IT CONTINUITY, BACKUP AND RECOVERY POLICY

Similar documents
Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 13 Business Continuity

Data Storage, Recovery and Backup Checklists for Public Health Laboratories

Table of Contents. Sample

DATA BACKUP AND RECOVERY POLICY

Trust Services Principles and Criteria

Certified Information Systems Auditor (CISA)

Introduction to Business continuity Planning

SECURITY & PRIVACY DOCUMENTATION

The Common Controls Framework BY ADOBE

University Information Technology Data Backup and Recovery Policy

Physical and Environmental Security Standards

INFORMATION SECURITY- DISASTER RECOVERY

Backup and Restore SOP FOR CONGO CLUSTER

DR Planning. Presented by. Matt Stolk Associate Director Northwest Regional Data Center Florida State University

Texas A&M AgriLife Research Procedures

Module 4 STORAGE NETWORK BACKUP & RECOVERY

Template. IT Disaster Recovery Planning: A Template

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 12 Contingency Planning

WHITE PAPER- Managed Services Security Practices

Business Continuity Plan

BME CLEARING s Business Continuity Policy

Identity Theft Prevention Policy

University Information Systems. Administrative Computing Services. Contingency Plan. Overview

DISASTER RECOVERY PRIMER

Security Standards for Electric Market Participants

Continuity of Business

UCLA AUDIT & ADVISORY SERVICES

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

SERVICE DESCRIPTION MANAGED BACKUP & RECOVERY

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification

Disaster Recovery Committee. Learning Resource Center Specialist

Lesson 10 Data and Hardware Protection

Juniper Vendor Security Requirements

Policy. Business Resilience MB2010.P.119

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Server Security Policy

Server Security Procedure

EA-ISP Business Continuity Management and Planning Policy

TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Financial CISM. Certified Information Security Manager (CISM) Download Full Version :

IT Services Policy/Policy Document

Physical and Environmental Security Policy Document Number: OIL-IS-POL-PES

Information Technology General Control Review

Back up and Restoration Policy. of VIJETA BROKING INDIA PRIVATE LIMITED

Information Security Policy

INFORMATION TECHNOLOGY SERVICES DISASTER RECOVERY PLAN

Projectplace: A Secure Project Collaboration Solution

Tuskegee Backup and Offsite Policy and Procedures

Business Continuity Plan Executive Overview

HIPAA RISK ADVISOR SAMPLE REPORT

Number: USF System Emergency Management Responsible Office: Administrative Services

Google Cloud Whitepaper September Data deletion on Google Cloud Platform

HP Designing and Implementing HP Enterprise Backup Solutions. Download Full Version :

Keys To Disaster Preparedness

EA-ISP-002 Business Continuity Management and Planning Policy

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Information Technology Disaster Recovery Planning Audit Redacted Public Report

Standard for Security of Information Technology Resources

POLICIES AND PROCEDURES

E-Security policy. Ormiston Academies Trust. James Miller OAT DPO. Approved by Exec, July Release date July Next release date July 2019

BusinessObjects XI Release 2

Information Technology Procedure IT 3.4 IT Configuration Management

Web Hosting: Mason Home Page Server (Jiju) Service Level Agreement 2012

University of Hawaii Hosted Website Service

Administration and Data Retention. Best Practices for Systems Management

SOUTH AFRICAN LIBRARY FOR THE BLIND (SALB)

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Data Security - Backup

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Aras Innovator 11. Backup and Recovery Procedures

Office of Presidential Libraries; Proposed Disposal of George H.W. Bush and Clinton. Agency: National Archives and Records Administration (NARA)

CANADIAN PAYMENTS ASSOCIATION LVTS RULE 11 CHANGE MANAGEMENT, TESTING AND CERTIFICATION

ISO27001 Preparing your business with Snare

Applications/Data To Include in Survey (include applications that meet one or more of the following criteria)

Network Security Policy

Infocomm Professional Development Forum 2011

EXHIBIT A. - HIPAA Security Assessment Template -

Standard: Data Center Security

Leveraging ITIL to improve Business Continuity and Availability. itsmf Conference 2009

NMHC HIPAA Security Training Version

SAS SOLUTIONS ONDEMAND

Have a Backup. Trainer Resource. This document is a reference and preparation sheet for the trainer, and a companion to the lesson plan.

