Policy 905 - Business Continuity Policy

Section: Information Technology
Policy Number: 905
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19

Policy Statement

This policy defines St. John’s University’s (St. John’s) overall contingency goals and establishes the agenda and responsibilities for the institution’s Business Continuity. The risk of network vulnerabilities and natural disasters impacting critical hosts is a constantly evolving concern.  

Scope and Applicability

This policy applies to the University Community.  Adherence to this policy helps safeguard the confidentiality, integrity and availability of the University’s information assets, and protects the interest of the University, its customers, personnel and business partners.


The University implements formal contingency plans to counteract interruptions to business activities and to protect critical business processes from the effects of major failures, disasters, or security breaches.  Contingency plans are developed, implemented, and tested to ensure that essential business processes can be restored in a timely manner while always maintaining an appropriate level of security control. 

  • Disaster recovery planning focuses on and identifies the criticality and sensitivity of the information and information resource to ensure controls are applied commensurate with those levels of sensitivity and criticality.   
  • Disaster recovery plans are developed and tested for St. John’s systems to ensure that the IT systems security controls continue essential functions if IT support is interrupted.  St. John’s Disaster Recovery Plan (DRP) and IT contingency plans follow established standards.  Disaster recovery plans are updated on an annual basis, at a minimum.
  • All staff involved in disaster recovery efforts are trained in specific procedures and the logistics of their respective plans. Training takes place annually or as significant changes to the plan are made.
  • Disaster recovery plans are tested and exercised at least annually, with results being documented and used to update the plans. Disaster recovery plan test results may be included as an Appendix in the disaster recovery plan.
  • After creating the plans, it is important to practice them to the extent possible. Management sets aside time to test implementation of the disaster recovery plan. Table top exercises are conducted annually. During these tests, issues that may cause the plan to fail can be discovered and corrected in an environment that has few consequences. 


The following are the definitions relevant to the policy:

  • Computing Resources: All University information processing resources including all University owned, licensed, or managed computing services, hardware, software, and use of the University network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
  • Institutional Data: All data owned or licensed by the University
  • University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing University network services, and other authorized users.


The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to and reviewed and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by the CIO and the Information Security Director. 

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by the University.

Related Policies, Standards or Regulations

  • STD-BC-001 Business Continuity Disaster Recovery Standard