Original Issuance Date: August 4, 2021
Last Revision Date: August 4, 2021
Effective Date: August 1, 2022
1. Policy Purpose
This policy establishes the minimum requirements for an Information Technology (IT) Disaster Recovery (DR) Plan for University of Wisconsin (UW) institutions and is designed to assist in executing recovery processes in response to a disaster or significant IT disruption.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
3. Scope and Institutional Responsibilities
This policy applies to all UW System institutions, including UW System Administration.
The President of the University of Wisconsin System is empowered to establish information security policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. The Importance of an IT DR plan cannot be overemphasized and is intended to minimize the disruption to UW System’s missions of scholarship, research, and administration.
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Data classifications (high/moderate/low risk) are captured in SYS 1000. Additional terms and definitions found within this policy include:
- Disaster Recovery (DR) Plan: A written plan with detailed procedures to restore IT systems after a significant disruption of services that will let the organization operate at an acceptable level.
- Recovery Time Objective (RTO): The maximum length of time an information system’s components can be in the recovery phase before negatively impacting the UW institution’s mission or business processes.
- Recovery Point Objective (RPO): The point in time to which the UW institution’s data must be recovered after an outage.
- Data Backup: A copy of files and programs made to facilitate recovery of the data and service if necessary.
6. Policy Statement
IT Disaster Recovery (DR) plan(s) must exist at each UW institution which outline measures needed to restore the institution’s mission critical operations and/or business infrastructure.
IT DR plan(s) must be included within or provide linkages to the institutional continuity of operations plan (COOP) and leverage the COOP’s internal and external communications plan. Additional elements of the IT DR plan(s) must include as a minimum:
- Plan assumptions and limitations
- Assigned roles and responsibilities
- Escalation procedures
- Logical and physical security considerations
- Recovery monitoring and validation procedures
- Data backup and restoration procedures, including:
- Identification of mission-critical and high-risk data systems
- Restoral priority of the identified mission-critical and high-risk data systems
- Documentation of and adherence to best practices for backups of the above systems including applicable archival, compliance, legal, or regulatory requirements
- Protection of data backups commensurate with the mission criticality of the system the data supports
- Identification of the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the above systems
- Development, documentation, and implementation of a schedule to regularly test the above backups in accordance with best practices for their system categorization and data classification
- Each UW institution must conduct annual training and/or exercises consistent with assigned roles and responsibilities outlined in the institution’s IT DR plan(s).
7. Related Documents
8. Policy History
First approved: August 4, 2021
9. Scheduled Review