8.2.1.7 IT Disaster Recovery Policy

Summary

Disaster recovery planning ensures that system dependencies have been identified and accounted for when developing the order of recovery, establishing recovery time and recovery point objectives, and documenting the roles of supporting Information Technology (IT) personnel.

Body

Purpose

Disaster recovery planning is about preparing for and recovering from a disaster.  Any event that has a negative impact on OU’s business continuity could be termed a disaster.  This includes hardware or software failures, a network or power outage, physical damage to a building such as from fire or flooding, human error, or some other significant event. 

Disaster recovery planning ensures that system dependencies have been identified and accounted for when developing the order of recovery, establishing recovery time and recovery point objectives, and documenting the roles of supporting Information Technology (IT) personnel.

Scope

This Disaster Recovery Policy applies to:

  • IT infrastructure and other services which facilitate Information Systems. 
  • Cloud or Third-Party hosted infrastructure and other services which facilitate Information Systems.
  • Information Systems that process or store OU data; this specifically excludes desktop devices and workstations which do not require disaster recovery plans but may require data backup.
  • The processes, policies, and procedures related to preparing for recovery or continuation of technology infrastructure, systems and applications which are vital to OU after a disaster or outage.
  • College(s), department(s), unit(s), or research projects that maintain or are responsible for a Unit-Critical system or data.

Definitions

https://itsupport.ou.edu/TDClient/30/Unified/KB/ArticleDet?ID=3018

Information Technology Disaster Recovery (IT DR) Plan

Maintaining an IT DR plan as part of Continuity of Operations Program (COOP) is of key importance to minimize the effects of a manmade or natural disruptive event or disaster.  An IT DR plan kept up-to-date and tested on a regular basis allows OU to resume critical functions in a timely and predictable manner.

  1. The Office of Information Technology must maintain a written IT DR Plan that addresses the Office of Information Technology’s IT systems so that the effects of a disaster will be minimized, and OU IT will be able either to maintain or quickly resume essential functions.
  2. Each College, Department, Unit, or Research Project independently operating or maintaining Information Systems shall maintain a written disaster recovery plan for major or catastrophic events that deny access to department and Cloud or Third-Party hosted Information Systems for an extended period.
  3. All IT DR Plan(s) will contain the following elements:
    1. Elements derived from a COOP, BCP, IT Risk Assessment, or Business Impact Analysis, where available, to systematically assess the potential impact of a loss of business functionality due to an interruption of computing and/or infrastructure support services resulting from a disruptive event or incident. 
    2. Critical internal and external points of contact for personnel who provide or receive data.
    3. Supporting infrastructure such as electric power, telecommunications connections, and environmental controls.
    4. A determination of the Recovery Time Objectives and Recovery Point Objectives.
    5. Dependent information technology systems or services to assess the impact on associated systems or processes.
    6. Existing controls and processes such as backup power, excess capacity, environmental sensors, and alarms.
    7. Recovery techniques and technologies such as backup methodologies, alternate sites, software and hardware equipment replacement, implementation roles and responsibilities.
    8. Disaster recovery procedures for major or catastrophic events that deny access to Essential and Mission-Critical IT systems or services for an extended period.
    9. Non-critical IT systems must be listed in department/unit-level IT DR Plans and shall have minimal requirements for backup validation testing.
  4. IT DR Plans and Procedures must be reviewed and updated at least annually, and more often as necessary, by the Information System Owner. 

IT Disaster Recovery Plan Testing

Periodic testing of the IT DR procedures shall be performed to determine the effectiveness of the procedures and organizational readiness to execute the IT DR Plan.  IT DR procedures shall:

  1. Be tested following the matrix below:
    1. Essential IT Systems: Every two (2) years
    2. Mission-Critical IT Systems:  Every three (3) years
    3. Non-Critical IT Systems:  Every five (5) years
  2. Tests of the IT DR procedures may include a range of testing methods from virtual (e.g., tabletop) tests to actual events.  The tests shall be documented and the results shall be used to update the procedures if necessary.  The Information System Owner shall approve the results of the tests and any resulting actions.
  3. Provide for testing of backup and/or recovery media to ensure the validity of the recovery media and process.

Alternate Site

An alternate site is an integral part of an IT DR plan.  Alternate sites:

  1. Should be implemented based on business impact analysis results.
  2. Must be geographically separated from the primary storage site to reduce susceptibility to the same disruptive event.
  3. Must be configured to facilitate timely and effective recovery operations.

IT Disaster Recovery Training and Awareness

The University must train personnel in their IT DR roles and responsibilities and must provide periodic refresher training. 

  1. All participants who are required to execute the IT Disaster Recovery Plan must participate in annual IT Disaster Recovery Planning workshops and/or tabletop exercises.

References

  • National Institute of Standards and Technology Cybersecurity Framework (CSF), PR.IP-9
  • National Institute of Standards and Technology Special Publication 800-171, Controlled Unclassified Information, 3.6.1, 3.6.2
  • General Data Protection Regulation (GDPR)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule, §164.308(a)(6), §164.308(a)(7), §164.308(a)(7)(ii)(D), §164.310(a)(2)(i), §164.312(a)(2)(ii)
  • Payment Card Industry (PCI) Data Security Standards
  • Gramm-Leach-Bliley Act (GLBA) Safeguards Title 16 I, Subchapter C, Part 314.4(h)
  • U.S. Department of Education, Protecting Student Privacy, Data Governance Checklist
  • OU HIPAA Policy – Documentation Requirements

Details

Article ID: 3125
Created: Tue 11/14/23 10:40 AM
Modified: Tue 11/14/23 10:42 AM