Hong Kong Baptist University



Similar documents
Hong Kong Baptist University

How to write a DISASTER RECOVERY PLAN. To print to A4, print at 75%.

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT IT Backup, Recovery and Disaster Recovery Planning

Disaster Recovery Policy

DRAFT Disaster Recovery Policy Template

SECTION 15 INFORMATION TECHNOLOGY

Education and Workforce Development Cabinet POLICY/PROCEDURE. Policy Number: EDU-06 Effective Date: April 15, 2006 Revision Date: December 20, 2012

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS)

Disaster Recovery Plan Documentation for Agencies Instructions

IBX Business Network Platform Information Security Controls Document Classification [Public]

Business Continuity Planning and Disaster Recovery Planning

Technology Recovery Plan Instructions

San Francisco Chapter. Information Systems Operations

AUDITING A BCP PLAN. Thomas Bronack Auditing a BCP Plan presentation Page: 1

State of South Carolina Policy Guidance and Training

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Disaster Recovery Planning

CENTER FOR NUCLEAR WASTE REGULATORY ANALYSES

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

University of Liverpool

Disaster Recovery and Business Continuity Plan

Business Continuity Planning

Resource Ordering and Status System. User Business Resumption Plan

Business Continuity & Recovery Plan Summary

IT Disaster Recovery Plan Template

<Client Name> IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP

Supplier Security Assessment Questionnaire

Disaster Recovery Planning Process

Information Systems and Technology

Information Resources Security Guidelines

Attachment to Data Center Services Multisourcing Service Integrator Master Services Agreement

INSIDE. Preventing Data Loss. > Disaster Recovery Types and Categories. > Disaster Recovery Site Types. > Disaster Recovery Procedure Lists

15 Organisation/ICT/02/01/15 Back- up

This policy is not designed to use systems backup for the following purposes:

Disaster Recovery Plan Review Checklist. A High-Level Internal Planning Tool to Assist State Agencies with Their Disaster Recovery Plans

Identify and Protect Your Vital Records

ICT Disaster Recovery Plan

Disaster Prevention and Recovery for School System Technology

14/03/12 Updated Annex 1 to refer to current backup details. 15/03/12 Included section detailing NetApp filer data storage

2.1 To define the backup strategy for systems and data within the Cape Winelands District Municipality (CWDM).

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan

Prepared by Rod Davis, ABCP, MCSA November, 2011

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006

DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS

Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method

Does it state the management commitment and set out the organizational approach to managing information security?

DETAIL AUDIT PROGRAM Information Systems General Controls Review

Birkenhead Sixth Form College IT Disaster Recovery Plan

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE May 23, 2000.

OKHAHLAMBA LOCAL MUNICIPALITY

Offsite Disaster Recovery Plan

Business Continuity & Recovery Plan Summary

Policy Document. Communications and Operation Management Policy

MARQUIS DISASTER RECOVERY PLAN (DRP)

Massachusetts Institute of Technology. Functional Area Recovery Management Team Plan Development Template

What is Business Continuity Planning (BCP) / Disaster Recovery Plan(DRP)?

IT - General Controls Questionnaire

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

AUDIT GUIDELINES FOR SCHOOL DISASTER RECOVERY PLANNING

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery

Continuity of Business

INFORMATION GOVERNANCE POLICY: DATA BACKUP, RESTORE & FILE STORAGE HANDLING

Why cloud backup? Top 10 reasons

IT Service Management

Business Continuity and Disaster Recovery Planning

R345, Information Technology Resource Security 1

IT Security Standard: Computing Devices

Auditing in an Automated Environment: Appendix C: Computer Operations

Ohio Supercomputer Center

COMMERCIALISM INTEGRITY STEWARDSHIP. Back-up Policy & Guidance

Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP)

Virtual Disaster Recovery

Application / Hardware - Business Impact Analysis Template. MARC Configuration Requirements. Business Impact Analysis

Data Center Assistance Group, Inc. DCAG Contact: Tom Bronack Phone: (718) Fax: (718)

BACKUP STRATEGY AND DISASTER RECOVERY POLICY STATEMENT

HIPAA RISK ASSESSMENT

CIS 523/423 Disaster Recovery Business Continuity

TOSM Server Backup Service

How to Plan for Disaster Recovery and Business Continuity

Business Continuity Management

Running head: COMPONENTS OF A DISASTER RECOVERY PLAN 1

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

Transcription:

Hong Kong Baptist University Disaster Recovery Standard FOR INTERNAL USE ONLY Date of Issue: JULY 2012

Revision History Version Author Date Revision 1.0 Information Security Subcommittee (ISSC) July 2012 Initial Version Copyright Statement All materials in this document are, unless otherwise stated, the property of Hong Kong Baptist University ( HKBU or the University ), and protected by the copyright and other intellectual property laws. Reproduction or retransmission of the materials, in whole or in part and in any manner, without the prior written consent of HKBU, is an offence under the relevant laws. FOR INTERNAL USE ONLY - 2 -

