I would say that, given the tone of the regs emphasizing the need to put in feasible countermeasures that balance risks versus costs, you would be fine as long as:

1) you document the risk analysis supporting a manual approach given the risks your particular enterprise faces, and
2) you test your procedures (whether manual or not) at acceptable intervals to make sure they would work.
a.

Albert Oriol, CHE, CISSP
Privacy & Data Security Officer
The Children's Hospital
[EMAIL PROTECTED]
(303) 861 6094

"All things should be as simple as possible, but no simpler" -- Albert Einstein

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 28, 2002 12:10 PM
To: [EMAIL PROTECTED]
Subject: Contingency Planning Procedures Requirements

I work for a small MGU (Managing General Underwriter) in the Self-Insured market. Since we are small, we generally are limited to operating costs of an average of 10% of the premium that we underwrite. This 10% has to cover all company expenses, purchases, etc. Due to this, the monthly expenditures of having an IT "hot site" and a "30 day offsite work area" are somewhat prohibitive.

If in our Contingency Plan we plan only for manual processes in case of systems failure, until system recovery, would there be a problem during auditing that we do not take into account an offsite business Continuation of Operations Plan? 43252, c. Contingency Plan states: "The organization would be required to perform .... have available critical facilities for continuing operations in the event of an emergency and have disaster recovery procedures in place."

Thanks for any input anyone has in regards to this matter.

Sincerely,
Steve Sklar
IT Manager
Majestic Underwriters, Inc.
(p) 248.583.4488 x246

**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.