Microsoft Word - CODAC Business Continuity Plan 2024.docx

 Business impact analysis  CODAC personnel receive ongoing cybersecurity training.

Dependent upon the gravity of the system issue, critical services will be restored anywhere between a few minutes but no later than 24 hours. All stakeholders will be alerted and given an estimate for recovery time as soon as possible. Levels of disruption are detailed below  Level 1 : minimal interruption of system that is resolved without any need for additional communication.  Level 2 : minor system outage; affecting one site or system with minimal disruption; communication and intervention limited to site and stakeholders affected.  Level 3 : more than one site or system affected with some disruption; communication limited to those affected.  Level 4 : Several sites or systems affected with major disruption in services; communication to all personnel affected; and consider various stakeholder communications.  Level 5 : complete disruption of systems and/or services; communication to all personnel and appropriate stakeholders. Planned Updates/Outages to the System From time to time, CODAC’s network needs updates or upgrades to occur. Planned updates/upgrades could affect various systems (telephone, EHR, email, etc.). During planned updates which will result in disruption of normal operations, the following will occur: 1. Chief information officer will coordinate a quick meeting with appropriate leadership to discuss expectations, outage updates, etc. 2. As appropriate, CODAC’s Business Continuity Communication Plan will be initiated. (Refer to communication plan). 3. Appropriate personnel and stakeholders will be given details related to the outage, including how long the outage will occur, what systems will be interrupted, when systems expect to be and are restored, and how to access vital information or contact appropriate personnel during the outage. Updates on any changes to these details will be communicated as soon as the information is known. Unplanned Outages including but not limited to Cybersecurity Threat/Ransomware/Viruses When an unplanned outage occurs, the following should be initiated: 1. The helpdesk should be alerted immediately, including when they occur after-hours. Unplanned outages may vary in scope and volume; however, all outages should be reported. 2. Helpdesk and the chief information officer will assess the situation and address any potential issues (viruses, equipment failure, etc.).

Page 13 of 21