This policy defines acceptable methods for disaster recovery planning, preparedness, management and mitigation of IT systems and services at Weill Cornell Medical College.
Entities Affected By This Policy
The Weill Cornell Medical College and Graduate School of Medical Sciences
- Responsible Executives: WCMC Chief Information Officer
- Responsible Department: Information Technologies and Services (ITS)
- Dates: Issued: Interim, July, 1st 2010. Final Issuance:
- Contact: Information Technologies and Services
Reason for Policy
The disaster recovery standards in this policy provide a systematic approach for safeguarding the vital technology and data managed by the Information Technologies and Services Department. This policy provides a framework for the management, development, and implementation and maintenance of a disaster recovery program for the systems and services managed by ITS.
To assist in the usage of this policy document, the Appendix Section below contains a summary of all the DR Timeline deliverables plus a DR glossary. Please check the DR glossary in the Official Policy for the definition of DR terms.
Disaster Recovery planning is a program that has a continuous lifecycle. Detailed requirements for each of these steps are below. The high-level process for DR Lifecycle is as follows:
- All ITS-managed systems must comply with WCMC disaster recovery policies and requirements.
- The IT Disaster Recovery Manager is responsible for IT DR program coordination and project management: including reporting status of IT DR planning, testing, and auditing activity to ITS senior management on a regular basis; at least twice per year.
- ITS senior management is responsible for ensuring sufficient financial, personnel and other resources are available as needed.
- The DR Manager will review and update the DR Policy as necessary at least every other year. All modifications must be approved by ITS senior management.
- Program Development
- The ITS Disaster Recovery Program (DRP) addresses the protection and recovery of WCMC IT services so that critical operations and services are recovered in a timeframe that ensures the survivability of WCMC and is commensurate with customer obligations, business necessities, industry practices, and regulatory requirements.
- Plans must be developed, tested, and maintained to support the 2.a objectives of the Program, and those plans should include relevant IT infrastructure, computer systems, network elements, and applications. At minimum, annual updating is required.
- The Disaster Recovery Manager is responsible for conducting Business Impact Analyses (BIA) to identify the critical business processes, determine standard recovery timeframes, and establish the criticality ratings for each; at least every other years.
- The Disaster Recovery Manager is responsible for conducting Capability Analyses (CA) to determine ITS's capacity to recover critical IT services that support defined critical business processes and recovery objectives; at least every other years.
- The Disaster Recovery Manager is responsible for maintaining the Recovery Tier Chart , which defines the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) of all ITS-managed systems. The Service managers are required to prioritize their IT processes and associated assets based upon the potential detrimental impacts to the defined critical business processes.
- ITS is required to create disaster recovery plans for the IT portion - including services, systems, and assets - of critical business processes. These IT services, systems, and assets must be inventoried and correlated according to the technical service catalog , prioritized based upon results of the Business Impact Analysis, and ranked according to their Recovery Time Objectives and Recovery Point Objectives.
- A Risk Assessment must be conducted at least every other year to determine threats to disaster recovery and their likelihood of impacting the IT infrastructure.
- For each risk or vulnerability identified in the Capability Review and Risk Assessment, a mitigation or preventive solution must be identified.
- The IT DR program must include a change management and quality assurance process.
- Above Program Development statements will be progressively fulfilled via Disaster Recovery Manager, Departmental and/or other resources.
- Emergency Management
- The IT Disaster Recovery Team/Manager is responsible for overseeing IT DR activities in the event of an emergency -i.e., an unplanned outage where RTO is in jeopardy.
- The IT Disaster Recovery Manager should be part of the ITS representation within the institution's Emergency Management Team .
- Each IT division must develop and maintain a documented emergency plan including notification procedures.
- Each IT division shall account for its associates when a building evacuation is ordered. Supervisory personnel are responsible to account for the associates they supervise.
- The IT Disaster Recovery Team/Manager is required to complete a post-mortem report documenting outages and recovery responses within 45 days after the occurrence of a disaster recovery event.
- IT DR budgeting must be informed annually by requirements gathered in the BIA and CA as well as the ITS budgeting process.
- IT Managers are responsible for tracking and reporting on planned and unplanned outage spending related to the recovery and restoration effort. During an outage, IT Managers may incur special recovery and restoration costs that are unbudgeted. For a small outage, these costs would be immaterial; but for a longer outage, these costs could be significant.
- Plan Objective
- IT DR plans must provide information on Business Impact Analysis, Data Backup, Recovery, Business Resumption, Administration, Organization Responsibilities, Emergency Response & Operations, Training and Awareness and Testing.
- Plans must contain Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).
- Technological solutions for data availability, data protection, and application recovery must be considered by data gathered by the BIA and CA.
- Vital Records
- ITS must maintain a single, comprehensive electronic inventory of all servers, network equipment, relevant configuration, and model information, and the applications they support. This inventory should be aligned with the service catalog and the technical service catalog.
- All Backup data must be labeled and logged, and are available for use during an emergency within stated recovery time objectives. A documented decision making process will be used to determine what subset of backup data will be additionally encrypted, and stored off-site in a secured location outside of the geographical area of the system they are backups of.
- DR plans must be stored in a single, comprehensive database.
- DR plans owners need to be able to access a copy of emergency and recovery plan(s) independent of ITS services and/or network.
- Upon completion or update, DR plans must be sent to the Disaster Recovery Manager and ITS Change Manager for review.
- Plan information must be reviewed and updated as warranted by business and/or information systems environment changes, at least annually.
- Plan Attributes
- Plans must address an outage that could potentially last for a period of up to six weeks.
- Plans must identify risk exposure and either accept the risk or propose mitigation solution(s).
- Backup strategies must comply with predefined businesses continuity requirements, including defined recovery time and point objectives. Backup strategies must be reviewed at least every other year.
- Recovery strategies must meet recovery objectives defined in the DR tier chart.
- Approved recovery strategies must be tested to ensure they meet required recovery time and recovery point objectives.
- Recovery strategies must be implemented within a previously agreed upon period of time, generally not more than 180 days after management approval.
- The ITS Disaster Recovery Manager is required to provide DR training and awareness activities at least twice per year.
- Plans must contain current and accurate information.
- Planning must be integrated into all phases of the IT system life cycle.
- IT DR tests that demonstrate recoverability commensurate with documented IT DR plans must be conducted regularly; as well as when warranted by changes in the business and/or information systems environment.
- Backup media supporting critical business processes must be tested semi-annually. Reviews are required within 60 days after a test to correct exposed deficiencies.
- Plan revisions must be completed within 60 days after a DR test is completed.
- The following maintenance activities must be conducted annually:
- Updating the documented DR plan
- Reviewing the DR objectives and strategy
- Updating the internal and external contacts lists
- Conducting a simulation/desktop exercise
- Conducting a telecommunication exercise
- Conducting an application recovery test
- Verifying the alternate site technology
- Verifying the hardware platform requirements
- Submitting the DR Status and Recoverability Report
- IT managers are responsible for briefing staff on their roles and responsibilities related to DR planning, including developing, updating, and testing plans.