107 Information Technology Business Continuity and Disaster Recovery Planning
The following table shows who is responsible for ensuring compliance with the policy requirements listed below.
Requirement | All Users | System Owners | System Custodians/Administrators | Departments, Schools, Units |
---|---|---|---|---|
Business Impact Analysis (BIA) will be performed for each critical and important process requiring information assets (p. 2). | ✔ | |||
Business Impact Analyses will include all necessary information (e.g., risk analysis, Recovery Time Objectives, Recovery Point Objectives) (p. 2). | ✔ | |||
Information Technology Business Continuity (ITBC) and Information Technology Disaster Recovery (ITDR) plans must consider potential impacts of security incidents (p. 3). | ✔ | |||
ITBC and ITDR plans will reference appropriate security controls and will be consistent with university directives, policies, regulations, standards, and associated guidance (p. 3). | ✔ | |||
Information Technology Business Continuity (ITBC) plans enable continuous operations in the event of disruption to asset availability (p. 3). | ✔ | |||
ITDR plans must include all necessary information (e.g., processes for recovery, back-up procedures, etc.) (p. 3). | ✔ | |||
Disaster recovery plans for vended systems and co-managed/shared responsibility systems will be communicated in a contract or a statement of work (p. 4). | ✔ | |||
WashU Community members will be trained to ensure awareness and understanding of ITBC and ITDR plans, contingency roles, responsibilities, and processes (p. 4). | ✔ | ✔ | ✔ | |
ITBC and ITDR plans will be identified, designed, and tested (p. 4). | ✔ | |||
Backup needs will be identified, documented, designed, and tested (p. 4). | ✔ | |||
Requirements for applications will be identified, documented, designed, and tested (p. 4). | ✔ | |||
University unit leaders must develop, test, and maintain ITBC plans for the unit (p. 4). | ✔ | |||
Unit leaders will work with IT managers and administrators to ensure ITDR plans are adequate for the unit’s applications, systems, and/or infrastructure (p. 4). | ✔ |
Summary of Policy
Introduction (107.00)
ITBC and ITDR plans prepare WashU for scenarios in which information systems are unavailable or unusable, and address two main issues:
- The ITBC plan addresses how a unit will continue operations while systems are unavailable and being recovered.
- The ITDR plan addresses how a unit will recover its systems and restore them to full functionality.
Business Impact Analysis (107.01)
As a starting point for ITBC and ITDR planning, the OIS will coordinate with departments, schools, and units to conduct a Business Impact Analysis (BIA) for each critical and important process requiring information assets.
Information Technology Business Continuity (ITBC) and Information Technology Disaster Recovery (ITDR) Plans (107.02)
ITBC and ITDR plans must consider the potential impacts of security incidents for our organization and stakeholders. The OIS will review the ITBC and ITDR plans to ensure business requirements, specifically RTOs and RPOs, are supported by technologies and processes.
Full Text of Policy
Policy 107 Information Technology Business Continuity and Disaster Recovery Planning
The policy communicates the expectations for developing, maintaining, and practicing risk-based plans for Information Technology Business Continuity (ITBC) and Information Technology Disaster Recovery (ITDR).
Related Information
Policy 100 Information Security Program
The Information Security Program Policy is the foundation of the policy library and provides a rationale for the directives communicated in all other information security policies.
207 Information Technology Business Continuity and Disaster Recovery Planning
This standard provides a basis for funding decisions for incident response and recovery at Washington University in St. Louis (WashU).