IT Disaster Recovery Policy

How to use this policy

This policy is for technical users. Technical users include:

• Technical architects
• DevOps specialists
• IT service managers
• Software developers

This policy is part of a set of Ministry of Justice (MoJ) policies and supporting guides that cover various aspects of incident and disaster management and response.

The policies are:

• IT Security Incident Management Policy
• IT Disaster Recovery Policy
• IT Investigations - Planning and Operations Policy

The supporting guides are:

• IT Security Incident Response Plan and Process Guide
• IT Disaster Recovery Plan and Process Guide

This policy describes what is needed to recover from an IT Disaster Event.

Information is listed beneath the following headings:

• Policy Statements
• What is an IT disaster event?
• What is IT disaster recovery?
• IT Disaster Recovery Plan
• Roles and responsibilities
• Planning
• Business Impact Assessment
• Testing and readiness review
• Reporting and alerting
• Recovery and review

Policy Statements

This policy refers to Policy Statements, POL.ITDR.001 to POL.ITDR.014.

POL.ITDR.XXX indicates the specific policy statement to be adhered to.

What is an IT disaster event?

An IT disaster event is any incident that causes actual or potential loss of availability or integrity of an MoJ IT system, which results in the MoJ IT system being unable to function during business as usual (BAU) operations.

What is IT disaster recovery?

IT disaster recovery is the planned response to a disaster event which will restore an IT system to BAU operations.

IT Disaster Recovery Plan

An IT Disaster Recovery Plan lists the actions to be taken to recover an IT system from a disaster event, together with a list of key roles and their responsibilities.

POL.ITDR.001: Each MoJ IT system shall have an IT Disaster Recovery Plan.

The IT Disaster Recovery Plan and Process Guide describes the information to include in a Disaster Recovery Plan.

Roles and Responsibilities

POL.ITDR.002: All Disaster Recovery Plans shall contain an up to date list of roles and responsibilities.

Each role shall have a name, with at least two sets of contact details.

POL.ITDR.003: All staff who are listed in a Disaster Recovery Plan shall be aware of their role and its responsibilities.

The list of roles and responsibilities should include internal and external stakeholders, together with everyone listed on the communications list.

The list of roles and responsibilities shall align with the Incident Management Plan (IMP).

A variety of individuals and teams may be responsible for business and IT service continuity, and escalation in case of a disaster. These may include:

• Executive Committee
• Senior Information Risk Owner (SIRO)
• Chief Security Officer (CSO)
• Information Asset Owner (IAO)
• Service Operations (SO), which includes the Major Incident Management Team and the Security Operations Centre (SOC)
• IT Service Continuity Management

A Disaster Recovery plan should include the relevant escalation process through the teams and individuals listed for each MoJ IT system.

Planning

An IT Disaster Recovery Plan supports the decisions and steps taken to reduce the effects of disasters and identifies the steps needed to recover MoJ IT systems back to BAU.

An IT Disaster Recovery Plan shall:

• contain identified risk scenarios and strategies to recover from them
• describe the circumstances in which the plan is invoked.

Business Impact Assessment

A Business Impact Assessment (BIA) shall be undertaken to identify the key disaster recovery requirements of the assets, services, and business processes supported by a specific MoJ IT system.

The BIA should contain:

• a Recovery Time Objective (RTO): the time between a disaster event occurring and full IT systems and services being restored
• a Recovery Point Objective (RPO): the period of time during which the business can tolerate data loss

POL.ITDR.004: A Disaster Recovery Plan shall contain an RTO and RPO. The plan may contain more than one of these depending on the system.

POL.ITDR.005: Any disaster recovery action shall ensure that the IT system can recover from a disaster within the RTO recorded in the BIA.

POL.ITDR.006: Any disaster recovery action shall ensure that the IT system can recover from a disaster within the RPO recorded in the BIA.

Testing and Readiness Review

An IT Disaster Recovery Plan shall be tested regularly to ensure that:

• the plan remains fit for purpose
• the plan reflects all changes in personnel and updates to system information
• everyone with a role in the plan knows their responsibilities

POL.ITDR.007: Each MoJ IT system shall have its IT Disaster Recovery Plan tested before commencing live operations.

POL.ITDR.008: All IT Disaster Recovery Plans shall be tested at least annually, and after significant update to an MoJ IT system. The testing schedule shall be outlined in the IT Disaster Recovery Plan.

POL.ITDR.009: The IT Disaster Recovery Plan shall be reviewed after each test and updated as required to ensure it is fit for purpose.

POL.ITDR.010: Each IT Disaster Recovery Plan shall define the circumstances when the plan is to be invoked.

Reporting and Alerting

The reporting and alerting structure of an IT Disaster Recovery Plan should align with that of the corresponding IT Security Incident Response Plan.

Every stakeholder that needs to be informed, should be listed as a key contact within the plan.

POL.ITDR.011: The reporting and alerting structure within an IT Disaster Recovery Plan shall align with the relevant IT Security Incident Management Plan and Business Continuity Plan. Responsibility for business continuity resides with the SO.

Recovery and Review

The process to recover from a disaster event shall ensure that security vulnerabilities are not introduced or re-introduced during the restoration process.

POL.ITDR.012: Each IT Disaster Recovery Plan shall contain pre-defined and tested processes and procedures to restore an MoJ IT system or services, which has been disrupted or disabled during a disaster event.

POL.ITDR.013: Each Disaster Recovery Plan shall describe in detail the procedures to enable an MoJ IT Security System return from recovery mode to BAU.

Lessons learned shall be collated in an after-action report and be fed back to appropriate stakeholders.

POL.ITDR.014: Following a disaster incident, an after-action report shall be produced, which contains:

• all lessons learned
• actions to be taken to update processes and plans

Contact details

For any further questions or advice relating to security, contact: security@justice.gov.uk.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.