REG 04.00.07 – Developing Business Continuity and IT Disaster Recovery Plans

Authority: Chancellor

History: First Issued: May 23, 2006. Last Revised: December 20, 2010.

Related Policies:
NCSU REG04.00.01 – Standard Operating Procedures for Crisis Communications
NCSU REG01.25.10 – HIPAA Security Regulation

Additional References:
State of NC General Statutes 147-33.89 Business Continuity Planning
State of NC – ITS 18.05 Business Continuity Management Policy

Contact Info: Director of Business Continuity (919-515-5201)


1. INTRODUCTION

This regulation addresses the responsibilities of university Business Units to identify critical processes and to develop, maintain, and exercise business continuity and IT Disaster Recovery plans in coordination with the Department of Business Continuity and Cohort Coordinators.

2.  DEFINITIONS

2.1  Emergency:  a sudden or unexpected occurrence or combination of occurrences that may cause injury, loss of life, destruction of property or cause the interference, loss or disruption of a unit’s normal business operations to such an extent that it poses a threat to the campus community.  An emergency is something that may overwhelm the University’s ability to resolve the situation.

2.2  Disaster:  a sudden, unplanned event with a significant scope of impact, involving many people if not an entire community, as determined by the scope of the event, the number of lives impacted, and the devastation of property.  The term also refers to:  1) the disruption of critical business activities for some predetermined period of time;  2) the period when university management decides to divert from normal schedules and exercises its IT Disaster Recovery plan, signified by the beginning of the move from primary to alternate processing.

2.3  Critical:  processes or services that could not be interrupted or remain unavailable for several business days without significantly jeopardizing the university’s ability to serve its students and the communities of North Carolina during an emergency.

2.4  Business Unit:  any academic or administrative department, unit, center, institute, division, or college.

2.5  Cohort:  a term used by the Business Continuity and Disaster Recovery Oversight Committee to uniquely group all NC State University Business Units with a commonality of services to facilitate a more efficient way of planning.  The following Cohorts have been identified to group departmental plans:  Academic and Student Affairs (DASA), Teaching & Academic Programs, Extension & Engagement, Research Programs, Information Technology, Business Administration, Environmental Health & Public Safety, and Space/Facilities.

3.  GENERAL RESPONSIBILITY

3.1  Business Continuity and Disaster Recovery Oversight Committee

3.1.1  To continue broad oversight of NC State University business continuity and disaster recovery planning, the Chancellor will appoint a Business Continuity and Disaster Recovery Oversight Committee.  The committee is composed of a cross-section of academic and administrative leaders who have a working knowledge of business continuity and IT disaster recovery processes.

The Committee has the following goals:

3.1a  Reviews annual work goals of the Department of Business Continuity.

3.1b  Reviews a representative number of risk assessments and tabletop drills to determine adequacy of recovery plans.

3.1c  Makes recommendations on how to enhance Business Continuity processes.

3.1d  Provides an annual written summary to the Chancellor.

3.2  Department of Business Continuity

The Department of Business Continuity is responsible for:

3.2a  Providing guidance and recommending recovery strategies for Business Units.

3.2b  Developing and maintaining a Business Continuity framework for Business Units that includes policies and procedures and, where applicable, templates for business continuity and IT Disaster Recovery plans and exercises.

3.2c  Facilitating a campus-wide Risk Assessment and Business Impact Analyses every other year.

3.2d  Performing as Administrator of the business continuity planning software.

3.2e  Developing campus training and awareness programs for Business Continuity.

3.2f  Providing independent reviews and validation of Business Unit Business Continuity Plans.

3.3  Cohort Coordinator

3.3a  Members of the Business Continuity and Disaster Recovery Committee serve as Cohort Coordinators.  Cohort Coordinators have the following responsibilities:

3.3b  Obtain assurance from the Department of Business Continuity that a university-wide Risk Assessment and Business Impact Analysis have been completed every two years.

3.3c  Identify critical business processes of the university and obtain assurance from University Department Heads that Business Continuity and IT Disaster Recovery Plans have been developed, tested and maintained consistent with the framework established by the Department of Business Continuity.

3.3d  Aid in identifying a departmental contact for the Department of Business Continuity to work with on plan development, maintenance and exercises.

3.3e  Randomly audit a select number of Plans on an annual basis.

4.  PROCEDURE

4.1  Business Impact Analysis and Risk Assessment

4.1.1  The Department of Business Continuity will complete a Business Impact Analysis and Risk Assessment every two years as directed by Cohort Coordinators.  The Department of Business Continuity will develop a report of the findings and present the results to the Cohort Coordinators.

4.1.2  The Business Impact Analysis will identify critical business processes and workflow, determine the qualitative and quantitative impacts of a vulnerability/threat, and prioritize and establish recovery time objectives for the critical processes.

4.1.3  The Risk Assessment will identify vulnerabilities and threats that may impact the university’s ability to fulfill its mission and define the controls in place to reduce the exposure to the vulnerabilities/threats as well as evaluate the probability of a particular event.

4.2  Business Continuity and IT Disaster Recovery Plans

4.2.1  Business Units will develop a Business Continuity and IT Disaster Recovery Plan that supports critical business processes.  These Plans provide for the continuance of critical processes in the event of an emergency that impacts the unit’s ability to use its facility or to access information technology resources or infrastructure, or in the event of a long-term power outage.

4.3  Exercising Plans

4.3.1  Business Units that have identified critical business processes are required to exercise their Business Continuity and IT Disaster Recovery Plans at least annually as directed by the Department of Business Continuity, with results reported to the Cohort Coordinators.  Departmental exercises may be conducted more frequently at the discretion of Management.

4.4  Plan Maintenance

4.4.1  Business Units are required to review Plans at least quarterly and update Plans whenever changes occur in their operating procedures, processes, or key personnel.

4.4.2  Plans must be updated to maintain accurate lists of key personnel, telephone numbers, call trees, and plan elements that may be affected by changes in unit structure or processes.

4.5  Plan Approval

4.5.1  Business Continuity and IT Disaster Recovery Plans are subject to annual approval by a Department Head/Director, Vice Chancellor level, Vice Provost level, or Dean.

4.5.2  The Department of Business Continuity will facilitate the method for Plan Approval.

4.5.3  Plans must be approved annually no later than the end of the first quarter.  The Department of Business Continuity will develop a procedure for plans that are not approved by the deadline.