Disaster Recovery and Business Continuity Planning


Action Item. An action item is something that could be done now (or anytime before disaster strikes) to make your department/ org. unit more prepared. Action items can be big or small, costly or costless, within the scope of your department/ org. unit to perform, or outside your scope. Taken together, a department’s action items comprise a to-do list for readiness.

The typical Action Item begins with a verb and can be stated in one sentence. Some examples:

  1. Develop a plan for secure storage of critical research materials.
  2. Develop a plan for redeploying nursing staff to critical areas.
  3. Cross-train two staff members to handle payroll & purchasing.
  4. Make an emergency contact list and ask all staff to keep a copy at home.

Broadband Connection. Broadband describes an internet connection that is faster than dial-up i.e. in excess of 128 kilobits per second. The usual at-home broadband connections are DSL (telephone), cable, and wireless.

Centrally-Supported Application. A centrally-supported application means that ITS is the custodian or provides the technical support for the application. (The functional owner could be any department.)

Clustered Departments. Departments that share administrative staff. < -- how do we refer to these people here?

Consequences. For the purposes of the this tool, harmful consequences of slow recovery may impact the Critical Functions of a department, such as disruption of teaching and departure of faculty and students.

Continuity Plan. Continuity planning addresses the question: how can we prepare to continue operations despite those adverse events that we call disasters – or if we can’t continue, how can we resume our operations rapidly and gracefully.
The University of Iowa is a major national research university and known for its achievements in the arts, sciences, and humanities. Teaching, research, public service, and patient care are four enterprises, along with the infrastructure that supports them, that are the focus of our continuity planning.

Your departmental continuity plan:

  1. Identifies your department’s critical functions.
  2. Describes how you might carry on these functions under conditions of diminished resources (diminished staff, space, equipment, or IT infrastructure).
  3. Contains various information that will be needed during and after the disaster event.
  4. Describes how we can prepare. This is most important of all, because "a stitch in time does indeed save nine." A good continuity plan will identify action items: things that we can do now to lessen the impact of disaster events and make it easier to recover.

Critical Function. A Critical Function is an activity that is essential to the core mission of the department or organization. For disaster planning, a Critical Function is one that must be continued through disaster, or resumed soon after a disaster-event, to ensure either the viability of the organization, or its ability to serve its customers.
The UC Ready methodology defines four levels of criticality:

Critical 1: Must be continued at normal or increased service load. Cannot pause. Necessary to life, health, security. (Examples: inpatient care, police services, generation of power).
Critical 2: function must be continued if at all possible, perhaps in reduced mode. Pausing completely will have grave consequences. (Examples: provision of care to at-risk outpatients, functioning of data networks, at-risk research)
Critical 3: function may pause if forced to do so, but must resume in 30 days or sooner. (Examples: classroom instruction, research, payroll, student advising)
Deferrable: function may pause if necessary; and resume when conditions permit. (Examples: elective surgery, routine building maintenance, training, marketing).
Custodian: the unit that has system administrator or programming access and implements any modifications.

Data-Gathering Form. A data-gathering form is typically a paper form that is used to collect information for later entry into a database. Examples are :

  1. Templates for taking hand-written notes while interviewing a subject
  2. Paper survey instruments
  3. Substitute paper forms that are kept available for use during periods when a computer system is down.

Departmentally-Owned Application. A departmentally-owned application is a computer application or system whose technical owner is your department or another department (but not ITS).  

Documents. For continuity planning, you will identify any documents that are very important to a particular Critical Function. They can be individual documents (such as policy manuals) or sets of records (such as patient files, research files, vendor invoices, etc.). The documents listed under Critical Functions may be paper or electronic. Do not include records that are stored within a database application such as financial system, an HR system, a medical records system, etc. These will be treated elsewhere.

Downstream Dependency. A downstream dependency is a department that depends on your department. If your department fails to perform, the ability of the downstream department to carry out its mission will be seriously impaired. If, for example, your department does scheduling of nursing staff, the inpatient and/or clinical units will be among your downstream dependencies.

Emergency Contact List. List of all people in your unit, and perhaps some outside your unit, whom you might want to contact during and after a disaster-event. The list should include home address, home phone, personal & work cell phones, personal & work email addresses, plus any other available means of contact. The list should be kept on paper, and stored in multiple locations by multiple people. It should be updated at appropriate intervals. Some emergency contact lists are organized as “calling trees”, but except in very large units that is not usually necessary.

  1. Function (normal). These are functions that you normally perform. Here are some typical examples:
  2. laboratory research
  3. classroom instruction
  4. non-elective surgery
  5. purchasing
  6. paying employees
  7. inpatient care
  8. course scheduling
  9. providing meals
  10. facilities repair
  11. pharmacy services
  12. grant accounting

Business Owner. A “Business Owner” is typically the senior official within an administrative unit or college who is accountable for managing the information assets. The business owner is ultimately responsible to ensure the collection and use of institutional data is in compliance with applicable law and with University policy.

Offsite Storage. Offsite storage refers to the storage of tapes, disks, paper documents and other materials at a location far enough from an organization’s operating location that a disaster-event at one location is not likely to impact the other location.

Onsite Storage. Onsite storage refers to the storage of tapes, disks, paper documents and other materials at an organization’s operating location, rather than elsewhere. Onsite storage of backups is adequate for protection against some types of disasters, and is less expensive and more-quickly-accessed than offsite storage. For more valuable and less-replaceable items, offsite storage becomes desirable.

Peak Periods. These are months when you would expect there to be especially high activity involved in accomplishing a Critical Function. This might be a peak workload period such as the annual fiscal closing for accounting functions; or it might denote activities that happen only at certain times - such as course-registration that happens once per semester.

Sponsor. Sponsor refers to an agency or organization that provides grant funding for research projects.

Technical Owner. The technical owner of an IT application is the unit that has top-level administrator and programming access, implements any modifications, and troubleshoots and fixes any technical problems.

Upstream Dependency. An upstream dependency is a department that your department depends on. If the upstream department fails to perform, the ability of your department to carry out its mission will be seriously impaired. For example, ITS is typically an upstream dependency of most other departments. The food and nutrition services department is an upstream dependency of inpatient units.

Virtual Private Network (VPN). VPN (UI Anywhere) is a technology that enables a user to establish a secure connection with a remote network. For example, a VPN connection allows a user at home to connect to the campus network, access files and applications, and work from home. An advantage of the VPN connection is that one’s office computer need not be running. A disadvantage of the VPN connection is that files stored on the user’s office computer (i.e., on the office computer’s local hard drive) will not be accessible; and client-server applications will function only if the user has pre-installed the “client” software on her home computer. As a strategy to enable working-from-home (or from any remote location) during times of crisis, UI Anywhere connection is considered superior to a Windows Remote Desktop connection (because the office computer need not be running).

Windows Remote Desktop. Windows Remote Desktop is a technology that enables Windows computer users to log into and operate their computer, via the internet, from a remote location. It is commonly used by employees to operate their office computers either from home sitting at their home computer, or from any other location sitting at a laptop or desktop machine. A limitation of the windows remote desktop technology (for disaster recovery) is that the office computer must be powered and running.

| Disaster Recovery & Business Continuity Planning Home | Filedrbc-planner.xlsx | PDF iconenterprise-it-disaster-plan.pdf | Pandemic Plan | Critical Incident Management Plan (CIMP) | PDF icondrbc-workshop.pdf |