| Policy Category | Policy Owner | Version Effective Date | Review Cycle | Last Reviewed | Policy Contact |
|---|---|---|---|---|---|
| X. Information Governance, Security & Technology | SVP, General Counsel, and Chief People Officer | May 15, 2026 | Annual | May 15, 2026 | Info. Gov. |
- Purpose
The purpose of this Disaster Recovery Policy is to ensure the continuity and recovery of University of Maryland Global Campus Critical Information Systems and Information Resources in the event of an emergency or disaster. - Scope and Applicability
This policy applies to all University Information Systems and Information Resources. Information System Stewards and Technical System Leads are responsible for adhering to this policy. - Definitions
Defined terms are capitalized throughout this policy and can be found in the Information Governance Glossary. - Disaster Recovery Plan
- A Disaster Recovery Plan must be developed and implemented for Critical Information Systems and Information Resources to ensure sufficient response and remediation of critical IT functions in the event of an unscheduled interruption.
- Business units that own and administer University Information Technology Resources must have documented Disaster Recovery Plans and are responsible for ensuring sufficient financial, personnel, and other resources are available as necessary.
- At a minimum the plan should identify and protect against risks to Critical Information Systems and Confidential Data consistent with the USM IT Security Standards, provide for contingencies to restore Information and Information Resources in the event of a disaster, and include:
- Resource Contact List
- Succession plan
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Restoration Priority List
- Description of current back-up and restoration procedures
- Description of the back-up storage location(s) and services
- Equipment replacement plan
- Communications plan
- Vital records management
- The Disaster Recovery Plan must be updated and tested annually or when new Critical Information Systems are installed, if technically feasible.
- Backup and Restore
- Critical Information Systems shall be periodically backed up and copies maintained at reasonably distant locations not prone to similar catastrophic events.
- Backup and restore requirements for Critical Information Systems shall be defined by the Data Stewards to include:
- Data and Files to be backed up;
- RTO;
- RPO;
- Retention period for backup media defined by the Data Owner and according to the UMGC Policy on Records and Information Management;
- Integrity verification of backups before use, including malware and intrusion detection scanning;
- Integrity verification of recovered assets for normal operating status; and
- A review of mission essential functions and cybersecurity risk during post-disruption analysis.
- All back-up media containing Confidential Data must be encrypted.
- Exceptions
Exceptions to this policy should be submitted to Information Security for review and approval. If an exception is requested, a compensating control should be documented and approved. - Enforcement
UMGC Employees who violate this Policy may be subject to disciplinary action, up to and including termination of employment. - Standards Referenced
- Most recent versions:
- USM IT Security Standards
- NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
- Cybersecurity Maturity Model Certification (CMMC)
- Most recent versions:
- Related Policies, Procedures, and References
- MD-POL-210-01 State of Maryland DoIT Continuity of Operations Policy
- UMGC Policy X-1.02 Data Classification
- UMGC Policy X-1.03 Records and Information Management
- UMGC Policy X-1.04 Information Security
- UMGC Policy X-1.05 Information Security Awareness and Training
- UMGC Policy X-1.06 Information Security Incident Response
- UMGC Policy X-1.12 Acceptable Use
- UMGC Policy X-1.19A Account Management (UMGC Learner Community)
- UMGC Policy X-1.19B Account Management (UMGC Workforce)