
  1. Governance
    Management will maintain an organizational structure that allows for the appropriate oversight and ownership of The University's Business Continuity Management activities at University-wide and business unit levels. The Information Security Office (ISO) will set University-wide strategy, policy, tools, guidelines, and standards, review business continuity activities, and co-ordinate University-wide threat/risk assessments, strategy and readiness reporting. Ultimate responsibility for implementing Business Continuity Management practices and developing business-specific policies and protocols rests with the executive and senior management of each business area. All lines of business must ensure that their policies address any unique regulatory or business requirements within their jurisdiction.

  2. Education and Awareness
    The Information Security Office will communicate Business Continuity Management policies and processes to all business units and implement appropriate employee awareness and training programs to promote the understanding of all related policies, standards and guidelines.

  3. Analysis
    On an annual basis, each school and business unit must assess its risk tolerance and sensitivity to an interruption by completing the Business Impact Analysis ("BIA") process to establish a University-wide criticality ranking. This criticality ranking must be submitted to the Information Security Office for independent validation and approval. The criticality ranking establishes recovery targets and the rigor of business continuity activities. The following criteria (high, medium, low) are used for criticality ranking:

    Ranking: Criteria

    High
    • Business functions are critical and must be recovered quickly (0-6hrs Maximum Downtime Tolerance).
    • Failure of business functions would have a significant operational, financial and/or reputational impact on The University.
    • Business functions are sensitive to interruptions and contain intricate and complex procedures and processes with multiple points of failure.
    • Heavy reliance on systems and/or external service providers.

    Medium
    • Business functions are moderately critical and recovery requirements are less demanding (7-48hrs Maximum Downtime Tolerance).
    • Failure of business functions would have a moderate operational, financial and/or reputational impact on The University.
    • Business functions are less sensitive to interruptions and experience changes less frequently.
    • Moderate reliance on systems and/or external service providers.

    Low
    • Business functions are of low complexity and recovery timeframes could be lengthy (>48hrs Maximum Downtime Tolerance).
    • Outages would have a minimal operational, financial and/or reputational impact on The University.
    • Business functions have minimal dependency on systems and/or external service providers.

  4. Recovery Strategy and Plan
    All schools and business units must develop an appropriate and resilient recovery strategy and continuity plan. The plan must address the loss or failure of critical people (workforce), systems, locations, processes and suppliers to continue key business processes and must be supported by appropriate arrangements whether in-sourced or outsourced. The level of continuity and recovery capability shall be appropriate to the criticality ranking of the business, considering cost and risk mitigation as part of the strategy. The strategy must consider the nature, scale and complexity of the business to ensure it can reasonably continue to function and meet its various obligations in the event of an interruption.

  5. Maintenance
    Deans and Executive Management must review Business Continuity Management plans annually or when a major change to critical people, systems, processes, suppliers or locations occurs. All schools and business units will have appropriate change management processes in place to ensure the plan is current, credible and practical.

  6. Outsourcing – Third Party Service Providers
    All continuity and recovery plans are to incorporate appropriate arrangements for the potential failure of third-party service providers to meet their obligations. This includes each school and business unit taking reasonable steps to ensure that it has access to the records or resources needed to sustain business operations and statutory obligations. Each school and business unit will ensure the recovery plans, testing results and contracts of external service providers, including any significant subcontractors, are sufficient to meet the University's business continuity and recovery requirements. The University's sponsoring school or business unit must ensure that arrangements comply with the Vendor Risk Management Practices established by the Information Security Office.

  7. Testing
    Business management and IRT must test Business Continuity and Disaster Recovery Plans annually to ensure arrangements are sufficient to meet required continuity and recovery objectives. The criterion for test success is based on pre-established test objectives and must meet the minimum Business Continuity Management testing standards established by the Information Security Office. The extent of review and testing will be commensurate with the criticality of the business unit.

  8. Quality Assurance
    Each school and business unit must implement a quality assurance process to ensure the required continuity, recovery and testing objectives are achieved. All business continuity plans and tests are subject to independent review by the Information Security Office. The Information Security Office, along with each school and business unit, must ensure appropriate employee education and awareness programs are in place and that staff are familiar with them, to support the overall resilience of the University.

  9. Monitoring and Control

...