CPA3.5 Technical Resilience - Disaster Planning

Purpose

The objective of disaster planning (security risk management) is to have mechanisms and functions in place to assess and highlight specific risks to the continuity of the digital resources and holdings of the repository. If risks are not managed, they may have a significant impact on the ability of the repository to carry out its digital preservation activities. They may also affect wider business functions and the repository’s ability to comply with legislation.

Interested parties and stakeholders require that organisations proactively prepare for potential incidents and disruptions in order to avoid suspension of critical operations and services, or if operations and services are disrupted, that they resume operations and services as rapidly as required by those who depend on them (ISO/PAS 22399:2007).

CC3.5: Capability completeness of risk/disaster planning

  1. Initial: one or more of the specific objectives and required activities are at an initial maturity level.
  2. Partial: only some of the specific objectives or required activities are met at a defined maturity level, or all specific objectives are met at a repeatable maturity level.
  3. Complete: all specific objectives and required activities are met at a defined maturity level or better.


SO3.5.1: Business continuity plan

To ensure ongoing access to and preservation of the holdings of the organisation by having appropriate succession plans, contingency plans, and/or escrow arrangements in place in case the repository ceases to operate or the governing or funding institution substantially changes its scope/obligations.

RA3.5.1.1: Guarantees of continuity

The repository has medium-term (3-5) and long-term (>5) plans in place to ensure the continued availability and accessibility of data in case the organisation ceases to operate (e.g. due to funding issues).

(0) Not defined:

No guarantees in place. No awareness of continuity guarantees.

(1) Initial:

There is some awareness of the issue; low institutional commitment to long-term planning and continuity; no written, formal agreements, plans or other documents exist.

(2) Repeated/partial:

Partial and/or informal plans are in place, but they lack a specific time frame and are short on detail; there are no agreements with external organisations or other third parties; no dedicated funding.

(3) Defined:

Written and credible succession and contingency plan(s) are in place, with an explicit timeframe; specific statements documenting the intent to ensure continuity of the repository are made explicit and are formalised; escrow and/or reserve funds are set aside for contingencies; there may be explicit agreements with external organisations documenting the measures to be taken to ensure the complete and formal transfer of responsibility for the repository’s digital content.

(4) Managed:

Succession / contingency plan(s) and agreements are regularly reviewed and updated; all plans are integrated into higher level policies; dedicated funds are set aside.

(5) Optimised:

Succession / contingency plan(s) and agreements are continuously assessed; monitoring of community risk factors (technology watch); regular and formalised contact with stakeholders and possible successor organisations / arrangements.

RA3.5.1.2: Data recovery provisions/plans

The repository ensures the continuity and/or recovery of data, critical code, software, and metadata sufficient to enable reconstitution of the repository and its content in the event of repository failure.

(0) Not defined:

No recovery plans in place.

(1) Initial:

There is some awareness of the issue; low institutional commitment to recovery issues; no written, formal processes, procedures, plans or other documents exist.

(2) Repeated/partial:

Partial and/or informal plans are in place, but they lack a specific time frame and are short on detail; no dedicated funding.

(3) Defined:

Written and credible recovery plan(s) are in place; specific statements documenting the intent to recover essential material are formalised; processes and procedures are formalised and defined.

(4) Managed:

Recovery plan(s) are regularly reviewed and updated; all plans are integrated into higher level policies; dedicated funds are set aside; all relevant staff are trained in recovery procedures; roles and responsibilities are identified and maintained.

(5) Optimised:

Recovery plans are continuously assessed; monitoring of community risk factors (technology watch); regular and formalised contact with relevant stakeholders; assessment of the success of training programmes and staff knowledge; recovery plans are assessed and measured against benefit-cost analyses and repository performance.


RA3.5.1.3: Security risk factors and analysis

To perform and maintain functions and mechanisms for systematic analysis of security risk factors associated with data, systems, personnel, and physical plant.

(0) Not defined:

No risk analysis undertaken.

(1) Initial:

There is some awareness of the issue; low institutional commitment to security risk factors and analysis; no written, formal processes, procedures, plans or other documents exist.

(2) Repeated/partial:

Partial analyses are done, but they are informal and performed on an ad hoc basis; no written procedures or processes.

(3) Defined:

Credible functions and mechanisms for identifying and analysing security risk factors are in place; the repository has implemented controls that adequately address the identified security risks; processes and procedures are formalised and defined.

(4) Managed:

Functions and mechanisms are regularly reviewed and updated; all plans are integrated into higher level policies; all relevant staff are trained in security risk analyses; roles and responsibilities are identified and maintained; some relevant parts of the ISO 27000 series are employed.

(5) Optimised:

Procedures and processes are continuously assessed; monitoring of wider community risk factors (technology watch); regular and formalised contact with relevant stakeholders; assessment of the success of training programmes and staff knowledge; procedures for security risk analysis are assessed and measured against benefit-cost assessments and repository performance; all relevant parts of the ISO 27000 series are employed and implemented.

RA3.5.1.4: Disaster preparedness

The repository has suitable written disaster preparedness in place, including off-site backup of all preserved information (together with an off-site copy of the recovery plan(s)).

(0) Not defined:

No disaster preparedness.

(1) Initial:

There is some awareness of the issue; low institutional commitment to disaster preparedness; no written, formal processes, procedures, plans or other documents exist.

(2) Repeated/partial:

Some awareness of the need to plan and prepare for disasters; no written statements, procedures or processes.

(3) Defined:

The repository has implemented functions and mechanisms to be adequately prepared for disasters; processes and procedures are formalised and defined.

(4) Managed:

Functions and mechanisms are regularly reviewed and updated; all plans are integrated into higher level policies; all relevant staff are trained in security risk analyses; roles and responsibilities are identified and maintained; some relevant parts of ISO 17799 are employed.

(5) Optimised:

Procedures and processes are continuously assessed; monitoring of wider community disaster preparedness (technology watch); regular and formalised contact with relevant stakeholders; assessment of the success of training programmes and staff knowledge; procedures for disaster preparedness and disaster planning are assessed and measured against benefit-cost assessments and repository performance; the repository maintains ISO 17799 certification.