Disaster Recovery
UI Backup & Recovery Policy
Jane Drews
December 8, 2005
 What is Disaster Recovery?
• Knowing how to react properly in an
  emergency is critical to making the right
  decisions to minimize damage and quickly
  restore operations.
• A disaster recovery plan provides concrete
  information and procedures to guide
  decisions and operations in times of crisis.
• A disaster recovery plan should be tailored
  to fit your operation and exposure to risk.
       Incident vs. Disaster
• An incident typically impacts a specific
  service or server. Examples of incidents
  include a compromised service resulting
  from a hacking attack, or the loss of a server
  due to an electrical problem isolated to that
  server.
• A disaster event is a significant or unusual
  incident that has long-term implications. An
  example of a disaster event would be the
  loss of a data center or server room due to a
  catastrophic fire.
     Unit DR Requirements
• Each unit has an obligation to the
  University to ensure it can continue to
  function, or restore function at a basic
  level, in the event of a disaster.
• Therefore, each unit is required to have
  a disaster recovery plan.
Unit Expectations Prior to Incidents
• Identified an alternate server in the
  case of the loss of a server
• Ability to perform a restoration from the
  ground up
• Ability to restore service to operational
  status which is fully patched and
  compliant with IT policy
Unit Expectations Prior to Disasters
• Services prioritized as to importance and
  order of restoration.
• Identify persons with the authority to declare
  a disaster.
• Estimate the number of days for service
  restoration, and identify and document
  alternative service plans for that
  length of time.
• Identify all resources needed (people and
  equipment) for restoration.
Unit Expectations Prior to Disasters, Cont.
• Location and process for retrieving backup media
  from remote site.
• Identification of a source for the quick acquisition of
  IT servers and workstations, including, if necessary,
  written or contractual agreements with outside
  entities.
• Procedure for the annual review of the unit plan,
  including education of all staff to ensure they are
  aware of and understand the plan.
• Identified multiple staff capable of restoring IT
  services.
     Decision-Making Process
•   Identification of Threat
•   Notification of Authority
•   Declaration of Disaster
•   Determination of Response
              Who Does What
• Each Department should identify a primary and
  secondary person for each of the following roles
   – Coordination: coordinates activities and makes command
     decisions, as related to the disaster, within the scope of the
     area. This person is essentially in charge of the disaster
     recovery.
   – Restoration: works with other staff and/or outside vendors
     to restore computers, or other technical systems, to the
     functionality needed for the area to operate, at a minimum,
     its critical services. This person may coordinate efforts of
     other technical staff.
   – Communication: handles communication with
     departmental staff and outside entities.
Disaster Communication Plan
• The IT Disaster Communication Plan is
  designed to provide an orderly flow of
  accurate, effective and timely information to
  the campus through colleges and
  departments during the onset of a crisis
  situation, or a situation of potential crisis
  affecting the University of Iowa campus
  telephone, data network, and computer and
  information systems.
Incident Escalation and Communications
• The entity responsible for support of a
  system or network which is under attack, or
  which is experiencing a natural or
  technological problem, is expected to:
  – Report the problem to the University IT Security
    Officer
  – Block or prevent escalation of the attack, if
    possible
  – Repair the resulting damage
  – Restore service to its former level, if possible
  – Preserve evidence, where appropriate
        Disaster Prevention

•   Physical Protections
•   Technical Redundancies
•   Monitoring and Reviews
•   Off-Site Backups
Unit Disaster Recovery Planning

http://cio.uiowa.edu/itsecurity/documents/Enterprise-IT-Disaster-Plan.pdf

Detailed Unit Planning Guide in Part 6,
 and links to sample planning forms.
 Backup and Recovery Policy
• Version 1 requirements (prior to November 2005)

   – Backups of Institutional data required; system must be fully
     recoverable
   – Retain backups for minimum 30 days
   – Three versions of data
   – One fully recoverable backup at secure off-site location
   – Workstation data on networked file server drive for backup
   – Backup and Recovery process must be documented
   – Recovery process tested at least annually
 Backup and Recovery Policy
• Version 2 Refinements (after November 2005)

   – “Institutional data” replaced by “UI Records” (from UI RMP)
     to provide specificity and clarity
   – “Secure off-site location” is defined and must be approved
       •   A separate university building location
       •   Off-Site storage vendor
       •   Prohibits employees from taking backups home
       •   References new ITS service for media storage
   – Reinforces options for backup of UI Records data on
     workstations, laptops, portables
       • Backup of local data to network file server drive
       • Store data directly on network file server drive
       • Use approved 3rd party vendor for desktop data backups
Backup and Recovery Policy

http://cio.uiowa.edu/Policy/policy-backup-recovery.htm

Revised policy, with link to UI Records
 Management Program.

								