NC State University


Developing Business Continuity And Disaster Recovery Plans

REG 04.00.7

Campus Environment

Authority: Chancellor

History: First Issued: May 23, 2006.

Related Policies:
Crisis Communication Plan (REG04.00.1)
HIPAA Security Regulation (REG 01.25.10)

Additional References:
State of NC General Statutes 147-33.89 Business Continuity Planning

State of NC - ITS 18.05 Business Continuity Management Policy

Contact Info: Director of Business Continuity (919-515-5201)


1. INTRODUCTION

This regulation addresses the responsibilities of university business units to identify critical functions and to develop, maintain, and exercise business continuity and disaster recovery plans in coordination with the Department of Business Continuity and Disaster Recovery Planning and Cohort Coordinators.

2. DEFINITIONS

2.1 Emergency: a sudden or unexpected occurrence or combination of occurrences that may cause injury, loss of life, destruction of property or cause the interference, loss or disruption of a unit's normal business operations to such an extent that it poses a threat to the campus community. An emergency is something that may overwhelm the University's ability to resolve the situation.

2.2 Disaster: a sudden, unplanned event with a significant scope of impact involving many people if not an entire community and is based on the scope of the event, number of lives impacted, and the devastation of property; 1) the disruption of critical business activities for some predetermined period of time. 2) The period when university management decides to divert from normal schedules and exercises its disaster recovery plan signified by the beginning of moving from primary to alternate processing.

2.3 Critical: functions or services offered that could not be interrupted or unavailable for several business days without significantly jeopardizing the university's ability to serve its students and the communities of North Carolina.

2.4 Business Unit: any academic or administrative department, unit, center, institute, division, or college.

2.5 Cohort: a term used by the Business Continuity and Disaster Recovery Oversight Committee to uniquely group all NC State University business units with a commonality of services to facilitate a more efficient way of planning. Nine (9) Cohorts have been identified to group departmental plans: Student Affairs, Teaching & Academic Programs, Extension & Engagement, Research Programs, Administrative IT, Academic IT, Business Administration, Environmental Health & Public Safety, and Space/Facilities.

3. GENERAL RESPONSIBILITY

3.1 Business Continuity and Disaster Recovery Oversight Committee

To continue broad oversight of NC State University Business Continuity and Disaster Recovery Planning, the Chancellor will appoint a Business Continuity and Disaster Recovery Oversight Committee. The committee is composed of a cross-section of academic and administrative leaders who have a working knowledge of business continuity and disaster recovery processes.

The Committee has the following goals:

a. Reviews annual work goals of the Department of Business Continuity

b. Reviews a representative number of risk assessments and tabletop drills to determine adequacy of recovery plans

c. Makes recommendations on how to enhance Business Continuity processes

d. Provides an annual written summary to the Chancellor

3.2 Department of Business Continuity and Disaster Recovery

The Department of Business Continuity and Disaster Recovery is responsible for:

a. Facilitating the completion of Risk Assessment and Business Impact Analyses and the development of Business Continuity/Disaster Recovery Plans with the Cohort Coordinators.

b. Providing guidance and recommending recovery strategies

c. Developing and maintaining a Business Continuity framework for business units that includes policies and procedures and, where applicable, templates for business continuity and disaster recovery plans, risk assessments, and exercises and testing.

d. Performing as Administrator of the business continuity planning software

e. Developing campus training and awareness programs for Business Continuity.

f. Providing independent reviews and validation of business unit business continuity plans.

3.3 Cohort Coordinator

The Cohort Coordinator is responsible for ensuring that each business unit within their cohort has completed a Risk Assessment, Business Impact Analysis, and has developed a Business Continuity Plan consistent with the framework and templates established by the Department of Business Continuity and Disaster Recovery. They are also responsible for identifying a departmental contact for each business unit within the Cohort and ensuring the plans, assessments, and analyses are tested, reviewed, and updated within the established time periods. The Cohort Coordinator or designee is responsible for coordinating the above activities with the Department of Business Continuity and Disaster Recovery and must sign off on all business unit Risk Assessments, Business Impact Analysis, Business Continuity Plans/Disaster Recovery Plans, and Test Plans. Members of the Business Continuity and Disaster Recovery Committee serve as Cohort Coordinators.

4. PROCEDURE

4.1 Business Impact Analysis and Risk Assessment

Each business unit that meets the committee criteria of 'critical' will conduct a Business Impact Analysis and Risk Assessment annually as directed by the respective Cohort Coordinator with results reported to the Department of Business Continuity and Disaster Recovery. The Business Impact Analysis will identify critical business functions and workflow; determine the qualitative and quantitative impacts of a vulnerability/threat; and prioritize/establish recovery time objectives for the critical functions. The Risk Assessment will identify vulnerabilities and threats that may impact the business unit's ability to fulfill the mission of NC State University and define the controls in place to reduce the exposure to the vulnerabilities/threats as well as evaluate the probability of a particular event. The Business Impact Analysis and Risk Assessment must be approved/signed off by the Department Head/Director, Dean or Vice Chancellor (or designated vice provost or associate vice chancellor), and Cohort Coordinator.

4.2 Business Continuity and Disaster Recovery Plan

Each business unit will develop a business continuity and disaster recovery plan as directed by the respective Cohort Coordinator with results reported to the Department of Business Continuity and Disaster Recovery. The Plan provides for the continuance of critical functions in the event of a business disruption. The Business Continuity Plan will consist of advance arrangements and procedures for maintaining/continuing the unit's identified critical business functions in the event of an interruption or essential change such as the absence of the administrative IT environment. The Disaster Recovery Plan will define the unit's resources, actions, tasks and data required to assist in the recovery of the unit's identified critical business functions. The Department of Business Continuity and Disaster Recovery will maintain a campus-wide capability for business units to develop and maintain business continuity plans. The Business Continuity and Disaster Recovery Plans must be approved/signed off by the Department Head/Director and the appropriate Dean or Vice Chancellor (or designated vice provost or associate vice chancellor), and Cohort Coordinator.

4.3 Testing and Exercising Plans

Critical business units are required to test their Business Continuity Plan at least annually as directed by the Cohort Coordinator with results reported to the Department of Business Continuity and Disaster Recovery. Departmental exercises may be conducted more frequently at the discretion of management. Test and Exercise plans must be approved/signed off by the Department Head/Director and Cohort Coordinator.

4.4 Plan Maintenance

Business units are required to review their Business Continuity Plans at least quarterly and update the plans whenever changes occur in their operating procedures, processes, or key personnel. Plans must be updated to maintain accurate lists of key personnel, telephone numbers, call trees and plan elements that may be affected by changes in unit structure or functions. The respective Department Head/Director, Dean or Vice Chancellor (or designated vice provost or associate vice chancellor), and Cohort Coordinator must review and approve the updated plan on, at least, an annual basis.