Information Services Risk Management, Business Continuity and Disaster Recovery Policies Purpose Through the adoption of Business Continuity Management best practices Lingnan University will achieve its business continuity aim of safeguarding our reputation and public image. This will occur by using best endeavours to meet the needs of staff, students, the wider community and other critical stakeholders, through ensuring that business critical teaching and research outcomes are not compromised by a major disruptive event. The Business Continuity Policy forms part of the risk management framework at Lingnan University. Definitions Business Continuity: Business continuity is ‘the uninterrupted availability of all key resources supporting essential business functions’. Business Continuity Plans: A collection of procedures and information that is developed, compiled and maintained in readiness for use in the event of an emergency or disaster. (Associated terms: Business Recovery Plan, Disaster Recovery Plan, and Recovery Plan). Business Continuity Management: Business Continuity Management provides for the availability of processes and resources in order to ensure the continued achievement of critical objectives. Business Impact Analysis (BIA): A management level analysis, which identifies the impacts of losing organisational resources. The BIA measures the effect of resource losses and escalating losses over time in order to provide senior management with reliable data upon which to base decisions on risk management and continuity management. Major Disruptive Event: May be Natural (e.g. flood, hurricane, earthquake), Accidental (e.g. fire, contamination), Commercial (e.g. loss of supply of critical services) or Wilful (e.g. sabotage, vandalism, arson, terrorism). Associated terms: "major crisis’, ‘disaster’. Risk Assessment: The overall process of risk analysis and risk evaluation. Stakeholders: Those people and organisations that may affect, or be affected by, or perceive themselves to be affected by, a decision or activity. -1- Policy Lingnan University must… 1. Establish a Business Continuity Plan, or Plans, to ensure business continuity for the Office of the President, plus all academic departments, administrative units and the student hostels. The Business Continuity Plan (or plans) must address both the general management aspects of the continuity process and those for IT and data/voice communications elements. The Business Continuity Plan must include action plans for the reactivation of all essential university services, and must include provision for loss of supply of services by those external agents upon which the University is critically dependant. 2. Annually review the Risk Assessment including periodic maintenance of the Business Impact Analysis. 3. Periodically update the Business Continuity plan (or plans) to ensure currency of information, and response strategies. The plan must be reviewed for possible updating within 30 days of any major operational or system changes that will have a material effect on the contingency strategy of any department/unit/hostel. 4. Undertake exercises for training and evaluation purposes of the Business Continuity Plan each year or within 30 days of any major operational or system changes that will have a material effect on the contingency strategy of any department/unit/hostel. Management responsibilities University Heads of Departments/Units must ensure that the key function, for which they have responsibility, are able to continue following credible major disruptive events and that arrangements are in place to achieve this. This requires the proactive development, maintenance and devolution of business continuity planning within their areas. Managers are expected to encourage the active participation of staff in business continuity issues and must ensure that key personnel are able to perform competently during a major disruptive event. University Heads of Departments/Units must… 1. Complete a periodic Risk Assessment or more detailed Business Impact Analysis if requested. 2. Manage risks in accordance with this policy. 3. Ensure that the Business Continuity Plan in their area of influence and control is exercised on schedule. ITSC Business Continuity Plan for Mission Critical IT services In order to provide continual IT services for the university’s operation, a Business Continuity Plan (BCP) has been devised by ITSC. It is currently defined in two stages. In addition to the University’s Main Data Centre (MDC), a Secondary Data Centre (SDC) was established in the New Academic Block in March 2008. The SDC houses a VMware cluster, IP-phone equipment, plus other ITSC services. It is fully equipped with 12 equipment cabinets, separate cabling system, UPS and CRAC units, plus a fire suppression system. -2- Stage 1: An additional VMware cluster is planned to be setup in the SDC to connect to a fibre channel SAN system as well as iSCSI storage. The schedule is listed in Table A below. All mission critical services that are running on VMware in the MDC will be backed up by copying their virtual server images to iSCSI storage in the SDC. These services are defined as High Priority systems (High Availability VMware servers). If there is a failure in a mission critical IT service, then the backup virtual server image will be initiated from the SDC VMware cluster, in order to recover the failed IT service. The Database and Network Services (DNS) Team in ITSC will be responsible for backup as well as recovery of the backup services, upon request by the corresponding System Manager/Team Leader. Proper procedures and startup criteria for the different virtual servers will be supplied by the corresponding System Managers/Team Leaders, in order to effectively manage these disaster recovery services. Stage 2: In the 2009-2010 academic year, ITSC will expand the VMware cluster with additional CPU nodes, plus add major investment in a high speed/capacity data backup tape library system. Stage 2 of the Business Continuity Plan (BCP) will focus on data backup of all systems (High, Medium and Low), compared to Stage 1 which focused on backup of all High Priority systems only. Stage 2 will also be extended to allow virtual server image backup of Medium Priority systems. Table B below indicates the timeframe for the implementation of Stage 2. Table A: Schedule for the setup of a VMware cluster in the SDC Project Date Mid Jan – Mid Mar 09 End of Mar 2009 Mid May 2009 End of May 2009 End of Jun 2009 Tasks Tender Place order SAN system Delivery and Setup Complete second VMware Cluster in the SDC VMware Infrastructure Service Delivered into Production Table B: Schedule for the setup of a high speed/capacity Tape Library Project Date Jul 2009 Aug 2009 Sep 2009 Oct-Nov 2009 Dec 2009 Jan 2010 End of Jan 2010 Tasks Review of ITSC Backup Strategies Tender Place order Tape Library Delivery and Setup Completed Tape Library Installation Testing of new ITSC Backup Procedures Tape Library Service Delivered into Production -3- Document management control Prepared by: Updated: Authorised by: Approved by: Date issued: Last review: Next review: Waiman Cheung, Jeff McDonell, ITSC 2 March, 2009 University Comptroller TLIS, ???? 2009 ???? 2009 December 2009 -4-