Original Issuance Date: August 4, 2021
Last Revision Date: March 8, 2022
1. Policy Purpose
This policy establishes the minimum requirements for an Information Technology (IT) Disaster Recovery (DR) Plan for University of Wisconsin (UW) institutions and is designed to assist in executing recovery processes in response to a disaster or significant IT disruption.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
3. Scope and Institutional Responsibilities
This policy applies to all UW System institutions, including UW System Administration.
4. Background
The President of the University of Wisconsin System is empowered to establish information security policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. The importance of an IT DR plan cannot be overemphasized; the plan is intended to minimize the disruption to UW System’s missions of scholarship, research, and administration.
5. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- Data Backup
- Disaster Recovery Plan
- Recovery Point Objective (RPO)
- Recovery Time Objective (RTO)
6. Policy Statement
Each UW institution must have IT Disaster Recovery (DR) plan(s) that outline the measures needed to restore the institution’s mission-critical operations and/or business infrastructure.
IT DR plan(s) must be included within or provide linkages to the institutional continuity of operations plan (COOP) and leverage the COOP’s internal and external communications plan. Additional elements of the IT DR plan(s) must include, at a minimum:
- Plan assumptions and limitations
- Assigned roles and responsibilities
- Escalation procedures
- Logical and physical security considerations
- Recovery monitoring and validation procedures
- Data backup and restoration procedures, including:
  - Identification of mission-critical and high-risk data systems
  - Restoral priority of the identified mission-critical and high-risk data systems
  - Documentation of and adherence to best practices for backups of the above systems including applicable archival, compliance, legal, or regulatory requirements
  - Protection of data backups commensurate with the mission criticality of the system the data supports
  - Identification of the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the above systems
  - Development, documentation, and implementation of a schedule to regularly test the above backups in accordance with best practices for their system categorization and data classification

Each UW institution must conduct annual training and/or exercises consistent with assigned roles and responsibilities outlined in the institution’s IT DR plan(s).
7. Related Documents
Regent Policy Document 25-5, Information Technology: Information Security
UW System Information Security Program
UW System Administrative Policy 1031. Information Security: Data Classification and Protection
UW System Administrative Policy 1033. Information Security: Incident Response
UW System Administrative Policy 1039. Information Security: Risk Management
8. Policy History
Revision 1: March 8, 2022
First approved: August 4, 2021
9. Scheduled Review
August 2023