TECHNOLOGY RECOVERY PLAN - 5325.1
Introduction: The Technology Recovery Plan (TRP) is a sub-set of the Agency/state entity’s Business Continuity Plan. The TRP is activated immediately after a disaster strikes and focuses on getting critical systems back online.
Policy: Each Agency/state entity shall develop a TRP in support of the Agency/state entity’s Business Impact Assessment (BIA), Business Continuity Plan, and the business need to protect critical information assets to ensure their availability following an interruption or disaster. Each Agency/state entity must keep its BIA, Business Continuity Plan and TRP up to date and provide updated versions of those documents to the Office of Information Security (OIS) as changes occur. The annual requirements are:
- Each Agency/state entity must file a copy of its BIA, Business Continuity Plan, TRP and the Technology Recovery Program Compliance Certification (SIMM 5325-B) with the OIS, in accordance with the Information Security Compliance Reporting Schedule - SIMM 5330-C.
- If the Agency/state entity contracts the services of a data center, it must work with the data center to establish and document TRP coordination procedures. This includes, but is not limited to, any state data center providing data center services to another Agency/state entity and cloud service providers.
- Each Agency/state entity TRP must cover, at a minimum, the program areas which are listed and described in the Technology Recovery Plan Instructions (SIMM 5325-A). If the TRP does not follow the format in SIMM 5325-A, the Technology Recovery Plan Cross Reference Tool located in SIMM 5325-B, must be included with the update to indicate where required information is located.
- The TRP must outline a planned approach to managing risks to the Agency/state entity’s mission, including risk and potential impact to critical information technology assets. The TRP must be derived from the Agency/state entity’s business impact assessment and Business Continuity Plan. Instructions for preparing the TRP are described in SIMM 5325-A.
- Hosted entities (as defined in SIMM Section 5330-E) still need to ensure their mission and business critical needs for technology are addressed in their own technology recovery plan documentation. Refer to the SIMM 5325-A instructions.
Implementation Controls: NIST SP 800-34; NIST SP 800-53: Contingency Planning (CP).