Disaster Recovery Policy | Spalding University Policy Guide

1.4.10: Disaster Recovery Policy

Effective January 15, 2024

1. Introduction

This policy outlines the procedures and guidelines for the recovery of critical information systems, data, and operations in the event of a disaster or disruptive incident. The primary objective is to enable the restoration of essential services and minimize the adverse impacts on the university's operations, while ensuring compliance with the Gramm-Leach-Bliley Act (GLBA) and other applicable regulations.

2. Scope

This policy applies to all information systems, applications, databases, and infrastructure components that store, process, or transmit student financial aid information, bursar account details, or other sensitive data covered under the GLBA.

3. Roles and Responsibilities

3.1 Disaster Recovery Team: A cross-functional team responsible for coordinating and executing disaster recovery activities. The team will be led by the Director of Information Technology and comprise representatives from IT, Facilities, Campus Safety, and relevant business units.

3.2 Data Owners: Responsible for identifying and classifying sensitive data, defining recovery priorities, and ensuring compliance with data protection regulations. (See 1.4.6 Record Retention Policy)

3.3 IT Operations: Responsible for maintaining and implementing disaster recovery procedures, including system backups, off-site storage, and restoration processes.

4. Disaster Recovery Plan

4.1 Risk Assessment: Conduct periodic risk assessments to identify potential threats and vulnerabilities and their impact on critical systems and data.

4.2 Data Backup and Storage: Implement secure backup solutions for all critical systems and data, including student financial aid information and bursar account details. Backups should be performed regularly and stored off-site in a secure location. (See 1.4.7 Electronic Backup Policy)

4.3 Recovery Strategies: Develop and document recovery strategies for various disaster scenarios, including data center failures, cyber-attacks, and natural disasters. These strategies should define the recovery time objective (RTO) and recovery point objective (RPO) for each critical system and data set; the backup frequency set under 4.2 must be sufficient to meet the RPO. (See 1.4.7 Electronic Backup Policy)

4.4 Testing and Maintenance: Regularly test and validate the disaster recovery plan, including actual restoration of systems and data from backup, to confirm its effectiveness and identify any gaps or areas for improvement. Update the plan as necessary to reflect changes in the IT infrastructure, regulatory requirements, or business operations. (See 1.4.7 Electronic Backup Policy)

5. Data Security and Privacy

5.1 Encryption: Implement strong encryption for backup data at rest and for sensitive data in transit to storage locations. Encryption keys must be managed and stored separately from the backups they protect, and must themselves be recoverable during a disaster, since an encrypted backup cannot be restored without its key.

5.2 Access Controls: Enforce strict access controls and authentication measures so that only authorized personnel can access, retrieve, or restore backup data and recovery systems.

5.3 Incident Response: Establish an incident response plan to promptly address and mitigate any security breaches or unauthorized access to sensitive data during disaster recovery operations.

6. Training and Awareness

Provide regular training and awareness programs to ensure that all relevant personnel, including the Disaster Recovery Team, IT Operations, and Data Owners, are familiar with their roles and responsibilities, as well as the procedures outlined in the disaster recovery plan.

7. Review and Maintenance

This policy and the associated disaster recovery plan should be reviewed and updated at least annually, or whenever significant changes occur in the university's IT infrastructure, regulatory requirements, or business operations.

8. Compliance and Reporting

Regularly assess and document compliance with the GLBA and other applicable regulations related to the protection of student financial aid information and bursar account details. Report any incidents or breaches in accordance with the university's incident response plan and regulatory requirements.

9. This Policy and the related standards shall be reviewed and maintained regularly, but no less than once per year.