Technical Standard for IT Enterprise System Classification, Risk Management and Disaster Recovery
This technical standard defines the College’s requirements for:
- inventorying, classifying and documenting supported IT systems and applications;
- the requirements for documenting Risk Assessment Plans and Disaster Recovery Plans
for internally hosted systems;
- the requirements for vendors that host sensitive or critical systems.
Maintenance of an accurate Enterprise Systems Inventory is the responsibility of IT Services.
Documentation for each inventoried application includes:
- Highly Sensitive Data Indicator
- System Restoration Priority Tier
- Externally Hosted System Indicator
Systems Storing Highly Sensitive Data
Any enterprise system storing highly sensitive data, as defined in the college’s Data Classification Standard within the Administrative Data Management and Access Policy, must be flagged as such.
All internally hosted enterprise systems containing highly sensitive data should have a documented
Risk Assessment plan, with a formal risk assessment completed annually.
All externally hosted enterprise systems containing highly sensitive data should include additional vendor contractual terms and conditions, including a requirement for annual copies of vendor SSAE-16 audit compliance reports.
Systems With Critical Availability Requirements
Enterprise systems are categorized in terms of high availability requirements, or restoration
Each enterprise system listed in the Enterprise Systems Inventory will be classified per restoration priority, as follows:
- Tier 1 – Highest availability and highest restoration priority requirement; recovery begins immediately upon identification of issue, including after hours.
- Tier 2 – Medium restoration priority; to be restored after recovering all applicable Tier 1 systems. If problem is identified after working hours, recovery begins at 7:30 am the following business day, or
at 9:00 am on Saturday/Sunday.
- Tier 3 – lowest priority; to be restored after recovering all applicable Tier 2 systems. If problem is identified after working hours, recovery begins at 8:00 am on the next business day (Monday
All internally hosted systems classified with a Tier 1 restoration priority will have a documented Disaster Recovery plan in place; DR Plans should be reviewed and updated annually, including verification of annual disaster recovery testing activities.
All externally hosted Tier 1 systems should have special vendor contractual terms and conditions regarding system availability and disaster recovery.
Enterprise Systems Inventory
APPROVALS AND REVISIONS
Approved by Chief Technology Officer, May 21, 2012
10/8/12 – Revised to include more specific restoration/recovery “Tier” definitions
For a printable version of this policy, click here.