Guide: UC Information Technology Recovery Policy (IS-12)
The University of California Information Technology Recovery Policy (IS-12) establishes requirements and role-based responsibilities for creating an IT recovery plan for UC Santa Cruz institutional information and IT resources in the event of an emergency.
Report an information security incident
Learn how to report a compromise of the privacy, integrity, or availability of UC Santa Cruz data and systems.
Requirements
The UC Information Technology Recovery Policy (IS-12) requires:
- Alignment with UCSC’s Business Continuity Plan (BCP)
- Oversight by a cyber-risk responsible executive
- Adoption of a risk-based approach
- Maintaining an inventory of institutional information and IT resources
- Recovery Level Classification of institutional information and IT resources

Roles and responsibilities
Cyber-Risk Responsible Executive (CRE)
Responsible for approving the IT recovery plan. CREs appoint an IT Recovery Lead for the university.
Unit Heads
Responsible for Unit IT Recovery Planning, appointing Unit IT Recovery Leads, and ensuring the creation of Unit IT Recovery Teams. Unit Heads appoint Unit IT Recovery Leads (UITRLs).
Unit IT Recovery Leads (UITRL)
Works to ensure that IT Recovery planning and testing take place. They communicate requirements to key parties and coordinate the execution of the plan in the event of an emergency
Unit Information Security Leads (UISL)
Works to ensure that the planning and execution of IT recovery includes meeting security requirements.
IT resource recovery levels
In accordance with UC’s IS-12 Information Technology Recovery Policy, university data and IT resources essential to UC Santa Cruz’s Business Continuity Plan (BCP) must be classified into one of five Recovery Levels that indicate optimal timelines for recovery based on the importance of data and IT resources to the BCP. Learn more about UCSC’s Data and IT Resource Classifications.
UC Santa Cruz recovery level classifications
Recovery Level (RL) | Description of IT Resources and institutional information | Recovery Time Objective (RTO) |
RL5 | Core university technology and infrastructure components | 15 Minutes |
RL4 | Critical 1 IT resources: Life, safety, alternatives not sustainable | Up to 6 hours |
RL3 | Critical 2 IT resources: Alternatives sustainable up to 24 hours | Up to 24 hours |
RL2 | Necessary IT resources or university data | Up to 5 days |
RL1 | Deferrable | Up to 30 days |
Compliance
Compliance with IS-12 is achieved when CREs and Unit Heads meet all the requirements of this policy, or iterative compliance, a multi-phased model of compliance that must:
- Assess the initial state of IT recovery readiness
- Review risks and compliances
- Plan and implement improvements
- Assess progress (annually, at minimum)
Exceptions and risk acceptance
While exceptions to an IT recovery policy or standard may weaken UCSC’s ability to withstand a disaster, they are occasionally necessary and permitted. Units must follow a risk-based approach when requesting an exception to the controls specified in parts IV, V, and VI of the IS-12 policy. Exception requests must follow the UCSC-approved exception process.