LAC Department of Mental Health Public Portal

	LOS ANGELES COUNTY DEPARTMENT OF MENTAL HEALTH
	Policy 550.03 Information Technology Contingency Plan

Policy Category: Administrative

Distribution Level: Directly Operated and Contractors

Review and Approved by: Chief Information Office Bureau

Approved by Edgar M. Soto, MBA, CSP, Administrative Deputy III, on January 21, 2020

I. POLICY STATEMENT

The purpose of this policy is to define the Los Angeles County Department of Mental Health (DMH/Department) Information Technology (IT) Contingency Plan.

Contracted agencies shall develop an internal policy and associated procedures that are consistent with their organizational practices and meet the requirements set forth in this policy.

II. DEFINITIONS

Information Technology and Security Glossary

III. POLICY

The Department Information Security Officer (DISO) must ensure the security (confidentiality, integrity, and availability) of Protected Health Information (PHI) and other confidential information in the event of any disruption, disaster, or other emergency by planning for the recovery and continued operation of electronic information systems.

The DMH Chief Information Officer (CIO) must develop and implement an IT Contingency Plan for responding to IT system emergencies (e.g., fire, vandalism, system failure, and natural disaster)and ensuring continuity of operations during an emergency and recovery from a disaster. The IT Contingency Plan shall include:

Procedures that address electronically maintained or transmitted PHI and other information.
Applications and Data Criticality Analysis - an assessment of the relative criticality of specific electronic information systems and data.
Data Backup Plan - a process for saving exact copies of data into a secondary site so it may be retrieved and used for restoring original data after data loss.
Disaster Recovery Plan - procedures for restoring any lost data.
Emergency Mode Operation Plan - procedures to enable business continuity and protect the security of electronic IT information during and immediately after an emergency.
Command and Control Plan - the provision of IT administrative direction in the event of an emergency.
Testing and Revision of IT Contingency Plan - procedures for performing periodic testing and revision of the IT Contingency Plan.
Workforce IT Contingency Plan Training - training and preparation of designated workforce members regarding the IT Contingency Plan.

The DISO is responsible for reviewing and updating the IT Contingency Plan. IT Contingency Plans may be periodically enhanced as appropriate to further DMH's business purposes. All IT Contingency Plans including the components identified above and any revisions must be provided to the CIO for review and approval. The IT Contingency Plan will be tested as set forth in the Testing and Revision procedures at least once every year and updated as necessary.

IV. PROCEDURES

The following procedures will be performed by individuals in the Chief Information Office Bureau (CIOB) under the direction and review of the CIO and DISO:

The DMH Director or his/her designee shall approve prioritization of critical information systems to ensure ranking accurately reflects the relative criticality of the Department's business functions.

V. AUTHORITIES

Code of Federal Regulations Title 45 Section 164.308(a)(7)(i), Standard: Contingency plan
Code of Federal Regulations Title 45 Section 164.308(a)(7)(ii), Implementation specifications
Los Angeles County Board of Supervisors Policy No. 6.100, Information Security Policy
Los Angeles County Board of Supervisors Policy No. 6.103, Information Security Incident Reporting and Response