Administrative Departmental Policy
This department-specific policy applies to the operations and staff of the Information Services
Department of the University of Wisconsin Hospitals and Clinics Authority as integrated effective July 1,
Policy Title: UW Health IS Business Continuity and Risk Management Policy
Policy Number: AD-POL-006
Effective Date: 2/23/2016
This policy describes the required controls implemented by UW Health Information Services (IS)
to prevent or minimize disaster events from adversely affecting critical business functions of UW
Health and its facilities. These controls guard data integrity, confidentiality, and availability to
maintain business continuity following a disaster event. It is the responsibility of IS to evaluate
the importance of information systems to business operations, and the relative risk of potential
threats to those systems.
A formal risk assessment is used to prioritize potential threats in order of their impact on critical
systems needed to maintain business continuity, and to plan for the management and mitigation
of such threats when they occur so that there is minimal impact on critical business data and
Application Priority Scores: Scores developed to rate the importance of each application based
on hours of use, data sensitivity, and operational criticality.
Data Sensitivity: Refers to the content of the data and the need to protect it from unauthorized
disclosure, fraud, waste, or abuse.
Hazard Vulnerability Analysis: Mechanism used to evaluate potential threats.
Operational Criticality: The relative importance of a system to the organization’s mission.
Recovery Time Objectives: The expected time it takes to fully recover an affected system
following a disaster event. Each system is assigned a recovery time objective in the Disaster
III. POLICY ELEMENTS
In the event of a disaster that compromises UW Health’s data integrity and services, it is the
responsibility of UW Health IS to ensure the timely restoration of data integrity and services by
meeting the Recovery Time Objectives. UW Health IS maintains a Disaster Recovery Plan with
specific information and actions to accomplish this goal.
UW Health IS takes all reasonable measures to guard data integrity and confidentiality, and to
maintain appropriate availability of UW Health computer systems, network infrastructure,
network servers and components, power distribution systems for computer equipment, and
UW Health IS evaluates all information systems, and the data they contain, to determine their
importance to the continued business operations of UW Health. Threats to systems are assessed
and prioritized based on the importance of the affected system to business operations and the
likelihood of the threat occurring. Potential threats evaluated in the Hazard Vulnerability Analysis
include, but are not limited to:
Employee activity (malicious or accidental)
External threats from individuals or organizations
Natural disasters (snow\ice, tornadoes, flooding, lightning)
Facility issues (power, cooling, water damage)
Once a threat has been prioritized, the necessary steps to eliminate, reduce, or mitigate the impact
on information systems and data are documented in the Disaster Recovery Plan. Mitigation is
prioritized based on the threat level and the Application Priority Score.
IS Security Consultants periodically test and evaluate the security level of systems to determine:
What threats may affect the availability of the system.
If the security posture has changed since the previous test.
These tests are conducted by internal staff, alone or in conjunction with an external organization
hired specifically for this task. Penetration testing and vulnerability assessments are examples of
tests that may occur.
IV. RELATED DOCUMENTS
UW Health IS Disaster Recovery Plan
Sr. Management Sponsor: UW Health IS CIO
Author: UW Health IS CIO
Reviewer(s): UW Health IS Directors
Approval Committee: UW Health IS Directors
UW Health CIO
Previous revision: 6/20/2014
Next revision: 2/23/2017