Disaster Planning Policy Framework: Outline
Contributors: Nancy McGovern, Lance Stuchell
Last updated: January 2014 for DPM Workshops
This document provides an outline for constructing the disaster policy for ICPSR and offers a step towards identifying core components of a disaster planning policy. The outline was developed to produce a policy that:
- Establish and communicate policies and procedures that protect the safety of personnel, and the protection of an organization's physical and digital assets
- Presents the high-level perspective of an organization’s disaster planning program
- Provides links to documents containing more detailed and frequently-updated documents, e.g., individual disaster planning documents and procedures
- Documents the policy approval and maintenance process, including training requirements
- Facilitates the promulgation of disaster preparedness
This outline is especially guided by the NIST’s Contingency Planning Guide for Information Technology Systems, which outlines the different components of a complete disaster plan while providing concrete definitions and procedures in an area that lacks universal standards.
Lance Stuchell, Intern, Digital Preservation team, ICPSR prepared Version 1.0 of this outline in August, 2008. Version 2.0 reflects revisions made after developing the ICPSR Crisis Communication Plan in March 2009. The outline also adapts content from “Version 2.0 Digital Preservation Policy Framework: Outline,” prepared by Nancy McGovern. Version 2.1 is an update underway at MIT Libraries.
Purpose: makes explicit the intentions of an institution and defines the essential role a disaster planning program plays in providing a safe work environment and protecting the assets of the organization. This section defines the rationale for the policy, identifies responsible parties and stakeholders, indicates the intended audience for the document, and places the document in the context of organization-wide efforts. Links: mission statement, high-level policy statements, strategic plans, digital preservation policies, other high-level policies.
Mandate: stipulates the authority, jurisdiction, or governance upon which responsible parties have developed the digital preservation program, e.g., laws, legislation, policies, and mission. Links: laws, legislation, contracts with users or vendors, policies, mission statements, regulations, etc.
Scope: establishes the overall timeframe, levels of responsibility, boundaries, extent, limitations, and priorities of the disaster planning program. This section delineates what the organization’s disaster planning program will do and, as importantly, will not do. If a disaster policy focuses on a sub-unit, the scope statement can be useful in identifying how the policy supplements and extends the planning of the larger organization. The scope also provides a useful metric for measuring the effectiveness of the program. Links: strategic plan, role definition, digital asset documentation, service agreements, etc.
Roles and Responsibilities: describes key stakeholders and their respective roles in disaster planning, including creators, producers, digital repository staff, facility staff, administrators, financial managers, user groups, advisors, other repositories, and collaborators. This section makes an explicit statement that disaster planning is a shared responsibility requiring participants within and beyond the organization. It describes broad categories of roles and responsibilities and cites documents containing more specific descriptions. Links: role definitions with explicit responsibilities, documentation of current role assignments, job descriptions, organizational charts, etc.
Critical Data Backup: outlines the requirements for all backups of data and metadata, operating systems, utility files and software licensing. This section also lists the location and format of the backups. Links: backup policy, external partnership agreements, technical details of backups and configurations, preservation storage plan,etc.
Disaster Planning, Communication, and Recovery Documents: identifies and outlines the set of documents used to properly prepare response, recovery, and continuity activities for disruptions affecting the organization’s IT systems, business processes, and the facility. A disaster plan includes these documents plus related action plans and other documents. Each organization needs to determine the appropriate set of documents for their disaster planning program and the description of each document should include the lead department or staff person (NOTE: the summary and definitions of individual documents are adapted from the NIST Contingency Planning Guide for Information Technology Systems, 2002, pg. 7-11):
Business Continuity Plan (BCP): focuses on sustaining an organization’s business functions during and after a disruption. An example of a business function may be an organization’s payroll process or consumer information process. A BCP may be written for a specific business process or may address all key business processes. IT systems are considered in the BCP in terms of their support to the business processes. In some cases, the BCP may not address long-term recovery of processes and return to normal operations, solely covering interim business continuity requirements. A disaster recovery plan, business resumption plan, and occupant emergency plan may be appended to the BCP. Responsibilities and priorities set in the BCP should be coordinated with those in the Continuity of Operations Plan (COOP) to eliminate possible conflicts. Links: full Business Continuity Plan and supporting documentation, etc.
