Policy 107 Information Technology Business Continuity and Disaster Recovery Planning

Purpose 

The Information Technology Business Continuity and Disaster Recovery Planning Policy requires administrative, clinical, academic, and research units of Washington University in St. Louis (WashU) to develop, maintain, and practice risk-based plans for Information Technology Business Continuity (ITBC) and Information Technology Disaster Recovery (ITDR). These plans serve to protect the confidentiality, integrity, and availability (CIA) of WashU information systems and services in the wake of a security event. 

This policy does not cover the WashU Continuity Program managed by The Office of Emergency Management or the All-Hazards Emergency Operations Plan for WashU IT and other WashU IT departments and teams.

Applicability and Audience 

This policy applies to all critical and important information resources that are owned, leased, vended, contracted, or operated by the university. This includes hardware, software, systems, and data. 

All members of the WashU Community should be aware of this policy, including faculty, staff, students, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. 

Information Security Roles and Responsibilities (100.01) 

Policy 

107.00 Introduction

ITBC and ITDR plans prepare WashU for scenarios in which information systems are unavailable or unusable, and address two main issues: 

  1. The ITBC plan addresses how a unit will continue operations while systems are unavailable and being recovered; and 
  2. The ITDR plan addresses how a unit will recover its systems and restore them to full functionality. 

107.01 Business Impact Analysis

As a starting point for ITBC and ITDR planning, the Office of Information Security (OIS) will coordinate with departments, schools, and units to conduct a Business Impact Analysis (BIA) for each critical and important process requiring information assets. The purpose of the BIA is to identify the following:  

  • Critical and important processes, functions, and interdependencies for university operations that involve information assets, including clinical care, research, teaching, and administration; 
  • Possible impacts of unplanned interruptions or loss of access to information assets for various lengths of time; 
  • Possible impacts of unplanned permanent loss of data; and 
  • Internal or external resources required to maintain operational processes in case of an interruption or disaster.

The BIA must include: 

  • The following information about a department, school, or unit’s critical and important computer functions, applications, systems, and network infrastructure:  
    • Inventory  
    • System and information classification 
    • Analysis and summary of times of year in which these assets are urgently in demand (e.g., graduation, registration, and enrollment)  
  • Risk Analysis: a qualitative assessment of residual risk (i.e., risk remaining after the application of mitigating controls and processes); 
  • Recovery Time Objectives (RTO): the target period for restoration of the asset’s operational functionality; and 
  • Recovery Point Objectives (RPO): the target state for restoration of the asset’s data and information, noting that some data and information may be lost, e.g., since the most recent backup. 

Regulatory requirements and the classification of data and systems (Policy 100, Section 100.04: Information and System Classification) will guide the impact analysis process. Periodic revisions to the BIA are necessary according to the criticality of the asset or changes to the asset, systems, or areas of operation that the asset supports.  

107.02 Information Technology Business Continuity (ITBC) and Information Technology Disaster Recovery (ITDR) Plans

ITBC and ITDR plans must consider the potential impacts of security incidents for our organization and stakeholders. Plans must define recovery objectives and strategies for protecting ongoing CIA of WashU information assets, including all critical and important computer functions, applications, systems, and network infrastructure as defined by the leadership of all university administrative, clinical, academic, and research units (hereafter “units”).  

ITBC and ITDR plans will reference appropriate security controls and must be consistent with university directives, policies, regulations, standards, and associated guidance.  

The OIS will review the ITBC and ITDR plans to ensure business requirements, specifically RTOs and RPOs, are supported by technologies and processes. Refer to Standard 207: Information Technology Business Continuity and Disaster Recovery Planning for specific information about review timelines, which are based on the criticality of the business processes and supporting information assets.

Information Technology Business Continuity (ITBC) Plans

All WashU departments, schools, and units that use information assets in their critical and important operational processes must develop ITBC plans that enable continuous operations in the event of disruptions to the availability of those information assets.   

ITBC Plans will include the following:  

  • Processes for different operating states (e.g., under duress/attack, during recovery, and during normal operations); 
  • Documented procedures for protecting data accumulated during the system outage and restoring the data within systems after systems are recovered; 
  • Alternative facilities or manual processes for the continuation of operations; 
  • Necessary functions and processes for hybrid activities, on-premises activities, and use of third-party systems; and  
  • Communication strategies for executing the business continuity plan from start to finish.  

Information Technology Disaster Recovery (ITDR) Plans

All WashU departments, schools, and units that use information assets in their critical and important operational processes must develop and implement ITDR plans to ensure confidentiality, integrity, and availability of WashU information and systems.  

ITDR Plans will include the following:

  • Processes for recovering from business disruptions resulting from the unavailability of critical IT services; 
  • Documented procedures for backing up data and restoring assets, including routinely testing the backup and restore processes; 
  • Necessary functions and processes for hybrid activities, on-premises activities, and use of third-party systems; and 
  • Communication strategies for executing the business continuity plan from start to finish. 

Disaster recovery plans for vended systems and co-managed/shared-responsibility systems will be communicated in a contract or a statement of work.

ITBC and ITDR Roles and Responsibilities

Departments and schools will train their WashU community members to ensure awareness and understanding of the ITBC and ITDR plans, contingency roles, responsibilities, and processes.  

System owners must coordinate with the OIS and WashU IT or department IT to identify, document, design, and test ITBC and ITDR plans, backup needs, and requirements as applications are developed, contracted, or purchased for WashU.  

Leaders or authorized designees of university units must develop, test, and maintain ITBC plans for how the unit will continue operational processes if or when information systems are unavailable. 

Leaders must also work with Information Technology managers and administrators to ensure adequate ITDR Plans are developed, tested, and maintained for the unit’s applications, systems, and/or infrastructure. 

Policy Compliance 

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, Area Specific Compliance Office, Human Resources, or the Office of Student Conduct. 

Internal Audit will independently review and assess compliance with this policy, reporting findings and recommendations to senior management and the Board of Trustees.

Related Policies, Standards, and Guidelines 

Policy 100: Information Security Program  

Standard 207: Information Technology Business Continuity and Disaster Recovery Planning 

References 

National Institute of Standards and Technology Contingency Planning for Federal Information Systems (NIST SP 800-34)  

National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)

National Institute of Standards and Technology Special Publication 800-53 Revision 5 (NIST SP 800-53 Rev. 5)  

Policy Review 

This policy will be reviewed by the OIS at a minimum of every three years.   

Policy Number and Title: 107 Information Technology Business Continuity and Disaster Recovery Planning 

Owner: Office of Information Security 

Approved By: Cyber Security Executive Advisory Committee
Original Approval Date: November 17, 2023

Current Version Publication Date: April 18, 2024