
Roles and Responsibilities

Cyber-risk Responsible Executive

The Cyber-risk Responsible Executive (CRE) is the top-level executive for the Location’s overall IT Recovery lifecycle. This includes overseeing governance, funding, and establishing risk tolerances. The CRE is responsible for appointing one or more Location-wide IT Recovery Leads (LITRL) and ensuring the creation of the Location IT Recovery Team. The Location IT Recovery Team coordinates with Units for IT Recovery planning.

The CRE:

  • Identifies a role (e.g., Location IT Recovery Lead, Risk Manager, Business Continuity Manager, or other suitable role) that will collect and share recovery team contact information with Units Location-wide.
  • Approves:
    • The Location IT Recovery Plan.
    • The Location process of approving IT Recovery Plans.
    • The exception processes.
    • Risk exceptions that impact the Location mission or IT Resources classified at RL4 and RL5.
    • The storage location(s) for IT Recovery Plans.
    • The frequency of IT Recovery Plan testing.
    • The frequency of backup recovery testing.
  • Participates in Location Recovery Plan testing once every three (3) years.
  • Ensures the frequency of IT Recovery Plan testing is adequate to address mission risk related to BCP.
  • Allocates funding to meet organization risk tolerances.
  • Approves the governance process and manages the overall Location risk tolerance related to IT Recovery.
  • Reviews and approves significant gaps and risks requiring mitigations and evaluates associated mission risks with Location officers/Unit Heads.
  • Reviews with the Chancellor or Laboratory Director the state of Location readiness to perform IT Recovery.

Location IT Recovery Lead

One or more Location IT Recovery Leads (LITRL) can be appointed by the CRE to oversee the Location effort and coordinate with the Location IT Recovery Team.

The LITRL:

  • Oversees the development of assigned Location IT Recovery Plans in accordance with this policy.
  • Briefs Unit Heads on the progress of IT Recovery Planning.
  • Oversees the testing of assigned IT Recovery Plans.
  • Ensures IT Recovery Plan updates that result from testing or from use of the IT Recovery Plan (e.g., lessons learned) are made and presented for approval by the Unit Head within forty-five (45) calendar days of test completion.
  • Ensures an accurate inventory.
  • Oversees the execution of the IT Recovery Plan.
    • Monitors IT Recovery reporting progress.
    • Oversees the restoration of normal operations.
    • Reviews the IT Recovery Plan and participates in updates.
    • Briefs Unit Heads on the progress of IT Recovery.
    • Performs post-event analysis (i.e., after actual use of the IT Recovery Plan) once the declared IT Recovery operation is terminated, and updates the IT Recovery Plan based on the lessons learned.
  • At least annually and when major changes occur, reviews the Unit’s deployed IT Resources and Institutional Information for changes and ensures the IT Recovery Plan is up-to-date by requesting appropriate action to close any identified gaps.
  • Ensures proper storage, documentation, and access of IT Recovery Plans and shares that information with the Location Business Continuity Planner.
  • Assigns Recovery Level (RL) Classification.
  • Reviews and updates the IT Recovery Plan.
  • Ensures protection of backups, including testing of backup and tool strategies.
  • Plans for and complies with IS-3 security related requirements.
  • Complies with requirements in this policy.
  • Completes assigned training.

Unit

A point of accountability and responsibility that results from creating/collecting or managing/possessing Institutional Information or installing/managing IT Resources. A Unit is typically a defined organization or set of departments. (See also the UC IT Policy Glossary.)

Unit Head

The Unit Head oversees the execution of IS-12 within the Unit. The Unit Head:

  • Oversees and allocates sufficient funding and planning for the Unit.
  • Activates the Unit IT Recovery Plan in consultation with the Risk Manager.
  • Reviews and approves the Unit IT Recovery Plan.
  • Reviews and approves exceptions before they are presented to the Risk Manager or CRE for approval.
  • Identifies and establishes procedures to achieve Unit compliance with Location implementation of the BCP. This task can be delegated.
  • Appoints one or more IT Recovery Leads for the Unit.
  • Assigns, or designates a delegate to assign, IT Recovery related training.
  • Assigns one or more Workforce Members to develop the Unit IT Recovery Plan.

Unit IT Recovery Lead

The Unit IT Recovery Lead (UITRL) oversees the development of assigned Unit IT Recovery Plans in accordance with this policy and briefs Unit Heads on the progress of IT Recovery Planning.

