InfoSec Resources

Business Continuity Management

Vulnerabilities to natural, man-made, and technology-driven disasters require University business units to plan and prepare for system disruptions. Business continuity planning includes the identification of vulnerabilities, priorities, dependencies, and measures required to facilitate continuity and recovery before, during, and after a crisis.

The overall goal of the Division of IT’s Business Continuity Management (BCM) program is to provide a framework and a set of tools which University departments can utilize as they prepare for a disruption affecting the IT services they offer. Through these efforts, the best planning will be in place to keep University business processes and academic services functioning, with minimal interruption, in the event of a system outage or failure. 

System Business Continuity Classification 

The System Business Continuity Classification (SBCC) is used to assess the criticality level of an IT system. The criticality of an IT system is determined in relation to the business processes and services it provides to the University. The SBCC provides service owners with a matrix and associated definitions to determine which business continuity measures should be in place for their IT systems and applications. The necessary business continuity procedures, methods, and testing requirements all depend on the classification level selected.

Business Continuity Procedures 

Continuity planning represents a broad scope of activities designed to sustain and recover the business processes and critical systems of an organization. The extent of business continuity procedures necessary for an IT system depends on the assigned criticality level. The range of procedures for continuity planning includes the following: the information system contingency plan, the business impact analysis, and system recovery procedures.

Information System Contingency Plan 

An Information System Contingency Plan (ISCP) provides established procedures for the assessment and recovery of a system following a system disruption. The following items are addressed in an ISCP: assessment and notification processes, roles and responsibilities of individuals tasked with recovering the system, system inventory information, detailed recovery procedures, and testing procedures for the system.

Business Impact Analysis 

A Business Impact Analysis (BIA) identifies a system’s critical business processes, assigns estimates for maximum tolerable downtime, and designates priorities for a system’s rebuild or restoration in the event of a disaster. 

System Recovery Procedures 

System recovery procedures (SRP) provide general procedures for the recovery of a system from backup media or other sources. 

Business Continuity Methods 

Business continuity methods define system availability and data recovery strategies. How a system is architected, especially with regard to downtime, depends on the criticality level assigned to the system. The options for availability include continuous availability, high availability, recoverable, and reliable. Likewise, data recovery and backup strategies differ depending on the criticality of a system and the business processes it provides. Recovery strategy options include continuous backups, full backups, incremental backups, and differential backups.

Business Continuity Testing and Exercises 

The purpose of testing is to confirm the business continuity solution satisfies the organization’s recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws, or solution implementation errors. By conducting a plan exercise, weaknesses can be identified and adjustments made accordingly. The type of business continuity testing required and the frequency for conducting system tests are dependent on the criticality level assigned to the system. 

Business Continuity Assistance 

The Information Security and Access Management (ISAM) team can assist University departments with their IT business continuity planning initiatives. ISAM staff will provide the necessary education and resources needed to develop and coordinate IT business continuity documentation. Information will be provided to University business units in an effective and understandable manner. The intent is for each department’s plan to be beneficial and to allow for further development, testing, and maintenance by key personnel. If you have any questions regarding BCM, please contact ISAM at