IT Contingency Planning IT Disaster Recovery Planning

Information Security Standard

IT Contingency Planning - IT Disaster Recovery Planning

Version: 1.0
Status: Approved: 02/21/07
Contact: Director, Technology Services

PURPOSE

To provide contingency planning and business recovery considerations to support the preparation of a comprehensive security plan.

SCOPE

IT Contingency Planning includes developing plans to minimize the disruptions of critical functions and the capability to recover critical IT systems in accordance with COV ITRM 501-01. The outcome may contribute to various plans that properly organize the response, recovery, and continuity activities for disruptions affecting the relationship between IT systems and business processes supported by the IT systems.

APPLICABILITY

The IT Disaster Recovery Planning Standard is applicable to the System Office and all Colleges.

STANDARD

Once the Business Impact Analysis and Risk Assessment processes are complete, the business processes and supporting IT systems have been identified along with system vulnerabilities, threats, and current controls. The order of restoration has also been identified in these processes. This step involves using this information to ensure the contingency plan is able to address the risks completely and effectively.

Requirements:

The following requirements must be addressed in the plan. The recommendations outlined at the end of this document define a minimum set of expectations. The VCCS and individual college may follow their own format as long as the requirements are met.

Requirement: Develop and maintain an IT Disaster Recovery Plan that supports restoration of essential business processes.

Requirement: Perform a periodic review, reassessment, testing and revision of the plan to reflect changes in business processes, services, IT systems, and personnel. "Periodic" must be defined in the System Office or College security plan but should be as a minimum on an annual basis.

Requirement: Provide training of all team members as part of the Security Awareness and Training Program.

Requirement: Establish alternate communication methods to support IT system user local and remote access to systems.

Recommended Processes

Definitions

A disaster can be defined as a total or partial loss of any or all of the following: physical space, servers, workstations, network infrastructure equipment, personnel, software eradication, or hostile intrusion of the IT system resources resulting in an interruption of services.

A recovery plan is a manual with procedures, responsibilities, and critical information required to execute a recovery of IT systems that support critical and essential business functions.

Assumptions

List and describe the things that could be assumed from the plan. The list of assumptions will not be all-inclusive. Some assumptions may include:

All resources and staff can be made available as soon as possible.

All members of the disaster recovery teams have the most current copies of the disaster recovery plan.

Users will continue to operate via a manual mode until IT services can be restored.

Backups will be made available as soon as possible.

Service agreements with outside entities have been maintained.

Information Technology Environment

Provide a general description of system architecture and functionality. Indicate the operating environment, physical location of all campuses, building plans indicating general location of users, and partnerships with external organizations/systems. Include information regarding any other technical considerations that are important for recovery purposes, such as backup procedures (reference IT System and Data Backup and Restoration). Provide a diagram of the architecture, including security controls and telecommunications connections.

When an IT Disaster is Recognized

State the course of actions that should occur when a disaster is recognized. The following is an example of the initial flow once a disaster has been recognized:

In the event of an IT disaster or as notified following a business-wide disaster, the IT disaster planning coordinator <Name and Title> will initiate IT disaster recovery procedures. If <Name and Title> is not available the order of responsibility for initiating IT disaster recovery procedures is as follows: <list all names and titles in order of succession>. The IT disaster planning coordinator or substitute will secure a copy of the current disaster recovery plan. Current copies of the disaster recovery plan reside <list physical locations>. The IT disaster planning coordinator or substitute will perform a quick analysis of the situation and notify administrative staff at the VCCS and/or individual college as applicable, and computer customers and will call and place into service the appropriate IT disaster teams (description of possible IT disaster teams listed below). The IT disaster planning coordinator or substitute will work with other disaster recovery teams to facilitate communication and coordination of efforts.

IT Disaster Recovery Teams

Disaster recovery teams will be utilized to restore automated IT system services. The recovery teams will be lead by the IT disaster planning coordinator and will participate in recovery activities based on the level of severity of the loss, recovery deemed necessary, and restoration order as deemed in the Business Impact Analysis and Risk Assessment processes. Depending on the size of the agency, employees may be assigned to various teams and assigned multiple roles and responsibilities.