Disaster Recovery Planning Blackout. Katrina

Checklist: Credit Union Information Security and Privacy Policies

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Introduction. How Does it Work with Autodesk Vault? What is Microsoft Data Protection Manager (DPM)? autodesk vault

emarketeer Information Security Policy

Apex Information Security Policy

Business Continuity Policy

Tintri Cloud Connector

Veeam Endpoint Backup

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

(Self-Study) Identify How to Back Up and Restore NetWare Systems

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Records Information Management

After the Attack. Business Continuity. Planning and Testing Steps. Disaster Recovery. Business Impact Analysis (BIA) Succession Planning

Google Cloud & the General Data Protection Regulation (GDPR)

State of Rhode Island Department of Administration Division of Information Technol

Transcription:

IT CONTINUITY, BACKUP AND RECOVERY POLICY IT CONTINUITY, BACKUP AND RECOVERY POLICY Effective Date May 20, 2016 Cross- Reference 1. Emergency Response and Policy Holder Director, Information Business Resumption Policy Technology Approver Executive Council Review Schedule Every 5 years Appendices 1. IT DRP and Backup Guidelines 1. Policy Statement 1.1. Grande Prairie Regional College ( GPRC or the Institution ) business operations rely on stable and constantly available Information Technology ( IT ) systems. Effective recovery plans are in place to ensure that IT services can be resumed within required recovery times in the event of a system disruption or disaster. 2. Background 2.1. A disruption, loss, damage or compromise of IT systems and data may negatively impact GPRC reputation and operations, resulting in significant costs to recover. Formal and comprehensive IT continuity, backup and recovery controls are necessary to mitigate such risks. 3. Policy Objective 3.1. The objective of this policy is to define formal requirements for IT continuity, backup and recovery, in order to prevent or mitigate the risk of IT system disruption or disaster, and allow for an efficient recovery of IT services and data in a timely manner. 4. Scope 4.1. This policy applies to all IT systems or applications managed by GPRC that store, process or transmit information, including network and computer hardware, software and applications. 4.2. This policy does not apply to information that is stored locally by users on desktops, laptops, tablets and mobile phones. Device owners are responsible for appropriate backup of the data stored locally on their mobile devices, with the exception of data synchronized with the device and stored on GPRC servers (such as Outlook emails and contacts). 5. Definitions 5.1. A BCP Business Continuity Plan is a comprehensive plan describing the strategy and necessary activities to recover from a significant disruption of business operations, including by relocating part or all personnel and system resources, making urgent decisions, and conducting business operations with diminished or altered capabilities. 5.2. A DRP Disaster Recovery Plan is a documented set of procedures describing the key activities that are necessary to recover minimum IT services, applications and data to continue critical business operations, and to fully recover such operations after a disaster affecting normal IT services. Page 1 of 8

IT CONTINUITY, BACKUP AND RECOVERY POLICY 5.3. A RTO Recovery Time Objective refers to the maximum tolerable length of time that a computer, system, network, or application can be down after a failure or disaster occurs. 6. Guiding Principles 6.1. IT systems that are critical to Institution activities must be clearly identified, as well as the potential risks of disruption that apply to them. 6.2. IT continuity, backup and recovery must be managed in accordance with: 6.2.1. The Emergency Response and Business Resumption Policy. 6.2.2. Guidelines contained in Appendix 1 of this policy. 6.3. Recovery Time Objectives ( RTOs ) of critical systems must be formally defined as per the business needs. 6.4. Procedures and technology must be in place and tested regularly to ensure: 6.4.1. Prevention against IT system disruption. 6.4.2. Regular and comprehensive backup of critical systems, applications and data. 6.4.3. Timely recovery of critical systems, in line with the business expectation or RTO. 7. Roles and Responsibilities Stakeholder Responsibilities Executive Council Approve and formally support this Policy. Vice-President Administration IT Director Review and formally support this Policy. Develop and maintain this Policy. Review and approve any exceptions to the requirements of this Policy. Take proactive steps to reinforce compliance of all stakeholders with this Policy. Communicate with the Institution, directly or through Institution representatives, in informal or formal instances, to understand the Institution needs and expectations, explain the capabilities of the existing technology in production, including backup and recovery capabilities. Page 2 of 8

IT CONTINUITY, BACKUP AND RECOVERY POLICY 8. Exceptions to the Policy 8.1 Exceptions to the guiding principles in this policy must be documented and formally approved by the IT Director. 8.2 Policy exceptions must describe: 9. Inquiries 8.2.1 The nature of the exception 8.2.2 A reasonable explanation for why the policy exception is required 8.2.3 Any risks created by the policy exception 8.2.4 Evidence of approval by the IT Director 9.1 Inquiries regarding this policy can be directed to the IT Director. 10. Amendments (Revision History) 10.1 Amendments to this policy will be published from time to time and circulated to the Institution community. Page 3 of 8

