Administration & Finance

A&F SERVICES

Campus Administrative Policies

CHAPTER 300: ADMINISTRATION AND FINANCE



380 Administrative Compliance Services

Administrative Compliance Services (ACS) shall be responsible for the following major areas: Campus Administrative Policy, Emergency Management Planning, Business Continuity Planning, Public Records Act administration, and the Records Retention program.

Back to top

382 Request for Public Records

The California Public Records Act requires government agencies to provide the public with access to public records, subject to limited exceptions. Public records are defined by statutes as “any writing containing information relating to the conduct of the public’s business prepared, owned, used, or retained by any state or local agency regardless of physical form or characteristics.”

Public records are open to inspection by the public at all times during office hours. Requests to inspect public records may not interfere with Cal Poly’s business operations. Requests may be made verbally or in writing. If a verbal request cannot be responded to immediately, the requestor shall be asked to submit his or her request in writing so that it is clear what is being requested. Alternatively, a member of the public may submit a written request for public records. The following policy applies to either verbal or written requests for public records.

The campus must respond whether records will or will not be disclosed within ten days after receipt of the request. There is no charge for inspecting records; however, a charge of $.20 per page shall be imposed for all copies of records provided as either hard copies or electronically.

Back to top

382.1 Policy

A campus department that receives a request for public records shall immediately notify and, if written, provide a copy of the request to the Public Records Act (PRA) officer. The department which receives a request for public records shall respond to and comply with the request, unless the requested documents are housed in a different department. A written request should immediately be forwarded to the other department for handling and the PRA officer notified of the transfer.

The director of Administrative Compliance Services serves as the campus PRA officer. The campus PRA officer assures that appropriate campus entities, including University Legal Counsel, are notified of the request and for maintaining an inventory of all such requests. University Legal Counsel shall notify the CSU Office of General Counsel of each request and is available to respond to questions and advise campus administrators regarding requests.

Back to top

References for CAP 382

  1. Date approved by the President: January 19, 2014
  2. Effective Date: January 19, 2014
  3. Responsible Department/Office: Administrative Compliance Services
  4. Revision History: March 7, 2007; January 19, 2014
  5. Related University Policies, Procedures, Manuals and/or Documents: None cited
  6. Laws, Regulations and/or codes of practice referred to herein or related to this policy:
    1. Government Code Section 6250; Article I, Section 3, California Constitution

383 Business Continuity

It is the policy of the University to maintain normal or modified operations at all times. However, impacted business units may modify their operations as necessary. Anticipated hazards and threats, or exigent circumstances may be consideration for the University to intentionally modify operations/services for a period of time. These intentional modifications to normal operations/services will be supported by the University’s Business Continuity Planning Program.

In alignment with the State of California Executive Order S-04-06, the campus is required to develop and maintain a Business Continuity Program to sustain Mission Essential Functions to increase resiliency to disastrous events. Each of these Mission Essential Functions are blended derivatives of normal business operations undertaken by campus colleges or business units, and their respective Critical Functions.

California State University Systemwide’s Executive Order 1014 stipulates that campus business units are responsible for developing, maintaining, reviewing, exercising, and updating their own business continuity plans, with support from Cal Poly’s Department of Emergency Management’s Continuity Coordinator.

The Business Continuity Program is supported by the campus’ Hazard Vulnerability Assessment and Business Impact Analysis, college, division, and unit-level business continuity plans, testing and exercise plans, and communication strategies. The documentation will follow structured plan maintenance, approval and record retention standards.

Back to top

383.1 Business Continuity Program Committee

The University President has delegated responsibility for developing and maintaining the Business Continuity Program to the Business Continuity Planning Committee (BCPC). The BCPC will consist of a Chair, Co-Chair, and senior administrative leaders who have a working knowledge of business continuity processes and are from units identified as key to essential operations. Campus Business Continuity Plans require review and approval by the BCPC. The below colleges, divisions, and units have been identified as key to essential operations and shall appoint a representative to serve as a member of the BCPC:

