Policy 905 - Business Continuity Policy

Section: Information Technology
Policy Number: 905
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20

Policy Statement

This policy defines St. John’s University’s (St. John’s) overall contingency goals and establishes the agenda and responsibilities for the institution’s Business Continuity.  The risk of network vulnerabilities and natural disasters impacting critical hosts is a constantly evolving concern.    

Scope and Applicability

This policy applies to the University Community.  Adherence to this policy helps safeguard the confidentiality, integrity, and availability of St. John’s information assets, and protects the interest of St. John’s, its customers, personnel, and business partners.


St. John’s implements formal contingency plans to counteract interruptions to business activities and to protect critical business processes from the effects of major failures, disasters, or security breaches.  Contingency plans are developed, implemented, and tested to ensure that essential business processes can be restored in a timely manner while always maintaining an appropriate level of security control. 

  • Business Impact Assessment planning focuses on and identifies the criticality and continuity of the business processes and information, and information resources to ensure controls are applied commensurate with those levels of availability requirements, sensitivity, and criticality.   
  • Disaster recovery plans are developed and tested for St. John’s systems to ensure that the IT systems security controls continue essential functions if IT support is interrupted.  St. John’s Disaster Recovery Plan (DRP) and IT contingency plans follow established standards.  Disaster recovery plans are updated on an annual basis, at a minimum.
  • All staff involved in disaster recovery efforts are trained in specific procedures and the logistics of their respective plans.  Training takes place annually or as significant changes to the plan are made.
  • Business Impact Assessments are reviewed annually with business stakeholders. Disaster recovery plans are tested and exercised at least annually, with the results documented and used to update the plans.  IT Disaster recovery plan test results may be included as an Appendix in the IT disaster recovery plan.


The following are definitions relevant to the policy:

  • Computing Resources: All St. John’s information processing resources including all St. John’s owned, licensed, or managed computing services, hardware, software, and use of St. John’s network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
  • Institutional Data: All data owned or licensed by St. John’s.
  • University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing St. John’s network services, and other authorized users.


St. John’s reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed, and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by the CIO and the Information Security Director. 

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by St. John’s.

Related Policies, Standards or Regulations