Appendix 1 IT DRP and Backup Guidelines 1. IT Disaster Recovery Plan 1.1. An IT Disaster Recovery Plan (IT DRP) must be formally documented and contain the following details: 1.1.1. Step-by-step procedures to recover critical IT systems and applications and restore data after a major disruption, including: 1.1.1.1. Emergency response to a major disruption 1.1.1.2. Initial recovery of the most critical IT systems 1.1.1.3. Full recovery of most critical systems, applications and data 1.1.1.4. Return to a normal situation 1.1.2. Clear roles and responsibilities. 1.1.3. List of critical systems and applications that are aligned with the BCP. 1.1.4. Detailed minimum requirements and specifications for the critical IT system components, including mapping of critical applications and data hosted on servers. 1.1.5. Salvage list of the most important items to be recovered in an emergency, including the location of the asset (e.g. building, floor, work area and cabinets). 1.1.6. Contact information of key resources, including phone numbers (daytime and nonworking hours), email and physical address where possible, for: 1.1.6.1. The IT emergency response team. 1.1.6.2. Other IT contacts (IT staff, 3 rd party IT supplier, application vendors, etc.). 1.1.6.3. Other business contacts (applications and system owners and administrators, key suppliers, customers and stakeholders, communication team, etc.). 1.2. The IT DRP plan must be reviewed and tested at least annually to ensure documented information is up to date and that all team members are aware of their responsibilities, roles and tasks to roll-out the plan effectively. 1.3. Regular tests of the IT DRP may include the following: 1.3.1. High-level plan walkthrough 1.3.2. Table top exercise 1.3.3. Simulation exercise 1.3.4. Test of the communication channels and call notification procedures 1.3.5. Data backup restoration 1.4. A copy of the IT DRP plan must be available off-site (using a laptop for example) and in-situ at each data-center. Page 4 of 8

2. Preventative Requirements 2.1. Protection from power failures or other electrical anomalies must be in place, including where possible: 2.1.1. Multiple power feeds or power supplies. 2.1.2. Uninterruptible Power Supplies (UPS) with sufficient running time for: 2.1.2.1. Switching to an alternative source of power 2.1.2.2. Backing-up IT systems or transferring data 2.1.2.3. Clean shut down of all IT systems. If equipment supporting critical business operations is not capable of auto-shutdown, then the equipment shall be powered down in accordance with an emergency shutdown procedure. 2.1.3. Back-up generators or other source of alternate/secondary power. 2.1.4. All power to critical IT infrastructure shall be filtered to provide a source of clean power. 2.1.5. All power supply equipment must be maintained, regularly checked and tested in accordance with the manufacturer s recommended instructions or procedures. 2.1.6. Surge protection shall be installed, wherever possible, to all buildings housing critical IT processing or infrastructure equipment. 2.2. Protection from environmental hazards must be in place, including where possible: 2.2.1. Hazardous or combustible materials shall not be stored within data-centres or datarooms. 2.2.2. Appropriate equipment must be installed in data-centres or data-rooms to monitor and react to fire, flood, high temperature, vibration, air quality and dust hazards. 2.3. Systems redundancy and high-availability equipment must be in place where appropriate. 3. Backup Procedures 3.1. Generic backup requirements 3.1.1. Contingency IT equipment must be in place where appropriate. 3.1.2. Backups of critical systems must cover system files, software files and data files, for both the running systems and the default system built image. 3.1.3. A combination of backup technology must be used to ensure the most efficient backup and recovery of operation services. Automated backups must be performed including one of the following solutions: 3.1.3.1. Network-Attached Storage (NAS) 3.1.3.2. Direct-Attached Storage (DAS) 3.1.3.3. Storage Area Network (SAN) 3.1.3.4. Replication and mirroring technologies 3.1.3.5. Backup management system, backup tapes and tape libraries 3.1.4. Different backup media must be used and retained for each backup type (i.e. daily, weekly, monthly, or any other defined period). Further, to ensure greater integrity of the backups, distinct backup media pools must be used where possible. Page 5 of 8

