UW System Administrative Procedure 1037.A

Information Security: IT Disaster Recovery Standard

Original Issuance Date:  February 11, 2025

Last Revision Date:  February 11, 2025

Effective Date: August 1, 2025 

1. Purpose of Procedures 

The standard establishes the minimum required elements for Information Technology (IT) Disaster Recovery (DR) plan(s) for University of Wisconsin (UW) institutions. 

2. Responsible UW System Officer 

Associate Vice President for Information Security 

3. Definitions 

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include: 

  • Data Backup 
  • Disaster Recovery Plan 
  • High Impact System  

4. Procedures 

A. Standard 

IT DR plan(s) must include the following elements: 

I.  Purpose and Scope 

    1. Clearly define the objectives of the IT DR plan. 
    2. Specify the general scope of the IT DR plan, including the types of categories of systems, applications, and business functions it addresses. 

II.  Roles and Responsibilities 

    1. Specify each role on the IT DR team, along with a clear hierarchy of command. 
    2. Maintain or reference a resource (e.g., a call tree or directory) for up-to-date contact information of the individuals currently occupying these roles. 
    3. Outline the specific tasks responsibilities for each IT DR team role, including but not limited to executing the recovery plan, communicating with stakeholders, and coordinating with external parties. 

  2. III.  Critical Business Functions and Prioritization 

    1. Clearly define mission-critical functions and processes that must be restored in the event of a disaster. 
    2. Identify the High Impact Systems and other mission critical IT operations that support these functions, and establish an order of restoration based on the impact to institutional operations, dependencies, and stakeholder needs. 

  3. IV.  Recovery Strategies 

    1. For each High Impact System identified, outline backup procedures, including frequency, storage locations, and methods for restoring data. 
    2. Outline a schedule to regularly verify and test the above backups. 
    3. Outline the steps for restoring IT systems, including servers, networks, and applications. 
    4. Identify alternative work locations or remote work options if the primary site is unavailable. 

V.  IT Disaster Recovery Procedures 

    1. Detail procedures for recovering systems and restoring operations, including monitoring and validation of recovery efforts. 
    2. Establish or reference internal and external communication protocols, including how and when to notify employees, customers, suppliers and regulators. 
    3. Define criteria for escalating incidents and the process for decision-making during a disaster. 

VI.  Vendor and Third-Party Coordination 

    1. Maintain up-to-date contact information for critical vendors and service providers. 
    2. Ensure Service Level Agreements with vendors include provisions for disaster recovery support and clearly define their responsibilities during a disaster. 

5. Related Documents 

UW System Administrative Policy 1033, Information Security: Incident Response
UW System Administrative Policy 1037, Information Security: IT Disaster Recovery 

6. History 

First approved: February 11, 2025