Back to Main Site

Business Continuity Policy

Fact box

  • Policy owner: Director IT
  • Policy category: Management: IT
  • Policy status: Approved
  • Approval body: Council
  • Endorsement body: Executive
  • Related policies:
  • Last amended: 19th Aug. 2025
  • Relevant HESF:

Purpose

The purpose of this Business Continuity (BC) Policy is to ensure that Alphacrucis University College (AC) can quickly and effectively restore critical IT systems and services following a disruption or disaster. This includes natural disasters, cyber incidents, power outages, equipment failures, or other major events that impact operations.

Scope

This policy applies to:
• All critical IT systems and digital services (e.g., M365, Moodle, Salesforce, Student Management Systems, Email, etc.)
• Cloud and on-premise infrastructure
• Data storage, backups, and recovery processes
• All IT staff, contractors, and managed service providers

Policy

Key Principles

  • Protect critical digital services and data from loss or extended downtime
  • Minimise disruption to teaching, learning, administration, and student services
  • Ensure compliance with TEQSA standards and relevant Australian data and risk management laws
  • Define roles and processes for restoration and communication during a crisis

Governance & Roles

  • The IT Director Team owns the Business Continuity and recovery program
  • A Business Continuity (BC) Team (led by the IT Director) will coordinate the response
  • Departmental heads must identify critical services used by their teams
  • Vendors and MSPs must comply with recovery SLAs and participate in BC testing

Recovery Metrics

Metric

Definition

Standard

RTO (Recovery Time Objective)

Maximum acceptable downtime for systems

4–48 hours (depending on criticality)

RPO (Recovery Point Objective)

Maximum acceptable data loss (time-based)

0–24 hours (depending on system)

Critical systems such as Moodle, Email, and SMS require RTO and RPO of less than 24 hours.

 

Backup Strategy

  • All critical data is backed up daily and retained for at least 90 days
  • Backups are encrypted and stored in geographically separate locations where possible
  • Periodic restore testing is conducted quarterly or annually depending on system criticality
  • Backup logs are reviewed weekly

Business Continuity Process

Activation

  • The IT Director or delegate declares a Disaster Event
  • The Business Continuity Team is activated within 1 business day
  • Communication is initiated with the Executive and Business Continuity Teams
  • Council is notified

Recovery Steps

  1. Assess impact and identify affected systems
  2. Notify stakeholders and communicate estimated downtime
  3. Activate backups or implement workarounds
  4. Verify restored services and data integrity
  5. Resume operations and monitor performance
  6. Conduct a post-incident review and update documentation

Testing and Maintenance

  • Annual BC tests will be conducted for all critical systems
  • Testing must simulate real-world outage scenarios
  • Lessons learned must be used to drive improvements
  • Any infrastructure or application changes must trigger a BC plan review

Communication Plan

  • Communications during an event will follow a predefined matrix:
    • Staff notified via Teams and email alerts
    • Students updated via Moodle and email
    • Executive Leadership briefed directly by the IT Director
  • A status page or alternate communication channel will be used if core systems are unavailable

Compliance and Audit

  • BC procedures must align with ACSC Essential Eight and higher education compliance standards
  • Internal audits will be conducted annually
  • Audit reports must be presented to the executive governance board

Review and Updates

This policy will be reviewed annually or following any significant security incident, regulatory change, or audit recommendation.

Responsible for implementation

Director IT

Alphacrucis University College Ltd | ABN: 13072747187
RTO: 90525 | TEQSA: PRV12006 ‘University College’ | CRICOS: 00958A