3.1.5. A Backup Manager must be designated with the responsibility of managing, operating, and troubleshooting backup solutions, as well as answering any requests related to backups and recoveries. 3.1.6. Quality and integrity of backups must be verified at the end of each backup operation. 3.1.7. Backup systems must be configured to automatically generate email alerts, warnings and status updates to the Backup Manager where possible. 3.2. Backup frequency and retention 3.2.1. The following approach, based on a Grandfather-Father-Son (GFS) schedule provides the minimum requirements for the backup of critical IT systems: 3.2.1.1. Daily backups: Differentials or incremental backups. 3.2.1.2. Weekly backups: Full backups. 3.2.1.3. Monthly backups: Full backups. 3.2.2. Daily backups are performed each day. The following backups are performed daily: 3.2.2.1. File-level backups of servers. 3.2.2.2. Recovery-level backups of servers. 3.2.3. Weekly backups are performed each weekend, during non-working hours. The following is performed: 3.2.3.1. File-level backups copied from disk to removable backup tape media. 3.2.3.2. Weekly backup media are stored off-site and retained for a minimum of four weeks. 3.2.4. Monthly backups are performed each month. The following is performed: 3.2.4.1. File-level backups copied from disk to removable backup tape media. 3.2.4.2. Monthly backup media are stored off-site and retained for 3 months. 3.3. Physical security of backup media and contingency IT equipment 3.3.1. Fallback or contingency equipment and backup media stored off-site must be at a sufficient distance to escape any damage from a disaster at the main site. 3.3.2. Long-term storage of backup data must meet the same basic physical and environmental control requirements in place for the critical IT systems in production. 3.3.3. Appropriate care of all backup media must be taken to preserve their integrity. Specifically, tapes must be stored according to the vendor recommendations and must not be exposed to sources of contamination, such as copiers and printers (that emit toner and paper dust), or high voltage electrical equipment (that emit electromagnetic radiation damageable to magnetic tapes). 3.3.4. Backup media reaching the end of their retention period, must be fully erased and recycled in the pool of available backup media. 3.3.5. Any damaged, corrupted or end of life tapes must be destroyed. 3.3.6. All backup media must be labelled and identified with a unique identifier. 3.3.7. A detailed inventory must be maintained at all times to track the position and status of all backup media. The use of an automated inventory system is acceptable but must be completed with regular verification of the true position and status of backup media. Page 6 of 8

3.3.8. Every physical transfer of backup media off-site must be formally tracked with the following criteria: 3.3.8.1. Date and time of transfer. 3.3.8.2. Origin and destination locations. 3.3.8.3. Name of the person and organization taking the responsibility of the transfer. 3.3.8.4. Detailed inventory of the media being transferred. 3.3.9. Backup media stored off-site must be encrypted; where this is not possible, mitigating controls should be considered. 3.3.10. Security controls must be implemented to prevent access to backup management systems, backup files and backup media, including: 3.3.10.1. Physical and logical access restriction based on the user role and responsibilities. 3.3.10.2. Changing all default login and passwords. 3.3.10.3. Logging of: system access; changes to system configuration, system files and user access rights; and access to the log files. 4. Recovery 4.1. Standard Restoration Process 4.1.1. All restore requests must be formally submitted to the IT Help Desk, who will sequence and address the request to the Backup Manager. Requests must detail the following: 4.1.1.1. Specific file(s) and / or folder(s) that are required to be restored. 4.1.1.2. From which server. 4.1.1.3. From which specific date. 4.1.1.4. To what restore location. 4.1.1.5. Whether the restored data should over-write the current data in the original location or not. 4.1.2. A detailed procedure for data restoration must be documented, including the restoration of data stored in both on-site and off-site backups. 4.2. Emergency Restoration 4.2.1. Emergency restoration must be formally approved by the IT Director. 4.2.2. Due care must be followed to prevent any loss of data or damage to backup media in an emergency. 4.2.3. Details of the backup restoration must be formally documented by the Backup Manager, after the emergency. Page 7 of 8

5. Roles and Responsibilities - Procedures Stakeholder Responsibilities IT Director Backup Manager Systems owners Supervisors or Institution representatives Users Develop and maintain this Policy. Review and approve any exceptions to the requirements of this Policy. Take proactive steps to reinforce compliance of all stakeholders with this Policy. Communicate with the Institution, directly or through Institution representatives, in informal or formal instances, to understand the Institution needs and expectations, explain the capabilities of the existing technology in production, including backup and recovery capabilities. Formally approve the backup and recovery policy. Formally approve the IT DRP. Report to the Vice President, Administration, the President and CEO as well as the Board of Governors. Ensure tools used for backup and recovery are configured as per this Policy. Ensure backups and recoveries are performed without issue and remediate any such issue. Answer and address requests to backup or to restore backed-up data or systems. Provide recommendations regarding the processes to backup and recover IT systems, applications and data, and participate in the development of the BCP and the IT DRP. Provide recommendations to improve or update this Policy. Identify the critical IT systems, applications and data necessary to support critical business operations. Define the minimum availability requirements for their systems, including Recovery Time Objectives (RTOs). Participate in the development of the BCP and the IT DRP. Participate in the development of the BCP and the IT DRP. Communicate with the IT group for any need, concern or question related to IT systems availability, IT backup and recovery services. Contact the Help Desk for any question or concern related to the technology. When a question or concern cannot be addressed by the Service Desk, contact their supervisor or representative. Backup their personal files stored locally on computers and mobile devices. Page 8 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback