Information Services Risk Management, Business Continuity and
Disaster Recovery Policies
Purpose
Through the adoption of Business Continuity Management best practices, Lingnan University
will achieve its business continuity aim of safeguarding our reputation and public image.
This will occur by using best endeavours to meet the needs of staff, students, the wider
community and other critical stakeholders, through ensuring that business critical teaching
and research outcomes are not compromised by a major disruptive event.
The Business Continuity Policy forms part of the risk management framework at Lingnan
University.
Definitions
Business Continuity:
Business continuity is ‘the uninterrupted availability of all key resources supporting essential
business functions’.
Business Continuity Plans:
A collection of procedures and information that is developed, compiled and maintained in
readiness for use in the event of an emergency or disaster. (Associated terms: Business
Recovery Plan, Disaster Recovery Plan, and Recovery Plan).
Business Continuity Management:
Business Continuity Management provides for the availability of processes and resources in
order to ensure the continued achievement of critical objectives.
Business Impact Analysis (BIA):
A management level analysis, which identifies the impacts of losing organisational resources.
The BIA measures the effect of resource losses and escalating losses over time in order to
provide senior management with reliable data upon which to base decisions on risk
management and continuity management.
Major Disruptive Event:
May be Natural (e.g. flood, hurricane, earthquake), Accidental (e.g. fire, contamination),
Commercial (e.g. loss of supply of critical services) or Wilful (e.g. sabotage, vandalism, arson,
terrorism). Associated terms: ‘major crisis’, ‘disaster’.
Risk Assessment:
The overall process of risk analysis and risk evaluation.
Stakeholders:
Those people and organisations that may affect, or be affected by, or perceive themselves to
be affected by, a decision or activity.
Policy
Lingnan University must…
1. Establish a Business Continuity Plan, or Plans, to ensure business continuity for the
Office of the President, plus all academic departments, administrative units and the
student hostels.
The Business Continuity Plan (or plans) must address both the general management
aspects of the continuity process and those for IT and data/voice communications
elements.
The Business Continuity Plan must include action plans for the reactivation of all
essential university services, and must include provision for loss of supply of services
by those external agents upon which the University is critically dependent.
2. Annually review the Risk Assessment including periodic maintenance of the Business
Impact Analysis.
3. Periodically update the Business Continuity plan (or plans) to ensure currency of
information, and response strategies. The plan must be reviewed for possible updating
within 30 days of any major operational or system changes that will have a material
effect on the contingency strategy of any department/unit/hostel.
4. Undertake exercises for training and evaluation purposes of the Business Continuity
Plan each year or within 30 days of any major operational or system changes that will
have a material effect on the contingency strategy of any department/unit/hostel.
Management responsibilities
University Heads of Departments/Units must ensure that the key functions for which they
have responsibility are able to continue following credible major disruptive events and that
arrangements are in place to achieve this. This requires the proactive development,
maintenance and devolution of business continuity planning within their areas. Managers are
expected to encourage the active participation of staff in business continuity issues and must
ensure that key personnel are able to perform competently during a major disruptive event.
University Heads of Departments/Units must…
1. Complete a periodic Risk Assessment or more detailed Business Impact Analysis if
requested.
2. Manage risks in accordance with this policy.
3. Ensure that the Business Continuity Plan in their area of influence and control is
exercised on schedule.
ITSC Business Continuity Plan for Mission Critical IT services
In order to provide continual IT services for the university’s operation, a Business Continuity
Plan (BCP) has been devised by ITSC. It is currently defined in two stages.
In addition to the University’s Main Data Centre (MDC), a Secondary Data Centre (SDC)
was established in the New Academic Block in March 2008. The SDC houses a VMware
cluster, IP-phone equipment, plus other ITSC services. It is fully equipped with 12 equipment
cabinets, separate cabling system, UPS and CRAC units, plus a fire suppression system.
Stage 1:
An additional VMware cluster is planned to be set up in the SDC to connect to a fibre channel
SAN system as well as iSCSI storage. The schedule is listed in Table A below.
All mission critical services that are running on VMware in the MDC will be backed up by
copying their virtual server images to iSCSI storage in the SDC. These services are defined
as High Priority systems (High Availability VMware servers). If there is a failure in a
mission critical IT service, then the backup virtual server image will be initiated from the
SDC VMware cluster, in order to recover the failed IT service. The Database and Network
Services (DNS) Team in ITSC will be responsible for backup as well as recovery of the
backup services, upon request by the corresponding System Manager/Team Leader. Proper
procedures and startup criteria for the different virtual servers will be supplied by the
corresponding System Managers/Team Leaders, in order to effectively manage these disaster
recovery services.
Stage 2:
In the 2009-2010 academic year, ITSC will expand the VMware cluster with additional CPU
nodes, and make a major investment in a high speed/capacity data backup tape library system.
Stage 2 of the Business Continuity Plan (BCP) will focus on data backup of all systems (High,
Medium and Low), compared to Stage 1 which focused on backup of all High Priority
systems only. Stage 2 will also be extended to allow virtual server image backup of Medium
Priority systems. Table B below indicates the timeframe for the implementation of Stage 2.
Table A: Schedule for the setup of a VMware cluster in the SDC
Project Date            Tasks
Mid Jan – Mid Mar 09    Tender
End of Mar 2009         Place order
Mid May 2009            SAN system Delivery and Setup
End of May 2009         Complete second VMware Cluster in the SDC
End of Jun 2009         VMware Infrastructure Service Delivered into Production
Table B: Schedule for the setup of a high speed/capacity Tape Library
Project Date       Tasks
Jul 2009           Review of ITSC Backup Strategies
Aug 2009           Tender
Sep 2009           Place order
Oct-Nov 2009       Tape Library Delivery and Setup
Dec 2009           Completed Tape Library Installation
Jan 2010           Testing of new ITSC Backup Procedures
End of Jan 2010    Tape Library Service Delivered into Production
Document management control
Prepared by:
Updated:
Authorised by:
Approved by:
Date issued:
Last review:
Next review:
Waiman Cheung, Jeff McDonell, ITSC
2 March, 2009
University Comptroller
TLIS, ???? 2009
???? 2009
December 2009