Issuing Department: Administrative Computing
Responsible Officer: Chief Information Officer
I. Introduction
School of Visual Arts requires adequate protections to be established to assure the continuity and recovery of the University’s business following the loss of Systems that are critical to the operations of a business unit of the College (a “Mission Critical System”). This Policy defines acceptable methods for business continuity and disaster recovery planning, leveraging a risk-based analysis in order to prepare for and maintain the continuity of the University’s operations in case of the loss of a Mission Critical System.
II. Policy History
The effective date of this Policy is January 1, 2017. This Policy replaces any prior published Disaster Recovery and Business Continuity Plan.
III. Policy Text
A. Business Risk Assessment and Business Impact Analysis
Each Executive Manager is required to perform a Business Risk Assessment and Business Impact Analysis for each Mission Critical System that is used in his/her area of responsibility. The assessment should identify and define the criticality of Mission Critical Systems and the repositories that contain the relevant and necessary Data for the Mission Critical System. The assessment should also define and document the Disaster Recovery and Business Continuity Plan (the “BC/DR Plan”) for his/her area of responsibility. Such Plan shall include the following:
- Key business processes
- Applicable risk to availability
- Prioritization of recovery
- Recovery Time Objectives (RTO)
- Recovery Point Objectives (RPO)
For purposes of this Policy, a “Recovery Time Objective” is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity; a “Recovery Point Objective” is the maximum tolerable period during which Data might be lost from an Information Resource.
B. BC/DR Plans
Each Mission Critical System must have a BC/DR Plan documented for when hardware, software or Networks become critically dysfunctional or cease to function (short-term and long-term outages). This Plan should include an explanation of the magnitude of information or System unavailability in the event of an outage and the process that would be implemented to continue operations during the outage. In addition, the feasibility of utilizing alternative off-site computer operations should be addressed. Specifically, the BC/DR Plan must include:
- An Emergency Operations Plan for continuing operations in the event of temporary hardware, software or Network outage. This Plan should contain information relating to the end-user process for continuing operations.
- A Recovery Plan for returning functions and services to normal on-site operations when a disaster is over
- A procedure for periodic testing, review and revision of the BC/DR Plan for all affected Systems, as a group and individually as needed
C. Data Backup Plans
Each System Owner and IT Custodian will implement a Data Backup Plan or document the decision to forgo a Plan with a risk-based analysis. Such Plan should define the following:
- Who is responsible for taking reasonable steps to ensure the backup of Data, particularly Sensitive Data and Confidential Data
- A backup schedule
- The Mission Critical Systems that are to be backed up
- Where backup media is to be stored and workforce members who may access the stored backup media
- Where backup media is to be kept secure before it is moved to storage, if applicable
- Who may remove the backup media and transfer it to storage
- Restoration procedures to restore Mission Critical System Data from backup media to the appropriate System
- Test restoration procedures and frequency of testing to confirm the effectiveness of the Plan
- The retention period for backup media
- A method for restoring encrypted backup media, including encryption key management