By Robert Smith. The University of California has a brand new IT Recovery Policy!
UC President Michael V. Drake signed the policy, BFB-IS-12: IT Recovery Policy, on June 11, 2021, and it took effect July 1, 2021.
In an increasingly collaborative world that depends on shared electronic information and resources, it is essential for any organization, especially one as large and complex as UC, to create and implement a policy to guide and prepare it for recovering systems and data in the event of a disaster or adverse event.
The basic premise of the policy is that the University of California’s Institutional Information and IT Resources should be recoverable in the event of an unavoidable or unforeseen disaster, whether natural or human-made. Further, the ability to recover Institutional Information and IT Resources requires appropriate governance, funding, design, development, testing, maintenance, protection, and procurement procedures.
UC began the process of rethinking, revising, and reviewing its IT Recovery Policy in 2019. A fourteen-person systemwide workgroup convened late in 2019 with representatives from seven academic campuses and three health centers.
The IT Recovery Policy is based on best practices from UC Health, and classifies Institutional Information and IT Resources according to five tiers, called “recovery levels.” The levels range from R1 (the lowest tier allowing up to thirty days to recover) to R5 (the highest tier requiring recovery in a few minutes).
Having recovery levels facilitates planning, easy communication, testing, and created a taxonomy to logically group systems based on the need to support key business processes. UC Health developed this tiering system and has been using it successfully for a couple of years, and so the policy workgroup adopted this useful approach.
The IT Recovery Policy would not have been possible without the support of an entire team, including experts in multiple fields across all UC locations and the Academic Senate’s University Committee on Academic Computing and Communications.
Important Policy Features
Having the IT Recovery Policy in place demonstrates UC’s leadership in cyber risk management. UC’s approach is novel because the policy provides two ways to comply. Compliance can be achieved (a) by following the policy’s requirements across all in-scope business processes or (b) by taking an iterative approach. These options provide the flexibility that a large research university like the University of California truly needs.
Other important features of the policy are:
- Built-in exception process
- Twelve-month soft start, July 1, 2021 – July 2, 2022
- Flexible approach to scope that relies on local governance and planning
- Iterative model based on the NIST Cyber Security Framework
The new policy calls for each UC location to use its own Business Continuity Plan (BCP) to determine the scope of IT recovery planning to undertake. This allows locations to use existing governance mechanisms to set priorities and adjust them over time so as to meet local operational needs.
During the twelve-month soft start, locations will need to work on the following activities towards full policy implementation at the end of July 2022:
- Use local governance and the location’s business continuity plan (BCP) to determine the current state of IT Recovery and then develop an understanding of what the future state should look like. Next, determine and plan the immediate next steps to move towards the future state and make sure gaps (or large risks) are approved by location leadership. This is the foundation of the iterative model.
- Identify key personnel for each required role (listed below) both for the location as a whole and for units that are in scope, based on priorities set by the location’s business continuity plan. Collect the appropriate contact information.
- At the location level, establish the processes for approving IT recovery plans and granting exceptions.
- Develop and approve IT recovery plans. IT recovery plans can be recorded using the systemwide tool, UC Ready, or another tool approved by the location’s cyber-risk responsible executive (CRE).
- The policy includes a 24-point outline for a basic recovery plan.
Ongoing requirements include:
- Completing inventories and setting recovery levels
- Testing and improving the IT recovery plans
- Adding new plans, keeping plans up-to-date and performing periodic reviews
- Testing restore processes
- Making sure suppliers can meet their obligations as required
- Incorporating IT recovery into project planning
- Evaluating the current state and planning for the desired future state of IT recovery capability
Roles and Responsibilities
The new policy clarifies the roles and responsibilities required for implementation:
- Cyber-risk Responsible Executive (CRE)
- Business continuity planners
- Risk manager
- Location IT Recovery Lead (LITRL)
- Location IT Recovery Team
Under the policy, when in scope, units play a key role in planning and managing their IT recovery plans.
- Unit Heads
- Unit IT Recovery Lead (UITRL)
- Unit IT Recovery Team
- Unit Information Security Leads (UISL)
A list of frequently asked questions is available for review. For questions concerning implementation, please contact your location’s risk manager. You can also ask questions on the UC Tech Slack workspace, #is-12-recovery. You may also reach out to your campus risk manager or your UC Health risk manager.
For more information, join the conversation in the UC Tech Slack channels #events, #is-12-it-recovery, and #bc-itdr. Also, the ITPS mail list will announce upcoming webinars and new resources related to IS-12. Contact me to join the ITPS list.
Robert Smith is systemwide IT policy director, University of California Office of the President.