The Disaster Recovery Standard provides information for critical process and function owners and support personnel about what they should do to prepare for a disaster to ensure that RIT as a whole can restore and continue operations.
Critical—Information or a process/function which if corrupted, lost, interrupted or made inaccessible during a disruption would pose a significant life, safety, financial, reputation, or other risk to RIT.
Non-Critical—Information or process/function which if corrupted, lost, interrupted or made inaccessible during a disruption would pose a minimal risk to RIT. The information or process/function could be supplied through alternate means during the disruption or delayed until after the disruption.
Requirements for Process Owners
The following security controls are required to be implemented:
- Every RIT organizational unit should identify all critical processes/functions for which they are the process/function owner. Departments may use the continuity system for this purpose by coordinating with the Business Continuity Office.
- For each critical process/function, departments will assign a Recovery Time Objective (RTO). An RTO is the minimum acceptable time a technology resource that is used to complete a process/function can be unavailable. Alternate methods of performing the process/function may be employed while the technology resource is being recovered.
- Departments are responsible for identifying the technology resources that support each critical process/function. These resources include applications, software, hardware, and network (voice and data).
- Departments should identify IT and other organizations supporting critical processes/functions.
Departments should identify RIT electronic and non-electronic information created, used, and/or stored for each critical process/function.
Departments may use the recovery planning system for documenting critical processes/functions, RTOs, technology, IT Departments, RIT information, and RPOs by coordinating with the Business Continuity Office, or may use the form located at http://www.rit.edu/fa/buscont/. Forms should be provided to the Business Continuity Office for entry into the recovery planning system.
To the extent possible, departments should establish contingency plans to continue critical business functions/processes to be used when normal mechanisms are unavailable.
- Process/function owners should identify training requirements and determine appropriate training procedures.
- Training will include restoration and recovery procedures to return the process/function to its pre-disaster state.
- Departments should cooperate with supporting IT and other organizations to test restoration and recovery procedures on a periodic basis determined by the Divisional VP or Provost (Information Trustee).
- Process/function owners should review all processes/functions and evaluate their criticality annually.
- Process/function owners should incorporate all new critical processes/functions into the Disaster Recovery Plan.
Requirements for IT Organizations
The following security controls are required be implemented:
IT organizations will retain an inventory of services in the Recovery Planning System that support critical processes/functions.
IT organizations and business process owners will develop, maintain, and test backup and recovery/ restoration procedures services (frequency of testing to be determined by process owner, IT organization, and contractual obligations) that support critical processes/functions to support academic/business unit recovery and disaster recovery.
- IT organizations should determine an alternate site for back-up and recovery/restoration activities.
- Back-up and recovery/restoration activities should occur in a physically, environmentally, and logically secure location in compliance with RIT information security policies and standards.
- Provides critical vs. non-critical business continuity classifications.
- Requires the establishment of recovery point objectives, creation of appropriate documentation, and contingency planning for disaster recovery and business continuity.
- Provides disaster recovery and restoration requirements for IT support organizations.