The unit provides for the recovery and reconstitution of an information resource with documented recovery procedures to a known secure state after a disruption, compromise, or failure.


  • This Control applies to university information resources that are considered mission critical to the unit or an Essential IT Service to the university, and additional resources as noted. Based on risk management considerations, the university's Chief Information Security Officer may determine, in consultation with the CIO, that it would be appropriate to apply the requirements of this Control to information resources not meeting the Glossary definition of mission critical.


  • 1 Documented recovery and reconstitution procedures shall be maintained for all mission critical information resources and Essential IT Services. The documented procedures will contain:

    • 1.1 Recovery resources and any needed contact information;

    • 1.2 Step-by-step instructions for implementing the recovery; and

    • 1.3 Processes for validating the successful recovery of the information resource prior to returning operations to its normal state.

  • 2 For information resources not meeting the definition of mission critical, the capability to restore the information resource to a desired operational state shall be established to the extent deemed necessary, based on documented risk management decisions.

  • 3 The recovery and reconstitution procedures shall be tested as described in CP-4 Contingency Plan Testing.