Effective Date: October, 2013
Columbia University requires adequate protections to be established to assure the continuity and recovery of the University’s business following the loss of Systems (as defined in the Columbia University Information Security Charter (the “Charter”)[http://policylibrary.columbia.edu/information-security-charter]) that are critical to the operations of a business unit of the University (a “Key Business System”). This Policy defines acceptable methods for business continuity and disaster recovery planning, leveraging a risk-based analysis in order to prepare for and maintain the continuity of the University’s operations in case of the loss of a Key Business System.
Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
The effective date of this Policy is November 1, 2013. This Policy replaces the CUMC Information Security: Disaster Contingency and Recovery Plan Policy, dated November 15, 2007.
III. Policy Text
A. Business Risk Assessment and Business Impact Analysis
Each Executive Manager is required to perform a Business Risk Assessment and Business Impact Analysis for each Key Business System that is used in his/her area of responsibility. The assessment should identify and define the criticality of Key Business Systems and the repositories that contain the relevant and necessary Data for the Key Business System. The assessment should also define and document the Disaster Contingency and Recovery Plan (the “Contingency Plan”) for his/her area of responsibility. Such Plan shall include the following:
For purposes of this Policy, a “Recovery Time Objective” is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. A “Recovery Point Objective” is the maximum tolerable period during which Data might be lost from an Information Resource.
B. Contingency Plans
Each Key Business System must have a Contingency Plan documented for when hardware, software or Networks become critically dysfunctional or cease to function (short-term and long-term outages). This Plan should include an explanation of the magnitude of information or System unavailability in the event of an outage and the process that would be implemented to continue operations during the outage. In addition, the feasibility of utilizing alternative off-site computer operations should be addressed. Specifically, the Contingency Plan must include:
C. Data Backup Plans
Each System Owner and IT Custodian will implement a Data Backup Plan or document the decision to forgo a Plan with a risk-based analysis. Such Plan should define the following:
IV. Cross References to Related Policies
The Information Security Policies referred to in this Policy are listed in Appendix A hereto.
Information Security Charter