|(a) Business Continuity Planning covers all business functions of an institution of higher education. It is a business management responsibility. Institutions of higher education shall maintain written Business Continuity Plans that address information resources so that the effects of a disaster will be minimized, and the institution of higher education will be able to either maintain or quickly resume mission-critical functions. The institution of higher education head or his or her designated representative(s) shall approve the plan. The plan shall be distributed to key personnel and a copy stored offsite. Elements of the plan for information resources shall include: (1) Business Impact Analysis to systematically assess the potential impacts of a loss of business functionality due to an interruption of computing and/or infrastructure support services resulting from various events or incidents. The analysis shall identify the following elements: (A) Mission Critical Information Resources (specific system resources required to perform critical functions) to include: (i) Internal and external points of contact for personnel that provide or receive data, or support interconnected systems. (ii) Supporting infrastructure such as electric power, telecommunications connections, and environmental controls. (B) Disruption impacts and allowable outage times to include: (i) Effects of an outage over time to assess the maximum allowable time that a resource may be denied before it prevents or inhibits the performance of an essential function. (ii) Effects of an outage across related resources and dependent systems to assess cascading effects on associated systems or processes. (C) Recovery priorities that consider geographic areas, accessibility, security, environment, and cost and may include a combination of: (i) Preventive controls and processes such as backup power, excess capacity, environmental sensors and alarms. (ii) Recovery techniques and technologies such as backup methodologies, alternate sites, software and hardware equipment replacement, implementation roles and responsibilities. (2) Risk Assessment to weigh the cost of implementing preventative measures against the risk of loss from not taking action. (3) Implementation, testing, and maintenance management program addressing the initial and ongoing testing and maintenance activities of the plan. (4) Disaster Recovery Plan--Each institution of higher education shall maintain a written disaster recovery plan for major or catastrophic events that deny access to information resources for an extended period. Information learned from tests conducted since the plan was last updated will be used in updating the disaster recovery plan. The disaster recovery plan will: (A) Contain measures which address the impact and magnitude of loss or harm that will result from an interruption; (B) Identify recovery resources and a source for each; (C) Contain step-by-step implementation instructions; and (D) Include provisions for annual testing. (b) Mission critical information shall be backed up on a scheduled basis and stored off site in a secure, environmentally safe, locked facility accessible only to authorized institution of higher education representatives.