UMGC Policy X-1.09 UMGC Policy on IT Disaster Recovery

Purpose

The purpose of this Disaster Recovery Policy is to ensure the continuity and recovery of University of Maryland Global Campus ("UMGC" or University) Critical Information Systems in the event of an emergency or disaster.

Scope and Applicability

This policy applies to all University Information Systems and Information Resources. All Users are responsible for adhering to this policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

1. A Disaster Recovery Plan must be developed and implemented for centralized Information Technology Resources to ensure sufficient response and remediation of critical IT functions in the event of an unscheduled interruption.
2. Business units that own and administer University Information Technology Resources must have documented Disaster Recovery Plans and are responsible for ensuring sufficient financial, personnel, and other resources are available as necessary.
3. At a minimum the plan should identify and protect against risks to Critical Information Systems and Confidential Data consistent with the USM IT Security Standards, provide for contingencies to restore Information and Information Resources in the event of a disaster, and include:
   1. Resource Contact List
   2. Succession plan
   3. Restoration Priority List
   4. Description of current back-up and restoration procedures
   5. Description of the back-up storage location(s) and services
   6. Equipment replacement plan
   7. Communications plan
4. The Disaster Recovery Plan must be updated and tested annually or when new Critical Information Systems are installed, if technically feasible.

1. Critical Information Systems shall be periodically backed up and copies maintained at reasonably distant locations not prone to similar catastrophic events.
2. Backup and restore requirements for Critical Information Systems shall be defined by the Data Stewards to include:
   1. Data and Files to be backed up
   2. Recovery Time Objective (RTO) – the length of time by which the system must be returned to an acceptable level of service
   3. Recovery Point Objective (RPO) – the point in time to which processing must be returned
   4. Retention period for backup media defined by the Data Owner and according to the University Data Retention Policy
3. All back-up media containing Confidential Data must be encrypted.

Exceptions

Exceptions to this policy should be submitted to Information Security for review and approval. If an exception is requested, a compensating control should be documented and approved.

Enforcement

UMGC Employees who violate this Policy may be subject to disciplinary action, up to and including termination of employment.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” dated February 2020.
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, December, 2021

1. UMGC Policy X-1.02 Data Classification
2. UMGC Policy X-1.04 Information Security
3. UMGC Policy X-1.05 Information Security Awareness and Training
4. UMGC Policy X-1.06 Information Security Incident Response
5. UMGC Policy X-1.12 Acceptable Use
6. UMGC Policy X-1.19A Account Management (UMGC Learner Community)
7. UMGC Policy X-1.19B Account Management (UMGC Workforce)