Policies and Procedures

Disaster Recovery policies and procedures allow the university to maintain, resume, or restore mission-critical functions and operations quickly following a disruption of information technology services.

Disaster Recovery (DR) collaborates with information technology (IT), business continuity, and emergency management professionals from across the university to develop standards and policies. The following policies and procedures will help you understand how to protect your information and the university’s institutional data.

Related University Policies 

Disaster Recovery in External Controls  

  • Gramm-Leach-Bliley Act (GLBA) – Includes requirements for having an incident response plan and a business continuity plan.

  • PCI DSS – Requirement 12.10.1 calls for an incident response plan for use in the event of a data breach, and that plan must include business recovery and continuity procedures and data backup processes. Requirement 9.5.1 (PCI DSS v3.2.1 numbering) states that media backups must be stored in a secure location, preferably an off-site facility.

  • General Data Protection Regulation (GDPR) – Article 32 requires appropriate technical and organizational measures for the security of processing, including, as appropriate: encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident; and regular testing of those measures. Backups, documented recovery procedures and restore testing are therefore directly relevant to remaining GDPR-compliant.

  • Health Insurance Portability and Accountability Act (HIPAA) – The Security Rule's contingency plan standard (45 CFR 164.308(a)(7)) requires a data backup plan, a disaster recovery plan and an emergency mode operation plan, and (as addressable specifications) testing and revision procedures and an applications and data criticality analysis, so that electronic protected health information (ePHI) remains available in case of a disaster. Two key HIPAA requirements to consider: secure access and a contingency plan.

Disaster Recovery in Contracts with Vendors 

  • Data Security and Privacy Addendum (DSPA) – When completed as an alternative to a third-party security risk assessment, a DSPA commits vendors and their subcontractors to maintaining appropriate and effective business continuity and disaster recovery plans, so that data and business operations remain resilient.

Disaster Recovery Procedures 

  • Information Security Control Requirements, specifically but not limited to: 

    • IT1 Disaster-related Risk – Limit the negative impact of a disruptive event on IT operations and ensure timely access to information assets.

    • IT17.1 Asset inventory – An inventory must be maintained of all university-owned network devices, server and client systems, and mobile devices.  

    • DAT1.1.2 Critical System Registry – Organizations must develop and maintain a critical system registry.  

  • Continue Planning – Plan for unexpected downtime by following documented steps and strategies.

  • Keep Testing – Test plans to ensure people and IT systems are ready to recover quickly from unexpected downtime.

  • Prepare for Recovery – Know how to reach key contacts and keep a list of the information your recovery plans depend on. Our Recover page has resources and a checklist you can build on.

  • DR CARE – Increase resiliency through in-depth DR assessments of critical university systems.