This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting or performing work, teaching, research or study activity using University resources, and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or its affiliates.
Business Continuity and Disaster Recovery
July 23, 2007
Effective business continuity and disaster recovery plans are required in all areas of the University. Each academic unit and administrative division must develop plans that will allow it to perform its core required operations in an alternative fashion, as well as an appropriate disaster recovery policy for its working environment.
REASON FOR POLICY
The purpose of this policy is to define planning and related activities to ensure that the University’s core, critical or regulatory required functions will either continue or be recovered to an operational state within a reasonable amount of time in the event of an incident or disaster that would otherwise impact the University’s ability to conduct operations.
Business Continuity Plan (BCP)
Perform Gap Analysis
Conduct Risk Assessment
Perform Business Impact Analysis
Determine Continuity/Recovery Strategy
Implement Continuity/Recovery Strategy
Establish BCP and Disaster Recovery Maintenance and Awareness Program
Gap Analysis
A process in which the current state of a process, system or organization is compared with its desired state. The differences between the current state and the desired state are called gaps. These gaps then become the basis for prioritization, planning and action to move to the desired state.
Risk Assessment
In disaster recovery or business continuity planning, a risk assessment will typically include:
Identification and classification of primary risks and exposures including external and environmental risks as well as inherent business risks.
Probability (likelihood) of occurrence.
Impact of occurrence including cost and reputation.
Strength of existing controls.
Consideration of senior management risk tolerance and level of acceptance of identified risks versus the cost of the various mitigation plans.
Business Impact Analysis
In business continuity planning, a business impact analysis includes:
Identification of critical business processes at departmental/unit level.
Risk assessment, including quantification of the impact of an event.
Identification of points of failure and process interdependencies.
Development of recovery time objective (RTO) and recovery point objective (RPO). See definitions of these terms in this document.
Degree of criticality and supporting prioritization of processes for recovery.
Review and update annually.
Continuity/Recovery Strategy
In disaster recovery or business continuity planning, a continuity and recovery strategy includes these steps:
Assess alternate continuity/recovery strategies.
Select continuity/recovery strategy.
Develop and document continuity/recovery strategy plans.
Disaster Recovery Plans as part of a broader Business Continuity Plan should include:
a. Classification of critical systems and records to ensure priority of recovery.
b. Mitigation strategies and safeguards to avoid disasters.
c. Support of RPO and RTO objectives.
d. Necessary electronic files backup and off-site storage strategy (see IS PS015 Backup of Data).
e. Security controls equal to those of day-to-day operations.
Define organizational responsibilities and critical functions for implementing plans, document, communicate to all involved parties and implement.
Off-site storage, meeting University security requirements, for at least one copy of the planning documents.
Sufficient and secure off-site facilities for continuation of business, if necessary (see IS PS009 Data Facilities).
Annual training and testing of plans, including documented procedures, results and correction of noted deficiencies.
Annual review and revision of the plans.
Coordination with central IT disaster recovery strategy, if applicable.
Disaster Recovery Maintenance and Awareness Program
Conduct education and awareness training with personnel.
Perform periodic BCP plan walkthrough and testing.
Review and update plans and documentation annually or per testing deficiencies.
Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
1.0 / July 23, 2007 / Original Publication
1.1 / January 29, 2013 / Content Update
2.0 / March 3, 2016 / Content review/update removing reference to IT Ops as DR assistance and update to new template
Reviewed Date(s): September 24, 2014; March 3, 2016; June 12, 2017; May 18, 2018
Vice President for Risk, Audit, and Compliance
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION
Information Security Office
The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.