Information Resource Management Directive 5000.13 USAP Contingency & Disaster Recovery Program



Similar documents
Information Resource Management Directive USAP Information Security Risk Management

Information Resource Management Directive USAP Information Security Architecture

Information Resource Management Directive USAP Information Security Awareness, Training and Education Program

Information Resource Management Directive The USAP Security Assessment & Authorization Program

Information Resource Management Directive USAP Software Management and Protection

Information Resource Management Directive USAP Information Security Incident Management

United States Antarctic Program Information Resource Management Directive The USAP Information Security Program

SCOPE; ENFORCEMENT; AUTHORITY; EXCEPTIONS

Checklist For Business Recovery

Disaster Recovery Planning Process

SECTION 15 INFORMATION TECHNOLOGY

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Information Security for Managers

MANAGEMENT AUDIT REPORT DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

Office of Inspector General

How To Check If Nasa Can Protect Itself From Hackers

Disaster Recovery and Business Continuity Plan

SAS 70 Exams Of EBT Controls And Processors

Audit, Finance and Legislative Committee Mayor Craig Lowe, Chair Mayor-Commissioner Pro Tem Thomas Hawkins, Member

Office of Inspector General

Why Should Companies Take a Closer Look at Business Continuity Planning?

Unit Guide to Business Continuity/Resumption Planning

LONDON PUBLIC LIBRARY POLICY

Ohio Supercomputer Center

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

Overview of how to test a. Business Continuity Plan

NOTICE: This publication is available at:

Identify and Protect Your Vital Records

University of Sunderland Business Assurance Information Security Policy

COMMERCIALISM INTEGRITY STEWARDSHIP. Back-up Policy & Guidance

Hospital Emergency Operations Plan

Federal Information Security Management Act FY 2013 Independent Evaluation Report, Report Number

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

ESKITP6036 IT Disaster Recovery Level 5 Role

IBM Internet Security Systems October FISMA Compliance A Holistic Approach to FISMA and Information Security

Standard Operating Procedure Contingency Planning Guidance

Compliance Risk Management IT Governance Assurance

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

Disaster Recovery Policy

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

AUDIT REPORT. The Energy Information Administration s Information Technology Program

FACT SHEET: Ransomware and HIPAA

Education and Workforce Development Cabinet POLICY/PROCEDURE. Policy Number: EDU-06 Effective Date: April 15, 2006 Revision Date: December 20, 2012

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

MEETING: DATE: TYPE OF ACTION: STAFF CONTACT: PHONE:

REGIONAL CENTER DISASTER RECOVERY PLAN

Office of Inspector General

15 Organisation/ICT/02/01/15 Back- up

Information Security Series: Security Practices. Integrated Contract Management System

Offsite Disaster Recovery Plan

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

R345, Information Technology Resource Security 1

THORNBURG INVESTMENT MANAGEMENT THORNBURG INVESTMENT TRUST. Business Continuity Plan

Final Audit Report -- CAUTION --

March 2007 Report No FDIC s Contract Planning and Management for Business Continuity AUDIT REPORT

Office 365 Data Processing Agreement with Model Clauses

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

TRENDS AND DEVELOPMENTS IN INFORMATION GOVERNANCE AND RECORDS MANAGEMENT. Key Concepts Defined. Key Concepts Defined 4/30/2015

How To Write A Health Care Security Rule For A University

July 30, Internal Audit Report Information Technology Business Continuity Plan Information Technology Department

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

National Information Assurance Certification and Accreditation Process (NIACAP)

<Client Name> IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP

IT Disaster Recovery Plan Template

Overview. FedRAMP CONOPS

Coconino County Community College District

Select Agent Program Workshop November 2012

GEARS Cyber-Security Services

HIPAA Security Matrix

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

B U S I N E S S C O N T I N U I T Y P L A N

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

DRAFT Disaster Recovery Policy Template

Risk-Based Assessment and Scoping of IV&V Work Related to Information Assurance Presented by Joelle Spagnuolo-Loretta, Richard Brockway, John C.

