University Policies

Continuity of Operations and Disaster Recovery Policy

Information Technology Services
Information Technology Services

Business operations continuity is essential to protect competitive position, preserve public confidence, and protect against litigation.

Worcester State must institute and practice an information systems disaster recovery plan that will prevent catastrophic data loss and ensure timely restoration of network and computing services in the event of system failure or destruction.

  • The College and Information Technologies will determine the criticality of specific systems and the potential impact of their loss. Such determinations will be system and application specific.
  • The CIO and the Data Security Officer will identify mechanisms that maximize availability and prevent information loss, such as fault-tolerant hardware, automatic fail-over hardware, non-interruptible power supply, and fire protection and prevention systems.
  • The Data Security Officer must designate responsible individuals to perform specific duties related to plan development, plan maintenance, plan testing, and disaster recovery. The duties must be clearly defined, documented, and should include authority levels. These duties must be reviewed and or revised annually.
  • All documentation related to system design, configuration, and administration will be continuously maintained.
  • A backup policy should stipulate all requirements and processes for the preservation and restoration of data, and define a process to ensure data integrity upon system recovery.
  • Under no circumstance can personnel charged with disaster recovery tasks enter into a potentially unsafe environment without the express permission of public health and safety officials.
  • Annually, disaster recover processes should be tested; the test plan should
    A test plan and periodic schedule should be proposed.
    • Account for necessary equipment and personnel resources.
    • Indicate regular intervals for re-testing.
  • Disaster recovery plans must be updated whenever system changes that would cause it to become invalid are made. Regardless of system changes, disaster recovery plans must be reviewed annually.

Additional Information:
This policy presents guidance on minimum content for a disaster recovery plan and is not the plan itself. Furthermore, it is not meant to be comprehensive and all encompassing in the area of business continuity management. It focuses on the information systems aspects of disaster recovery and does not cover the related areas of contingency planning, crisis management, and emergency management. Therefore, expansion of this policy, as appropriate, is permitted and encouraged.