University Policies and Procedures Manual (previously Business Policies and Procedures Manual)

Business Continuity and Disaster Recovery

UPPM 87.70

For more information contact:
Information Technology Services

1.0 Overview and Purpose
- 1.1 Information Assurance Policies Generally
- 1.2 Specific Policy Overview and Purpose
2.0 Applicability
3.0 Roles and Responsibilities
4.0 Requirements
- 4.1 General
- 4.2 Moderate- and High-Impact Systems
- 4.3 High-Impact Systems
5.0 Training

1.0 Overview and Purpose

1.1 Information Assurance Policies Generally

The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:

Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.

The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability.

To determine the potential consequence of a loss event, the Federal Information Processing Standards:

Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
Dictate which security controls are mandatory based upon the categorization level;
Define the strength, frequency, and formalization of those controls; and
Influence audit burden and continuous monitoring rigor.

See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.

1.2 Specific Policy Overview and Purpose

Business continuity and disaster recovery planning is a critical part of ensuring the security and reliability of WSU’s information systems, as well as the protection of WSU data and information. This policy sets forth roles, responsibilities, and requirements for developing, maintaining, and testing contingency plans.

2.0 Applicability

This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.

Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.

3.0 Roles and Responsibilities

3.1 Chief Information Officer

The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.

3.2 Information System Owners

Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.

3.3 Office of Information Security and Assurance (OISA)

WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).

Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.

4.0 Requirements

4.1 General

WSU Information System Owners, or their delegates, must develop a contingency plan to maintain essential mission and business functions in the event of a system disruption, compromise, or failure.

The contingency plan must reflect the degree of restoration required for organizational systems.
Contingency planning activities are to be coordinated with incident handling activities and incorporate lessons learned.
Copies of the contingency plan are to be distributed to key personnel and protected from unauthorized disclosure and modification.
The plan is to be reviewed and updated regularly. Changes are to be communicated as needed.

Contingency plans are to be tested to determine effectiveness. Test results must be reviewed, and corrective actions are to be implemented.

Users with contingency plan responsibilities are to be trained for their role. Training content is to be updated as needed.

Backups are to be carried out of user-level information, system-level information, and system documentation. The confidentiality, integrity, and availability of backup information is to be protected.

Recovery and reconstitution of the system to a known state must reflect mission and business priorities.

4.2 Moderate- and High-Impact Systems

In addition to the above, the following requirements apply to all moderate- and high-impact systems.

Contingency plans for moderate- and high-impact systems are to be coordinated with other organizational plans (e.g., incident response plans).

Moderate- and high-impact system contingency plan testing is to be coordinated with related plans (e.g., incident response plans).

Moderate- and high-impact systems must identify the critical system assets that support mission and business functions.

Moderate- and high-impact systems must establish alternate storage sites that provide controls equivalent to that of the primary site.

The alternative storage site must be sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
Accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster must be identified with explicit mitigation actions outlined.

Moderate- and high-impact systems must establish alternate processing sites to transfer or resume operations. The alternate processing site must provide controls that are equivalent to those at the primary site.

The alternate processing site is to be separated from the primary processing site to reduce susceptibility to the same threats.
Alternate processing sites must identify potential accessibility problems in the event of an area-wide disruption or disaster.
Alternate processing site agreements must contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).

Moderate- and high-impact systems must establish alternate telecommunications services for essential mission and business functions.

Primary and alternate telecommunications service agreements must contain priority-of-service provisions in accordance with the unit established availability requirements.
Alternate telecommunications are to be selected to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

Moderate- and high-impact system backups must:

Be tested to verify information integrity; and
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification.

Moderate- and high-impact transaction-based systems must implement transaction recovery.

4.3 High-Impact Systems

In addition to the above, the following requirements apply to all high-impact systems.

High-impact systems contingency plans must:

Consider capacity during contingency operations;
Include considerations for continuance of mission and business functions with minimal or no loss of operational continuity;
Incorporate simulated events in the training; and
Include alternate processing site testing.

Alternate storage sites for high-impact system data are to be configured in accordance with the defined recovery time and recovery point objectives.

Alternate processing sites for high-impact systems are to be configured to serve as an operational site to support essential mission and business functions.

High-impact systems must obtain alternate telecommunications services from providers that are separate from primary service providers to reduce susceptibility to the same threats.

High-impact system telecommunications service providers must maintain contingency plans that meet unit contingency requirements. Evidence of the service provider contingency plan testing/training is to be obtained.

High-impact system backups must:

Use a sample of backup information to restore as part of contingency plan testing;
Store critical software and information in a separate facility or fire rated container that is not connected to the operational system; and
Be transferred to the alternate storage site in a period consistent with recovery time and point objectives.

High-impact systems must have the ability to restore system components to known, operational states within a specified time.

5.0 Training

See UPPM 87.21 for training requirements related to UPPM Chapter 87.

In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.

_______________________
Revisions: March 2026 (NEW – Rev. 654).