Business Continuity and Disaster Recovery

Administrative Regulation Title: Business Continuity and Disaster Recovery

Regulation Number: 7.0.2

_____________________________________________________________________________________

Purpose:

This Business Continuity and Disaster Recovery (“BC/DR”) Administrative Regulation (this “Admin Reg”) ensures the College is prepared to restore mission critical systems in the case of a disaster to minimize disruption to business operations. BC/DR planning ensures that system dependencies have been identified and accounted for when developing the recovery prioritization, establishing recovery time and recovery point objectives, and documenting the roles of supporting Personnel.

Definitions:

Capitalized terms not defined in this Admin Reg have the meaning set forth in the Information Security Policy.

“Business Continuity” means an organization’s ability to continue essential operations and services in the face of disruptive events by implementing measures such as viable backup and recovery procedures.

“Disaster Recovery” means the ability to restore an organization’s critical systems and services to return the entity to an acceptable operating condition following a catastrophic event by activating a Disaster Recovery Plan. Disaster recovery is a subset of business continuity planning.

“Recovery Point Objective” or “RPO” means the maximum amount of data loss acceptable due to a disaster, expressed as a period of time. RPOs for each confidentiality classification are listed in Table 1.

“Recovery Time Objective” or “RTO” means the maximum time period in which critical business operations must be restored in order to avoid unacceptable consequences associated with a break in service. RTOs for each confidentiality classification are listed in Table 1.

Scope:

This Admin Reg applies to all Institutional Resources and Personnel who have responsibilities related to the availability of Institutional Resources.

Roles and Responsibilities:

Preparation for, response to, and recovery from a disaster affecting administrative functions require the cooperative efforts of many functions of the College. In conjunction with functional leads of departments throughout the College, the Office of Information Technology (“OIT”) is responsible for maintenance of BC/DR plans. College leadership is accountable for ensuring plans are adequate and effectively carried out in the case of disaster.

Standards:

The College will develop and maintain a BC/DR process that identifies Institutional Resources and will implement, at minimum:

Documented BC/DR plans for Institutional Resources;
Storage of BC/DR plans in multiple secure and geographically diverse locations, when possible, ensuring their availability and resilience during disruptive disaster events;
Briefing of Personnel on their roles and responsibilities related to BC/DR plans, including developing, updating, and testing plans, conducted by team leads that maintain, and are responsible for, Institutional Resources; and
Requirements that team leads who manage Institutional Resources ensure sufficient financial, personnel, and other resources are available to maintain technological BC/DR plans.

The College will review the BC/DR process annually.

The following recovery maintenance activities must be conducted at minimum annually, when a significant change to Institutional Resources occurs, or when a new Institutional Resource is implemented:

Review the BC/DR objectives and strategy;
Update/create BC/DR plans;
Update/create the internal and external contacts lists;
Conduct recovery test(s);
Verify the alternate site(s), if applicable; and
Verify the hardware platform, applications, and operating system requirements, if applicable.
(Optional) Conduct BC/DR simulation/tabletop exercise(s).

BC/DR plans should reference and incorporate related College information security policies and administrative regulations, including, without limitation:

Data Backup: This Admin Reg ensures data that is lost or compromised can be restored.
Information Classification: This Admin Reg provides the framework used to classify information based on criticality. The classifications should be used to guide the development of related business continuity and disaster recovery plans.
Incident Response: This Admin Reg outlines how the College responds to security incidents and should work hand-in-hand with business continuity and disaster recovery plans.

Table 1: Disaster Recovery Performance Objectives by Information Confidentiality Classification

Level	RPO	RTO	Performance Objective
Highly Sensitive (Level 3)	24 hours	8 hours	Best possible performance, required robust real-time transaction speed monitoring
Confidential (Level 2)	24 hours	24–48 hours	Better performance, some transaction monitoring
Public (Level 1)	1–7 days	7–30 days	No performance targets, not monitored

References:

Information Security Policy

Data Backup Administrative Regulation

Information Classification Administrative Regulation

Incident Response Administrative Regulation

Revision History:

Original Adoption Date: 1/29/24

Revision Date(s):

Date Reviewed, no change:

Become a Lancer Today

Apply Now

Become a Lancer Today

Apply Now

Become a Lancer Today

Apply Now

Become A Lancer Today

Apply Now

Become a Lancer Today

Apply Now

Become a Lancer Today

GET IN TOUCH

Helpful Links