IT Disaster Planning Coordinator

Determine the IT disaster planning coordinator and the backup coordinators in order of succession. List the name, position, and contact information of each coordinator. List the responsibilities of the coordinator. Some responsibilities may include:

Manage and coordinate all IT disaster plan activities.
Contact all IT disaster recovery team members involved in the recovery effort.
Ensure all IT disaster recovery team members have a copy of the plan.
Appoint replacement staff if necessary.
Initiate tasks as delegated by IT disaster recovery team responsibilities.
Provide IT disaster recovery status via communication with College and/or VCCS administrators and other disaster recovery teams.
If necessary, assist planning for returning to normal conditions (renovations, new construction, etc.).

IT Emergency Management Team

Determine the members of the IT Emergency Management Team and list the appropriate responsibilities.

The team may consist of any or all of the following personnel:

IT Disaster Planning Coordinator
Network Administrator
Information Security Officer
Telecommunications Coordinator
Programmer Analysis
Computer Technician
Exchange Administrator
Lab Manager
Media Services Technician
Help Desk Manager
Any other personnel deemed necessary for this team

Responsibilities of the IT Emergency Management Team may include:

Assessment of the damage.
Provide a detail status of the disaster to the disaster planning coordinator as soon as possible.
Contact all vendors, contractors or external resources necessary to restore services to the damaged areas.
Provide a general status of the disaster to college personnel.
Determine the priorities. There should be a minimal accepted time frame the college will function with degraded operations before the backup plan is implemented.
Ensure all needed support staff is contacted to provide assistance.
Determine a general time frame for when all services will be restored.

IT Technical Support Team

Determine the members of the IT Technical Support Team and list the appropriate responsibilities.

The team may consist of any or all of the following personnel:

IT Disaster Planning Coordinator
Network Administrator
Information Security Officer
Telecommunications Coordinator
Programmer Analysis
Computer Technician
Exchange Administrator
Lab Manager
Media Services Technician
Help Desk Manager
Any other personnel deemed necessary for this team

Responsibilities of the IT Technical Support Team may include:

Working with the IT Emergency Management Team to conduct an on-site assessment of the damaged area to determine the condition of IT resources.
Determine what computer hardware/software has been damaged.
Review the risk assessment analysis and business impact analysis and determine what the critical/non-critical applications are and to determine whom is responsible for each application.
List procedures to create a new environment for the hardware or for the purchase of new hardware (give actual procedures).
List procedures to restore critical software/applications (give actual procedures).
List procedures to restore non-critical software/applications (give actual procedures).
Contact application owners to determine their role in the recovery process.

Special Projects Team

Determine the members of the Special Projects Team and list the appropriate responsibilities.

The team may consist of any or all of the following personnel:

IT Staff
IT Lab Assistants
Web Master
Procurement Staff
Accounting Staff
Fixed Asset Coordinator
Facilities Staff
Security Services Staff
Secretarial Support Staff
Any other personnel deemed necessary for this team

Responsibilities of the Special Projects Team may include:

Providing transportation to and from backup facilities, external vendors or other off-site locations.
Assisting in making telephone calls as needed.
Coordinating packing and moving supplies as needed.
Acquiring emergency purchasing means (i.e. assigning purchasing charge card or delegated purchasing authority) or being available to purchase goods or services as needed.
Providing clerical support as needed.

Customer Support Team

Determine the members of the Customer Support Team and list the appropriate responsibilities.

The team may consist of any or all of the following personnel:

IT Disaster Planning Coordinator
Network Administrator
Information Security Officer
Telecommunications Coordinator
Programmer Analysis
Computer Technician
Exchange Administrator
Lab Manager
Media Services Technician
Help Desk Manager
Secretarial Support Staff
Departmental personnel
Work Study students
Any other personnel deemed necessary for this team

Responsibilities of the Customer Support Team may include:

Notifying IT customers of the disaster and giving them a time frame for recovery.
Assisting customers in developing manual procedures to accomplish work if resources are unavailable for a long period of time.
Assisting users with hardware and software restoration or relocation to an alternate office site.

