Business Continuity & Disaster Recovery Plan Standard
Date of Current Revision or Creation:泭January 1, 2023
The purpose of an Information Technology Standard is to specify requirements for compliance with 圖朸厙 Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to outline the Business Continuity and Disaster Recovery Planning requirements for IT systems and data.
Definitions
Business Continuity Plan (BCP/COOP) is 圖朸厙's documented plan and set of procedures created to assure that the capability exists to continue essential University functions across a wide range of potential emergencies.
IT Disaster Recovery Plan (DRP) is a documented process and set of procedures used to safeguard and recover IT resources in the event of a disaster.
Information Technology Resources are defined as computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services.
Virginia Department of Emergency Management (VDEM) is the State agency that works with local government, state and federal agencies and voluntary organizations to provide resources and expertise in emergency management.
Standards Statement
IT Systems and Data Requirements for Business Continuity
Commonwealth of Virginia Continuity of Operations Planning requirements are defined by Virginia Department of Emergency Management (VDEM.) The Continuity of Operations Planning Manual published by VDEM will be consulted for IT related requirements. IT requirements will be included as a part of the University's Business Continuity of Operations Plan (COOP.)
COOP & DR Liaison Designee
The University has designated the Information Security Officer (ISO) as the employee assigned to collaborate with the agency Continuity of Operations Plan (COOP) coordinator on the IT aspects of COOP and related Disaster Recovery planning activities.
Business Impact Analysis
Based on Business Impact Analysis (BIA) and Risk Assessment (RA) results, 圖朸厙 will develop COOP IT-related documentation which identifies:
- Essential Essential business functions that require restoration and the Recovery Time Objective (RTO) for each;
- Recovery requirements for IT systems and data needed to support the essential business functions; and
- Personnel contact information and incident notification procedures.
Disaster Recovery Plan (DRP)
The documentation on the continuity of IT business operations is provided in the IT Disaster Recovery Plan (DRP). The DRP is to be protected as sensitive data and stored at a secure off-site location.
The DRP will be maintained, reviewed and updated with each review and change documented, minimally at 12 month intervals.
The DRP will include manual process procedures for designated ITS staff to reference as part of restoration of essential university services. Departments are responsible for the manual processes and procedures used to accomplish their primary business.
The DRP will, where possible, address the sequence of essential function restoration. The plan recognizes that many services are dependent upon Banner Administrative System restoration yields and related access. Essential functions that must be restored will be factored into the entire restoration sequence and documented accordingly. Such technical instruction and restoration procedures are included in the DRP for reference.
The DRP will document the identified support teams, their specific responsibilities and names and contact information of team members and alternate team members. Contact information will be maintained in the DRP but marked as restricted.
The DRP will address the utilization of equipment residing in a remote location used to house computer storage and tape media.
The DRP will include information regarding the creation, use and control of backups, such as frequency and related server names. IT is responsible for the execution and maintenance of backups to essential servers and databases.
The Disaster Recovery Plan works in conjunction with the University Business Continuity Plan (BCP/COOP). Changes made to the DRP will be coordinated to ensure that the changes are in agreement with the University BCP/COOP. Issues which appear to be in conflict are to be directed to IT management for resolution.
Disaster Recovery Testing
IT will conduct an annual exercise (or more often as necessary) to assess the adequacy and effectiveness of the remote backup site and the selected essential IT services. Testing will include the work groups designated to support the restoration of essential services. Effective preplanning is expected and proper notification is to be given to the campus regarding the test schedule and possible disruption of services.
Results from any Disaster Recovery Test will be reviewed by IT management. Participants will meet post-test to discuss actions, activities and obstacles experienced during the test. Discussions should address ways of accomplishing goals with pre-stage solutions and amending the test objectives as needed.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University Policy 3505 - Information Technology Security
- ITS Standard 7.1.0 - Business Impact Analysis
- ITS Standard 8.1.0 - Risk Assessment
History
Date |
Responsible Party |
Action |
October 2008 |
ITAC/CIO |
Created |
October 2009 |
ITAC/CIO |
Reaffirmed |
October 2010 |
ITAC/CIO |
Reaffirmed |
October 2011 |
ITAC/CIO |
Reaffirmed |
October 2012 |
ITAC/CIO |
Reaffirmed |
December 2012 |
IT Policy Office |
Rewording for clarity Numbering revision |
December 2016 | IT Policy Office | Reviewed; links revised |
September 2019 | IT Policy Office | Reviewed; live links added |
January 2023 | IT Policy Office | Reviewed; no changes |