Here’s A Business Continuity Plan Template for Higher Education
The Need for Business Continuity Planning in Schools
Colleges, universities, and schools at all levels are deeply invested in the digital age. The COVID-19 pandemic has added another layer of complexity and challenges. We have seen how campus outbreaks of COVID-19 can disrupt semesters and require schools to switch to remote learning. As such, the pandemic has resulted in an increased dependency on IT.
The increased use and dependency, in turn, have resulted in a new vulnerability. Higher education and its students face a wide variety of dangers and threats. Those threats are common to all educational institutions and government agencies, and breaches have already resulted in disruption of operations and extortion payments to cyber criminals.
Business continuity in higher education today requires a recognition of those dangers to ensure that schools can continue operating after an unexpected disaster. Likewise, disaster recovery planning relies on a realistic assessment of risks, an understanding of the impact of the service disruption, and the vital role of data backup as the final line of defense against IT disruptions such as viruses and ransomware.
The following business continuity plan template for higher education provides a basic guide for administrators to outline their continuity strategy and systems.
Sample Business Continuity Plan Template for Higher Education
I. Objectives of the BCP
Purpose: To outline the goals and scope of the plan.
Use this section to describe the overall goals of the plan. Set forth the scope of the planning, what it aims to achieve and why the planning is necessary. This section ensures that all parties understand what is (and what isn’t) covered by the plan, and it also helps to keep the planning on track.
For example, if the plan will only focus on information technology-related disasters as they relate to school operations, rather than the human element of crisis management (e.g., safeguarding staff and students from natural disasters, active-shooter situations, etc.), then this should be spelled out within the Objectives.
II. Stakeholder Contacts
Purpose: To identify who is responsible for the business continuity plan, which school administrators or stakeholders need to be contacted in a disaster and/or the priority of that communication.
This section of the education continuity plan identifies key stakeholders, principals, disaster recovery teams or those who oversee the planning. Usually, this list is relatively short, as it is intended to identify only those who are critical to the continuity planning, response and recovery. In the Communication section of this template, you’ll outline how to communicate critical messages to other personnel during an active incident.
Here’s an example format of what to include for each contact on this initial list:
- Name of individual
- Job title or role at the college
- Locations (Office & home addresses)
- Phone numbers (work, mobile, home & alternative)
- Email (work, home & alternative)
- Messaging handles (e.g., Slack, Skype, etc.)
III. Comprehensive Risk Assessment
Purpose: To identify and describe the types of incidents that are most likely to disrupt the university’s operations or ability to maintain continuity.
This vital section should outline the myriad disaster scenarios (large and small) that pose a threat to your school and/or your critical IT systems. Some schools may opt for combining this section into a matrix with information from the following section, IV. Business Impact Analysis. Regardless of what format is used for the template, it is most important that each risk is clearly defined.
- Identify the risk / disruption type (e.g., a ransomware attack on the college’s computer systems)
- Description of the event (data encryption on devices and/or servers)
- Impact of event (loss of access to data and computer systems; inability to access email or network files; disruption to all web-based services as well as classes)
IV. Business Impact Analysis
Purpose: To assess the specific impact of each disaster, in terms of costs and consequences in the immediate and long-term. This could include costs due to data loss, hardware replacement, loss of school revenue, etc.
In many business continuity plans for higher education (as well as for other organizations), it makes sense to rate the severity of each possible incident on a scale of 1 to 5, based on its likelihood of occurring. This provides a quick and easy-to-understand format for planners to evaluate when determining where to prioritize disaster-recovery resources.
| Risk | Probability Rating | Impact Rating | Impact / Consequences |
|---|---|---|---|
| Ransomware (IT) | | | • Loss of data encrypted by the ransomware virus across the university’s devices, servers, data centers • Prolonged disruption to critical information systems, Internet access, network connection • 2-8 week full data recovery process, depending on severity of infection |
Purpose: To identify steps and systems that have been implemented (or will be) to prevent the identified incidents from occurring (or to minimize their impact).
This section aims to define the existing solutions that help to prevent or mitigate an operational disruption at the university. This section is vital because school administrators and stakeholders must have knowledge on what’s being done to prevent disruptions from occurring. This section should thus describe each preventative system in detail, and any new measures should be added to the business continuity plan over time.
Structure this section into categories when applicable. For example:
- Information systems, such as data backup & disaster recovery solutions, anti-malware software, network firewalls, etc.
- Preventative alarms and equipment, such as smoke detectors, fire suppression systems in server rooms, etc.
- Physical security and surveillance measures—e.g., campus police patrols and spot checks
VI. Immediate Response
Purpose: To instruct personnel on how to respond to the various disaster incidents, step by step.
This section defines the crucial first steps that should follow a disruptive incident, as they apply to each type of event outlined above. Keep in mind that these crucial moments after a disaster will largely influence how effective the overall recovery will be.
Depending on plan objectives, this section could apply to all school personnel or be limited to the response of a school’s designated recovery team. Include the specific protocols for each type of incident that you included in the risk assessment section:
- Identify the specific scenarios that must occur for these response protocols to be activated.
- Don’t be vague. Outline the parameters for each disaster, along with the desired response. For example, an employee compromising a batch of student records obviously does not warrant the same response as a campus-wide ransomware infection.
VII. Full Recovery
Purpose: To outline the additional step-by-step procedures for full recovery of IT systems and/or operations that have been disrupted by the incident.
Recovery protocols are different from the immediate response. These protocols help to outline the steps that will fully restore affected operations, which could take days, weeks, months or even years, depending on the severity of the incident.
Specify the steps for each type of disaster scenario. For example:
- Give clear procedures for recovery, assigned to the specific teams or personnel who must follow them.
- For IT systems, identify objectives for how and when those systems must be recovered to avoid further damage, e.g., a recovery time objective (RTO) for restoring a failed server or a recovery point objective (RPO) for restoring the most recent data backup.
VIII. Secondary Assets, Equipment, Locations
Purpose: To identify critical backup assets that can be used to maintain operations if primary assets are destroyed or inaccessible.
This section is the essential “Plan B” for your school’s most critical operations. It outlines the secondary equipment and processes that must be in place in order for the college to continue operating in the event that primary assets are no longer an option.
- Secondary locations for critical operations or classes
- Remote learning systems that can be used if in-person classes are not possible
- Availability of replacement or mobility of current computers, devices and other equipment
- Utility redundancy, such as backup power generators or telecommunications / ISP lines
IX. Communication
Purpose: To ensure that communication can continue during a disruptive event.
This section outlines the systems and methods that the school will use to continue communication to all affected parties, whether it’s staff, the student body or the entire campus. How will recovery teams communicate with each other? How will students stay informed of updates if classes are moved or postponed? How will professors communicate updates to students if primary systems such as email are down?
Identify all relevant communications systems, methods and protocols:
- Emergency alert systems, e.g., SMS, school website, email network, etc.
- Procedures for communication between recovery personnel
- Processes for communicating with external parties, such as authorities, board members, vendors, media, etc.
X. Ongoing Review
Purpose: To define how and when the college’s business continuity plan should be reviewed and updated over time.
In our business continuity plan template for higher education, we’ve included this section at the end – but it can also be incorporated into the Objectives at the beginning. The key goal of this section is ensuring that the document doesn’t become out of date. It ensures that the plan is always accurate and that any new or outstanding vulnerabilities are addressed in a timely manner.