6.25 DISASTER RECOVERY AND BUSINESS CONTINUITY
Effective: August 15, 2024
Purpose: Emporia State University is committed to maintaining the confidentiality, integrity, and availability of the information assets it owns or controls. This policy sets out to ensure the University has the means to continue operations in the event of a loss of critical systems.
Scope: This policy applies to all information systems created by or used within the University. This policy does not include any device on the University’s premises not owned or maintained by the University.
Responsible Office: Information Technology
Policy Statement: It is the responsibility of the Information Custodian and Responsible Offices to classify their information and applications that manage information into the following categories:
Critical: A University system, or subset of supporting systems, that are necessary to sustain safety and welfare of University employees, students and visitors (fire safety, HVAC, emergency notifications, communications systems, University website, etc.) and must be restored within twenty-four (24) hours of unavailability.
Essential: A system or service that hinders the University’s ability to deliver academic programs, preserve critical research, or to conduct University business, finance, and infrastructure operations (ERP, LMS, etc.) and must be restored with seventy-two (72) hours of unavailability.
Non-Essential: A system or service that does not immediately hinder University business or classes (e.g., test systems, individual department systems, individual workstations, etc.).
It is the responsibility of Information Technology (IT) staff to:
- Backup ESU information assets as per Backup Standards.
- Develop, implement, and maintain a Power Protection Plan for infrastructure devices (e.g., network equipment, servers) supporting systems classified as critical or serious.
- Develop procedures to be followed for various disaster scenarios that may affect any system deemed critical or serious to the function to the University.
It is the responsibility of the Unit Support Personnel for non-campus wide applications to:
- Classify information assets as Critical, Essential, or Non-Essential.
- Backup information assets as per Backup Standards.
It is the responsibility of the Information Security Officer (ISO) to do perform periodic risk assessments of technology assets. The ISO is responsible for monitoring and reporting compliance with this policy. The ISO is responsible for reviewing this policy annually.
The University is responsible for funding disaster recovery and business continuity to the best of its ability.
The President or designee must approve any exceptions to this policy.
Definitions: All words and phrases shall be interpreted utilizing their plain meanings unless otherwise defined in another University or Board of Regents policy or by statute or regulation.
Procedures: All procedures linked and related to the policies above shall have the full force and effect of policy if said procedures have first been properly approved by the University’s administrator in charge of Information Technology.
[Information Technology procedures - coming soon]
Related Policy Information: [coming soon]