10.8 Contingency and Disaster Recovery Planning
10.8 Contingency and Disaster Recovery Planning
Copyright(c), 1995 - Management Analytics - All Rights Reserved
Management officials who are dependent upon IT systems for the
support of essential functions are responsible for the development and
maintenance of contingency plans for these functions. The contingency
planning process will address the following activities:
-
1. Backup and retention of data and software;
-
2. Selection of a backup or alternate operations strategy;
-
3. Emergency response actions to be taken to protect life
and property and minimize the impact of the emergency;
-
4. Actions to be accomplished to initiate and effect
backup or alternate site; and
-
5. Resumption of normal operations in the most efficient
and cost-effective manner.
Each DOC IT system shall develop and maintain in a current state, a
contingency plan for disaster recovery which will provide reasonable
assurance that critical data processing support can be continued, or
resumed quickly, if normal operations of the system are interrupted.
These plans will include adequate coverage of:
-
1. Emergency response procedures appropriate to fire,
flood, civil disorder, natural disaster, bomb threat or
any other incident or activity which may endanger
lives, property or the capability to perform essential
functions. These emergency procedures will be
prominently displayed in the areas to which they apply;
-
2. Arrangements, procedures and responsibilities will be
defined and documented to ensure that essential
(critical) operations can be continued if normal
processing or data communications are interrupted for
any reason for an unacceptable period of time;
-
3. Recovery procedures and responsibilities to facilitate
the rapid restoration of normal operations at the
primary site, or if necessary, at a new facility,
following the destruction, major damage or other
interruptions at the primary site; and
-
4. The minimally acceptable level of degraded operation of
the essential (critical) systems or functions will be
identified and prioritized to guide implementation at
the backup operational site. The contingency plan must
accommodate these priorities.
The plan for large systems supporting essential Departmental or
agency functions shall be fully documented. Small systems, such as
those located in office environments, may develop a more abbreviated and
less formal plan. All plans must be operationally tested at a frequency
commensurate with the risk and magnitude of loss or harm that could
result from disruption of information processing support, but not to
exceed one year.
Section 8 of the "DOC IT Security Manual" contains specific
information and guidance concerning contingency and disaster recovery
planning.