3.8.9 Business Continuity Planning Policy
Each academic department or administrative unit that provides critical services based on information technology will document, develop, implement, and periodically test continuity plans.
Continuity plans, also known as Business Continuity Plans, enable the critical academic and administrative functions of the University to continue in the event a local disaster renders a facility unusable or inaccessible for an extended period. This policy is intended to ensure that plans are in place that will, in turn, ensure that University Computing and Communications Resources are appropriately prepared to enable the University to continue to fulfill its mission and commitments. This policy applies to central systems and systems in the various units, including desktop computers that support key University functions.
Disaster recovery planning for Computing and Communications Resources is a part of overall business continuity planning. Business continuity may also involve alternative facilities, personnel or processes and may or may not involve information technology. In some cases, where information technology is not a critical part of ongoing activities, the loss of Computing and Communications Resources may involve only slight changes to the way academic or administrative functions are performed. In other cases, the University may have no practical alternative but total and rapid restoration of affected information technology resources.
Disaster recovery for Computing and Communications Resources involves, in part, making appropriate system and data backups, storing copies of critical information off site, and arranging for alternative and/or replacement resources, including systems and their associated operating facilities. It is expected that all University members, especially, Information Administrators and/or their designated Security Administrator, will ensure that systems under their stewardship are appropriately backed up and that back-up copies are appropriately stored in alternative locations. Recovery from backups must be tested from time to time, but at least annually. Critical information, as identified by the Information Administrators, should be backed up in such a manner as to be recoverable in a timely manner at an alternate operational facility. Business continuity plans ensure that mission critical activities, in this case, that use information technology, can continue. These plans should be tested at least annually.
It is recognized that rapid and simultaneous recovery of all systems and services may not be economically feasible, especially for all classes of disasters. Schools and major administrative departments will therefore provide for disaster recovery and business continuity within a given scope and duration, on a system-by-system basis, by priority; all determined jointly by the Information Administrators and, if appropriate, the ISPC. It is recognized that business continuity and disaster recovery plans and procedures are contingent on identifying specific requirements, receiving appropriate University resource prioritization and adequate funding. Those units that need assistance in developing continuity plans can work with OISR and/or their School’s technology organization.
The unavailability of critical information and systems would harm the University’s ability to fulfill its mission.