Emergency Response Procedures

List the emergency response procedures appropriate to any incident or activity, which may endanger lives, property or the capability to perform essential functions. This may include:

The detailed technical procedures for installing and configuring systems at an alternate site.
The detailed technical procedures for restoring systems from backup media.
The procedures for returning to normal operations once on-site facilities are under normal operations.
Copies of all Memorandum of Understanding (MOU) or Service Level Agreements (SLA) between the VCCS or individual college and outside entity that provides alternate storage facilities.
Documented procedures for emergency access authorization to VCCS or individual college facilities in the event of an emergency of disaster.

Emergency Telephone List

Maintain a list of all emergency service telephone numbers in your area. This may include fire, police, rescue squad, and applicable State and Local Government entities.

Maintain a list of all IT disaster recovery teams. The list should contain all work location numbers, cellular or pager numbers, email addresses, home numbers, etc. Update the list as employees enter or depart the VCCS or college.

Maintain a list of all IT related vendors (hardware and software vendors, various IT state contract vendors, telecommunications vendors, other state agencies, etc.)

Maintaining the Plan

To be effective, the plan must be maintained in a prepared state that accurately reflects the current VCCS or individual college IT environment and current policies and procedures. It is essential that the plan be reviewed and updated regularly. The plan should be reviewed for accuracy and completeness at least annually or whenever significant changes occur to any part of the plan. Certain elements may require more frequent reviews (contact lists for example).

The plan should be maintained at various locations and partial or complete copies provided to all appropriate team personnel. Because confidential and sensitive information may be contained in the plan, all team members should be instructed to house copies the plan in a secure manner. The IT planning coordinator should maintain a list of all employees who have copies of the plan and where the partial or complete plan is housed.

The plan should reference specialized training for all disaster recovery team members. Training may include the purpose of the plan, cross team coordination and communication procedures, reporting procedures, security requirements, and team specific and individual processes during each phase of the disaster.

The plan should reference annual training for general staff members when responding to an emergency situation such as fire, inclement weather, and other incidents requiring a shut down of IT operations and relocation to an alternate site.

Plan Testing

Plan testing is a critical element of the IT disaster recovery plan. Testing should be done at least once a year and more often as necessary. Testing assists in identifying and addressing deficiencies. Testing also helps evaluate the ability of recovery teams to implement the plan quickly and efficiently. The following components may be addressed during an IT disaster plan test:

Testing backup media on an alternate equipment
Testing coordination among recovery teams
Testing notification procedures

The purpose of testing is to demonstrate to both management and recovery teams the ability of one or more vital business processes to continue functioning inside the identified timeframe post a business interruption event. An exercise is not a pass/fail work effort but an opportunity to identify vulnerabilities and gaps in your recovery plan.

Testing may be in performed in various formats.

Tabletop Exercises

A tabletop exercise simulates an emergency situation in an informal, stress-free environment. The participants gather around a table to discuss general problems and procedures in the context of an emergency scenario. The focus is on training and familiarization with roles, procedures, or responsibilities.

Functional Exercise

The functional exercise simulates an emergency in the most realistic manner possible, short of moving real people and equipment to an actual site. As the name suggests, its goal is to test or evaluate the capability of one or more functions in the context of an actual disaster.

Full Scale Exercise

A full-scale exercise is as close to the real thing as possible. It is a lengthy exercise which involves numerous groups participating and using the equipment and personnel that would be called upon in a real event. The full-scale exercise may be held at several locations. A full scale exercise may not be feasible since the risk of bringing down current systems exists.

All testing formats should involve a question and answer session and a review session. Information collected during an exercise, and discussed during a review of the exercise, that improves plan effectiveness should be incorporated into a revised version of the IT disaster plan.

Return to Information Security Program