Disaster Recovery

The Disaster Recovery Standard provides information for critical process and function owners and support personnel about what they should do to prepare for a disaster to ensure that RIT as a whole can restore and continue operations. 

Scope

This standard applies to:

  • Process/function owners who use RIT Information Resources to perform their processes/functions.
  • Organizations that provide RIT Information Resources to support critical processes/functions.
  • The standard does not apply to non RIT Information Resource restoration.

Continuity Classifications

Critical—Information or a process/function which if corrupted, lost, interrupted or made inaccessible during a disruption would pose a significant life, safety, financial, reputation, or other risk to RIT.

Non-Critical—Information or process/function which if corrupted, lost, interrupted or made inaccessible during a disruption would pose a minimal risk to RIT. The information or process/function could be supplied through alternate means during the disruption or delayed until after the disruption.

Requirements for Process Owners

The following security controls are required to be implemented:

  • Every RIT organizational unit should identify all critical processes/functions for which they are the process/function owner. Departments may use the continuity system for this purpose by coordinating with the Business Continuity Office.
  • For each critical process/function, departments will assign a Recovery Time Objective (RTO). An RTO is the minimum acceptable time a technology resource that is used to complete a process/function can be unavailable. Alternate methods of performing the process/function may be employed while the technology resource is being recovered.
  • Departments are responsible for identifying the technology resources that support each critical process/function. These resources include applications, software, hardware, and network (voice and data).
  • Departments should identify IT and other organizations supporting critical processes/functions.

Departments should identify RIT electronic and non-electronic information created, used, and/or stored for each critical process/function.

Departments may use the recovery planning system for documenting critical processes/functions, RTOs, technology, IT Departments, RIT information, and RPOs by coordinating with the Business Continuity Office, or may use the form located at http://www.rit.edu/fa/buscont/. Forms should be provided to the Business Continuity Office for entry into the recovery planning system.

To the extent possible, departments should establish contingency plans to continue critical business functions/processes to be used when normal mechanisms are unavailable.

  •  Process/function owners should identify training requirements and determine appropriate training procedures.
  • Training will include restoration and recovery procedures to return the process/function to its pre-disaster state.
  • Departments should cooperate with supporting IT and other organizations to test restoration and recovery procedures on a periodic basis determined by the Divisional VP or Provost (Information Trustee).
  • Process/function owners should review all processes/functions and evaluate their criticality annually.
  • Process/function owners should incorporate all new critical processes/functions into the Disaster Recovery Plan.

Requirements for IT Organizations

The following security controls are required be implemented:

 IT organizations will retain an inventory of services in the Recovery Planning System that support critical processes/functions.

IT organizations and business process owners will develop, maintain, and test backup and recovery/ restoration procedures services (frequency of testing to be determined by process owner, IT organization, and contractual obligations) that support critical processes/functions to support academic/business unit recovery and disaster recovery.

  • IT organizations should determine an alternate site for back-up and recovery/restoration activities.
  • Back-up and recovery/restoration activities should occur in a physically, environmentally, and logically secure location in compliance with RIT information security policies and standards.

Who does the standard apply to?

RIT process/function owners and organizations who use RIT Information Resources.

Key Concepts

  • Provides critical vs. non-critical business continuity classifications.
  • Requires the establishment of recovery point objectives, creation of appropriate documentation, and contingency planning for disaster recovery and business continuity.
  • Provides disaster recovery and restoration requirements for IT support organizations.