ROWAN UNIVERSITY POLICY
Title: Business Continuity Management Policy
Subject: Information Security
Policy No: ISO:2013:09
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Director of Information Security
Adopted: 07/01/2013
Last Revision: 07/02/2018
Last Reviewed: 07/02/2018
I. PURPOSE
A. This policy describes the Rowan University Business Continuity Management program, which is proactive and iterative in its approach to assess potential threats and ensure appropriate and resilient arrangements are in place. The Program is required to support the safety of our employees and secure critical resources (people, systems and locations) required to continue key business processes and minimize impacts in a timely, structured, and cost-effective manner, in the event of a business interruption incident.
B. Business Continuity Management's primary objective is to enable the executive and senior management to continue to manage and operate their business under adverse conditions, by leveraging appropriate resilience strategies, recovery objectives, and business continuity and crisis management plans.
II. ACCOUNTABILITY
Under the direction of the President, the Chief Information Officer, the Director of Information Security, schools and business units, the Information Security Office (ISO) shall implement and ensure compliance with this policy.
III. APPLICABILITY
This policy applies specifically to all employees, deans, officers and directors of the University. Furthermore, management's accountability extends to ensuring that all aspects of its Business Continuity Management activity incorporate third party service providers and vendors.
IV. DEFINITIONS
Business Interruption - an event, whether anticipated or unanticipated, which disrupts the normal course of business operations within the University.
V. POLICY
A. Business Continuity Management Framework
Management will apply a consistent, University-wide approach to business continuity management through:
- Governance
- Education and Awareness
- Analysis
- Recovery Strategy and Plan
- Maintenance
- Outsourcing and Third Party Service Providers
- Testing and Quality Assurance
- Monitoring and Control
- Governance
Management will maintain an organizational structure that allows for the appropriate oversight and ownership of the University's Business Continuity Management activities at University-wide and business unit levels. The Information Security Office (ISO) will set University-wide strategy, policy, tools, guidelines, and standards, review business continuity activities, and co-ordinate University-wide threat/risk assessments, strategy and readiness reporting. Ultimate responsibility for implementing Business Continuity Management practices and developing business-specific policies and protocols rests with the executive and senior management of each business area. All lines of business must ensure that their policies address any unique regulatory or business requirements within their jurisdiction.
- Education and Awareness
The Information Security Office will communicate Business Continuity Management policies and processes to all business units and implement appropriate employee awareness and training programs to promote the understanding of all related policies, standards and guidelines.
- Analysis
On an annual basis, each school and business unit must assess its risk tolerance and sensitivity to an interruption by completing the Business Impact Analysis ("BIA") process to establish a University-wide criticality ranking. This criticality ranking must be submitted to the Information Security Office for independent validation and approval. The criticality ranking establishes recovery targets and the rigor of business continuity activities. The following criteria (high, medium, low) are used for criticality ranking:
Ranking | Criteria
High | • Business functions are critical and must be recovered quickly (0-6 hrs Maximum Downtime Tolerance). • Failure of business functions would have a significant operational, financial and/or reputational impact on the University. • Business functions are sensitive to interruptions and contain intricate and complex procedures and processes with multiple points of failure. • Heavy reliance on systems and/or external service providers.
Medium | • Business functions are moderately critical and recovery requirements are less demanding (7-48 hrs Maximum Downtime Tolerance). • Failure of business functions would have a moderate operational, financial and/or reputational impact on the University. • Business functions are less sensitive to interruptions and experience changes less frequently. • Moderate reliance on systems and/or external service providers.
Low | • Business functions are of low complexity and recovery timeframes could be lengthy (>48 hrs Maximum Downtime Tolerance). • Outages would have a minimal operational, financial and/or reputational impact on the University. • Business functions have minimal dependency on systems and/or external service providers.
