Disaster Recovery. Example Policy. Author: A Heathcote Date: 24/05/2017 Version: 1.0

Transcription

1 Example Policy Author: A Heathcote Date: 24/05/2017 Version: 1.0 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

2 Contents 1 Purpose 3 2 Scope 3 3 Applicability 3 4 Guidance 3 Terminology 3 Policy 3 General 4 Disaster Recovery Plan 4 Responsibilities 5 Training and Awareness 5 Management and Implementation 6 Testing 6 5 Key Words 6 Copyright 2017 Health and Social Care Information Centre. 2

3 1 Purpose The purpose of this Disaster Recovery Example Policy is to provide exemplar guidance in line with HMG and private sector best practice for the production of an organisation wide Disaster Recovery Policy. This is in order to allow the reader to produce the necessary policy and guidance for their business area and to ensure that the applicable and relevant security controls are set in place in line with the Department for Health, the wider NHS, health and social care and HMG requirements. 2 Scope The drafting of any policy governing the production of a Disaster Recovery Policy for NHS systems, devices or applications and information deployed in support of NHS or health and social care business functions. 3 Applicability This Example Policy is applicable to and designed for use by any NHS, health and social care or associated organisations that use or have access to NHS systems and/or information at any level. 4 Guidance This Example Policy provides guidance on the production of a Disaster Recovery Policy. The Example Policy is in italics with areas for insertion shown as <> and the rationale for each paragraph or section, where required, in [.]. Terminology Term SHALL SHOULD MAY Definition This term is used to state a Mandatory requirement of this policy This term is used to state a Recommended requirement of this policy This term is used to state an Optional requirement Policy The Disaster Recovery Policy shall be used to enable <insert name of organisation> to produce, implement, test and manage the necessary disaster recovery measures on <insert name of organisation> IT systems to enable a structured recovery post an IT or information loss incident. This policy supports and is linked to the <insert name of organisation> Business Continuity and Forensic Readiness policies. [The aim of this section is to state the objectives and aims of the disaster recovery policy. If applicable for the organisation it may be required to relate it to the overall business continuity approach for the organisation.] Copyright 2017 Health and Social Care Information Centre. 3

4 General <Insert name of organisation> Information Asset Owners (IAOs) and the associated Business Owner, with the Senior Information Risk Owner (SIRO) shall: Identify, locate and prioritise NHS and other Government data/information for its importance to <insert name of organisation> and the wider NHS business functions. This will be driven by the Business Continuity requirements. Identify the single points of failure within the <insert name of organisation> IT networks and IT systems. Identify the essential data stores, data bearers and software (operating systems and applications) for the <insert name of organisation> business. [This section should be used to identify the core requirements of disaster recovery as they apply to the organisation. For larger organisations with their own IT the identification of where the critical information is held and points of failure should be possible from within the IT services/operations; however, where the IT is outsourced, particularly for smaller organisations, the policy will need to either require the outsourced provider to identify these elements or state that any contract with the provider will require these objectives to be met.] Using the above information, the <insert name of organisation> IAOs and the SIRO with the Chief Information Security Officer (CISO) shall: Ensure that <insert name of organisation> has a comprehensive backup process that supports the identified and prioritised data stores, bearers and essential software. Produce a Disaster Recovery Plan that meets the business continuity requirements and will enable forensic recovery to take place if required. The requirements of the Disaster Recovery Plan shall be related to the Business Continuity Plan and the Backup policy to ensure the approach is holistic. [This part of the section relates to the requirement for disaster recovery/back-up plans to be produced. For larger organisations, the Disaster Recovery Plan will probably be produced in-house and relate to business continuity. For smaller organisations, the disaster recovery and back-up plans may be possible to be joined; it is also likely that as the IT is provided by an outsourced third party provider the policy will require the plans to be part of the contract. Within smaller organisations the roles of SIRO and CISO, maybe also ISAO, will be within the information governance lead function.] Disaster Recovery Plan A Disaster Recovery Plan shall be produced to enable data and IT systems/functionality to be recovered in a structured and managed manner post an incident. The Disaster Recovery Plan shall support the requirements of Business Continuity. The Plan shall be regularly tested, this should be at least annually. The Plan should cover: Ownership which post owns and controls the plan Responsibilities identification of roles and their responsibilities Identification of critical assets with priority order for recovery/business functionality Copyright 2017 Health and Social Care Information Centre. 4

