
Information systems are vital elements in most University mission/business functions. Because information system resources are so essential to UConn's success, it is critical that identified services provided by these systems are able to operate effectively without excessive interruption. Contingency planning supports this requirement by establishing thorough policies, plans, procedures, and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption.
Information systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire). Much vulnerability may be minimized or eliminated through management, operational, or technical controls as part of the University's resiliency effort; however, it is virtually impossible to completely eliminate all risks. Contingency planning is designed to mitigate the risk of system and service unavailability by providing effective and efficient solutions to enhance system availability.
Information system contingency planning is a coordinated strategy involving policies, plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a disruption. Contingency planning is unique to each system, providing preventive measures, recovery strategies, and technical considerations appropriate to the system's information confidentiality, integrity, and availability requirements and the system impact level. Contingency planning generally includes one or more of the following approaches to restore disrupted services:
- Restoring information systems using alternate equipment;
- Performing some or all of the affected business processes using alternate processing (manual) means (typically acceptable for only short-term disruptions);
- Recovering information systems operations at an alternate location (typically acceptable for only long-term disruptions or those physically impacting the facility); and
- Implementing appropriate contingency planning controls based on the information system's security impact level.
When I arrived at UConn, UITS had barely more than a basic BCP/DR Policy written by the Information Security Office that essentially says:
Each University department will maintain a current, written and tested Business Continuity Plan (BCP) that addresses the department's response to unexpected events that disrupt normal business (for example, fire, vandalism, system failure, and natural disaster).
Apart from the policy, there was nothing else except a basic Microsoft Word business continuity template that didn't even come close to meeting the University's needs. There were no IT contingency plans, no training materials, no instructions, no definitions, no other templates…nothing!
As a consultant, I reported into Jason Pufahl, Chief Information Security Officer. Jason shared his vision of what needed to be done and I was off to the races. At some point during the first couple of weeks, Jason commented, "I've never seen anyone hit the ground running so fast. Every time I talk to someone on campus about the need to meet and talk to you, you've already met with them!" For me it was no big deal. I was just doing my job. But what I accomplished for UConn over the next 8 months provided a foundation for a Business Continuity and Disaster Recovery program that rivals any other campus-based resilience program in the United States. The work product I delivered for UConn includes:
- BCP/DR Governance Teams Established
- UITS Emergency Operation Plan
- BCP/DR Toolkit & Document Library
- BCP/DR Integration Into New Project Process
- Critical Infrastructure Protection (CIP) Site in Chemistry
- Negotiated with University of Connecticut Health Center for CIP Remote Site
- IT Capital Investment Funds Requested
- Business Partner Training Program Established
Since UConn is a public University, the document library I produced for them is in the public domain and available on this site to download and adapt for your own use without restriction. Please get in touch with me to discuss how I can help with your Business Continuity / Disaster Recovery needs.