Statutes, codes, and regulations
Ohio Administrative Code
Title 3364 - University of Toledo
Chapter 3364-65 - Technology Security and Safeguarding
Section 3364-65-09 - Technology backup, disaster, readiness, and recovery policy

Ohio Admin. Code 3364-65-09

Download
PDF
Current through all regulations passed and filed through August 12, 2024
Section 3364-65-09 - Technology backup, disaster, readiness, and recovery policy
(A) Policy statement

Information technology is an integral part of how the university carries out its mission. The university is committed to ensuring that vital technology resources and information stores are appropriately prepared to support recovery and business resumption efforts following accidental deletion, system corruption, and/or physical loss or damage.

(B) Purpose

To ensure that the university's technology procurement and development life-cycle incorporates disaster recovery and back-up methodologies that will enable recovery and subsequent business resumption following accidental or malicious deletion, system corruption, and/or physical loss or damage.

(C) Scope

Compliance with this policy is mandatory for all university organizational units that create, store, process, transmit, or receive data vital to the university's mission, and for all university organizational units which procure, develop, operate, maintain, or dispose of technology assets vital to the university's mission, including telecommunications and network infrastructure, data center environmental controls, servers, data storage systems, workstations, and other devices.

(D) Backups

Reasonable backups of data and technology assets vital to the university mission must be prepared at appropriate intervals and be reasonably available for restoration for an appropriate retention period. Except as otherwise determined by the vice president, chief information officer/chief technology officer "CIO/CTO" or delegate, a full or incremental system backup prepared daily is considered reasonable if the backup is available for at least two weeks (fourteen calendar days) from the time taken and stored not less than three miles from the site of the original data or technology asset.

(1) All data and technology assets sited within the university's main campus university computing center "UC" or health science campus dowling hall "DOW" datacenters are backed up by information technology via an appropriate mechanism at reasonable intervals and retained for reasonable periods of time.
(2) Data and technology assets owned, operated, or maintained under a contractual arrangement, including cloud service providers of infrastructure, platforms, or software are backed up subject to the terms of the service provider's contractual agreements with the university.
(3) Except as directed by the vice president, CIO/CTO or delegate, data and all other technology assets, including servers, workstations and other device assets not sited within the UC or DOW datacenters are not backed up by information technology. Until directed otherwise by the vice president, CIO/CTO or delegate, backup of data or technology assets vital to the university mission must be accomplished by an operator or other user of the asset. In such cases, information technology is not responsible for the loss of data saved to a workstation or device. To minimize risk of loss of vital data, such data should be saved to network shares provided by information technology.

In addition to the requirements set forth in this policy, the conduct of backup activities must comply with all other university policies and applicable privacy, security, and compliance obligations, including those university policies concerning the encryption and secure destruction and sanitization of data and electronic storage media.

(E) Disaster readiness

Data and technology assets vital to the university mission must be made reasonably prepared to respond to an accidental or malicious deletion, system corruption, and/or physical loss or damage event. Except as otherwise determined by the vice president, CIO/CTO or delegate, reasonable preparations include system backups as described in this policy, current hardware and software support contracts, and reasonable availability of personnel versed in operation and restoration of the asset or data.

(F) Disaster recovery

Data and technology assets vital to the university mission must be recovered within a reasonable time in the event of accidental or malicious deletion, system corruption, and/or physical loss or damage. Except as otherwise determined by the vice president, CIO/CTO or delegate, a reasonable recovery is initiated within one business day of discovery of an accidental deletion, system corruption, and/or physical loss or damage event.

(G) Applicable guidance

Consult the following authorities for specific requirements for backup, disaster readiness, and recovery of data and technology assets within the university's clinical environments:

(1) C.F.R. section 164.308, section 164.310, and section 164.312 for the university's Health Insurance Portability and Accountability Act of 1996 "HIPAA" covered entity components;
(2) joint commission standard I.M.. 2.30 for continuity of information

Ohio Admin. Code 3364-65-09

Effective: 5/21/2018
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364