1

Implementing a Continuity Program at an Institution of Higher Education – A Look at Texas A&M University’s Approach to Continuity Planning

Monica Weintraub

Texas A&M University

2Objectives

• Discuss one approach to continuity planning in higher education.

• Identify lessons learned and discuss special considerations pertaining to higher education.

3Background – Mid 2000s

• TAC 202.24 – Information Security Standards• “State agencies shall maintain written Business

Continuity Plans that address information resources so that the effects of a disaster will be minimized, and the state agency will be able either to maintain or quickly resume mission-critical functions.”

4Background – Mid 2000s (continued)

• Pandemic Flu (H1N5 Avian Flu) Planning• Focused on workforce reduction• Departments started independent plans• Reoccurring questions

• What is the University’s Plan?• How will the University deal with working from

home, etc?

5Internal Audit - 2008

• Findings• Departments had individual plans• Lacked coordination among plans• Needed a university-wide program to

implement and manage continuity planning

6Initial Steps

• Training • IS-546: COOP Awareness Course• FEMA COOP Program Manager’s Train-the-

Trainer Course

• Proposal• Defined program elements• Identified implementation strategy/timeline

7

Create Continuity Framework

8Define Essential Functions

• Critical Infrastructure (CI) – Uninterrupted or resumed within a few hours• A special subset of essential functions with university-

wide implications that address:• Emergency Response Services• Utilities, to include electricity, water, and reasonable climate

control • Communications with internal and external audiences to

include students, faculty, staff and media. • Internet, authentication, and voice communications• Hazardous materials spill response and control, to include

safety handling and proper disposal of toxic substances, biologically hazardous materials, and radioactive materials.

9Define Essential Functions (continued)

• Tier I: 0-12 Hours• Must be restored to minimum level of service

within 12 hours of incident• Functions with direct and immediate effect on

the jurisdiction to preserve life, safety and protect property

• Functions that preserve the University through command and control

10Define Essential Functions (continued)

• Tier II: 12 hours to Two Weeks• Must reach an operations status within 12

hours to two weeks of activation• Must sustain operations for a minimum of 30

days

• Tier III: Two Weeks to 30 Days• Functions that support Tier I and Tier II • Do not need to reach full operation within the

first two weeks following an incident

11

Identify Departments responsible for Critical Infrastructure

• Examples• Facilities Services• Information Technology• Environmental Health and Safety• University Police• University EMS• Division of Finance – Payroll, HR, Contracting

and Procurement, Controller• Transportation Services

12Develop Planning Scenarios

• Single or Multiple Facilities Affected• Fire, loss of utilities, explosion, & severe weather

• Loss of Personnel• Infectious disease outbreak

• Loss of IT or Data• Power outage or equipment failure

13

Identify the Continuity and Recovery Group

• President• Provost and Executive Vice President for Academic

Affairs• Vice President for Research• Vice President for Administration• Vice President for Marketing & Communications• Vice President for Finance• Vice President for Information Technology• Vice President for Student Affairs

14Brief University Administration

• President and Chief of Staff

• Provost

• Members of the Continuity and Recover Group

15

Develop the Institutional Plan

16Write the Plan

• Outlines roles and responsibilities of CRG

• Guidance document for university departments

17Review and Approval

• Sent through chain of command for approval

• Signed by the President

18

Develop the Departmental Plans

19

Modify Institutional Plan into a Departmental Template

• Based off of the Institutional Plan

• Includes Excel worksheets for filling out specifics• Essential Functions• Recovery Time Objectives• Responsible Parties• Alternate Facility Requirements• Etc

20Create Departmental Workshops

• 4-5 hour training

• Review the Institutional Plan

• Introduce COOP Planning Concepts

• Includes activities to walk departments through planning process

21Administer Training

• 1 workshop a week

• Trained critical infrastructure groups together

• Next focused on non-academic departments

• Asked for draft plans within 60 days of training

22

Review Plans / Program Improvement

23

Lessons Learned / Special Considerations

24Lessons Learned

• Set realistic timeframes

• University rule or directive

• Continuity and Recovery Group Model

• Dependency modeling

• Provide relatable and scalable examples

25Special Considerations

• Academics

• Research

• Essential functions vs. essential departments

• Alternate location requirements vs. alternate locations

• IT – ownership of services

26

Questions?

Monica Weintraub

Phone: 979-821-1041

mweintraub@tamu.edu