1. Policy Statement HKBU shall develop a comprehensive Disaster Recovery Plan ( DRP ) to enable the sustained execution of centralised while mission-critical information technology ( IT ) services against any disasters, such as fire, vandalism, natural disaster, or system failure, etc. 2. Objective The objective of this document is to provide guidelines for the development of a comprehensive DRP. 3. Disaster Recovery Process The University shall develop a disaster recovery process, defining the rules, processes, and disciplines, to ensure that the critical IT services will continue to function if there is a failure of any kind. The main elements of the process should include: Identification of critical information resources contributing to the provision of the services, determination of the interdependencies among them and how the University business would be affected by their outage; Identification and rating of areas of vulnerability based on risk assessment; Mitigation of risks by developing system resilience; and Developing, documenting and testing DRPs; The Office of Information Technology ( ITO ) and respective departmental IT units should conduct a risk and business impact analysis on their information resources, including but not limited to IT infrastructure, hardware and software, data and information, and application systems. After analysing the potential risks, priority levels for the recovery should be assigned to each identified resource area on the basis of their importance and criticality to the University. FOR INTERNAL USE ONLY - 3 -

The following table can be used to classify the severity level of the resource areas involved: Classification Description a Mission Critical Critical for accomplishing the vision and mission of the University Can be performed only by computer processing No alternative manual processing capability exists Must be restored within 36 hours (Remarks: If need to be performed by computers only (automatic), the disaster recovery cost will be very high Assume the disaster recovery site is ready Department query about the disaster recovery site (provided by ITO or not) b Critical Critical for accomplishing the work of the University Primarily performed by computer processing Can be performed manually for a limited time Restoration process must start no later than 36 hours, and be completed within 5 days after the disaster has happened c Essential Essential in completing the work of the University Performed by computer processing Can be performed manually for an extended time period Can be restored as early as 5 days after the disaster has happened, but can afford to take a longer time d Non-critical Non-critical for accomplishing the work of the University Can be delayed until the damaged site is restored and/or a new computer system is purchased Can be performed manually ITO and respective departmental IT unit should produce a complete list of equipment, locations, vendors, and points of contact that are necessary for recovery of the Mission Critical and Critical resource areas after the disaster. A DRP should be developed thereafter by related units. FOR INTERNAL USE ONLY - 4 -

4. Disaster Recovery Plan The focus of a DRP is to restore the operability of the systems that support mission-critical and critical IT services which may have serious impact on the normal operations of the University. The DRP shall identify the resource areas to be covered, with detailed recovery procedures. The responsible staff should be recorded with clear areas of responsibility and line of accountability. According to the level of severity, different data/systems backup and recovery processes should be imposed. Proper records on the recovery incidents should be properly kept in a systematic way for audit purpose and problem tracing. 5. Data and Systems Backup In avoiding any loss of data, a set of comprehensive data and systems backup should be imposed which include: computer systems including applications and servers must be centrally backed up on a daily, weekly, monthly and yearly basis by rotating set of backup media. backup media, such as tapes, must be stored off-site in a secure fire-proof location. a daily log of all backups must be recorded in a log file and kept within the server room. data must be stored on the central server wherever possible to ensure that daily backups (or backups at other appropriate intervals) are taken. where data is stored on a standalone PC or a laptop, it is the responsibility of the owner of the PC and/or data to ensure that the data are securely and properly backed up. applications and hardware must have appropriate hardware and software support contracts in place. Uninterruptible power supply should be installed to protect data and hardware systems from damage due to electricity/generator facilities failure. data network connection to server rooms of critical systems must be designed for system resilience to prevent destruction of a particular network system/path which in turn will lead to failure in accessing critical University data. in case of a disaster that renders the data centre unusable, alternative arrangements for an appropriate disaster recovery site or a temporary computer room must be in place. documented procedures should be prepared for system housekeeping activities associated with computer and network management, such as start-up and shut-down procedures, data backup, equipment maintenance, computer room management and safety. FOR INTERNAL USE ONLY - 5 -

6. Testing, Review and Update Since the operations of the University and its IT infrastructure and information systems keep changing from time to time, the DRP should therefore be reviewed and updated at least annually to ensure that it is in alignment with the prevailing business objectives/requirements, and has taken into account the changing information resource environment. Periodic testing of the DRP should be performed in a simulated environment to ensure that it can be implemented in emergency situations, and that the University s senior management and all respective staff members understand their roles and know how the DRP is to be executed during the disaster. Test results should be reviewed and be used to update the DRP accordingly. 7. Summary The principal objective of the disaster recovery program is to develop, test and document a wellstructured and easily comprehensible plan which will help the University recover the operability of the systems that support mission-critical and critical business processes to normal operation as quickly as possible from an unforeseen disaster or emergency. The ITO/departmental IT management should ensure that an appropriate and up-to-date DRP be ready at all times to minimise the potential impact to mission-critical processes of the University/respective departments. FOR INTERNAL USE ONLY - 6 -

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information