Backup and Business Continuity Policy
Policy Number: INFOSEC 1.3
Version Number: 1.0
Classification: Information Security
Effective Date: May 18, 2010
Responsible University Office: Information Technology Services (ITS) Quality Assurance
Saint Louis University and its member organizations (collectively, "Saint Louis University", the
"University" or "SLU") are committed to conducting business in compliance with all applicable
laws, regulations and SLU policies including Health Insurance Portability and Accountability Act
(HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), Gramm-Leach-Bliley Act
(GLBA), and the Family Educational Rights and Privacy Act (FERPA).
The purpose of this policy is to ensure that all critical information resources, as defined by this
policy, that store, process or transmit confidential information are clearly identified and that
business continuity procedures to regularly test the functionality of backup or redundant
systems and emergency procedures on all such critical systems, as well as allow for exact
copies of data to be retrieved if necessary, are developed. The policy was developed to provide
guidance and assistance to all members of the Saint Louis University community in the
development, implementation and maintenance of a business continuity plan that covers all
infrastructures that contain confidential information in all formats (electronic, paper, video, audio
Saint Louis University has adopted this policy to ensure all confidential information is properly
backed up (either fully or incrementally) and all associated systems remain functional, reliable
and able to continue operations in the event of an emergency.
This policy applies to hardware, software, and/or procedural mechanisms implemented by Saint
Louis University to develop, implement and maintain a business continuity plan that covers all
information resources that contain confidential information in all formats (electronic, paper,
video, audio etc.).
Confidential Information – For individuals, confidential information is a
combination of any information that identifies and describes an individual, including
his or her name in conjunction with social security number, protected health
information and financial account information. From a business perspective,
confidential information refers to any type of information that may have a negative
impact if shared with others who do not need to know, including attorney/client
information, University financial information, research information and business
proposals and contracts.
Protected Health Information (PHI) – Individually identifiable health information
transmitted or maintained in any form.
Electronic Protected Health Information (ePHI) – Individually identifiable health
information transmitted or maintained in electronic form.
Information Security Officer – The designated person who monitors overall
compliance with University information security policies and procedures, making
recommendations for improved security and for monitoring the occurrence of
security incidents. The Information Security Officer serves as the HIPAA Security
Workforce – Employees, volunteers, trainees, contractors, and other persons
under the direct control of the covered entity, whether or not paid by the covered
entity, who have access to confidential information.
Business Associate – A person, or organization, who is not a member of the
covered entity's workforce, and who performs any function or activity on behalf of
the covered entity involving the use or disclosure of protected health information or
who provides services to a covered entity that involves the...