Continuity of Operations Plan (COOP): focuses on restoring an organization’s (usually a headquarters element) essential functions at an alternate site and performing those functions for up to 30 days before returning to normal operations. Because a COOP addresses headquarters-level issues, it is developed and executed independently from the BCP. Because the COOP emphasizes the recovery of an organization’s operational capability at an alternate site, the plan does not necessarily include IT operations. In addition, minor disruptions that do not require relocation to an alternate site are typically not addressed. However, COOP may include the BCP, BRP, and disaster recovery plan as appendices. Links: full Continuity of Operations Plan and supporting documentation, listing of core functions and the allowable time lapses for resuming those functions, etc.
Continuity of Support Plan/IT Contingency Plan: outlines the development and maintenance of continuity of support plans for general support systems and contingency plans for major applications. Because an IT contingency plan should be developed for each major application and general support system, multiple contingency plans may be maintained within the organization’s BCP. Links: full Continuity of Support Plan/IT Contingency Plan(s) and supporting documentation, full Business Continuity Plan, etc.
Crisis Communications Plan: prepares an organization’s internal and external communications procedures prior to a disaster. A crisis communications plan is often developed by the organization responsible for public outreach. The crisis communication plan procedures should be coordinated with all other plans to ensure that only approved statements are released to the public. Plan procedures should be included as an appendix to the BCP. The communications plan typically designates specific individuals as the only authority for answering questions from the public regarding disaster response. It may also include procedures for disseminating status reports to personnel and to the public. Templates for press releases are included in the plan. The plan can also include contact lists to initiate recovery procedures and call trees for relevant staff and vendors. Links: full Crisis Communications Plan and supporting documentation, phone tree, webpage with staff contact information other organizational communication entities, etc.
Cyber Incident Response Plan: establishes procedures to address cyber attacks against an organization’s IT system(s). These procedures are designed to enable security personnel to identify, mitigate, and recover from malicious computer incidents, such as unauthorized access to a system or data, denial of service, or unauthorized changes to system hardware, software, or data (e.g., malicious logic, such as a virus, worm, or Trojan horse). This plan may be included among the appendices of the BCP. Links: full Cyber Incident Response Plan and supporting documentation, organization's IT department, etc.
Disaster Recovery Plan (DRP): applies to major, usually catastrophic, events that deny access to the normal facility for an extended period. Frequently, DRP refers to an IT-focused plan designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency. The DRP scope may overlap that of an IT contingency plan; however, the DRP is narrower in scope and does not address minor disruptions that do not require relocation. Dependent on the organization’s needs, several DRPs may be appended to the BCP. Links: full Disaster Recovery Plan(s) and supporting documentation,
Occupant Emergency Plan (OEP): provides the response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property. Such events would include a fire, hurricane, criminal attack, or a medical emergency. OEPs are developed at the facility level, specific to the geographic location and structural design of the building. Links: Full Occupant Emergency Plan, emergency numbers, etc.
Training: provides guidance on how the staff is educated on relevant details of the disaster plan, and how the plan is communicated to the organization, addressing both current and incoming staff. This section also identifies the positions responsible for training and plan dissemination. Links: Training policies, guidelines for the training of new hires, etc.
Maintenance and Testing: provides a mechanism for the review and analysis of the disaster plan, including periodic tests and ongoing plan maintenance. This section would provide metrics and methods for the review process. Links: maintenance and testing schedule, historical results of emergency response, etc.
References: provides citations for or pointers to key resources that informed the development and application of the framework. This section identifies more detailed documents, both internal and external, that provide a deeper expression of the mission, underlying principles, illustrative processes, and sustaining roles. It may contain citations for these documents or point to a current list of relevant community standards and guidance. Links: cited resources, community lists of standards and practice.
References Used for This Outline:
Florida State University. “Information Technology Disaster Recovery and Data Backup Policy.”
McGovern, Nancy. “Version 2.0 Digital Preservation Policy Framework: Outline.” ICPSR, October 2007.
National Institute of Standards and Technology. Contingency Planning Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-34. June 2002.
Washington State Department of Information Services. “Disaster Recovery and Business Resumption Planning Policy.” April 2002.