Business Continuity and Disaster Recovery Policy
Version 1.1
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to ensure the continuity and recovery of the University’s business following the loss of IT Resources.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Users managing University's IT Resources must have documented Business Continuity (BC) and Disaster Recovery (DR) plans for Fordham-managed IT Resources.
- DR Plans should be stored in multiple secure (e.g., Recovery Planner managed by Information Security and Assurance, third-party cloud service provider) and geographically diverse locations, when possible, ensuring their availability and resilience during disruptive disaster events.
- At a minimum, DR Plans must be stored on-premises, off-premises, or in separate physical locations.
- Managers or persons responsible for IT Resources must brief staff on their roles and responsibilities related to DR planning, including developing, updating, and testing plans.
- Users managing University's IT Resources must ensure sufficient financial, personnel, and other resources are available to maintain technological BC and DR plans.
- The following recovery maintenance activities must be conducted at minimum annually when a significant change to IT Resources occurs or a new IT Resource is implemented:
- Review the BC and DR objectives and strategy,
- Update/create BC and DR plans,
- Update/create the internal and external contacts lists,
- Conduct DR simulation/tabletop exercise(s),
- Conduct recovery test(s) in partnership with the Office of Information Technology,
- Verify the alternate site(s), if applicable, and
- Verify the hardware platform, applications, and operating system requirements if applicable.
Definitions
Business Continuity refers to an organization's ability to continue essential operations and services in the face of disruptive events by implementing measures such as viable backup and recovery procedures.
Disaster Recovery is the ability to restore an organization's critical systems and services to return the entity to an acceptable operating condition following a catastrophic event by activating a Disaster Recovery Plan. Disaster recovery is a subset of business continuity planning.
Disaster Recovery Plan is procedural documentation to reestablish an organization's critical business applications and services following a disaster or significant impacting event.
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Related Policies and Procedures
Implementation Information
| Review Frequency: | Triennial |
|---|---|
| Responsible Person: | Senior Director of IT Security and Assurance |
| Approved By: | CISO |
| Approval Date: | March 30, 2020 |
Revision History
| Version: | Date: |
Description:
|
| 1.0 | 03/30/2020 | Initial document |
| 1.1 | 04/04/2023 | Updated policy statement, definitions, links |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.