Service Reliability and Continuity Policy

Version: 1.00
Issue Date: 2/2/2015

This Service Reliability and Continuity Policy ensures that information technology continuity plans support the required business processes.

1.0 Overview

This Reliability and Continuity Policy will help ensure that information technology continuity practices support the business processes to meet the business needs.

2.0 Purpose

This Reliability and Continuity Policy requires that information technology continuity plans support the organizational business needs to minimize damage to the organization during a disaster or event that may disrupt the business.

3.0 Scope

This Reliability and Continuity Policy applies to all information technology activities and projects and all personnel managing or working on any information technology activities or projects. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Information Technology Continuity Plan

  • Upper information technology management is responsible for the development of an information technology continuity plan.
  • The upper management must ensure the business interests are represented when the information technology continuity plan is being developed.
  • The upper information technology management must assign roles and responsibilities for the development of the information technology continuity plan.
  • The information technology continuity plan must meet the organizational business requirements for continuity of business processes.
  • The information technology continuity plan must be based on a Business Impact Assessment (BIA) which should document how long business processes may be down before the business is seriously affected and what the consequences are. The BIA should document costs of downtime and analyze threats. The BIA should be updated annually.
  • Business owners must review the information technology continuity plan annually to be sure it meets the business requirements. The plan must be updated to meet the requirements of the business owners if it is required. When the plan is updated, dates when it was changed, who changed it, and the reasons why must be logged.
  • Processes must be implemented so when business processes change, the business continuity needs are assessed (and documented in a business continuity plan) and the needs are covered by the information technology continuity plan in a manner supporting the business continuity plans.
  • When the plan is updated, all copies of it must be updated including any copies that are offsite. A document control process should be used to ensure the new plan is properly distributed to all parties who require it. The security level (need for confidentiality) of the plan should be considered and it should be appropriately marked. Copies of the plan should be properly disposed of according to set processes for disposal of confidential information.
  • There should be a distribution list for the plan so when updates are done, all old copies can be located and destroyed while new copies can be distributed.
  • After a disaster, once the recovery process is complete, the plan should be reviewed and modified so that lessons learned are added to the plan. The review should reflect on any items missed, areas to be improved upon, and what worked.

5.0 Information Technology Continuity Plan Requirements

  • The information technology continuity plan must consider all possible scenarios under which the business should continue to operate, including natural and man-made disasters.
  • The information technology continuity plan must consider risk and the information technology framework.
  • The information technology continuity plan must consider the organizational office locations along with locations of business partners and the ability to continue business with organizational partners.
  • The information technology continuity plan must consider laws, regulations, and other external requirements.
  • The information technology continuity plan must identify covered hardware including network cabling, servers, firewalls, routers, switches, and more. It must consider the order in which systems must be brought back online to provide for the business processes.
  • The information technology continuity plan must document acceptable recovery levels for each service. It should document required supplies, personnel, facilities, furniture, and equipment.
  • The information technology continuity plan must consider the organizational structure including the business and information technology organization.
  • The information technology continuity plan must consider how it integrates with other IT processes including incident response and management, security policies, user policies, equipment policies, network policies, and others.
  • The information technology continuity plan must provide an emergency response plan and consider how notification will occur. Roles for personnel must be documented and communicated.
  • The information technology continuity plan must provide information about where recovery sites are. It should describe how backup media will be made available at the recovery site.
  • The information technology continuity plan must provide plans for recovery of services including business contact information required.
  • The information technology continuity plan must define the recovery teams and roles and responsibilities of team members.
  • Recovery team members must be qualified.
  • Recovery team members, business stakeholders, crisis management team members, service providers, external business providers, contractors, and others who are required must have their contact information available to those who would need them. This information should also be available at an alternate location.
  • Emergency communication processes must be considered and prioritized in the information technology continuity plan.
  • The information technology continuity plan must cover both the business continuity and the recovery to normal services which includes management of alternate temporary sites and the rebuilding of the original sites.
  • The information technology continuity plan must provide for worker safety.
  • If a backup site is used during temporary operations, procedures for dealing with additional disasters must be considered.
  • The information technology continuity plan must consider change management processes.
  • The information technology continuity plan must consider changes to staff such that contact lists are kept current.

6.0 Planning and Change Control

  • Information technology management must regularly provide redundant technologies (such as dual power supplies and RAID) and provide redundant infrastructure such as redundant servers and redundant network connections where the business needs call for them.
  • Information technology management must consider capacity planning and ensure that redundant systems and backup and restoration methods are functioning properly through testing.
  • Information technology change control processes must provide for modifications to the information technology continuity plan as new equipment, capabilities, or software are put into production.

7.0 Enforcement

Since following the Reliability and Continuity Policy is important to meet the business needs of the organization, employees who purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

8.0 Other Policies

  • Business Continuity Policy
  • Disaster Recovery Policy
  • System Availability Policy
  • Change Management Policy
  • Development Life Cycle Policy
  • Quality Policy
  • Confidential data/information disposal policy (electronic and hard copy)

9.0 Additional Requirements

  • Processes must be implemented so when business processes change, the business continuity needs are assessed (and documented in a business continuity plan) and the needs are covered by the information technology continuity plan in a manner supporting the business continuity plans.
  • Information technology change control processes must provide for modifications to the information technology continuity plan as new equipment, capabilities, or software are put into production.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________