clause in Contracts

SERVICE CONTINUITY MANAGEMENT POLICY STATEMENTS. 6.2.1 Backups of all essential electronically maintained County business data shall be routinely created and properly stored to ensure prompt restoration. 6.2.2 Each department shall implement and document a backup approach for ensuring the availability of critical application databases, system configuration files, and/or any other electronic information critical to maintaining normal business operations within the department. Docusign Envelope ID: 7489E300-8AF1-4335-9329-A29008757313 6.2.3 The frequency and extent of backups shall be in accordance with the importance of the information and the acceptable risk as determined by each department. 6.2.4 Departments shall ensure that locations where backup media are stored are safe, secure, and protected from environmental hazards. Access to backup media shall be commensurate with the highest level of information stored and physical access controls shall meet or exceed the physical access controls of the data’s source systems. 6.2.5 Backup media shall be labeled and handled in accordance with the highest sensitivity level of the information stored on the media. 6.2.6 Departments shall define and periodically test a formal procedure designed to verify the success of the backup process. 6.2.7 Restoration from backups shall be tested initially once the process is in place and periodically afterwards. Confirmation of business functionality after restoration shall also be tested in conjunction with the backup procedure test. 6.2.8 Departments shall retain backup information only as long as needed to carry out the purpose for which the data was collected, or for the minimum period required by law. 6.2.9 Alternate storage facilities shall be used to ensure confidentiality, integrity and availability of all County systems. 6.2.10 Each department shall develop, periodically update, and regularly test business continuity and disaster recovery plans in accordance with the County’s Business Continuity Management Policy. 6.2.11 Departments shall review and update their Risk Assessments (RAs) and Business Impact Analyses (BIAs) as necessary, determined by department management (annually is recommended). As detailed in Section 14: Risk Assessment and Treatment, RAs include department identification of risks that can cause interruptions to business processes along with the probability and impact of such interruptions and the consequences to information security. A BIA establishes the list of processes and systems that the department has deemed critical after performing a risk analysis. 6.2.12 Continuity plans shall be developed and implemented to provide for continuity of business operations in the event that critical IT assets become unavailable. Plans shall provide for the availability of information at the required level and within the established Recovery Time Objective (RTO) and their location, as alternate facilities shall be used to maintain continuity. 6.2.13 Each department shall maintain a comprehensive plan document containing its business continuity plans. Plans shall be consistent, address information security requirements, and identify priorities for testing and maintenance. Plans shall be prepared in accordance with the standards established by the County’s Business Continuity Management Policy.

SERVICE CONTINUITY MANAGEMENT POLICY STATEMENTS. 6.2.1 Backups of all essential electronically maintained County business data shall be routinely created and properly stored to ensure prompt restoration. 6.2.2 Each department shall implement and document a backup approach for ensuring the availability of critical application databases, system configuration files, and/or any other electronic information critical to maintaining normal business operations within the department. Docusign Envelope ID: 7489E300720A06B8-8AF10B1D-4BC0-433590D5-9329-A29008757313335032640F9D 6.2.3 The frequency and extent of backups shall be in accordance with the importance of the information and the acceptable risk as determined by each department. 6.2.4 Departments shall ensure that locations where backup media are stored are safe, secure, and protected from environmental hazards. Access to backup media shall be commensurate with the highest level of information stored and physical access controls shall meet or exceed the physical access controls of the data’s source systems. 6.2.5 Backup media shall be labeled and handled in accordance with the highest sensitivity level of the information stored on the media. 6.2.6 Departments shall define and periodically test a formal procedure designed to verify the success of the backup process. 6.2.7 Restoration from backups shall be tested initially once the process is in place and periodically afterwards. Confirmation of business functionality after restoration shall also be tested in conjunction with the backup procedure test. 6.2.8 Departments shall retain backup information only as long as needed to carry out the purpose for which the data was collected, or for the minimum period required by law. 6.2.9 Alternate storage facilities shall be used to ensure confidentiality, integrity and availability of all County systems. 6.2.10 Each department shall develop, periodically update, and regularly test business continuity and disaster recovery plans in accordance with the County’s Business Continuity Management Policy. 6.2.11 Departments shall review and update their Risk Assessments (RAs) and Business Impact Analyses (BIAs) as necessary, determined by department management (annually is recommended). As detailed in Section 14: Risk Assessment and Treatment, RAs include department identification of risks that can cause interruptions to business processes along with the probability and impact of such interruptions and the consequences to information security. A BIA establishes the list of processes and systems that the department has deemed critical after performing a risk analysis. 6.2.12 Continuity plans shall be developed and implemented to provide for continuity of business operations in the event that critical IT assets become unavailable. Plans shall provide for the availability of information at the required level and within the established Recovery Time Objective (RTO) and their location, as alternate facilities shall be used to maintain continuity. 6.2.13 Each department shall maintain a comprehensive plan document containing its business continuity plans. Plans shall be consistent, address information security requirements, and identify priorities for testing and maintenance. Plans shall be prepared in accordance with the standards established by the County’s Business Continuity Management Policy.