The UITRL:

  • Oversees the testing of assigned IT Recovery Plans.
  • Ensures IT Recovery Plan updates that result from testing or from use of the IT Recovery Plan (e.g., lessons learned) are made and presented for approval by the Unit Head within forty-five (45) calendar days of test completion.
  • Ensures an accurate inventory.
  • Oversees the execution of the IT Recovery Plan.
    • Monitors IT Recovery reporting progress.
    • Oversees the restoration of normal operations.
    • Reviews the IT Recovery Plan and participates in updates.
    • Briefs Unit Heads on the progress of IT Recovery.
    • Performs post-event analysis (i.e., after actual use of the IT Recovery Plan) once the declared IT Recovery operation is terminated, and updates the IT Recovery Plan based on the lessons learned.
  • At least annually and when major changes occur, reviews the Unit’s deployed IT Resources and Institutional Information for changes and ensures the IT Recovery Plan is up-to-date by requesting appropriate action to close any identified gaps.
  • Ensures proper storage, documentation, and access of IT Recovery Plans and shares that information with the Location Business Continuity Planner.
  • Assigns Recovery Level (RL) Classification.
  • Reviews and updates the IT Recovery Plan.
  • Ensures protection of backups, including testing of backup and tool strategies.
  • Plans for and complies with IS-3 security related requirements.
  • Complies with requirements in this policy.
  • Completes assigned training.

Workforce Members

Workforce Members include all individuals who perform work for UCI in any capacity, including any employee, faculty member, staff member, volunteer, contractor, researcher, student worker, student supporting or performing research, medical center staff/personnel, IT Owner, clinician, student intern, or student volunteer.

Workforce Members:

  • Cooperate with Location emergency instructions.
  • Follow business continuity procedures.
  • Comply with Location procedures in support of this policy.
  • Exercise responsibility appropriate to their position and duties.
  • Complete assigned training.

Unit Information Security Lead (UISL)

The Unit Information Security Lead (UISL) is a defined role in IS-3. In IS-12, the UISL ensures that the planning and execution of IT Recovery includes meeting security requirements.

The UISL:

  • Ensures security requirements are communicated to the Unit IT Recovery Lead.
  • Shares changes in IT Resources and Institutional Information with the Unit IT Recovery Lead.
  • Ensures security is maintained during a disaster or disruption.
  • Ensures backups are protected using IS-3 controls.
  • Ensures the isolation and protection of backups reflect and anticipate modern cyber risks.
  • Plans for and complies with IS-3 security related requirements.
  • Completes required training.

Service Provider

The Service Provider is a UC group or organization providing specific IT services to a Unit. The Service Provider:

  • Delivers information technology services that comply with IS-12.
  • Documents and delivers IT services in compliance with IS-12, other UC policies and applicable UCI policies.
  • Notifies the Unit Head of any policy provisions that are unmet or require additional controls by the Unit.
  • Supports Units in completing IS-12 Assessments related to the services provided.
  • Coordinates with Units to implement appropriate IT Recovery measures.

Supplier

A Supplier is an external, third-party entity that provides goods or services to UC. These goods and services can include consulting services, hardware, integration services, software, systems, software-as-a-service (SaaS) and cloud services. Non-UCI entities that operate IT Resources or handle Institutional Information are considered Suppliers for the purposes of this policy. A Vendor is also a Supplier for the purposes of this policy. All Suppliers that have access to UC systems or data, or who collect UC data on our behalf, must undergo a Supplier Security Review.

Business Continuity Planner

The Business Continuity Planner documents procedures that guide organizations on how to respond, recover, resume, and restore business to a pre-defined level of operation following disruption. BCP is also known as a “continuity plan” in the UC Ready tool and, in other tools, Continuity of Operations (COOP).

The Business Continuity Planner:

  • Facilitates access to a UC-approved centralized repository for recovery plans or the CRE-approved alternative (e.g., UC Ready).
  • Facilitates communication and sharing of the BCP between stakeholders.
  • Facilitates communication and sharing of the BIA between stakeholders.
  • Trains UISLs, IT Recovery Leads, and other Workforce Members on the Location BCP and procedures.

Risk Manager

The Risk Manager:

  • Advises on the use of the Location Business Continuity Plan (BCP).
  • Approves and documents exceptions using the Location-approved process.
  • Consults in the decision to activate the Unit IT Recovery Plan(s).
  • Completes assigned training.

IT Owner

The IT Owner is a UCI-specific role used to identify the primary technical person responsible for an IT asset. An IT Owner:

  • Acts as the primary technical contact for an IT asset.
  • Ensures that an asset is managed in compliance with IS-12.