Business Continuity and Disaster Recovery Procedure

A. Reason for Procedure

This procedure is intended to ensure continuity and recovery of Lamont’s business in the event of a loss of Key Systems.  The procedure includes identifying Key Systems and determining acceptable time frames for the resumption of business activities after loss of these Key Systems.

B. Responsible Office and / or Officer

The Project Owner / Project IT Custodian is responsible for selecting and implementing a Business Continuity / Disaster Recovery procedure for all key systems and key data under their control.

The Lamont IT Department is responsible for the maintenance of this procedure, and for responding to questions regarding it.

C. Procedure

  1. Complete an Information Asset Inventory.
  2. For each Key system, complete a Data Backup Procedure.
  3. For each Key system, do a business risk assessment and a business impact analysis.  Include:
    • Which business processes require the Key System
    • How critical is the Key system to the continued functioning of the project
    • The systems that contain the relevant Data for the Key system
  4. For each Key system, do a Contingency Plan which includes:
    • List Key business processes on the system
    • Applicable risk to availability
    • Prioritization of recovery
    • Recovery Time Objectives - the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business
    • Recovery Point Objectives -  the maximum tolerable period where Data may be lost from an Information Resource.
    • Off-site data backup / duplication
    • List of requirements for replacement systems
    • Testing and validation of procedures, including periodic testing.

So for example a website might have a “Web Server” process, a “Database” process, and an “Authentication” process.  You don’t want to include things out of your control, like internet connectivity, because losing something like that is part of the “disaster” you’d be recovering from.

D. References

Refer to the CU Business Continuity and Disaster Recovery Policy for further information here: 
https://universitypolicies.columbia.edu/content/business-continuity-and-disaster-recovery-policy