5 Capabilities identified internal and external capabilities Resources allocation of tasks to resources, internal and external Task flow including: Points of contact Relationship to incident management team Recovery processes and actions in a structured order Recording of recovery actions taken and time when assets recovered/restored. Post Action Review lessons learnt. Test Schedule. [The size and complexity of the Disaster Recovery Plan will vary according to the size and type of information processed by the organisation, and whether it is outsourced. The above outline is the recommended minimum policy requirement for such a Plan; however, for smaller organisations where the IT is outsourced the policy may need to be altered to reflect that the above requirements should be contractually required form their provider.] Responsibilities The following roles shall undertake the responsibilities listed: Senior Information Risk Owner (SIRO) coordinate the development and maintenance of the Disaster Recovery Plan ensuring it relates to the <insert name of organisation> Business Continuity Plan. Disaster Recovery Plan Manager maintains the Plan on behalf of the SIRO ensuring that testing is undertaken. A post shall be allocated for this role. Information Asset Owners (IAOs) and Business Owners ensure that the requirements from the Disaster Recovery planning are adequately considered and documented for all information assets of which they have ownership; and, enable the recovery to be enacted. Line Managers - ensure that staff follow the <insert name of organisation> Disaster Recovery Plan procedures. Chief Information Security Officer (CISO) management of disaster recovery procedures relating to IT and information security. [For smaller organisations, the roles of SIRO and CISO may be undertaken as a secondary role by senior partners or the owners of the business; provided the individual/role identified is one that is in a position to make informed, executive decisions that are appropriate for the SIRO and CISO functions. These roles may be part of the information governance lead; as may be the case for the IAO role(s) where the size does not merit individual SIRO, CISO and IAO roles.] Training and Awareness Personnel who are required to undertake specific technical and functional roles associated with disaster recovery shall be trained and formally qualified to complete this specialist function. Copyright 2017 Health and Social Care Information Centre. 5

6 All <insert name of organisation> staff, including third parties, shall be made aware of the requirements of the <insert name of organisation> Disaster Recovery Plan and its Procedures. [A policy should outline the requirement for personnel to be appropriately trained and made aware of the disaster recovery requirements. The specific training and roles which require it, or the necessity to mandate in third party contracts that the provider (e.g. IT provider) has trained and appropriately skilled people, would be detailed in the actual Disaster Recovery Plan.] Management and Implementation The Disaster Recovery Policy and the resulting Disaster Recovery Plan shall be reviewed and re-issued annually or upon identification of a change in procedure or lesson learnt. The effectiveness of the Policy and Plan shall be monitored through audits and tests (external and internal) and from lessons learnt during any business continuity activity. [It is essential that the Plan is reviewed and audited, as well as tested regularly, and the requirement for this should be included in the Policy. The actual processes should be covered in the Disaster Recovery Plan.] Testing On behalf of the SIRO the Disaster Recovery Plan Manager shall coordinate and manage testing which should follow the below levels and is recommended to be at least annually at each level: Table Top Walkthrough Real-time Live Test [Testing is critical to ensure that the Plan is fit for purpose; it is recommended that this is mandated in the Policy, or if third party providers are utilised it is mandated as a contractual requirement.] 5 Key Words Backup, Business Continuity, CISO, Data Recovery, Disaster Recovery, Forensic Readiness, IAO, Single Points of Failure, SIRO, Copyright 2017 Health and Social Care Information Centre. 6