Risk Management Guide for Information Technology Systems. NIST SP Overview

CISM Certified Information Security Manager

Summary of CIP Version 5 Standards

Report of Evaluation OFFICE OF INSPECTOR GENERAL. OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s. Management Act.

Missouri Student Information System Data Governance

Minimum Security Requirements for Federal Information and Information Systems

The Technology Trilogy:

D2-02_01 Disaster Recovery in the modern EPU

Office of Inspector General

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

USGS Guidelines for the Preservation of Digital Scientific Data

Review of Information Technology s Data System Backup and Disaster Recovery Process Page 2 of 10 September 30, 2013

Security Architecture. Title Disaster Planning Procedures for Information Technology

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Information Services IT Security Policies B. Business continuity management and planning

Hawaii Behavioral Health. Information Technology. Contingency Plan Version: 1.0. Carla Gross Chief Operating Officer

Client information note Assessment process Management systems service outline

Transcription:

The National Science Foundation Polar Programs United States Antarctic Program Information Resource Management Directive 5000.13 USAP Contingency & Disaster Recovery Program Organizational Function Policy Category Subject Office of Primary Responsibility Information Resource Management Information Security Policies and Instructions Contingency & Disaster Recovery National Science Foundation Geosciences Directorate Division of Polar Programs Antarctic Infrastructure & Logistics Policy Number Issue Date Effective Date Updated Authorized By Responsible Official 5000.13 1 August 2004 1 August 2004 12 May 2013 Section Head, NSF/GEO/PLR/AIL Primary Responsibility: Mr. Patrick D. Smith Technology Development Manager Address Distribution Online Publication Suite 755 4201 Wilson Blvd Arlington, VA 22230 USAP-Wide http://www.usap.gov/technology/contenthandler.cfm?id=1563 Phone Fax Web Status Security Responsibility: Ms. Desari Mattox Information Security Manager 703.292.8588 703.292.9080 http://www.nsf.gov/div/index.jsp?div=plr Final Policy 1. PURPOSE This directive establishes the program to develop and maintain a Contingency & Disaster Recovery (C&DR) Program for the National Science Foundation (NSF), Geosciences Directorate (GEO), Polar Programs (PLR), United States Antarctic Program (USAP). This program includes contingency and disaster recovery planning for information systems supporting USAP science and operations activities. The program shall create plans for contingency and disaster response. These plans will be tested periodically to ensure they reflect current operating conditions and address current threats. 2. BACKGROUND Federal information technology regulations presented in OMB Circular A-130 and supporting legislation require USAP information systems to have plans for contingencies Page 1

and disaster recovery, to determine the proper actions to accomplish in the event of a disaster. An effective contingency and disaster recovery program ensures science and operations activities continue at locations not affected by the disaster while recovery proceeds at the affected site. 3. GUIDING PRINCIPLES The USAP Contingency & Disaster Recovery Program shall be developed following existing NSF and NIST guidelines. The USAP Contingency & Disaster Recovery Program will require the involvement of all USAP participants to ensure an effective response to contingencies and disasters. The USAP Contingency & Disaster Recovery Program must incorporate the physical and logistical limitations of the USAP operating locations. The USAP Contingency & Disaster Recovery Program will be aligned with the PLR Emergency Response Program 4. POLICY The USAP shall establish a program to develop, maintain, and evaluate plans to appropriately respond to a wide range of contingencies and disasters that may occur at all of the USAP operating locations. The plans shall describe the actions to be taken before, during and after events that disrupt essential information system operations. 4.1 Operational Definitions 4.1.1 Contingency Planning A coordinated strategy involving plans procedures and technical measures that enable the recovery of information systems, operations and data after disruption. Such measures may necessitate relocating IT systems and operations to an alternate location, using alternate equipment to recover IT functions, or performing IT functions using manual methods. 4.1.2 Contingency Plan The contingency plan is a set of procedures created to restore operations to normal conditions. A contingency plan must involve procedures for preparation, testing, and updating the actions required to protect critical processes from the effects of major system and network failures. An IT contingency plan must also identify essential and sensitive activities and their supporting information systems. 4.2 Contingency Response 4.2.1 Station Contingency Plan Each USAP operating location shall have an Information Systems Contingency Plan that addresses contingencies and potential disasters for each Major Application and General Support System in use at that location. The plan will be integrated with the larger station Page 2

