Business Continuity and Disaster Recovery Policy

Version 1.2

For Students, Faculty, Staff, Guests, Alumni

Purpose

The purpose of this policy is to ensure the continuity and recovery of the University’s business following the loss of IT Resources.

Scope

This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • Users accountable for the University's IT Resources must have documented Business Continuity (BC) and Disaster Recovery (DR) plans.
  • BC/DR plans should be stored in accessible, secure locations (e.g., a recovery planning tool managed by Information Security and Assurance or a third-party cloud service provider) and, when possible, in geographically diverse locations to ensure immediate availability and resilience during disruptive events.
    • At a minimum, BC/DR plans must be stored on-premises, off-premises, and in separate physical locations.
    • A documented, tested secondary authentication method approved by Information Security and Assurance must operate independently of the centrally managed identity provider to be used during authentication service outages.
  • Users accountable for IT Resources must brief staff on their roles and responsibilities related to BC/DR planning, including developing, updating, and testing plans.
  • Users accountable for IT Resources must ensure sufficient financial, personnel, and other resources are available to maintain technological BC/DR plans.
  • The following recovery maintenance activities must be conducted, at a minimum, annually, when a significant change to IT Resources occurs, or when new IT Resources are implemented:
    • Review the BC/DR objectives and strategy,
    • Update/create BC/DR plans,
    • Update/create the internal and external contacts lists,
    • Conduct BC/DR simulation/tabletop exercise(s),
    • Verify the alternate site(s), if applicable, and

Definitions

Business Continuity refers to an organization's ability to continue essential processes in the face of disruptive events.

Disaster Recovery is the ability to restore an organization's critical systems and services to return the entity to an acceptable operating condition following a catastrophic event by activating a Disaster Recovery Plan. Disaster recovery is a subset of business continuity planning.

Disaster Recovery Plan is procedural documentation to reestablish an organization's critical business applications and services following a disaster or significant event.

IT Resources include computing, networking, communications, applications, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CISO
Approval Date: March 30, 2020

Revision History

Version  Date        Description
1.0      03/30/2020  Initial document
1.1      04/04/2023  Updated policy statement, definitions, links
1.2      04/27/2026  Updated policy statement

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.
