This Control applies to high or moderate impact university information resources within the unit or an Essential IT Service to the university, and additional resources as noted. Based on risk management considerations, the university’s Chief Information Security Officer may determine, in consultation with the CIO, that it would be appropriate to apply the requirements of this Control to information resources not meeting the Glossary definition of high or moderate impact.

Documented recovery and reconstitution procedures shall be maintained for all high or moderate impact information resources and Essential IT Services. The documented procedures will contain:

• 1.1

  Recovery resources and any needed contact information;

• 1.2

  Step-by-step instructions for implementing the recovery; and

• 1.3

  Processes for validating the successful recovery of the information resource prior to returning operations to its normal state.

For information resources not meeting the definition of high or moderate impact, the capability to restore the information resource to a desired operational state shall be established to the extent deemed necessary, based on documented risk management decisions.

The recovery and reconstitution procedures shall be tested as described in CP-4 Contingency Plan Testing.