
Business Continuity and Risk Management (AD-POL-006)

AD-POL-006

POLICY

Information Services
Effective Date: 06/20/2014
Administrative Manual

X Other: Information Services
Policy #: AD-POL-006
X Original

Total # Pages: 3
Title: Business Continuity and Risk Management Policy


I. PURPOSE

This policy describes the required controls implemented by UW Health Information
Services (IS) to prevent or minimize disaster events from adversely affecting critical
business functions of UW Health and its facilities. These controls guard data integrity,
confidentiality, and availability to maintain business continuity following a disaster event.
It is the responsibility of IS to evaluate the importance of information systems to
business operations, and the relative risk of potential threats to those systems.

A formal risk assessment is used to prioritize potential threats in order of their impact on
critical systems needed to maintain business continuity, and to plan for the management
and mitigation of such threats when they occur so that there is minimal impact on critical
business data and systems.

II. DEFINITIONS

Application Priority Scores: Scores developed to rate the importance of each
application based on hours of use, data sensitivity, and operational criticality.

Data Sensitivity: Refers to the content of the data and the need to protect it from
unauthorized disclosure, fraud, waste, or abuse.

Hazard Vulnerability Analysis: Mechanism used to evaluate potential threats.

Operational Criticality: The relative importance of a system to the organization’s
mission.

Recovery Time Objectives: The expected time it takes to fully recover an affected
system following a disaster event. Each system is assigned a recovery time objective in
the Disaster Recovery Plan.

III. POLICY

In the event of a disaster that compromises UW Health’s data integrity and services, it is
the responsibility of UW Health IS to ensure the timely restoration of data integrity and
services by meeting the Recovery Time Objectives. UW Health IS maintains a Disaster
Recovery Plan with specific information and actions to accomplish this goal.

UW Health IS takes all reasonable measures to guard data integrity and confidentiality,
and to maintain appropriate availability of UW Health computer systems, network
infrastructure, network servers and components, power distribution systems for
computer equipment, and workstations.

UW Health IS evaluates all information systems, and the data they contain, to determine
their importance to the continued business operations of UW Health. Threats to systems
are assessed and prioritized based on the importance of the affected system to business
operations and the likelihood of the threat occurring. Potential threats evaluated in the
Hazard Vulnerability Analysis include, but are not limited to:
- Hardware issues/failure
- Software bugs/vulnerabilities
- Employee activity (malicious or accidental)
- External threats from individuals or organizations
- Theft
- Fire
- Natural disasters (snow/ice, tornadoes, flooding, lightning)
- Facility issues (power, cooling, water damage)

Once a threat has been prioritized, the necessary steps to eliminate, reduce, or mitigate
the impact on information systems and data are documented in the Disaster Recovery
Plan. Mitigation is prioritized based on the threat level and the Application Priority Score.

IS Security Consultants periodically test and evaluate the security level of systems to
determine:
- What threats may affect the availability of the system.
- Whether the security posture has changed since the previous test.

These tests are conducted by internal staff, alone or in conjunction with an external
organization hired specifically for this task. Penetration testing and vulnerability
assessments are examples of tests that may occur.

IV. PROCEDURE

The following procedures support this policy:

Disaster Recovery Plan


V. OTHER

UW Health is not a legal entity. UW Health comprises three separate entities. This policy
applies to facilities and programs operated by the University of Wisconsin Hospitals and
Clinics Authority and the University of Wisconsin Medical Foundation, Inc., and to clinical
facilities and programs administered by the University of Wisconsin School of Medicine
and Public Health.

Each entity is responsible for enforcement of this policy in relation to the facilities and
programs that it operates.

VI. COORDINATION

The details of coordination among UWHC, UWMF and UWSMPH are shown below. Approval
and coordination of this policy by those entities occurs per their individual processes.

UWHC Sr. Management Sponsor: UW Health IS CTO
UWHC Author: UW Health IS CTO
UWHC Reviewers: UW Health IS Directors
UWHC Approval committee(s): UWHC Internal Auditor

UWMF Sr. Management Sponsor: UW Health IS CAO
UWMF Author: UW Health IS Director - Infrastructure
UWMF Reviewers: UW Health IS Directors
UWMF Approval: UWMF COO

UWSMPH Approval: UW Administrative Legal Services

VII. SIGNED BY


[Insert Signature Block(s) for Appropriate Signer] Date


[Insert Signature Block(s) for Appropriate Signer] Date