OUHSC Information Technology Department


Resource and Data Recovery:

Supporting documents: Full policy (PDF)

Information system resource and data owners must establish, test, revise, and, as needed, implement resource and data recovery plans and procedures to ensure business continuity and the ability to restore any loss of sensitive information system resources or data.

At a minimum, these recovery plans must include:

  • The conditions for activating the plan or procedure.
  • Business, infrastructure, and resource requirements.
  • Identification and definition of employee roles and responsibilities (primary and secondary) and contact information.
  • Identification of dependencies on external entities for restoration and any requirements and/or agreements for/with these entities.
  • Procedures (manual and automated) which identify recovery locations and describe the actions to be taken to resume normal operations within required time frames.
  • The order in which information systems or data must be recovered.
  • Allowable outage times.
  • Notification and reporting procedures.
  • Procedures for allowing appropriate physical access to the facilities and information systems.
  • Procedures for obtaining sensitive data when normal access is unavailable for business continuity.

Information system resource and data owners must create and document a disaster recovery plan and procedures to recover their information systems, resources, and data in the event of a disaster.

Information system resource and data owners must create and document contingency plans and procedures for responding to an emergency or other incident which may occur (for example: vandalism, theft, system or power failure) during a disaster or as a random event. 

Information system resource and data owners must create and document an emergency operations plan and procedures for the protection of sensitive data during a disaster, emergency or other occurrence which may impact the protection of sensitive data.  The emergency operations plan must reasonably ensure all sensitive data is protected prior to, during, and after the implementation/completion of any recovery plan or procedure.

Information system resource and data owners must establish a data backup plan and procedures to ensure exact copies of sensitive data are created, maintained, and available for the restoration of any loss.

A testing and revision plan must be established and implemented to ensure the periodic testing of recovery plans and related procedures. This plan should define the cycle and scope of the tests, training of those involved, and the type of tests performed (exercise or real operational scenario) based on acceptable business impact for testing.

Employees must receive regular training on these plans and procedures and have access to a current copy at all times. An appropriate number of copies of the plans and procedures must be kept off-site.