Policy Number: 12-007

Backup and Recovery

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer


The purpose of this policy is to protect University Data from loss or destruction by specifying reliable backups that are based upon the availability needs of each unit and its data.


This policy applies to all University of Florida Data and the Information Systems used with it.


Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

Recovery Point Objective: the point in time to which systems and data must be recovered after a disaster has occurred. Can also be referred to as ‘maximum data loss’.

Recovery Time Objective: the maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization. This is the maximum agreed time for the resumption of the critical business functions.

Unit: A part of the University of Florida that has administrative and financial duties to comply with the university’s information security policies.

University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.


  • University Data is backed up in a manner sufficient to restore any or all of an Information System in the event of a data loss, according to Recovery Time Objectives and Recovery Point Objectives.
  • Backups are periodically tested to ensure that backups are sufficient and reliable.
  • Backup systems and media protect the confidentiality, integrity and availability of stored data.
  • Written procedures are maintained to allow unit personnel to recover data in the event of an emergency.


  1. Information Security Administrators (ISAs) are responsible for establishing Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), in conjunction with data users and owners, for all University Data collected, stored or maintained by the unit. ISAs should verify that Data used by the unit, but collected, stored or maintained by others, have appropriate backup plans.
  2. Information Security Managers (ISMs) are responsible for implementing backup systems and processes to ensure that RTO and RPO can be met for all data collected, stored or maintained on unit Information Systems. ISMs document backup system operation and test recovery capability.
  3. The Vice President and CIO is responsible for implementing systems and specifications to facilitate unit compliance with this policy.


Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Volunteers may have their volunteer status terminated