Description

Periodic testing of the recovery and reconstitution procedures shall be performed to determine the effectiveness of the procedures and organizational readiness to execute the contingency plan.

Guidance

Tests of the recovery procedures may include a range of testing methods from virtual (e.g., table-top) tests to actual events. The tests shall be documented and the results shall be used to update the procedures if necessary. The information resource owner or designee shall approve the results of the tests and any resulting actions.

Applicability

  • This Control applies to all high and moderate impact information resources, Essential IT Services, and additional resources as noted.

  • The information resource owner or designee is responsible for ensuring the recovery and reconstitution procedures are tested.

  • Based on risk management considerations, the university’s Chief Information Security Officer may determine, in consultation with the CIO, that it would be appropriate to apply the requirements of this Control to information resources not meeting the Glossary definition of high or moderate impact.

Implementation

  • The recovery and reconstitution procedures shall:

    1. be tested at least annually. Tests of the recovery procedures may include a range of testing methods from virtual (e.g., tabletop) tests to actual events. The tests shall be documented and the results shall be used to update the procedures, if necessary. The information resource owner or designee shall approve the results of the tests and any resulting actions.

    2. provide for testing on a regular basis of backup and/or recovery media to ensure the validity of the recovery media and process.