emergency response plan for that location, and will be consistent with PLR guidelines for emergency response within the USAP. The plan will be based on a risk assessment of conditions at the location. The station manager will ensure that an Information Systems Contingency Plan is created for their location. The station Information Systems Contingency Plan will be integrated with other station disaster response and recovery plans, and with the station Information Security Incident Response Capability (see 5000.12, USAP Incident Response Capability). 4.2.2 System Contingency Plans Each Major Application and General Support System will have a contingency and disaster response plan. The system owner will ensure that an Information Systems Contingency Plan is created for their system, following NSF and NIST guidelines. Where a system exists at multiple locations, the system owner will create a basic plan, and local IT managers will augment the plan with their site-specific responses. 4.2.3 Information Systems Contingency Response Coordinator The station IT manager serves as the coordinator for response to contingencies and disasters affecting station information systems. Where the contingency or disaster affects more than just station information systems, the station IT manager integrates their activities as directed by the station manager and station disaster response procedures. 4.2.4 Station Risk Assessment The USAP ISM and station management will prepare a risk assessment for each station that considers the station s unique features and limitations. The USAP ISM, in consultation with the station IT managers, will establish a list of potential contingency and disaster situations for each station. The list will evaluate the probability of occurrence and the severity of occurrence, and will be used to assist in the risk management process for that station. The risk assessment will follow NSF and NIST guidelines for risk assessments. The risk assessment will address threats and contingencies specific to the station, in the areas of natural disaster, environmental threats, and human originated threats, either accidental or malicious. The risk assessment will be reviewed annually according to NSF guidelines. 4.2.5 Prioritization of Recovery The USAP Technology Manager will prioritize activities and their supporting information systems at each location to determine the criticality of each system and the order of restoration during a contingency or disaster situation. The USAP Information Security Manager, with support from the Prime Contractor, will establish and maintain a list of mission essential operations systems, and their components, for each site. This list will be part of the station contingency plan. Prioritization will address the information s categorization, as identified in USAP Information Security Policy 5000.3, Information Categorization. Page 3

4.2.6 Contingency Response Resource Each station manager will establish a contingency response team and staff it according to the station s needs. Contingency Team members may not necessarily be the same resources as assigned to the Incident Response team. Each station IT manager will maintain a checklist for each team position that assigns responsibility for the tasks each team member will be expected to complete during a contingency or disaster. The station IT manager will train personnel assigned to the Contingency Team, as well as those responsible for specific systems. 4.2.7 Contingency Plan Testing The USAP Prime Contractor will test at minimum, one component from each General Support System and each Major Application at least annually. The testing will be organized to test all plan elements and all related operations procedures. Where possible, the testing will be integrated with the testing of other site response plans. After each test of a plan element, the Prime Contractor will forward an After Action report to the USAP Information Security Manager. The report will include lessons learned from the testing, deficiencies noted during the testing, and a plan to remedy those deficiencies. The USAP Information Security Manager will ensure funding is included in the annual budget to support the Contingency Testing program. The USAP ISM will include a proposed test program in the annual update of the USAP Information Security Plan. 4.3 Information Systems Recovery 4.3.1 Alternate Operating Capability Each USAP operating location will have a designated alternate location for establishing temporary control of information resources during a contingency or disaster. Normally such a site will be geographically removed from the immediate disaster location. For the Antarctic research stations, the alternate location will be isolated from the primary operations to the extent possible. 4.3.2 System Redundancy The Prime Contractor, as manager of the USAP infrastructure, will determine and implement a cost-effective means for providing redundant operations at all stations. This includes maintaining suitable spares or replacement equipment for all mission essential systems. 4.3.3 Information Back-Up and Recovery The Prime Contractor shall establish operations procedures for creating, maintaining, and storing information backup media to support contingency response and disaster recovery activities at each operating location. Each station s procedures for data backup will include a schedule for daily, weekly, and monthly backups. Each station shall establish media control procedures that include steps for the preparation of media for reuse, or destruction. Using the Recovery Prioritization list, each station will prepare an information backup plan that ensures information is saved according to its priority for recovery. Page 4

