Original Issuance Date: February 11, 2025
Last Revision Date: February 11, 2025
Effective Date: August 1, 2025
1. Purpose of Procedures
The standard establishes the minimum required elements for Information Technology (IT) Disaster Recovery (DR) plan(s) for University of Wisconsin (UW) institutions.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- Data Backup
- Disaster Recovery Plan
- High Impact System
4. Procedures
A. Standard
IT DR plan(s) must include the following elements:
I. Purpose and Scope
- Clearly define the objectives of the IT DR plan.
- Specify the general scope of the IT DR plan, including the types or categories of systems, applications, and business functions it addresses.
II. Roles and Responsibilities
- Specify each role on the IT DR team, along with a clear hierarchy of command.
- Maintain or reference a resource (e.g., a call tree or directory) for up-to-date contact information of the individuals currently occupying these roles.
- Outline the specific tasks and responsibilities for each IT DR team role, including but not limited to executing the recovery plan, communicating with stakeholders, and coordinating with external parties.
III. Critical Business Functions and Prioritization
- Clearly define mission-critical functions and processes that must be restored in the event of a disaster.
- Identify the High Impact Systems and other mission-critical IT operations that support these functions, and establish an order of restoration based on the impact to institutional operations, dependencies, and stakeholder needs.
IV. Recovery Strategies
- For each High Impact System identified, outline backup procedures, including frequency, storage locations, and methods for restoring data.
- Outline a schedule to regularly verify and test the above backups.
- Outline the steps for restoring IT systems, including servers, networks, and applications.
- Identify alternative work locations or remote work options if the primary site is unavailable.
V. IT Disaster Recovery Procedures
- Detail procedures for recovering systems and restoring operations, including monitoring and validation of recovery efforts.
- Establish or reference internal and external communication protocols, including how and when to notify employees, customers, suppliers and regulators.
- Define criteria for escalating incidents and the process for decision-making during a disaster.
VI. Vendor and Third-Party Coordination
- Maintain up-to-date contact information for critical vendors and service providers.
- Ensure Service Level Agreements with vendors include provisions for disaster recovery support and clearly define their responsibilities during a disaster.
5. Related Documents
UW System Administrative Policy 1033, Information Security: Incident Response
UW System Administrative Policy 1037, Information Security: IT Disaster Recovery
6. History
First approved: February 11, 2025