University of North Alabama // Internal Planning Document
WEB INFRASTRUCTURE
CONTINUITY PLAN
// OPERATIONAL RISK ASSESSMENT + MITIGATION FRAMEWORK — UNA WEB SERVICES //
PREPARED_BY: Heath Matlock
TEAM: Web Services :: ITS
DATE_STAMP: 2026.02.28
VERSION: v1.0 :: DRAFT FOR CIO REVIEW

01 Summary

UNA's public-facing digital infrastructure supports enrollment, student communications, and federal accessibility compliance. It is managed by Web Services, operating within IT, without a formal continuity framework, shared documentation repository, or automated failsafes for several critical functions.

This plan identifies the specific gaps, names the shared risks that span both teams, and proposes a practical mitigation framework. The goal is to open a structured conversation with IT before a gap becomes an incident.

02 System Inventory & Ownership

Current operational ownership mapped below. Several Tier 1 systems involve both Web Services and IT — continuity is a shared concern, not a departmental one.

Tier   | System                        | Platform / Host                     | Operational Owner
Tier 1 | una.edu (main site)           | Cascade CMS — Hannon Hill           | Beacon + Web Services
Tier 1 | apps.una.edu                  | WordPress — American Cloud          | Web Services
Tier 1 | SSL certs (una.edu)           |                                     | CIO
Tier 1 | DNS (una.edu)                 |                                     | CIO / IT
Tier 1 | Banner API integration        | IT-managed endpoint                 | ERP (endpoint) + Web Services (consumer)
Tier 1 | Slate integration             |                                     | Enrollment Management
Tier 2 | WCAG compliance monitoring    |                                     | Web Services
Tier 3 | Vendor / agency relationships | Beacon, Hannon Hill, American Cloud | Web Services

03 Risk Findings

Finding 01 — Manual SSL Provisioning

SSL certificates for una.edu are generated manually by the CIO. No automated renewal, no advance alerting, no documented coverage procedure if the CIO is unavailable at renewal time. A missed renewal triggers browser security warnings across all UNA domains — a high-visibility failure at any point in the enrollment cycle.

Finding 02 — Documentation Has No Institutional Home

Operational documentation for Web Services systems is actively being developed but remains incomplete. Architecture decisions, configurations, and procedural knowledge are not yet fully documented in an institutionally accessible form. Credentials are managed in 1Password with a shared vault and shared email, ensuring system access is not tied to any single team member, though the structure has not been formally aligned with an IT-wide credential standard.

Finding 03 — Split Ownership, No Handoff Protocol

Several Tier 1 systems have split ownership within IT, with no documented protocol for what happens when either side is unavailable. For the Banner API, the endpoint is maintained by a separate IT function and Web Services manages the consumer side. If the endpoint changes or fails, there is no established escalation path or named point of contact.

Shared Risk Vector

SSL and Banner integration risks span multiple functions within IT. Addressing them requires cross-functional coordination and shared documentation — not siloed internal processes on either side.

04 Proposed Mitigation

// Web Services will own
  • System inventory published to
  • Runbooks for Tier 1 functions: WordPress admin, Slate integration, Banner API consumer-side procedures
  • 1Password vault audit — formalize structure by tier, confirm all three team members hold access, align with any IT-wide credential standard
  • Uptime monitoring for apps.una.edu and all Tier 1 properties with alert routing independent of any single team member
  • Cross-training record documenting which team members can perform which Tier 1 functions
// Requesting IT coordination on
  • SSL automation — move una.edu cert renewal to an automated process, eliminating the manual single-point dependency
  • DNS documentation — documented procedure and secondary contact for DNS changes
  • Banner API protocol — documented escalation and notification process for endpoint changes or outages affecting web systems
  • Annual review cadence — brief annual check-in to review system inventory and flag risk profile changes

05 Implementation Timeline

DAYS_001–030 // 1Password vault audited and restructured by tier. All three team members confirmed with access. System inventory drafted and published to. Uptime monitoring configured for all Tier 1 properties.
DAYS_031–060 // Tier 1 runbooks written and peer-reviewed. Cross-training gaps formally identified. Banner API escalation protocol drafted in coordination with IT.
DAYS_061–090 // SSL automation implemented in coordination with IT. DNS documentation finalized. All Tier 1 single points of failure addressed or formally acknowledged with a named mitigation plan.
ONGOING // Quarterly system inventory review. Credential and access audit triggered on any personnel change event. Annual review session with IT leadership.