Business continuity and disaster recovery (BC/DR) planning enables organizations to ensure continued function in the face of disruptive events and to recover from disruptions. Colleges and universities are vulnerable to a variety of natural and man-made emergencies, disasters, and hazards. Part of risk management is determining which risks will be accepted and tolerated, and not all disruptive events can be prevented. Proper planning is essential to maintaining or restoring services when an unexpected or unavoidable event disrupts normal operations.

Disruptive events may include:

• Natural disasters
• Power outages
• Equipment failures
• Downtime or security incidents due to vendors and/or third parties
• Security breaches
• Sudden staff departure
• Picketing or boycotts

When any of these incidents occurs, it poses risks to the institution, testing its ability to maintain continuity of operations. Organizations that are prepared have a plan to handle disruptive events and return to normal business operation as soon as possible, while maintaining the security and privacy of the data they protect. These plans must be documented, tested, and adjusted to account for changing circumstances.

Building a BC/DR plan includes the following steps, which apply to each business unit or department (drawn from Information Security Aspects of Business Continuity Management Standard):

1. Identifying the team that will coordinate the work and getting management approval
2. Performing business impact, risk analysis, and threat analysis to identify key systems, places, people, and assets whose disruption could affect normal business operation
3. Determining a strategy to mitigate the disruption and restore normal operations while maintaining security and privacy
4. Documenting the plans
5. Training faculty, staff, and students to execute the plan
6. Testing and updating the plan based on the tests and changing circumstances

BC/DR is the A in the information security C-I-A triad of confidentiality, integrity, and availability. BC/DR plans are thus an integral part of all organized information security planning. Such plans constitute a well-reasoned, step-by-step approach to determine the "how, when, where, who, and what" should a disruption of normal operations occur. Recent history has demonstrated that plans are a necessity regardless of the size, location, or mission of an organization. The plan must address the continuity of security and privacy under less than ideal circumstances. The following two examples further describe the intent of such plans.

The U.S. Homeland Security Presidential Directive 5 (HSPD-5), Management of Domestic Incidents, states, as its purpose, "To enhance the ability of the United States to manage domestic incidents by establishing a single, comprehensive national incident management system." Its policy says, "To prevent, prepare for, respond to, and recover from terrorist attacks, major disasters, and other emergencies, the United States Government shall establish a single, comprehensive approach to domestic incident management." While not all reasons for BC/DR involve homeland security, this is an acknowledgment—at the highest governmental level—of the need to establish BC/DR plans.

A mandate from the U.S. Department of Education, Education Facilities Sector-Specific Plan, states that "all schools and higher education institutions are prepared to prevent-mitigate, respond to, and recover from all hazards, natural or manmade, by having a comprehensive, all-hazards plan based on the key principles of emergency management to enhance school safety, to minimize disruption, and to ensure continuity of the learning environment."