Vulnerabilities to natural, man-made and technology-driven disasters require University of Missouri System business units to plan and prepare for system disruptions. Business continuity planning includes the identification of vulnerabilities, priorities, dependencies and measures required to facilitate continuity and recovery before, during and after a crisis. 

The goal of the initiative is to develop system-specific documentation to establish a customized continuity plan to prepare for IT disruptions. Through these efforts, the planning will be in place to keep the University’s business processes and academic services functioning with minimal interruption. 

System Business Continuity Classification

The system business continuity classification is used as a guide to assess and classify the criticality level of an IT system. The criticality of an IT system is determined in relation to the business processes and services it provides to the University. The necessary business continuity plans and testing requirements depend on the classification level assigned by the ISAM and BCM team.

| Business Continuity Procedures | Criticality Level: Enterprise Essential Systems | Criticality Level: Campus Essential Systems | Criticality Level: Moderate | Criticality Level: Low |
| --- | --- | --- | --- | --- |
| Business Impact Analysis (BIA) | Required | Required | Required | Required |
| Information System Contingency Plan (ISCP) | Required | Required | Required | Recommended |
| System Security Plan (SSP) | Required | Required | Recommended | Recommended |
| System Specific Cyber Incident Response Plan | Required | Required | Recommended | Recommended |
| System Specific Communication Plan | Required | Required | Recommended | Recommended |

| Criticality Level | Definition |
| --- | --- |
| Enterprise Essential Systems | Enterprise essential systems are any IT component (software, hardware, database, application, etc.) that performs a function essential to system-wide business operations. Failure or disruption of an enterprise essential system adversely affects the mission or activity of multiple campuses or business units. |
| Campus Essential Systems | Campus essential systems are any IT component (software, hardware, database, application, etc.) that performs a function essential to campus-wide business operations. Failure or disruption of a campus essential system adversely affects the mission or activity of a single campus. Each campus may identify different campus essential systems based on its business operations. |
| Moderate | Moderate critical systems are those for which the loss of confidentiality, integrity or availability could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals. |
| Low | Low critical systems are those for which the loss of confidentiality, integrity or availability could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals. |

Business Continuity Plans

Continuity planning represents a broad scope of activities designed to sustain and recover the business processes and critical systems of an organization. The extent of business continuity procedures necessary for an IT system depends on the criticality and risk assessment evaluation. The range of procedures for continuity planning includes the following, with a Business Impact Analysis (BIA) and an Information System Contingency Plan (ISCP) at minimum.

Business Impact Analysis (BIA): The BIA enables the ISCP Coordinator to characterize the system components, supported mission/business processes and interdependencies. The purpose of the BIA is to correlate the system with the critical mission/business processes and services provided and, based on that information, characterize the consequences of a disruption.

Information System Contingency Plan (ISCP): An ISCP provides recovery and resumption procedures for a single information system resulting from disruptions that do not necessarily require relocation to an alternate site.

System Security Plan (SSP): The SSP provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements. The SSP also delineates responsibilities and expected behavior of all individuals who access the system.

System Specific Cyber Incident Response Plan: A Cyber Incident Response Plan establishes procedures to enable security personnel to identify, mitigate and recover from cyber-attacks against an organization's information system(s).

System Specific Communications Plan: A communication plan addresses internal communication flows to personnel and management.

Business Continuity Testing, Training and Exercises (TT&E)

The purpose of testing and carrying out exercises is to confirm the business continuity solution satisfies the organization's recovery requirements. The type of TT&E activities required and the frequency for conducting system tests are driven by the criticality level assigned to the system. A customized TT&E plan will be established prior to the completion of the business continuity plan(s). 

| Criticality Levels | Testing Objectives |
| --- | --- |
| Enterprise Essential Systems | The full-scale functional exercise should include a system failover to the alternate location. This could include additional activities such as full notification and response of key personnel to the recovery location, recovery of a server or database from backup media or setup and processing from a server at an alternate location. The test should also include a full recovery and reconstitution of the information system to a known state. |
| Campus Essential Systems | |
| Moderate | The functional exercise should include all ISCP points of contact and be facilitated by the system owner or responsible authority. Exercise procedures should be developed to include an element of system recovery from backup media. |
| Low | The tabletop should simulate a disruption, include all main ISCP points of contact and be conducted by the system owner or responsible authority. |

Assistance and References

The Information Security and Access Management (ISAM) BCM team will coordinate with University departments regarding their IT business continuity planning initiatives. The BCM staff will provide the necessary education and resources needed throughout. If you have any questions regarding the business continuity procedures or your system, please contact IT Business Continuity Management at bcmit@umsystem.edu.

Network infrastructure devices do not create or store data. Review the standards for management access and configuration of the network infrastructure hardware that transports data and adjacent systems that may be employed in support of that infrastructure.