
IT Disaster Recovery Policy

Applies to: Florida Tech Campus
Original Policy Date: August 2024
Date of Last Review: August 2024
Approved by: Dr. John Nicklow, President

Policy Owner: Chief Information Officer (CIO)

Policy Purpose

The purpose of the IT Disaster Recovery Policy at Florida Institute of Technology (Florida Tech) is to ensure preparedness for and recovery from any event that disrupts Florida Tech’s business continuity. Such events may include hardware or software failures, network or power outages, physical damage to facilities (e.g., fire, flooding), human errors, or other significant incidents. Disaster recovery planning aims to minimize the impact on IT infrastructure and services critical to Florida Tech’s operations by identifying dependencies, establishing recovery objectives, and documenting roles and responsibilities of IT personnel involved in recovery efforts.

Policy Scope

This IT Disaster Recovery Policy applies to:

  • IT infrastructure and services supporting Information Systems (IS) at Florida Tech.
  • Cloud or Third-Party hosted infrastructure and services supporting Information Systems.
  • Information Systems processing or storing Florida Tech data. This excludes desktop devices and workstations not requiring disaster recovery plans but necessitating data backup.
  • Processes, policies, and procedures related to preparing for the recovery or continuation of technology infrastructure, systems, and applications crucial to Florida Tech post-disaster or outage.
  • Colleges, departments, units, or research projects maintaining or responsible for Unit-Critical systems or data.

Definitions

Alternate Site: A geographically distant location used to resume critical IT operations in the event the primary site becomes unavailable due to a disaster. The site must be configured to support prompt and efficient recovery operations.

Business Continuity Plan (BCP): A strategic plan that outlines procedures and guidelines to ensure that essential business functions can continue during and after a disaster.

Business Impact Analysis (BIA): A process used to assess the potential effects of an interruption to critical business operations due to an IT disruption. The BIA helps in determining the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

Continuity of Operations Program (COOP): A program designed to ensure that essential functions can continue during and after a disaster, incorporating elements such as IT Disaster Recovery, BCP, and emergency management.

Critical IT Systems: Systems that are essential to the daily operations of the university. These systems require regular testing and must be restored promptly in the event of a disruption.

Disaster Recovery Plan (DRP): A documented process or set of procedures to recover and protect IT infrastructure and services in the event of a disaster.

Information System Owner: The individual or department responsible for the overall operation and security of an information system, including its disaster recovery planning and implementation.

IT Disaster Recovery (IT DR) Plan: A plan developed and maintained to ensure the recovery and continuation of IT systems and services in the event of a disaster. This plan is part of the larger COOP and BCP.

Mission-Critical IT Systems: IT systems and services that are vital to the university's mission and must be restored as quickly as possible following a disruption.

Non-Critical IT Systems: Systems that support the university’s operations but are not essential for immediate recovery after a disaster. These systems have less stringent backup and testing requirements.

Recovery Point Objective (RPO): The maximum tolerable period in which data might be lost due to a major incident. It indicates the amount of data that can be restored from backup in the event of a system failure.

Recovery Time Objective (RTO): The maximum allowable downtime for an IT system following a disruption before it impacts business operations. It defines the target time to restore services after a disaster.

Tabletop Exercise: A discussion-based exercise where personnel simulate the response to a disaster scenario to evaluate the effectiveness of the IT DR plan and enhance readiness.

Virtual Security Operations Center (SOC): A remote team responsible for monitoring and managing the security of the university’s IT infrastructure, including overseeing the IT DR plan’s implementation.

IT Disaster Recovery (IT DR) Plan

Maintaining an IT DR plan as part of the Continuity of Operations Program (COOP) is essential to mitigate the effects of disruptive events or disasters—both natural and manmade. The IT DR plan, regularly updated and tested, ensures Florida Tech can resume critical functions promptly and predictably.

  • The Office of Information Technology (OIT) must maintain a comprehensive written IT DR Plan covering Florida Tech’s IT systems to minimize disaster impact and facilitate swift restoration.
  • Each college, department, unit, or research project managing Information Systems must independently maintain a disaster recovery plan for major or catastrophic events affecting departmental or Third-Party hosted Information Systems.

Elements of IT DR Plans include:

  • Elements derived from the COOP, Business Continuity Plan (BCP), IT Risk Assessment, or Business Impact Analysis to assess potential impacts on business functionality due to IT interruptions.
  • Critical internal and external points of contact for personnel involved in data provision or receipt.
  • Supporting infrastructure like power supply, telecommunications, and environmental controls.
  • Determination of Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
  • Identification of dependent IT systems or services and their associated impacts.
  • Existing controls and processes such as backup power, environmental sensors, and alarms.
  • Recovery techniques and technologies, including backup methods, alternate sites, and hardware/software replacements.
  • Disaster recovery procedures for events denying access to Essential and Mission-Critical IT systems or services for extended periods.
  • Non-critical IT systems listed in department/unit-level IT DR Plans with minimal backup validation testing requirements.
  • Annual review and update of IT DR Plans and Procedures by the Information System Owner, with more frequent updates as necessary.

IT Disaster Recovery Plan Testing

Periodic testing of IT DR procedures evaluates their effectiveness and the organization's readiness to execute the plan. Testing frequency is based on the criticality of systems:

  • Essential IT Systems: Every two (1) years
  • Mission-Critical IT Systems: Every three (3) years
  • Non-Critical IT Systems: Every five (5) years

Tests may range from virtual (e.g., tabletop exercises) to actual events, with documented results used to update procedures as needed. Results are approved by the Information System Owner, who oversees any resulting actions.

Alternate Site

An alternate site is integral to the IT DR plan, chosen based on results from a Business Impact Analysis (BIA):

  • It must be geographically distant from the primary site to reduce vulnerability to the same disruptive events.
  • Configuration must facilitate prompt and efficient recovery operations.

IT Disaster Recovery Training and Awareness

Florida Tech ensures personnel are trained in IT DR roles and responsibilities, with periodic refresher training:

  • Annual participation in IT Disaster Recovery Planning workshops and tabletop exercises is mandatory for all personnel expected to execute the IT Disaster Recovery Plan.

References

  • National Institute of Standards and Technology Cybersecurity Framework (CSF), PR.IP-9
  • National Institute of Standards and Technology Special Publication 800-171, Controlled Unclassified Information, 3.6.1, 3.6.2
  • General Data Protection Regulation (GDPR)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule, §164.308(a)(6), §164.308(a)(7), §164.308(a)(7)(ii)(D), §164.310(a)(2)(i), §164.312(a)(2)(ii)
  • Payment Card Industry Data Security Standards (PCI DSS)
  • Gramm-Leach-Bliley Act (GLBA) Safeguards Title 16 I, Subchapter C, Part 314.4(h)
  • U.S. Department of Education, Protecting Student Privacy, Data Governance Checklist

Enforcement and Compliance

Failure to comply with this policy or related laws, policies, and regulations may result in the restriction, suspension, or revocation of user privileges, and may lead to disciplinary actions as outlined in Florida Tech policies and applicable laws. This policy is enforced by the Florida Tech Chief Information Officer, with periodic compliance assessments conducted through internal audits.

IT Exceptions

Exceptions to this policy require careful consideration through the Florida Tech Information Protection Policy exception process, involving the Information Owner, Information System Owner, Florida Tech IT Security Advisory Council, and the Florida Tech Chief Information Officer. Refer to the Florida Tech IT Disaster Recovery Policy Exception Standard for detailed procedures.

This policy ensures Florida Tech’s readiness to recover from IT disasters, safeguarding critical operations and aligning with regulatory requirements for data protection and business continuity.

 