Academic Affairs, Division Corporate Engagement and Innovation, Academic Affairs Public Safety, Unit
Academic Personnel, University Personnel Dean of Students, Unit Real Estate and Development, Cal Poly Partners Unit
Administration and Finance, Division Disability Resource Center, Unit Research and Economic Development, Academic Affairs
Admissions and Recruitment, Academic Affairs External Relations, Unit Research Compliance, Academic Affairs
Agricultural Operations, Academic Affairs Financial Aid, Academic Affairs Strategic Business Services, Unit
ASI Children's Center, Unit Financial Services, Unit Strategic Enrollment Management, Division
Associated Students, Inc., Division Graduate Education, Academic Affairs Student Academic Services, Unit
Bailey College of Science and Mathematics Grants Development Office, Academic Affairs Student Affairs, Division
Business Services, Cal Poly Partners Unit Human Resources, Unit Student Diversity and Belonging, Unit
Campus Health and Wellbeing, Unit Information and Technology Services, Division University Communications and Marketing, Division
Career Services, Unit Leadership and Service, Unit University Development and Alumni Engagement, Division
College of Agriculture, Food and Environmental Sciences New Student Transition Programs, Unit University Housing, Unit
College of Architecture and Environmental Design Office of Student Research, Academic Affairs University Office of Diversity and Inclusion, Division
College of Engineering Office of the Registrar, Academic Affairs University Personnel, Division
College of Liberal Arts Orfalea College of Business University President, Division
Commercial Services, Cal Poly Partners Unit Corporate Engagement and Innovation, Academic Affairs Public Safety, Unit
Academic Affairs, Division Dean of Students, Unit Real Estate and Development, Cal Poly Partners Unit
Academic Personnel, Academic Affairs Disability Resource Center, Unit Research and Economic Development, Academic Affairs
Administration and Finance, Division Research, Division
Facilities Management and Development, Unit Sponsored Programs Office, Academic Affairs
Back to top

383.2 Mission Essential Functions (MEF)

The Federal Continuity Directive (FCD-2) defines MEF as functions of an organization that are directly related to accomplishing the organization's stated mission.

The below functions have been designated Cal Poly MEFs by executive leadership:

  1. Teach
  2. Research
  3. Provide Housing
  4. Emergency Services
  5. Provide and Maintain Facilities and Infrastructure
  6. IT Services and Communications
  7. Payroll
  8. Procurement/Contracts
  9. Provide agricultural care and facilities
  10. Provide healthcare and counseling
  11. Academic recruiting and admission
  12. Fiscal Services
  13. Seek and administer grants and donations
  14. Manage the University's Reputation
  15. Provide food services
  16. Provide leadership

All Business Continuity Plans and respective college, division, and unit-level Critical Functions shall support these MEF.

Back to top

383.3 Business Impact Analysis

FCD-2 recommends developing Business Impact Analysis (BIA) by ascribing four (4) Continuity Criticality Levels (CCL) to MEF that are foundational in accomplishing an organization's stated mission. Cal Poly will utilize the below Continuity Criticality Levels in Business Continuity planning efforts.

Continuity Criticality Levels

Continuity Criticality Level 4
Very high consequence: Loss or disruption of the MEF, required resources, or critical assets have exceptionally grave consequences, such as extensive loss of life, widespread severe injuries, and total loss of primary mission, core functions, and processes.

Continuity Criticality Level 3
High consequence: Loss or disruption of the MEF, required resources, or critical assets have grave consequences, such as loss of life, severe injuries, and significant loss of primary mission, core processes, and functions for an extended period of time.

Continuity Criticality Level 2
Medium consequence: Loss or disruption of the MEF, required resources, or critical assets have moderate to serious consequences, such as injuries or impairment of core functions and processes.

Continuity Criticality Level 1
Low consequence: Loss or disruption of the MEF, required resources, or critical assets have minor consequences or impact, such as a slight impact on core functions and processes for a short period of time.

Cal Poly's Business Continuity program will utilize the planning assumption that the below Criticality Levels are established for each MEF; Cal Poly ascribes the following CCL to MEF:

  • CCL4 Emergency Services
  • CCL4 Teach
  • CCL3 Manage the University's Reputation
  • CCL3 Provide and Maintain Facilities and Infrastructure
  • CCL3 IT Services & Communications
  • CCL3 Provide Housing
  • CCL3 Research
  • CCL2 Provide food services
  • CCL2 Provide healthcare and counseling
  • CCL2 Provide leadership
  • CCL2 Academic Recruiting and admission
  • CCL2 Payroll
  • CCL2 Fiscal Services
  • CCL2 Provide Agricultural care and facilities
  • CCL1 Procurement/Contracts
  • CCL1 Seek and administer grants and donations

Colleges, divisions, and units whose roles and responsibilities are foundational or supportive in maintaining the campus' stated MEF are required to identify Critical Functions and workflows, prioritize and establish recovery time objectives and, if appropriate, establish recovery point objectives.

Back to top

383.4 Hazard Vulnerability Assessment

Hazard Vulnerability Assessment (HVA) systematically evaluates the damage that could be caused by potential disasters alongside projected disaster frequencies, in conjunction with the maximal severity of the respective impacts on MEF.

