REG 04.00.07 – Developing University Continuity and IT Disaster Recovery Plans

Authority: Chancellor

History: First Issued: May 23, 2006. Last Revised: July 23, 2024.

Additional References:
State of NC – ITS 18.05 Business Continuity Management Policy

Contact Info: Senior Director, Emergency Preparedness and Strategic Initiatives, ncstateemmc@ncsu.edu (919-515-6655)

1. INTRODUCTION

This regulation addresses the responsibilities of university divisions, colleges, departments and units to identify critical services and processes and to develop, maintain, and exercise academic, business, mission and research continuity and IT disaster recovery plans in coordination with the Department of Emergency Management and Mission Continuity, and other supporting departments and units.

2. DEFINITIONS

2.1 Emergency or unplanned major event: a sudden or unexpected occurrence or combination of occurrences that may cause injury, loss of life, destruction of property or cause the interference, loss or disruption of a unit’s normal business operations to such an extent that it poses a threat to the university community. An emergency or unplanned major event is something that may inundate the university’s ability to resolve the situation, be of significant impact and require heightened response.

2.2 Disaster: an event with a significant scope of impact involving many people if not an entire community and is based on the scope of the event, number of lives impacted, and the devastation of property, a disruption of critical business activities for some predetermined period of time, or a period when university management decides to divert from normal schedules and exercises its IT disaster recovery plan signified by the beginning of moving from primary to alternate processing.

2.3 Critical: processes or services offered that, if interrupted or unavailable for several university business days, would significantly jeopardize the university’s ability to serve its students and the communities of North Carolina during an emergency.

2.4 Pack Ready Emergency Plans: university plans completed on the college, department, division and/or unit levels, reflecting information needed for resiliency and response planning.

3. AREAS OF PLAN RESPONSIBILITIES

3.1 Resiliency and Continuity Plans

Resiliency and continuity plans consist of four key elements: business, mission, academic and research continuity. Resiliency and continuity plan development is predicated on risk assessment and prioritization of continuity requirements. Each plan element will be guided by the following university stakeholders:

3.1.1 Business and mission continuity, IT– Emergency Management and Mission Continuity (EMMC) and Office of Information Technology (OIT)

3.1.2 Research continuity– Office of Research and Innovation

3.1.3 Academic continuity–Office of the Provost

4. DEPARTMENT OF EMERGENCY PREPAREDNESS AND STRATEGIC INITIATIVES

The Department of Emergency Preparedness and Strategic Initiatives is responsible for:

4.1 Providing guidance and recommending resiliency planning, continuity and recovery strategies for university divisions, colleges, units and departments.

4.2 Developing and maintaining a framework for university plans that includes policies and procedures and, where applicable, templates for preparedness/mitigation, response, continuity and recovery plans, (referred to as Pack Ready Preparedness Plans) and exercises. Planning frameworks and templates will be developed in collaboration with academic, research partners and business units and shared and maintained collectively with these units.

4.3 Facilitating a university-wide Risk Assessment and IT Business Impact Analysis every five (5) years.

4.4 Developing university training and awareness programs, including exercises and planning assessments.

4.5 Providing independent reviews and validation of unit plans as well as facilitating college and unit level approvals.

4.6 Guiding units in the development of business and mission continuity and IT disaster recovery planning that support critical business services/processes in partnership with the service owners. This planning is necessary for the continuity of critical services/processes, in the event of an unplanned interruption that impacts facility use, access to information technology or infrastructure, and a long-term power outage.

4.7 Ensuring all continuity plans are updated to maintain current information regarding emergency contacts, mandatory personnel, call trees and plan elements that may be affected by changes in unit structure or processes.

4.8 Identifying critical university business services/processes and assisting with resiliency and continuity planning via college and unit plans.

5. EMERGENCY PLANNING AND MISSION CONTINUITY STEERING COMMITTEE

To continue broad oversight of university resilience, continuity and recovery planning, the Chancellor will appoint an Emergency Planning and Mission Continuity Steering Committee. The committee is composed of a cross-section of academic and administrative leaders who have a working knowledge of resiliency, continuity and IT disaster recovery processes.

The Steering Committee is responsible for and advising on the following:

5.1 Reviewing

5.2 Reviewing a representative number of risk assessments and tabletop drills to determine adequacy of unit and college level continuity and recovery planning strategies, to align with local, state and federal requirements in preparedness plans.

