Original Issuance Date: August 4, 2021 

Last Revision Date: August 4, 2021 

Effective Date: August 1, 2022 

1. Policy Purpose 

This policy establishes the minimum requirements for an Information Technology (IT) Disaster Recovery (DR) Plan for University of Wisconsin (UW) institutions and is designed to assist in executing recovery processes in response to a disaster or significant IT disruption. 

2. Responsible UW System Officer 

Associate Vice President (AVP) for Information Security

3. Scope and Institutional Responsibilities 

This policy applies to all UW System institutions, including UW System Administration. 

4. Background 

The President of the University of Wisconsin System is empowered to establish information security policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. The Importance of an IT DR plan cannot be overemphasized and is intended to minimize the disruption to UW System’s missions of scholarship, research, and administration. 

5. Definitions 

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Data classifications (high/moderate/low risk) are captured in SYS 1000. Additional terms and definitions found within this policy include: 

  • Disaster Recovery (DR) Plan: A written plan with detailed procedures to restore IT systems after a significant disruption of services that will let the organization operate at an acceptable level.  
  • Recovery Time Objective (RTO): The maximum length of time an information system’s components can be in the recovery phase before negatively impacting the UW institution’s mission or business processes. 
  • Recovery Point Objective (RPO): The point in time to which the UW institution’s data must be recovered after an outage. 
  • Data Backup: A copy of files and programs made to facilitate recovery of the data and service if necessary. 

6. Policy Statement 

IT Disaster Recovery (DR) plan(s) must exist at each UW institution which outline measures needed to restore the institution’s mission critical operations and/or business infrastructure.  

IT DR plan(s) must be included within or provide linkages to the institutional continuity of operations plan (COOP) and leverage the COOP’s internal and external communications plan. Additional elements of the IT DR plan(s) must include as a minimum: 

  • Plan assumptions and limitations 
  • Assigned roles and responsibilities 
  • Escalation procedures 
  • Logical and physical security considerations 
  • Recovery monitoring and validation procedures 
  • Data backup and restoration procedures, including: 
    • Identification of mission-critical and high-risk data systems 
    • Restoral priority of the identified mission-critical and high-risk data systems  
    • Documentation of and adherence to best practices for backups of the above systems including applicable archival, compliance, legal, or regulatory requirements  
    • Protection of data backups commensurate with the mission criticality of the system the data supports 
    • Identification of the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the above systems 
    • Development, documentation, and implementation of a schedule to regularly test the above backups in accordance with best practices for their system categorization and data classification 
  • Each UW institution must conduct annual training and/or exercises consistent with assigned roles and responsibilities outlined in the institution’s IT DR plan(s).

7. Related Documents 

Regent Policy Document 25-5, Information Technology: Information Security    

UW System Information Security Program    

UW System Administrative Policy 1031. Information Security: Data Classification and Protection 

UW System Administrative Policy 1033. Information Security: Incident Response 

UW System Administrative Policy 1039. Information Security: Risk Management 

8. Policy History 

First approved: August 4, 2021 

9. Scheduled Review  

August 2023