- Resource Criticality: Each department will inventory the information technology resources (including the facility, equipment, software and data) used in the department and identify the resources needed to support critical functions.
- Data Backup: Data Stewards will develop process(es) for creating and storing backup copies of the critical data under their management. Custodians and users will use those processes. These process(es) should be based on the sensitivity, volatility, and value of the data, as well as the difficulty of reproducing it if and when that becomes necessary.
- Disaster Recovery: Each department will develop and implement process(es) for recovering any data or functional capabilities that may have been lost as the result of a security incident or other disastrous event. Execution of disaster recovery plans may include activities performed by University staff or third-party resources from outside of the department. These resources should be involved in disaster recovery planning. The actions described in disaster recovery plans should support disaster response and return to normal operations in a timeframe that is acceptable to the department.
- Emergency Operations: Each department will develop and implement operational procedures for critical priority business functions that must continue during emergency situations. The plans should address access to data and equipment during the emergency. They should identify the functions that should be available and the people who will be involved in providing them. The plans should also include the activities needed to return from "emergency mode" to normal operations.
- Plan Testing and Revision: Each department will periodically test and review the contingency plans for critical functions and verify that the plans are adequate. When departmental requirements change, the plans should be reviewed to make sure that they respond adequately to the new requirements.
- Responsibility for 3rd Party Providers: If technology resources and/or data storage are provided by another University entity or a non-University entity, the primary responsibility for contingency planning and disaster recovery remains with the department. Department heads are expected to work with their technology providers to ensure that such 3rd parties have appropriate facilities, resources and processes in place to adequately support the department's requirements to meet "emergency operational needs."
Responsibilities: Department Heads and Directors must ensure that plans are in place both for the continuation of critical departmental functions during emergency situations and for disaster recovery activities. Data Stewards, as defined in the Policy on Roles and Responsibilities with Respect to University Data, are responsible for the security of the information technology resources (including the facility, equipment, software and data) that are within their control and/or protection. Data Stewards responsible for major systems used at the University will define the contingency activities for those systems, and departments will use the contingency procedures provided by those Data Stewards. Data Stewards are also responsible for remaining knowledgeable about regulatory and University security requirements that affect their data. As a result, Data Stewards will provide critical input to the development of departmental disaster recovery and business continuity plans.

Departments may need contingency procedures that address departmental functions not supported by other Data Stewards. Department heads may delegate the contingency planning for those functions to administrators they appoint to manage the processes for them. They should ensure that all parties expected to participate in a recovery event have participated in planning activities and are able to provide the expected services. Departments and units must adhere to the Responsibilities of Individual Departments and Units policy when developing the required processes. The University's security policies set a minimum level of protection for information technology resources; the processes and technologies instituted by departments must achieve that level of protection and may provide additional protections where stricter requirements apply to the department or operating unit. When designing or implementing security policies, procedures, or technical solutions that respond to unique departmental needs, departments should ensure that they remain in compliance with the Physical Network Access policy.

Enforcement and Review: The Chief Information Officer has overall responsibility for this policy. The Chief Information Officer will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy. Any individual who suspects a violation of this policy may report it to the Compliance Office in the Office of Audit, Compliance and Ethics at (860) 486-4526, or anonymously through the Reportline (https://www.compliance-helpline.com/uconncares.jsp). Violations of this policy may result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

Policy Implementation Guidelines: Departments required to implement these security management processes should also refer to http://itpolicy.uconn.edu/ , where UITS maintains a set of documents (policies, procedures, guidelines, and standards) that provide additional detail.

Last updated: August 2008