Hong Kong Baptist University

Transcription

1 Hong Kong Baptist University Disaster Recovery Standard FOR INTERNAL USE ONLY Date of Issue: JULY 2012

2 Revision History Version Author Date Revision 1.0 Information Security Subcommittee (ISSC) July 2012 Initial Version Copyright Statement All materials in this document are, unless otherwise stated, the property of Hong Kong Baptist University ( HKBU or the University ), and protected by the copyright and other intellectual property laws. Reproduction or retransmission of the materials, in whole or in part and in any manner, without the prior written consent of HKBU, is an offence under the relevant laws. FOR INTERNAL USE ONLY - 2 -

3 1. Policy Statement HKBU shall develop a comprehensive Disaster Recovery Plan ( DRP ) to enable the sustained execution of centralised while mission-critical information technology ( IT ) services against any disasters, such as fire, vandalism, natural disaster, or system failure, etc. 2. Objective The objective of this document is to provide guidelines for the development of a comprehensive DRP. 3. Disaster Recovery Process The University shall develop a disaster recovery process, defining the rules, processes, and disciplines, to ensure that the critical IT services will continue to function if there is a failure of any kind. The main elements of the process should include: Identification of critical information resources contributing to the provision of the services, determination of the interdependencies among them and how the University business would be affected by their outage; Identification and rating of areas of vulnerability based on risk assessment; Mitigation of risks by developing system resilience; and Developing, documenting and testing DRPs; The Office of Information Technology ( ITO ) and respective departmental IT units should conduct a risk and business impact analysis on their information resources, including but not limited to IT infrastructure, hardware and software, data and information, and application systems. After analysing the potential risks, priority levels for the recovery should be assigned to each identified resource area on the basis of their importance and criticality to the University. FOR INTERNAL USE ONLY - 3 -

4 The following table can be used to classify the severity level of the resource areas involved: Classification Description a Mission Critical Critical for accomplishing the vision and mission of the University Can be performed only by computer processing No alternative manual processing capability exists Must be restored within 36 hours (Remarks: If need to be performed by computers only (automatic), the disaster recovery cost will be very high Assume the disaster recovery site is ready Department query about the disaster recovery site (provided by ITO or not) b Critical Critical for accomplishing the work of the University Primarily performed by computer processing Can be performed manually for a limited time Restoration process must start no later than 36 hours, and be completed within 5 days after the disaster has happened c Essential Essential in completing the work of the University Performed by computer processing Can be performed manually for an extended time period Can be restored as early as 5 days after the disaster has happened, but can afford to take a longer time d Non-critical Non-critical for accomplishing the work of the University Can be delayed until the damaged site is restored and/or a new computer system is purchased Can be performed manually ITO and respective departmental IT unit should produce a complete list of equipment, locations, vendors, and points of contact that are necessary for recovery of the Mission Critical and Critical resource areas after the disaster. A DRP should be developed thereafter by related units. FOR INTERNAL USE ONLY - 4 -

5 4. Disaster Recovery Plan The focus of a DRP is to restore the operability of the systems that support mission-critical and critical IT services which may have serious impact on the normal operations of the University. The DRP shall identify the resource areas to be covered, with detailed recovery procedures. The responsible staff should be recorded with clear areas of responsibility and line of accountability. According to the level of severity, different data/systems backup and recovery processes should be imposed. Proper records on the recovery incidents should be properly kept in a systematic way for audit purpose and problem tracing. 5. Data and Systems Backup In avoiding any loss of data, a set of comprehensive data and systems backup should be imposed which include: computer systems including applications and servers must be centrally backed up on a daily, weekly, monthly and yearly basis by rotating set of backup media. backup media, such as tapes, must be stored off-site in a secure fire-proof location. a daily log of all backups must be recorded in a log file and kept within the server room. data must be stored on the central server wherever possible to ensure that daily backups (or backups at other appropriate intervals) are taken. where data is stored on a standalone PC or a laptop, it is the responsibility of the owner of the PC and/or data to ensure that the data are securely and properly backed up. applications and hardware must have appropriate hardware and software support contracts in place. Uninterruptible power supply should be installed to protect data and hardware systems from damage due to electricity/generator facilities failure. data network connection to server rooms of critical systems must be designed for system resilience to prevent destruction of a particular network system/path which in turn will lead to failure in accessing critical University data. in case of a disaster that renders the data centre unusable, alternative arrangements for an appropriate disaster recovery site or a temporary computer room must be in place. documented procedures should be prepared for system housekeeping activities associated with computer and network management, such as start-up and shut-down procedures, data backup, equipment maintenance, computer room management and safety. FOR INTERNAL USE ONLY - 5 -

6 6. Testing, Review and Update Since the operations of the University and its IT infrastructure and information systems keep changing from time to time, the DRP should therefore be reviewed and updated at least annually to ensure that it is in alignment with the prevailing business objectives/requirements, and has taken into account the changing information resource environment. Periodic testing of the DRP should be performed in a simulated environment to ensure that it can be implemented in emergency situations, and that the University s senior management and all respective staff members understand their roles and know how the DRP is to be executed during the disaster. Test results should be reviewed and be used to update the DRP accordingly. 7. Summary The principal objective of the disaster recovery program is to develop, test and document a wellstructured and easily comprehensible plan which will help the University recover the operability of the systems that support mission-critical and critical business processes to normal operation as quickly as possible from an unforeseen disaster or emergency. The ITO/departmental IT management should ensure that an appropriate and up-to-date DRP be ready at all times to minimise the potential impact to mission-critical processes of the University/respective departments. FOR INTERNAL USE ONLY - 6 -