Per Hazards and Vulnerability Assessments standards set by FEMA, Cal Poly will utilize the three levels of frequency are Low, Moderate, and High.

Severity categories are defined by:

  • Severe: Extensive loss of life and property
  • Serious: Disruption to infrastructure over an extended period of time
  • Significant: Notable disruption
  • Limited: Some impact to select personnel or supporting infrastructure over a brief period of time
  • Minor: Impact to select personnel over a brief period of time
  • No impact

Cal Poly shall conduct a detailed HVA every five years and must provide public access to the document on the Cal Poly Department of Emergency Management Website.

Campus divisions and units that support MEF are required to plan, train, and exercise in consideration of the HVA in order to prepare for and respond to such disasters that may impact their ability to fulfill their Critical Functions and the mission of the University.

Back to top

383.5 Critical Functions

Critical Functions are services, or a collection of services, that are normally performed by a college, division, or unit that must continue at sufficient levels without interruption or restart within the first 30 days following a disruption to the service.

Back to top

383.6 Essential Employee

An essential employee is designated by their respective supervisor and serves to fulfill a college’s, division’s, or unit’s identified Critical Functions. Essential employees may be required to report to work during modified operations.

Back to top

383.7 Non-Essential Employee

A non-essential employee is any employee that is not identified by their respective supervisor as an essential employee and does not serve to fulfill a college’s, division’s, or unit’s Critical Functions. This designation may change if the supervisor changes an employee’s designation. Non-essential employees may not be required to not report for work during modified operations.

Back to top

383.8 Business Continuity Plan (BCP)

The colleges, divisions, and units whom are component to the Business Continuity Planning Committee are required to develop and maintain a BCP. Each BCP will be reviewed annually by the BCPC and are posted on the Cal Poly's Department of Emergency Management Business Continuity website.

The BCP shall consist of:

  • a directory of onsite essential personnel, offsite essential personnel, non-essential personnel, and business contacts,
  • a prioritized list of Critical Functions together with the essential staff, equipment and support activities identified for each function,
  • lines of succession and delegations of authority,
  • alternate operating facilities,
  • procedures for safeguarding vital records, and
  • testing and training exercises.

All campus colleges and business units are required to develop individual BCP to support the continuity of MEF. These BCP will include Critical Functions specific to the college or business unit, required for continuity of operations.

383.8.1 Communication

Every campus college or business unit shall appoint Plan Editors and coordinate with the BCPC for plan development, annual reviews and updates, and the conduct of periodic tabletop exercises.

383.8.2 Training

BCPC members are encouraged to take FEMA Emergency Management Institute’s “Independent Study 1300 (IS-1300): Introduction to Continuity of Operations,” alongside reviewing continuity planning software-specific documentation, in the interest of maintaining awareness-level knowledge and proficiency to navigate the planning processes.

In coordination or with support of other campus college, division, or units, supplementary trainings will be provided as necessary to ensure the validity of the BCP.

383.8.3 Exercise and Evaluation Methodology

Completed BCP will be validated periodically through Homeland Security Exercise and Evaluation Program (HSEEP) methodology through coordination with the BCPC. The recommended modality for validating BCP is to test the capabilities highlighted therein through the conduct of a tabletop exercise. A Hot Wash will be conducted at the end of the tabletop exercise, which will provide the basis for the development of an “After-Action Review” analysis and an “Improvement Plan” (AAR/IP) that will be actioned to improve the BCP or related capabilities and resources.

Back to top

383.9 Decision Authority

The decision to move to modified operations shall be made by the President or their designee. The University President will be advised by individuals with appropriate background and experience given each unique set of circumstances that may arise, always to include the Executive Director of Public Safety and Emergency Management.

Colleges, divisions, and units will not move to modified operations on their own. Deans, Directors and other heads of operations must receive authorization from the University President or their designee before moving to modified operations under the terms of this Campus Administrative Policy.

383.9.1 Modified Operations

Devolving to modified operations signifies a sanctioned temporary suspension or delay of some or all MEF, normal university operations and events due to severe weather, major utility failure, or other unusual circumstances which may endanger students and/or employees or are otherwise unsuitable for the continuation of normal operations. The identified Critical Functions within BCPs will resume and essential employees must report to work. It is their supervisor’s responsibility to communicate to their employees when questions arise regarding their status as an essential employee.

383.9.2 Summary of Operation Statuses

While it is the policy of the University to remain open during periods of adverse conditions, supervisors may alter work schedules to make allowances for unique travel problems. Employees are advised to use discretion and caution regarding their health and safety. Employees must still account for their normal workday by working or taking vacation leave.