4.3.4 Information Retention and Archive Backup media should be retained on station for operational use up to one year after its creation. One year after its creation, backup media will be reviewed, and if appropriate, archived to comply with guidance from the National Archives and Records Administration. Every six months, or at the end of each operational season, the station IT managers will review all backup media to identify archival data. Archival data will be removed to the program headquarters facility for disposition and storage. Backup media that has passed the one-year retention point and is not scheduled for archiving will be prepared for reuse, or destroyed if appropriate. Station IT managers may forward their backup media to the program headquarters for storage if space limitations preclude onsite storage. 4.3.5 Offsite Storage of Backup Material Where possible, backup media will be stored at a suitable off-site location. For locations where off-site storage is not practicable, such as the Antarctic research stations and vessels, the station manager will designate an appropriate facility to serve as the off-site storage of backup media. A suitable facility is one within reasonable distance of the main station, but not likely to be immediately threatened by the contingency or disaster. The nature of vessel operations precludes the use of an offsite or removed facility. Vessel backup material will be stored in an appropriate location aboard the ship, but removed from the main IT area. 5. APPLICABILITY AND COMPLIANCE This policy applies to all information resources, systems, and technology and to all users of these resources, systems and technology within the USAP operating environment or connected to the USAP information infrastructure. Compliance with this policy is as indicated in USAP Information Resource Management Directive 5000.01, The USAP Information Security Program. 6. RESPONSIBILITIES 6.1 Section Head, Antarctic Infrastructure & Logistics (AIL) The Section Head, AIL, ensures a comprehensive cost-effective security program is in place to protect NSF USAP information systems. After recovery from a contingency or disaster is complete, the Section Head, AIL, or their designated representative approves the return to normal system operations. 6.2 Technology Development Manager, Antarctic Infrastructure & Logistics (AIL) The AIL Technology Development Manager coordinates Information Systems Contingency and Disaster Response with other USAP participant organizations, and with other NSF staff elements. Page 5

NSF OPP 5000.13 Contingency and Disaster Recovery Plan Effective Date: 1 August 2004 6.3 USAP Information Security Manager The USAP Information Security Manager manages the Information Systems Contingency & Disaster Response program. The ISM will establish processes and procedures for enterprise contingency response and recovery. The ISM supports the development of procedures by each USAP organization, and maintains awareness of the external threat environment. 6.4 USAP Information Systems Managers and Administrators The information system managers and administrators have a significant role in the successful response to and recovery from information security contingencies and disasters. Depending on the circumstances, the system managers and administrators will usually provide the technical expertise at the core of the response. 7. POLICY IMPLEMENTATION 7.1 Guiding Standards The USAP Contingency & Disaster Response program will be based on existing federal and NSF directives. 7.2 Publication of Contingency Procedures. Each USAP participant organization will establish internal procedures for implementing this policy, and provide copies to the USAP Information Security Manager. The USAP procedures will implement NSF guidance and appropriate federal regulations. The participant organizations will coordinate their procedures with the PLR Emergency Response Working Group to ensure compliance with PLR Emergency Response Guidelines. 8. AUTHORITY Publication of this policy is in conformance with the authority of the National Science Foundation Act of 1950, as amended and extended, the Federal Information Security Management Act of 2002 and NSF guidance. Brian Stone Section Head, NSF/GEO/PLR/AIL Page 6

REVISION/CHANGE RECORD Pages Date Version Author/Reviewer Reason for Change All 6/9/2011 1.0 Matthew Rogers All 5/3/2012 2.0 Alex Jerasa All 5/12/2013 3.0 Desari Mattox Verified alignment with NIST Special Publication 800-53 Revision 2. Changed ISM name. Updated key contacts and conducted FY12 review Updated OPP and AIL titles to align with NSF re- organization & Verify alignment with NIST SP 800-53 rev 3. Page 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information