Introduction and Overview
The intent of this document is to define preventative measures that the University of Colorado Denver, College of Liberal Arts and Sciences (CLAS) can take to ensure operational continuity and to define guidelines and procedures in case preventative measures fail and operational continuity is jeopardized or broken. This document may also be used as an educational tool to document measures CLAS staff are pursuing to prevent disaster, and to develop proactive responses to what-if scenarios.
CLAS is a subset of the University of Colorado Denver, and cannot ensure operations outside of the CLAS domain, but can document, build, and plan to limit the effects of local and/or regional disaster, and to be organized accordingly in case of such an event. The development of a Business Continuity Plan and a Disaster Recovery Plan for CLAS is referenced in the Spring 2016 CLAS Security Audit and is in the CLAS Security Policy (DRAFT).
These documents are interrelated: the Disaster Recovery Plan is the section of the Business Continuity Plan that focuses on recovery after a disaster. The Business Continuity Plan describes preventative measures that the University of Colorado Denver, College of Liberal Arts and Sciences (CLAS) can take to ensure operational continuity and to define guidelines and procedures in case preventative measures fail and operational continuity is jeopardized or broken. The Business Continuity Plan attempts to provide mechanisms for risk assessment, business impact analysis and documentation of business workflows, and should be used as a tool to analyze and prioritize the business of CLAS.
The Security Policy and the Business Continuity Plan need periodic, or even constant, revision and review; because of this requirement, the documents are available online.
Plan Design and Description
The plan attempts to identify and categorize the critical functions of CLAS and the resources required to support them, with the objective of CLAS being able to survive a disaster and resume normal business operations within a reasonable (tolerable) amount of time.
To meet this objective, it is logical that CLAS:
- Provide administration with a comprehensive understanding of the resources required to develop, maintain, and test a business continuity plan and obtain commitment from administration to support a business continuity plan effort
- Document or otherwise realize the impact of a sustained loss to operations
- Identify weaknesses and deploy preventative measures
- Define the business continuity team(s) and other key players in the business continuity process
- Minimize the duration of serious disruption
- Coordinate the planning and recovery process, including media relations and/or a media spokesperson
- Designate hot site(s) and staff required at these locations
Scale and Scope of Plan
The College of Liberal Arts and Sciences is a subset of the University of Colorado Denver and does not have the capacity, knowledge or resources to make business continuity or disaster recovery plans beyond the CLAS domain. Therefore, the realm of this document is CLAS, and the focus is limited to what CLAS staff can do internally to prevent and proactively plan for crisis scenarios. Interaction with the Office of Information Technology (OIT) is encouraged and required, but should not be limited by OIT resources, strategies and planning. Regarding infrastructure, this document pertains to networks, servers, firewalls and other information technologies that CLAS manages.
Vulnerability Assessment
This section of the plan deals with the definition and classification of resources and the security assessment of these resources. After the initial vulnerability assessment, resources will be evaluated and placed in one of the following four categories:
- Category 1 -- Critical functions
- Category 2 -- Essential functions
- Category 3 -- Necessary functions
- Category 4 -- Desirable functions
Vulnerability Assessment should focus primarily on technology resources (including staff) and the communications environment. The Vulnerability Assessment should include (but not be limited to) scenarios like pandemic influenza strategies, local and regional disasters, network/server intrusion, operational procedures, vandalism and fire. Reasonable recommendations, plans and actions need to be developed and put in place to minimize risk to CLAS personnel, infrastructure and property to ensure operational continuity of the business and programs of CLAS.
A Security Assessment should include: personnel practices, physical security, system deployment and development, insurance, data and voice communications, security administration and personal computers. Once these assessments are completed and evaluated, results and recommendations should be presented to administration so corrective measures can be planned and implemented.
Insurance Note: (More work in this area)
Business Impact Analysis -- Disaster Recovery (Business Continuity) Plan - Version 1
The Business Impact Analysis needs to be developed to reflect the impact of disaster on business. CLAS needs to identify critical systems and functions, assess the economic impact that loss of systems and services would cause and assess the length of time CLAS can survive without said systems (downtime).
Once critical systems and functions are identified (Business Impact Analysis), CLAS can prioritize order and function to develop a Business Continuity/Disaster Recovery plan.
This information is critical to the development of preventative measures and recovery procedures outlined by this document. This assessment should be developed with and presented to the CLAS leadership for review and support of the activities outlined in the Business Continuity Plan.
The following graphics depict the path to developing a Business Impact Analysis, from http://www.ready.gov/business and the Department of Homeland Security:
Consider The Impact
The BIA should identify the operational and financial impacts resulting from the disruption of business functions and processes.
Impacts to consider include:
- Lost sales and income
- Delayed sales or income
- Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
- Regulatory fines
- Contractual penalties or loss of contractual bonuses
- Customer dissatisfaction or defection
- Delay of new business plans
Additional impacts in higher education:
- Loss of reputation
- Student transfers
- Loss of grants, contracts
Consider The Timing
The point in time when a business function or process is disrupted can have a significant bearing on the loss sustained. A store damaged in the weeks prior to the holiday shopping season may lose a substantial amount of its yearly sales. A power outage lasting a few minutes would be a minor inconvenience for most businesses but one lasting for hours could result in significant business losses. A short duration disruption of production may be overcome by shipping finished goods from a warehouse but disruption of a product in high demand could have a significant impact. (from: https://www.ready.gov/business-impact-analysis)
Failure of CLAS Labs, webspace and other technical assets while classes are in session drastically reduces CLAS's ability to provide education, the business of CLAS. Detailed, thought-out, orchestrated responses to failure can limit this impact, making this conversation critical to the development of the CLAS Disaster Recovery Plan, as it determines the focus and allocation of resources for maintaining business continuity at CLAS.
Business Impact Analysis Worksheet - from FEMA.
Organization and Staff
Contact information for staff working on and contributing to Business Continuity at CLAS includes:
(Need org charts here to depict ITAG, CLAS SIRT and IT Advisory Group, and excerpt from By-laws establishing the IT Advisory Group.)
This committee should meet weekly with the active participants in the ITAG to discuss, recommend and implement changes to CLAS's technology infrastructure and to define and update staff and organizational contacts and protocols in case of a catastrophic event.
Maintenance and Testing
This document, its procedures and related policy should be reviewed, at a minimum, every year to ensure that changes in CLAS's technology infrastructure do not supersede or outgrow business continuity capacity. An ongoing testing program should be established, and tests scheduled and performed on all aspects of the business continuity plan (Fire Day).