Educate the university community that business continuity goes far beyond a disaster recovery plan and is significantly different. Key business processes and recovery time objectives must be identified.
Ensure that enough centralized, redundant backup data center capability, equipment, and power are in place to meet the IT needs of both central and colleges / departments.
Establish building-by-building, horizontal priority planning for business continuity, not just within organizational silos.
Encourage academic areas that have not yet begun business continuity plans to start by identifying business processes and securing and storing data off site. Ensure that the plans are accessible for non-IT specialists and that they address human needs by establishing a first point of outreach and a global notification hierarchy and involve multiple communication processes.
Develop an enterprise data center strategic plan.
Identify the systems in the universityÕs IT environment, prioritize the top ten systems to reestablish in disaster recovery, and test the recovery process twice per year.
Standardize storage, tape drives, and platforms for the university departmentÕs hot and warm site backup. Set up an infrastructure to support a warm site assisted by the use of virtual technology.
Strike a balance between acceptable risk and research / instructional goals in complying with the universityÕs new computer security standards. Review all the technology policies and standards as an iterative process.
Recognize that only Windows operating systems comply with all of the Minimum Computer Security Standard (MCSS). Identify security options for UNIX, Linux, and Macintosh
computers, which are often key in research, content, and multimedia creation and are used for different objectives.
Provide more central support, or at least a partnership model for ensuring security; consolidate the number of people running networks; empower and establish more direct contact with departmental staff; and raise security awareness through training.
Expand the use of a Network Access Control (NAC) solution upon completion of an OIT pilot. Solicit colleges and departments to be the first adopters. Consider reducing the number of NAC-supported platforms; seek solutions to the mandate of enforcing the MCSS on a continuing basis.
Clarify the policy on FERPA compliance for faculty and create a dedicated training module as the university now has for other restricted data.
Encourage participation on and feedback to the risk advisory committee, coordinated by Business and FinanceÕs Office of Risk Management. The committee addresses standards, policies, and procedures for a safer environment and risk assessment issues such as computer safety, networking, and protecting data.
