Non-substantive change
In the Information Security Risk Management Standard and Procedure, under Purpose and Background, removed the phrase "which includes updating the department’s mission, business continuity, and disaster recovery plans."
In the University Data Protection Standard (UDPS): In the "Assessing and Managing Risk" table changed the phrase:
"The department must complete an IT security risk assessment, including updating the department’s mission, business continuity, and disaster recovery plans annually . . . "
to say : "and update". The phrase becomes: "The department must complete an IT security risk assessment and update the department’s mission, business continuity, and disaster recovery plans annually . . . "
All three of these changes were done to separate the requirement into two distinct requirements - completion of the IS-RM and update of the department’s mission, business continuity, and disaster recovery plans. This clarifies that collection of a department's mission, business continuity, and disaster recovery plans is not part of Information Security Risk Management tool or process.
The Office of Emergency Management is responsible for the departmental mission, business continuity, and disaster recovery plans. They plan to put this requirement in their policy sometime in 2021.
Printer-friendly version