Original Issuance Date: August 4, 2021 

Last Revision Date: February 11, 2025

Effective Date: August 1, 2025 

1. Policy Purpose

This policy establishes the minimum requirements for Information Technology (IT) Disaster Recovery (DR) efforts for University of Wisconsin (UW) institutions and is designed to assist in executing recovery processes in response to a disaster or significant IT disruption. 

2. Responsible UW System Officer

Associate Vice President for Information Security 

3. Scope and Institutional Responsibilities

This policy applies to all UW System institutions, including UW System Administration, and covers all High Impact Systems and mission-critical IT operations under the direct control of UW institutions. This policy does not apply to software-as-a-service (SaaS) solutions that are managed or operated entirely by external vendors and are not under UW operational control.

4. Background 

The President of the University of Wisconsin System is empowered to establish information security policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. 

The IT DR requirements outlined in this policy are designed to ensure that necessary measures are in place to minimize the impact of unforeseen events on High Impact Systems, protect the integrity of the institution’s business infrastructure, and enable the rapid restoration of essential IT services to support the ongoing missions of scholarship, research, and administration. 

5. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include: 

  • Disaster Recovery Plan 
  • High Impact System 
  • Recovery Point Objectives (RPO) 
  • Recovery Time Objectives (RTO) 

6. Policy Statement 

A. IT DR Plans

All UW institutions must maintain comprehensive IT DR plan(s) that detail the necessary actions to restore the institution’s High Impact Systems and mission-critical IT operations in the event of a disruption. Minimum DR plan elements are outlined in SYS 1037.A, IT Disaster Recovery Plan Standard.

  1. When feasible, IT DR plan(s) should be integrated with, or directly linked to, institutional Emergency Operations Plans, Incident Response Plans, and departmental Continuity of Operations Plans (COOP) to ensure a coordinated approach to recovery. IT DR plan(s) should utilize the COOP’s established internal and external communications strategies.
  2. IT DR plan(s) must be reviewed and updated annually to reflect changes in technology and business requirements. 

B. Backups and Testing

Robust IT backup and testing processes must be implemented to ensure High Impact Systems are recoverable. 

  1. All High Impact Systems, including associated data and configurations, must be backed up according to a predefined schedule as outlined by the institution’s IT DR plan. Backup frequency for High Impact Systems must align with the institution’s operational needs and Recovery Point Objectives, not to exceed 28 days. 
  2. Regular verification and testing of backups must be conducted to ensure that they can be successfully restored within the institution’s Recovery Time Objectives. 
    1. Verification of backups for High Impact Systems must be conducted on a quarterly basis or after any significant changes to the IT environment, such as major software updates, infrastructure changes, or the introduction of new systems. Verifications should ensure that backups are compatible with the current environment and that no data has been missed during the backup process. 
    2. At least once a year, institutions should perform a full recovery test for each identified High Impact System to verify the entire backup and recovery process works as intended. 
  3. Backups for High Impact Systems must be stored securely using methods to protect against data loss due to physical or cyber incidents, such as by using an offsite location or cloud-based service. Offsite locations should be geographically separate from the primary location to mitigate the risk of a regional disaster. 
  4. All backup and testing activities must be documented, including the results of backup tests and any issues identified during the process.

C. Training and Continuous Improvement

  1. Each UW institution must conduct annual training and/or exercises to: 
    1. Ensure staff are familiar with their roles and responsibilities in recovery operations; and 
    2. Identify potential challenges that could impact the institution’s ability to effectively recover from a disaster. 
  2. After a disaster or incident where IT DR plan(s) are activated, institutions should evaluate the effectiveness of their recovery efforts and make necessary improvements to their IT DR plan(s). This involves conducting post-incident reviews, learning from the incident, and updating IT DR plans to address any gaps or weaknesses identified. 

7. Related Documents 

Regent Policy Document 25-5, Information Technology: Information Security  

UW System Information Security Program    

UW System Administrative Policy 1033, Information Security: Incident Response 

UW System Administrative Procedure 1037.A, Information Security: IT Disaster Recovery Plan Standard 

8. Policy History

Revision 2: February 11, 2025

Revision 1: March 8, 2022 

First approved: August 4, 2021 

9. Scheduled Review  

February 2030