Business Continuity and Disaster Recovery Policy
Columbia University requires adequate protections to be established to assure the continuity and recovery of the University’s business following the loss of Systems (as defined in the Columbia University Information Security Charter (the “Charter”)) that are critical to the operations of a business unit of the University (a “Key Business System”). This Policy defines acceptable methods for business continuity and disaster recovery planning, leveraging a risk-based analysis in order to prepare for and maintain the continuity of the University’s operations in case of the loss of a Key Business System.
Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
The effective date of this Policy is November 1, 2013. This Policy replaces the CUIMC Information Security: Disaster Contingency and Recovery Plan Policy, dated November 15, 2007.
III. Policy Text
A. Business Risk Assessment and Business Impact Analysis
Each Executive Manager is required to perform a Business Risk Assessment and Business Impact Analysis for each Key Business System that is used in his/her area of responsibility. The assessment should identify and define the criticality of Key Business Systems and the repositories that contain the relevant and necessary University Data for the Key Business System. The assessment should also define and document the Disaster Contingency and Recovery Plan (the “Contingency Plan”) for his/her area of responsibility. Such Plan shall include the following:
- Key business processes;
- Applicable risk to availability;
- Prioritization of recovery;
- Recovery Time Objectives; and
- Recovery Point Objectives.
For purposes of this Policy, a “Recovery Time Objective” is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity and a “Recovery Point Objective” is the maximum tolerable period during which Data might be lost from an Information Resource.
B. Contingency Plans
Each Key Business System must have a Contingency Plan documented for when hardware, software or Networks become critically dysfunctional or cease to function (short term and long term outages). This Plan should include an explanation of the magnitude of information or System unavailability in the event of an outage and the process that would be implemented to continue operations during the outage. In addition, the feasibility of utilizing alternative off-site computer operations should be addressed. Specifically, the Contingency Plan must include:
- An Emergency Mode Operations Plan for continuing operations in the event of temporary hardware, software or Network outage. This Plan should contain information relating to the end user process for continuing operations.
- A Recovery Plan for returning functions and services to normal on-site operations when a disaster is over.
- A procedure for periodic testing, review and revision of the Contingency Plan for all affected Systems, as a group and individually as needed.
C. Data Backup Plans
Each System Owner and IT Custodian will implement a Data Backup Plan or document the decision to forgo a Plan with a risk-based analysis. Such Plan should define the following:
- Who is responsible for taking reasonable steps to ensure the backup of University Data, particularly Sensitive Data and Confidential Data;
- A backup schedule;
- The Key Business Systems that are to be backed up;
- Where backup media is to be stored and workforce members who may access the stored backup media;
- Where backup media is to be kept secure before it is moved to storage, if applicable;
- Who may remove the backup media and transfer it to storage;
- Restoration procedures to restore Key Business System Data from backup media to the appropriate System;
- Test restoration procedures and frequency of testing to confirm the effectiveness of the Plan;
- The retention period for backup media; and
- A method for restoring encrypted backup media, including encryption key management.
IV. Cross References to Related Policies
The Information Security Policies referred to in this Policy are listed in Appendix A hereto.