Wave pattern

Guide: UC Information Technology Recovery Policy (IS-12)

The University of California Information Technology Recovery Policy (IS-12) establishes requirements and role-based responsibilities for creating an IT recovery plan for UC Santa Cruz institutional information and IT resources in the event of an emergency.

Learn how to report a compromise of the privacy, integrity, or availability of UC Santa Cruz data and systems.

Green dash

The UC Information Technology Recovery Policy (IS-12) requires:

  • Alignment with UCSC’s Business Continuity Plan (BCP)
  • Oversight by a cyber-risk responsible executive
  • Adoption of a risk-based approach
  • Maintaining an inventory of institutional information and IT resources
  • Recovery Level Classification of institutional information and IT resources
Structure established in the IS-12 policy
Structure established in the IS-12 policy showing a Cyber-Risk Responsible Executive overseeing a Unit Head, who oversees an Unit IT Recovery Lead
Green dash

Cyber-Risk Responsible Executive (CRE)

Responsible for approving the IT recovery plan. CREs appoint an IT Recovery Lead for the university. 


Unit Heads

Responsible for Unit IT Recovery Planning, appointing Unit IT Recovery Leads, and ensuring the creation of Unit IT Recovery Teams. Unit Heads appoint Unit IT Recovery Leads (UITRLs).


Unit IT Recovery Leads (UITRL)

Works to ensure that IT Recovery planning and testing take place. They communicate requirements to key parties and coordinate the execution of the plan in the event of an emergency


Unit Information Security Leads (UISL)

Works to ensure that the planning and execution of IT recovery includes meeting security requirements. 

Green dash

In accordance with UC’s IS-12 Information Technology Recovery Policy, university data and IT resources essential to UC Santa Cruz’s Business Continuity Plan (BCP) must be classified into one of five Recovery Levels that indicate optimal timelines for recovery based on the importance of data and IT resources to the BCP. Learn more about UCSC’s Data and IT Resource Classifications.

UC Santa Cruz recovery level classifications

Recovery Level (RL)Description of IT Resources and institutional informationRecovery Time Objective (RTO)
RL5Core university technology and infrastructure components15 Minutes
RL4Critical 1 IT resources: Life, safety, alternatives not sustainableUp to 6 hours
RL3Critical 2 IT resources: Alternatives sustainable up to 24 hoursUp to 24 hours
RL2Necessary IT resources or university dataUp to 5 days
RL1DeferrableUp to 30 days
Green dash

Compliance with IS-12 is achieved when CREs and Unit Heads meet all the requirements of this policy, or iterative compliance, a multi-phased model of compliance that must:

  • Assess the initial state of IT recovery readiness 
  • Review risks and compliances
  • Plan and implement improvements
  • Assess progress (annually, at minimum)
Green dash

While exceptions to an IT recovery policy or standard may weaken UCSC’s ability to withstand a disaster, they are occasionally necessary and permitted. Units must follow a risk-based approach when requesting an exception to the controls specified in parts IV, V, and VI of the IS-12 policy. Exception requests must follow the UCSC-approved exception process. 

Last modified: Apr 29, 2025