September 15, 2016
Business Continuity and IT Disaster Recovery
The university recognizes the need to prepare for unexpected events such as natural or human-caused disasters, as well as the need to return the university as quickly as possible to its normal operations should such events occur. This policy delineates the responsibilities to respond to emergencies at USC to ensure that critical functions are maintained or restored in a timely manner. All university community members should familiarize themselves with their department or school business continuity and disaster recovery plan, as well as the university emergency plan.
USC’s office of Fire Safety and Emergency Planning (FSEP) facilitates emergency and disaster planning and preparation, in conjunction with the university’s Crisis Management Team and the Business Continuity Steering Committee (BSC).
Central university service and administrative departments are expected to maintain a constant state of readiness for any likely emergency situation, including both natural and human-caused disasters, following the national standard all-hazards approach; those departments are also expected to maintain sufficient university emergency services capabilities to enable effective response to any situation, ensuring the safety and well-being of university students, faculty, staff, and visitors as the highest priority. Assisted by FSEP staff, departments must maintain campus-wide response plans, conduct emergency response training, and participate in periodic campus-wide emergency exercises. Central emergency operations centers will be maintained on both the University Park and Health Sciences campuses to coordinate emergency response. Emergency response organization will be maintained in compliance with the national Incident Command System (ICS) standard. FSEP staff will also assist university units in off-campus locations to maintain appropriate emergency plans and preparations.
The President or designee will activate USC emergency response plans when needed, with the support of campus emergency service departments. In a major emergency, only the President or designated representative may temporarily close offices or cancel classes. In order to maintain continuity of academic programs, classes will be cancelled only if necessary due to extreme circumstances that require a temporary closure.
Business Continuity and IT Disaster Recovery
The university-wide goal after a major emergency or disaster will be to restore teaching, research, patient care, and other mission-critical activities in a timely manner.
Business Continuity Planning
All schools and divisions are required to develop and maintain a Business Continuity Plan (BCP) that describes the critical functions of the unit and how each function will be continued or resumed rapidly after an emergency to enable the university to resume teaching and research within seven days, even following a major disaster. Coordinating with FSEP, schools and divisions will implement the following steps required to complete a BCP:
- Conduct a Business Impact Assessment (BIA) that describes the critical functions within the school/division that support teaching, research, and patient care, and prioritizes these functions, identifying both the Maximum Tolerable Downtime (MTD) and the Recovery Time Objective (RTO) of each. In addition to the MTD and RTO, the BIA must also establish the appropriate Recovery Point Objective (RPO) to reduce the impact of data loss. This assessment should be updated whenever a significant change occurs to any of the critical functions within the school/division.
- Strategies for restoring critical functions within the recovery times necessary;
- Continuity strategies to be implemented in the event of loss of facilities, disruption of IT systems, or lack of full staffing for a period of time;
- Names, responsibilities, and contact information for the school/division disaster recovery team, which should include the unit leader, Senior Business Officer, HR leader, IT leader, facilities coordinator, and any other leaders of key school/division functions; and
- Procedures and checklists to be followed to achieve timely program resumption after a disaster.
- Update the plan annually to ensure that continuity strategies are adjusted if necessary, and that contact information for the unit recovery team is up-to-date.
- Test the plan annually to ensure effectiveness and to ensure the recovery team members understand their roles and responsibilities.
IT Disaster Recovery Planning
All schools and divisions that operate IT systems, in support of university business operations, must develop and implement adequate Disaster Recovery Plans (DRPs) based upon a BIA. All DRPs must contain the following information:
- A comprehensive inventory of applications, servers, data and support infrastructure necessary to operate the line of business.
- Comprehensive system recovery procedures, which are in line with the MTD and RTO established in the BIA, for each system and or application identified as critical to the university. Recovery procedures should be documented with a level of detail that would allow a competent third-party IT professional to recover the system or application.
Each DRP must be tested annually to ensure that it is effective and up-to-date. Documentation of test details, results and executive acceptance must be retained for a minimum of one year.
Roles and Responsibilities
Crisis Management Team
Chaired by the Senior Vice President, Administration, this committee includes representatives from all major divisions of the university. It provides general oversight of the emergency management, business continuity, and disaster recovery program.
Business Continuity Steering Committee (BSC)
This specialized group of senior administrators provides oversight and support for the ongoing business continuity and disaster recovery planning program.
Fire Safety and Emergency Planning (FSEP)
This office, within Administrative Operations, coordinates annual emergency planning, business continuity and disaster recovery planning, university-wide updating and testing, as well as providing fire/life safety programs. FSEP provides policies, procedures, training and training templates, tools, and planning assistance to all units developing business continuity and disaster recovery plans, as well as training and educational programs in emergency management. The group also annually monitors the compliance of all units with this policy to ensure that disaster plans are developed, implemented, tested and maintained as required. Compliance issues will be escalated as necessary to the BSC and senior administration.
School and Division Leadership Teams
These teams are responsible for developing and maintaining required plans for their school/division, communicating these plans to other unit staff, and updating or testing plans annually. Leadership teams are also responsible for coordinating with FSEP to regularly communicate plans, updates, and plan revisions.
Deans and Vice Presidents
Deans and vice presidents are responsible for approving the plans developed by leaders within their school or division, approving annual updates, and maintaining overall awareness and readiness throughout their organizations.
Senior University Administration
When a unit is not in compliance and does not respond to input from internal administrators or steering committees, if necessary the Senior Vice President, Administration or the Provost will provide guidance to the unit involved.
Fire Safety and Emergency Planning
Michael Quick, Provost and Senior Vice President, Academic Affairs
Todd R. Dickey, Senior Vice President, Administration
University of Southern California