3.02 – Business Continuity and Disaster Recovery Plan

Purpose of Document:

To establish adequate protections to assure the continuity and recovery of the Seminary’s business following the loss of systems that are critical to the operations of the Seminary. 

Policy:

Business Risk Assessment and Business Impact Analysis: 

LITS will routinely perform a Business Risk Assessment and Business Impact Analysis to identify and define critical systems and the repositories that contain the relevant and necessary data for those critical systems. The assessment should also define and document the Disaster Contingency and Recovery Plan. This plan should identify the following: 

  • Key processes/Critical systems
  • Applicable risk to availability of those processes/systems
  • Prioritization of recovery
  • Recovery time objectives
  • Recovery point objectives

For purposes of this Policy, a “Recovery Time Objective” is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. A “Recovery Point Objective” is the maximum tolerable period during which Data might be lost from an Information Resource.

IT Risk Management

On at least an annual basis, LITS will conduct a Risk Assessment of all data systems. This assessment will identify and define any risks associated with LITS electronic resources. 

Results of this assessment will be used to update Disaster Recovery Contingency, Data Backup, and Physical Resource Recovery Plans

The results of this assessment will not be publicly available; however, more information is available from LITS upon request. 

Contingency Plans

Each key system must have a contingency plan documented for when hardware, software, or networks cease to function properly, including both short and long term outages. This plan should include both an explanation of the critical importance of the information and a plan for continuing operations during an outage. Specifically, the contingency plan should include: 

  1. An Emergency Operations Plan for continuing operations during a temporary outage. This plan should contain information relating to the end user process for continuing operations. 
  2. A Recovery Plan for returning functions and services to normal operations when a disaster is over.
  3. A procedure for periodic testing, review, and revision of the Contingency Plan for all affected systems.

Data Backup Plans

LITS will implement a Data Backup Plan. Each plan should define the following: 

  1. The person(s) responsible for ensuring the backup of data, particularly sensitive and/or confidential data. 
  2. A backup schedule.
  3. The systems to be backed up.
  4. The location where backup media is to be secured, including any plans for long or short term storage.
  5. The person(s) authorized to access or move the backup media.
  6. The procedure for restoring data from backup media to the appropriate systems.
  7. The procedure for testing the effectiveness of backup and restoration procedures and the frequency of that testing.
  8. The length of time backup media will be retained.
  9. A method for restoring encrypted backup media, including encryption key management.

Physical Resources Plans

LITS will implement a Physical Resources Recovery Plan, which should define the following: 

  • Procedures for protecting and recovering electronic hardware (e.g. computers and servers).
  • Procedures for protecting and recovering media resources (e.g. books, journals, microfiche, etc.). 

See Disaster Recovery Contingency Plan, Data Backup Plan, and Physical Resource Recovery Plan for additional information.

Review/Update of Plans

LITS shall  review and update their Business Continuity and Disaster Recovery Plan on an annual basis. 

LITS Staff reserve the right to modify this policy at any time.

Approvals: 

  • LITS: October 11, 2019
  • Provost: February 2020