5.3 Making recommendations on how to enhance university preparedness, resilience and continuity planning.

5.4 Reviewing Business Impact Analysis and Risk Assessments, and advising on prioritization of the findings for planning paradigms.

5.4.1 The Business Impact Analysis will identify critical business services/processes and workflow; determine the qualitative and quantitative impacts of a vulnerability/threat and help prioritize and establish best estimate recovery time frame objectives and resources (funding, people and technology) for the critical services/processes.

5.4.2 The Risk Assessment will identify vulnerabilities and threats that may impact the university’s ability to fulfill its mission and define the controls in place to reduce the exposure to the vulnerabilities/threats as well as evaluate the probability of a particular event.

6. RESEARCH CONTINUITY AND RECOVERY COMMITTEE

6.1 To continue broad oversight of university research continuity and recovery planning, the Vice Chancellor for Research and Innovation will annually appoint a Research Continuity and Recovery Committee. The Committee should be composed of representatives from the Office of Research and Innovation, Provost’s Office, Office of General Counsel, Office of Information Technology, Office of Partnership and Environmental Health and Public Safety Division. These central offices will guide appropriate expectations of research continuity and the research review process.

6.2 The Committee has the following responsibilities:

6.2.1 Reviewing a representative number of risk assessments to determine the adequacy of the research review process and resources.

6.2.2 Reviewing essential research criterion requirements regularly.

6.2.3 Reviewing college and faculty research continuity plan templates and making enhancement recommendations. Templates and supporting documents will be made available from the Office of Research and Innovation website.

6.2.4 Making recommendations for improvements to the research continuity process, in collaboration with Emergency Management and Mission Continuity and appropriate service units, for streamlined planning elements.

7. ACADEMIC CONTINUITY PLANNING

7.1 Purpose

Academic continuity plans (“ACP”) assist faculty in developing plans for academic courses impacted if a university crisis significantly disrupts instruction.

7.2 Plan Contents and Requirements

7.2.1 Each college and department must create and maintain an ACP. The ACP should accomplish the following:

7.2.1.1 ACPs should identify personnel and essential functions that may be needed during or immediately following a disaster and how essential functions will be continued during a disaster. Continuing to conduct classes is an essential function for all academic departments/units.

7.2.1.2 Information technology and other key resources the department/academic unit depends upon must be addressed. Examples include, but are not limited to: cybersecurity, networking, library databases, cloud storage, specialized application, learning management system access, classroom and laboratory access, etc.

7.2.1.3 ACPs should describe how the college/department/academic unit will address issues including power and internet outages, cloud application outages, etc. (eg: remote classes could be recorded for future viewing).

7.2.2 Each department/academic unit should complete its ACP as thoroughly as possible with input from all internal stakeholders. ACP’s should be incorporated into the unit’s Pack Plan. There should be one plan per college and one plan per department and/or academic unit. Academic centers, programs and institutes should also maintain a plan. Instructors of record are encouraged to develop a continuity plan for their individual courses.

7.2.3 The Office for Faculty Excellence (OFE) may be consulted when developing the college/department/unit ACP. OFE can provide examples of ACPs for individual courses that instructors may use to develop their own course-specific ACPs. Resources and templates are available on the OFE website.

7.2.4 The dean, or their designee, is responsible for ensuring that each department and academic unit within the college maintains the plan. Plans should be reviewed and updated no less than every 3 years.

7.2.5 ACPs should be retained at the college level for college-wide plans and at the department level for departmental plans. ACPs should also be made available to all faculty within the college/department/academic unit. Faculty members are responsible for reviewing their academic unit’s ACP and any related attachments and for assuring that the continuity plans for their assigned courses are consistent with their departmental and/or college ACPs.

8. TESTING AND PLAN MAINTENANCE

8.1 Testing Plans

8.1.1 Divisions and colleges that have identified critical business services/processes are required to test their Pack Ready Emergency Preparedness and Continuity Plans at least annually.

8.1.2 Departmental exercises may be conducted more frequently at the discretion of department or unit leadership

8.2 Plan Approval

All continuity plans must be annually approved by the applicable College, department, or unit supervisor.