This page supports policy statement 6.8 in the new Information Security Policy.
Summary of Policy Requirements
- Make sure your systems are backed up, and that you have a plan to restore normal operation after a major incident.
- Adopt IT service management and system architecture best practice.
How to Comply
Controls
The most effective way to comply with the policy statement on business continuity is to implement Appropriate Security Controls, especially baseline security controls in the following categories:
- Cyber Resilience
- Physical and Environmental Security
- Configuration and Change Management
Good practice in ISD
Several of the IT service management practices used by UCL’s Information Services Division (ISD) are focused on maintaining or restoring the availability of IT services, and the data they store and process. The following practices, in particular, should be followed by System Custodians in ISD and may provide helpful guidance outside ISD.
- IT Service Continuity Management
  - The purpose of IT Service Continuity Management (ITSCM) is to support UCL’s business continuity management processes, by ensuring that the most important services can be resumed within required business timescales following major incidents.
  - ISD’s ITSCM provision includes a Response and Contingency Plan (RCP), which is maintained in alignment with the UCL Critical Incident Plan, and various other UCL business continuity planning processes that are listed in the document.
- Service Design & Transition
  - The purpose of this practice is to ensure that IT services are well designed and supported before going live. It covers many aspects of IT service design, including those relevant to business continuity such as security, resiliency, availability and capacity management and monitoring.
- Service Health Review
  - Every ISD service is subject to an annual review, in which it is scored against twelve health indicators, several of which are relevant to business continuity, such as change, availability and capacity management, monitoring, security and resilience.
- Incident Management
  - This practice minimises the impact of service availability incidents, by facilitating the restoration of normal service operation as quickly as possible.
- Problem Management
  - The purpose of this practice is to reduce the likelihood and impact of service-related incidents, by identifying actual and potential causes of incidents and managing workarounds and known errors.
ISD’s IT Architecture function provides various guides, patterns, standards and guardrails, which may help System Custodians to design IT services in a way that minimises the likelihood and impact of service interruption and data loss.
Note that some staff outside ISD might need to request access to the documentation referred to above, which can be done via SharePoint when access to a particular page or site has been denied.
Roles, responsibilities and further questions
Data Owners should seek assurances from System Custodians that the appropriate IT service designs, security controls and operational practices have been implemented.
If you have any questions that haven't been answered by the information on this page, please don’t hesitate to ask the Information Security Group.
Policy statement
Data Owners must ensure backup and disaster recovery plans, processes, and technology are in place to mitigate the risk of data and service loss or destruction. System Custodians must ensure the availability of information and services is maintained.
