This standard defines the university’s requirements for inventorying, classifying and documenting supported IT systems and applications and the associated requirements for the documentation and verification of Risk Assessment Plans and Disaster Recovery Plans.
All enterprise systems/applications must be identified in the System/Application Inventory and Classification Documentation.
The university documents all enterprise systems/applications in the System/Application Inventory and Classification Documentation.
For each system/application, the university will establish whether or not the system should be flagged as containing highly sensitive data, whether or not the system has a critical high availability or integrity requirements.
Maintenance of accurate System/Application Inventory and Classification Documentation is the responsibility of the ISO.
Systems Storing Highly Sensitive Data
Any application storing highly sensitive data, as defined in the University’s Data Classification Standard, must be flagged as such. All applications containing highly sensitive data must have a documented Risk Assessment plan that is reviewed and updated at least once annually. Further, a formal Risk Assessment, per the documented Risk Assessment plan, must be performed and documented at least once per year. The responsibility for maintaining the Risk Assessment plans and for conducting and documenting the annual Risk Assessment activities are the responsibility of the ISO.
Systems With Critical Availability/Integrity Requirements
Systems are categorized in terms of high availability/integrity requirements.
Any application that has a high availability or integrity requirement must be flagged as such.
Each enterprise system listed in the System/Application Inventory and Classification Documentation has an availability/recovery requirement category of Tier 1 (highest priority availability requirement); Tier 2 (to be restored after recovering all applicable Tier 1 systems); or Tier 3 (lowest priority; to be restored after recovering all applicable Tier 2 systems).
Tier 1 priority system restoration order is included in the System/Application Inventory and Classification Documentation.
All applications flagged as having a critical availability/integrity requirement (Tier 1) must have a documented Disaster Recovery plan that is reviewed and updated at least once annually. Further, evidence of formal Disaster Recovery testing, as documented in the Disaster Recovery Plan, must also be documented and maintained. The responsibility for maintaining the Disaster Recovery plans and for verifying the completion of Disaster Recovery testing is the responsibility of the ISO.
The detailed System/Application Inventory and Classification Documentation serves as an Appendix to this standard and is stored in a secured SharePoint site.
APPROVALS AND REVISIONS
Approved February 25, 2011 by Vice President for Information Technologies & CIO