System Availability Policy
|Version: 1.00||Issue Date: 1/13/2015|
This System Availability Policy is required to link business requirements to hosting requirements.
Hosting requirements and support requirements will vary based on business need. This System Availability Policy will help ensure that a proper hosting environment supports servers based on the business need. It also informs the users that there may be some downtime due to maintenance or other events and provides for the creation of a process to manage the maintenance or recover from events causing downtime.
This System Availability Policy is intended to ensure that a proper hosting environment is used to support servers based on the business need. It also defines when a system may be brought down at unscheduled times and provides for a process for informing the business user about unscheduled downtime.
This System Availability Policy applies to all servers and applications which operate on servers. This policy is effective as of the issue date and does not expire unless superceded by another policy.
4.0 Business Need and Hosting Environment
The following items define:
Prior to hosting, during the project development lifecycle, it must be determined what hosting environment is required to support the business. It is up to the business managers and staff to specify that their needs are and whether the application or project requires 24x7 support or 5 days per week, 8 hours per day support. Hosting requirements during specific hours requires staff to be on site where the servers are during those hours or at least on call and they can get to the site quickly. The business managers and staff must inform the IT managers and staff about the criticality of the project or application to support their business needs and include:
The amount of business received per month on the system or application.
The amount of time the system can be offline before the business is moderately adversely affected.
The amount of time the system can be offline before the business is seriously adversely affected.
This section describes how interruptions to service shall be handled.
The IT management must agree upon maintenance windows with the business managers of applications and projects that are hosted on the servers managed by them.
Emergency situations which may call for bringing a server down or off line include but are not limited to:
Extended power outtage.
When a hardware failure is imminent.
When a security intrusion has occurred or is occurring which may threaten one or more systems or data.
Any event that may cause corruption of data, loss of integrity of data, or unauthorized disclosure of sensitive data which a system shutdown is likely to prevent.
When environmental controls fail to a point where continued operation of the systems may destroy them.
The business managers must be informed in a timely manner (1 hour or less) when systems are brought off line or are turned off during these situations. Users will not have access to the system during this time and user scheduled jobs will not run. Users must be informed as to when the system is expected to be operational and users shall be informed when the affected system is operational.
Since system availability is an important part of organizational operation, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
7.0 Other Requirements
Enforcement of the Asset Control Policy will keep points of contacts for both servers (IT side) and application (business side) available to inform users and administrators when events requiring communication occur including when a user discovers that a system is offline or not operating properly. The contact information for servers must be provided to business owners.
The System Development Life Cycle (SDLC) must require development of a system availability plan which in integrated into the SDLC. The plan must include initial deployment and maintenance phases that set responsibilities and provides guidance about how to meet the required service levels. It must define who is responsible for informing other parties about business or hosting changes.
A process for shutting down systems for emergencies and situations required to protect the business or organization must be developed. This process must include informing the business owners in a timely manner.
Additional details and rules should be developed to further define and link business requirements to hosting requirements. This is an availability plan providing guidance about how to provide the levels of service required by the business. This plan must be communicated to IT staff and other support personnel.
A process for recovery from unscheduled events both to bring systems back on line and inform users and management about status should be developed.
Approved by:__________________________ Signature:_____________________ Date:_______________