Title: Relocation Expenses
Subject: Finance
Policy No: FA: 2014: XX
Applies: University-wide
Issuing Authority: President (signature)
Responsible Officer: Senior Vice President for Finance and CFO
Adopted: 10/2003
Last Revision: 8/2013
Last Reviewed: Dec 29, 2014
BUSINESS CONTINUITY MANAGEMENT POLICY
...
The Business Continuity Management Policy
...
Subject: Information Security
Policy No: ISO:2013:08
Applies: University-wide
Issuing Authority: Information Security Office - Chief Information Security Officer
Responsible Officer: Vice President for Information Resources and Chief Information Officer
Date Adopted: 07-01-2013
Last Revision: 08-01-2014
Last Review: 09-01-2014
____________________________________________________________________________________________
I. PURPOSE
...
II. ACCOUNTABILITY
...
III. APPLICABILITY
...
IV. DEFINITION(S)
- Business Interruption - an event, whether anticipated or unanticipated, which disrupts the normal course of business operations within the university.
V. POLICY
Business Continuity Management Framework
Management will apply a consistent, university-wide approach to business continuity management through:
- Governance
- Education and Awareness
- Analysis
- Recovery Strategy and Plan
- Maintenance
- Outsourcing and Third Party Service Providers
- Testing and Quality Assurance
- Monitoring and Control
Governance
Management will maintain an organizational structure that allows for the appropriate oversight and ownership of The University's Business Continuity Management activities at university-wide and business unit levels. The Information Security Office (ISO) will set university-wide strategy, policy, tools, guidelines, and standards, review business continuity activities, and co-ordinate university-wide threat/risk assessments, strategy and readiness reporting. Ultimate responsibility for implementing Business Continuity Management practices and developing business-specific policies and protocols rests with the executive and senior management of each business area. All lines of business must ensure that their policies address any unique regulatory or business requirements within their jurisdiction.
Education and Awareness
The Information Security Office will communicate Business Continuity Management policies and processes to all business units and implement appropriate employee awareness and training programs to promote the understanding of all related policies, standards and guidelines.
Analysis
On an annual basis, each school and business unit must assess its risk tolerance and sensitivity to an interruption by completing the Business Impact Analysis ("BIA") process to establish a university-wide criticality ranking. This criticality ranking must be submitted to the Information Security Office for independent validation and approval. The criticality ranking establishes recovery targets and the rigor of business continuity activities. The following criteria (high, medium, low) are used for criticality ranking:
Ranking | Criteria |
High | • Business functions are critical and must be recovered quickly (0- |
Medium | • Business functions are moderately critical and recovery |
Low | • Business functions are of low complexity and recovery timeframes |
Recovery Strategy and Plan
All schools and business units must develop an appropriate and resilient recovery strategy and continuity plan. The plan must address the loss or failure of critical people (workforce), systems, locations, processes and suppliers to continue key business processes and must be supported by appropriate arrangements whether in-sourced or outsourced. The level of continuity and recovery capability shall be appropriate to the criticality ranking of the business, considering cost and risk mitigation as part of the strategy. The strategy must consider the nature, scale and complexity of the business to ensure it can reasonably continue to function and meet its various obligations in the event of an interruption.
Maintenance
Deans and Executive Management must review Business Continuity Management plans annually or when a major change to critical people, systems, processes, suppliers or locations occurs. All schools and business units will have appropriate change management processes in place to ensure the plan is current, credible and practical.
Outsourcing – Third Party Service Providers
All continuity and recovery plans are to incorporate appropriate arrangements for the potential failure of third party service providers to meet their obligations. This includes each school and business unit taking reasonable steps to ensure that it has access to records or resources to allow it to sustain business operations and statutory obligations.
Each school and business unit will ensure the recovery plans, testing results and contracts of external service providers, including any significant subcontractors, are sufficient to meet the university's business continuity and recovery requirements.
The University's sponsoring school or business unit must ensure that arrangements comply with the Vendor Risk Management Practices established by the Information Security Office.
Testing
Business management and IRT must test Business Continuity and Disaster Recovery Plans annually to ensure arrangements are sufficient to meet required continuity and recovery objectives. The criterion for test success is based on pre-established test objectives and must meet the minimum Business Continuity Management testing standards established by the Information Security Office. The extent of review and testing will be commensurate with the criticality of the business unit.
Quality Assurance
Each school and business unit must implement a quality assurance process to ensure the required continuity, recovery and testing objectives are achieved. All business continuity plans and tests are subject to independent review by the Information Security Office. The Information Security Office along with each school and business unit must ensure appropriate employee education and awareness programs are in place, and staff is familiar with them to support overall resilience of the University.
Monitoring and Control
The Information Security Office (ISO) will monitor and report on the status of university-wide business continuity management activities, plans, protocols and testing to each Dean and the Executive for each business unit on a periodic basis.
Additionally, the ISO will provide regular reporting to the Board Risk Committee regarding the state of the University's Business Continuity Management Program and preparedness.
V. Roles and Responsibilities
...
- Annually review and approve any substantial changes to this policy.
- Maintain a general understanding of the scope of the policy and where required make inquiries of a responsible senior officer with respect to this policy.
- Review reports, as and when presented to the Board Risk Committee by executive management of the University, with respect to the outcome of significant business continuity events and the resulting action plans for mitigating recurrence.
...