This technical standard defines the College’s requirements for:
Maintenance of an accurate Enterprise Systems Inventory is the responsibility of IT Services.
Documentation for each inventoried application includes:
Systems Storing Highly Sensitive Data
Any enterprise system storing highly sensitive data, as defined in the College’s Data Classification Standard within the Administrative Data Management and Access Policy, must be flagged as such.
All internally hosted enterprise systems containing highly sensitive data should have a documented Risk Assessment plan, with a formal risk assessment completed annually.
All externally hosted enterprise systems containing highly sensitive data should include additional vendor contractual terms and conditions, including a requirement for annual copies of vendor SSAE-16 audit compliance reports.
Systems With Critical Availability Requirements
Enterprise systems are categorized in terms of high availability requirements, or restoration
Each enterprise system listed in the Enterprise Systems Inventory will be classified per restoration priority, as follows:
All internally hosted systems classified with a Tier 1 restoration priority will have a documented Disaster Recovery plan in place; DR Plans should be reviewed and updated annually, including verification of annual disaster recovery testing activities.
All externally hosted Tier 1 systems should have special vendor contractual terms and conditions regarding system availability and disaster recovery.
Enterprise Systems Inventory
APPROVALS AND REVISIONS
Approved by Chief Technology Officer, May 21, 2012
10/8/12 – Revised to include more specific restoration/recovery “Tier” definitions