5.22 Disaster Recovery

Background

SCSU has procedures in place to provide backup and recovery of major data sets such as e-mail and files stored on major file servers. In addition, SCSU has detailed inventory records of technology components and campus locations for those components. These concepts form the basis for plans and procedures to recover from events that disrupt the normal flow of activity on campus. SCSU, however, does not have an up-to-date, full disaster recovery or business continuity plan that manages the risks associated with major disasters that potentially could have a significant negative impact on SCSU’s long-term success.

SCSU has become increasingly dependent upon multiple technologies for day-to-day operations. The disruption of the normal functioning of these technologies, due to a disaster of any size, would have a profound impact on SCSU’s mission. Disaster recovery plans and business continuity plans attempt to prepare for such a disruption of service, to put in place a strategy to deal with the disruption, to recover in a prioritized and well-planned manner, and to minimize the risks posed by such service disruption.

The scope of a disaster may be large or small and originate from a number of possibilities. A small disaster might consist of a fire or flood in a single workspace. A large disaster might consist of the physical loss of one or more buildings due to a storm, explosion, or terrorist attack. These are just examples of possible disasters. The uncertainty of future events makes planning for possible disasters a difficult and fuzzy exercise. However, this uncertainty does not diminish the necessity for such planning.

Disaster recovery planning usually takes the form of

  • getting administration buy-in and developing broad campus support
  • forming a team charged with developing the plan
  • adopting a methodology for developing the plan
  • using the methodology to develop the plan
  • training the support staff in the use of the plan
  • testing the plan to gain confidence in the plan
  • updating the plan on a regular, fixed schedule
  • using the plan in the event of a disaster

While such plans are often overlooked or pushed to the bottom of the priority lists, it is critical to have such a plan for the university.

Goals

The primary goal is to develop a comprehensive technology disaster recovery plan for SCSU that speaks to the orderly and planned continuing of the university’s mission in the event of a disaster. The plan will

  • identify and classify the technology components (hardware, software, data, networks, telecommunications, discipline-specific equipment, and facilities) that support SCSU’s mission
  • identify the important business relationships that would be required to support disaster recovery
  • establish a priority of recovery activities in the event of a disaster
  • identify those people responsible for maintaining the plan
  • identify those people responsible for responding to a disaster and the roles to be played
  • follow generally accepted conventions and parameters associated with plans designed to continue business in the event of a disaster.

Specific Actions and Timeline

TLTR will establish a security committee comprised of people from LR&TS, CIS-AdC, and Facilities to develop a comprehensive technology disaster recovery plan for SCSU.

  • The committee will follow the standard timeline (see 5.0) for carrying out and reporting on specific actions.
  • The committee will be charged with accomplishing the goals of this section of the plan; detailed actions and timelines need to flow from the committee.
  • During 2007/2008, the committee will submit a final report and recommendations for the next cycle of technology planning.

Resources

One-time costs estimated at $5,000 will be required to arrange for the services of a professional disaster recovery consultant to provide initial structure and direction for this initiative. This cost includes selecting the methodology and the technology (software) to support the plan content.

Substantial time and effort will be invested in this initiative by those charged with planning, compiling, and maintaining the required information.

Costs may be associated with providing service-level agreements with vendors and/or other MnSCU institutions or State agencies to arrange for backup facilities, equipment, and network connectivity.

On-going costs will be needed to maintain the plan and to do the required testing of the plan to ensure viability of the plan over time.

Evaluation

  • Is the disaster recovery plan in place, and has it been tested to assure that it can be utilized?
  • Have important relationships and agreements been implemented to provide for facilities and technology component replacement in the event of a disaster?
  • Have recovery priorities been identified and approved?
  • Have individuals and roles been identified and assigned?
  • Is the plan updated regularly and tested annually?
  • Has the committee submitted a final report in Spring 2008?
  • Has the committee made recommendations for the next cycle of technology planning?

Revised: May 2003