- Recovery Strategy and Plan
All schools and business units must develop an appropriate and resilient recovery strategy and continuity plan. The plan must address the loss or failure of critical people (workforce), systems, locations, processes and suppliers in order to continue key business processes, and must be supported by appropriate arrangements, whether in-sourced or outsourced. The level of continuity and recovery capability shall be appropriate to the criticality ranking of the business, considering cost and risk mitigation as part of the strategy. The strategy must consider the nature, scale and complexity of the business to ensure it can reasonably continue to function and meet its various obligations in the event of an interruption.
- Maintenance
Deans and Executive Management must review Business Continuity Management plans annually or when a major change to critical people, systems, processes, suppliers or locations occurs. All schools and business units will have appropriate change management processes in place to ensure the plan is current, credible and practical.
- Outsourcing and Third Party Service Providers
All continuity and recovery plans are to incorporate appropriate arrangements for the potential failure of third party service providers to meet their obligations. This includes each school and business unit taking reasonable steps to ensure that it has access to records or resources to allow it to sustain business operations and statutory obligations. Each school and business unit will ensure the recovery plans, testing results and contracts of external service providers, including any significant subcontractors, are sufficient to meet the University's business continuity and recovery requirements. The University's sponsoring school or business unit must ensure that arrangements comply with the Vendor Risk Management Practices established by the Information Security Office.
- Testing
Business management and Information Resources and Technology (IRT) must test Business Continuity and Disaster Recovery Plans annually to ensure arrangements are sufficient to meet required continuity and recovery objectives. The criteria for test success are based on pre-established test objectives and must meet the minimum Business Continuity Management testing standards established by the Information Security Office. The extent of review and testing will be commensurate with the criticality of the business unit.
- Quality Assurance
Each school and business unit must implement a quality assurance process to ensure the required continuity, recovery and testing objectives are achieved. All business continuity plans and tests are subject to independent review by the Information Security Office. The Information Security Office, along with each school and business unit, must ensure appropriate employee education and awareness programs are in place, and that staff are familiar with them, to support the overall resilience of the University.
- Monitoring and Control
The Information Security Office (ISO) will monitor and report on the status of University-wide business continuity management activities, plans, protocols and testing to each Dean and the Executive for each business unit on a periodic basis. Additionally, the ISO will provide regular reporting to the Board Risk Committee regarding the state of the University's Business Continuity Management Program and preparedness.
VI. ATTACHMENTS
A. Attachment 1, Roles and Responsibilities
B. Attachment 2, Non-Compliance and Sanctions
By Direction of the CIO:
Mira Lalovic-Hand,
SVP and Chief Information Officer
ATTACHMENT 1
ROLES and RESPONSIBILITIES
A. Board of Directors
The Board Risk Committee will:
- Annually review and approve any substantial changes to this policy.
- Maintain a general understanding of the scope of the policy and make inquiries of a responsible senior officer with respect to this policy.
- Review reports, as and when presented to the Board Risk Committee by executive management of the University, with respect to the outcome of significant business continuity events and the resulting action plans for mitigating recurrence.
B. Deans and Business Units
All areas are to ensure that faculty, staff, and management are familiar with incident protocols for emergencies and business disruptions. Deans and Executive Management are to ensure compliance with this Business Continuity Management Policy and its supporting standards and guidelines.
C. Information Resources and Technology (IRT)
IRT is responsible for supporting the information systems and technology requirements of business management's Business Continuity Management activities. This includes supporting the development and implementation of appropriate strategies to recover infrastructure platforms and restore critical applications consistent with business management's continuity and recovery objectives. IRT is also responsible for overseeing the creation, execution, and testing of a formal Disaster Recovery (DR) Plan and activities related to the systems and infrastructure it supports on behalf of the businesses.
D. Information Security Office (ISO)
The ISO is responsible for the oversight of University-wide Business Continuity Management and for making appropriate recommendations to the Board Risk Committee regarding BCP and DR strategies and activities.
E. Legal
Upon engagement by the sponsoring business, Legal supports the risk management objectives of this policy by providing advice and support with contracts impacted by this policy.
ATTACHMENT 2
NON-COMPLIANCE AND SANCTIONS
Violations of this policy may subject the violator to disciplinary actions, up to and including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes. Sanctions shall be applied consistently to all violators regardless of job title or level in the organization.