Classes & Campus
Operations
Conducted as Usual		 All employees expected to report to work as usual.
Classes Cancelled All employees expected to report to work as usual.
Modified Operations Classes are canceled and operations not associated with a college's, division's, or unit's Critical Functions are suspended. Only essential employees who fulfill Critical Functions as designated by their supervisor and/or as defined in the associated BCP should report to work.

383.9.3 Notification Procedures

If a decision is made to devolve into modified operations, University Communications and Marketing may consider notifying local news outlets and may consider messaging on the University’s homepage and on various social media networks. The Department of Emergency Management may consider issuing a Poly Alert message. In the absence of a specific direction by way of Poly Alert, all classes, operations, and other functions continue as normally scheduled.

383.9.4 Reporting for Work

Essential Employees: employees who contribute to the performance of Critical Functions under a BCP must report to work during modified operations. Supervisors may also designate additional employees as essential due to the needs of the college, division, or unit; for example, the need to complete a specific project or address other important matters. Designations may be made before, at the start of, or during modified operations. Additionally:

  • Supervisors are responsible for informing employees that they have been designated as essential in a timely manner. Supervisors should establish reliable means of communication with employees as part of their BCP. Depending on the nature of their work, essential employees may be required to report to work at their designated work location or may be allowed to work remotely. Working remotely must be approved or pre-approved by the essential employee's supervisor or authorized designee.
  • Non-Essential Employees: it may not be appropriate for non-essential employees to work during a period of modified operations. Employees who work despite being designated as non-essential, and/or despite instructions to the contrary from their supervisors, may be subject to discipline.
  • Non-Essential Employees are responsible for monitoring communication for return-to-work notifications and any information concerning changes to their designation as essential or non-essential.
Back to top

References for CAP 383

  1. Date approved by the President: January 19, 2014
  2. Effective Date: January 19, 2014
  3. Responsible Department/Office: Administrative Compliance Services
  4. Revision History: None
  5. Related University Policies, Procedures, Manuals and/or Documents:
    1. Continuity of Operations Plan
    2. Executive Order 1014, California State University Business Continuity Program
    3. Cal Poly Information Security Risk Self-Assessment
  6. Laws, Regulations and/or codes of practice referred to herein or related to this policy:
    1. California Executive Order S-04-06

384 Records/Information Retention and Disposition

The campus is required to implement Records and Information Retention and Disposition schedules to ensure efficient and effective compliance with legal and regulatory disposition and retention requirements while implementing appropriate operational best practices.

Back to top

384.1 Records/Information Custodians

The President has delegated campus custodians for each type of record requiring retention and disposition schedules. These custodians are responsible for assuring that the campus is operating in compliance with the California State University (CSU) Records/Information Retention and Disposition schedules, secure records and information in accordance with applicable campus and CSU policy and ensure the appropriate and timely disposition schedule timeframes.

Back to top

384.2 Records/Information Schedules

Each custodian defines schedules for the documents/information they are responsible for based on CSU and legal requirements. These schedules are published on the Cal Poly website and are available to the Office of the Chancellor upon request. Schedules are required to be reviewed and approved on an annual basis by the assigned data custodian.

Back to top

384.3 Records/Information Disposal

Every unit on campus is required to dispose of all records/information in accordance with retention and disposition schedule timeframes. The campus has implemented compliance procedures via the annual Information Technology SelfAssessment whereby departments verify they are following retention and disposition schedules.

Back to top

References for CAP 384

  1. Date approved by the President: January 19, 2014
  2. Effective Date: January 19, 2014
  3. Responsible Department/Office: Administrative Compliance Services
  4. Revision History: None
  5. Related University Policies, Procedures, Manuals and/or Documents:
    1. Revision to Executive Order No. 1027, Systemwide Records/Information Retention and Disposition Schedules Implementation & Executive Order No. 1031
    2. Cal Poly Information Security Risk Self-Assessment and Inventory Standard
    3. Cal Poly Record Retention and Disposition Standards
  6. Laws, Regulations and/or Codes of practice referred to herein or related to this policy: None cited.
Back to top

References for CAP 380

  1. Date approved by the President: October 24, 2014
  2. Effective Date: October 24, 2014
  3. Responsible Department/Office: Administrative Compliance Services
  4. Revision History: Not applicable
  5. Related University Policies, Procedures, Manuals and/or Documents:
    1. Cal Poly ACS website
    2. CSU Executive Order 1014
    3. CSU Executive Order 1031
    4. CSU Executive Order 1056
  6. Laws, Regulations and/or codes of practice referred to herein or related to this policy:
    1. California Public Records Act