5. Emergency management and disaster recovery planning
As outlined in the Emergency and Critical Incident Management Planning policy, schools must plan to securely continue operations during disruptions impacting ICT systems and be able to recover information and systems in the event of a disaster.
Schools are recommended to:
- incorporate information security into their Emergency Management, which includes their Business Continuity Plan, and describe:
  - how they will respond to potential disruptions to school critical ICT systems and data access
  - specific contingencies and disaster recovery processes for securing school information stored on-site (both digital and hard copies) and managing school information shared with third parties (such as Compass for student data)
- complete testing of the Business Continuity Plan with the support of the TSSP resource
- obtain reports from any locally engaged contracted service providers, confirming that the providers’ business continuity measures are in place, to prevent interruption to school operations, including:
  - automated backup systems
  - data backups sufficiently isolated from production systems to enable data recovery in the event of a ransomware attack which may seek to destroy or maliciously encrypt the backup data
  - data retention requirements (including a confirmation of minimum data retention – all backups must be retained for at least 3 months)
  - documented disaster recovery strategies that are tested at least annually.
For additional details on annual planning requirements and processes, refer to the Technologies and ICT Services and Emergency and Critical Incident Management Planning policies.
Reviewed 28 January 2025