Information Security: IT Disaster Recovery

Original Issuance Date: August 4, 2021

Last Revision Date: March 8, 2022

1. Policy Purpose

This policy establishes the minimum requirements for an Information Technology (IT) Disaster Recovery (DR) Plan for University of Wisconsin (UW) institutions and is designed to assist in executing recovery processes in response to a disaster or significant IT disruption.

2. Responsible UW System Officer

Associate Vice President (AVP) for Information Security

3. Scope and Institutional Responsibilities

This policy applies to all UW System institutions, including UW System Administration.

4. Background

The President of the University of Wisconsin System is empowered to establish information security policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. The Importance of an IT DR plan cannot be overemphasized and is intended to minimize the disruption to UW System’s missions of scholarship, research, and administration.

5. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

Data Backup
Disaster Recovery Plan
Recovery Point Objective (RPO)
Recovery Time Objective (RTO)

6. Policy Statement

IT Disaster Recovery (DR) plan(s) must exist at each UW institution which outline measures needed to restore the institution’s mission critical operations and/or business infrastructure.

IT DR plan(s) must be included within or provide linkages to the institutional continuity of operations plan (COOP) and leverage the COOP’s internal and external communications plan. Additional elements of the IT DR plan(s) must include as a minimum:

Plan assumptions and limitations
Assigned roles and responsibilities

Escalation procedures
Logical and physical security considerations
Recovery monitoring and validation procedures
Data backup and restoration procedures, including:
- Identification of mission-critical and high-risk data systems
- Restoral priority of the identified mission-critical and high-risk data systems
- Documentation of and adherence to best practices for backups of the above systems including applicable archival, compliance, legal, or regulatory requirements
- Protection of data backups commensurate with the mission criticality of the system the data supports
- Identification of the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the above systems
- Development, documentation, and implementation of a schedule to regularly test the above backups in accordance with best practices for their system categorization and data classification

Each UW institution must conduct annual training and/or exercises consistent with assigned roles and responsibilities outlined in the institution’s IT DR plan(s).