Standard 6: Backup and Disaster Recovery
Revision Number: | 1 |
|
Effective Date: | 2/24/2020 | |
Revised Date: | 2/24/2020 | |
Review Date: | 2/24/2020 | |
Responsible Division/Department:
Office of the CIO / Information Technology Services |
- Backup Plan Requirement. All 海角社区data, including data associated with research, must be backed up in accordance with risk management decisions implemented by the Data Owner. The University's Office of Internal Audit periodically reviews backup plans for campus units. Each backup plan must incorporate procedures for:
- recovering data and applications in case of events such as natural disasters, system disk drive failures, espionage, data entry errors, human error, or system operations errors;
- assigning operational responsibility for backing up of all servers;
- scheduling data backups and establishing requirements for off-site storage;
- securing on-site / off-site storage and media in transit, as necessary; and
- periodically testing backup and recovery procedures.
- Disaster Recovery Plan. Owners of mission critical information resources and of information resources containing confidential data must adopt a disaster recovery plan commensurate with the risk and value of the information resource and a completed Business Impact Analysis. The University's Office of Internal Audit periodically reviews disaster recovery plans for campus units. The disaster recovery plan must incorporate procedures for:
- recovering data and applications in the case of events that deny access to information resources for an extended period (e.g., natural disasters, terrorism);
- assigning operational responsibility for recovery tasks and communicating step-by-step implementation instructions;
- at a minimum, testing the disaster recovery plan and procedures every two years (example: tabletop or scenario testing, leveraging major scheduled upgrades, activating actual service outages in a controlled scenario); and
- making the disaster recovery plan available to the Chief Information Security Officer and other stakeholders.