UFIT Security Continuance of Operations Standards

The Level 2 Unit ISM must ensure that their unit maintains an Information Technology Continuance of Operations Plan (ITCOP). There must be written plans detailing procedures for various disaster scenarios, both natural and man made. To guard against disaster, critical IT resources must be preserved against loss or corruption by appropriate backup procedures.

The Level 2 Unit ISA has the responsibility to coordinate with the campus emergency response team as appropriate regarding preparation and recovery from incidents.

Continuance of Operations Guidelines

University of Florida units are required to maintain a written IT Continuance of Operations Plan (ITCOP).  This document is intended as a guideline to help simplify the development of a Unit ITCOP.

Since the ITCOP contains sensitive information about unit IT resources, the plan should not be advertised, but it must be made available to the UF ISM upon request.

Include the unit name in the plan title.  Identify the network managers, the unit administrator and list their contact information.

It is not necessary that units include everything listed here, but they should include those things that are relevant to IT functions of their unit.

Components of ITCOP

  • Cover Sheet: identification, dates, locations, disclosure statement
  • Overview: executive summary, policies, concepts
  • Introduction: purpose, goals, objectives, benefits
  • Scope: what IT resources does the ITCOP address
  • Contacts and Responsibilities
  • Resources: documentation
  • Risk assessment: value, criticality, threats, replacement costs, acceptable downtimes
  • Preparation: monitoring, backups, training, testing
  • Recovery: what constitutes a disruption, procedures
  • Revisions: environmental changes, test results, revision schedule

ITCOP cover sheet

  • Unit name
  • Unit ISM
  • Unit ISA
  • Date Established
  • Date of Last Revision
  • Distribution list
  • Locations of document
  • Sensitive Information Disclosure Notice

Overview

  • Executive management perspective
  • Policies
  • Plan concepts
  • What constitutes a disruption
  • Summary of ITCOP

Introduction

  • Purpose
  • Goals
  • Objectives
  • Benefits

Scope

  • IT resources addresses by ITCOP

Contacts and Responsibilities

  • ITCOP Activation Authority
  • ITCOP Coordinator
  • Resource contact(s)
  • Alerting/monitoring contact(s)
  • Training contact(s)
  • Testing contact(s)
  • Update contact(s)
  • PPD/Facilities contact
  • Emergency Building Coordinator contact
  • UPD contact
  • Key management contact
  • Other physical security contacts
  • Other contacts

Resources

Resource types

  • People
  • Data
  • Equipment and hardware
  • Software
  • Processes
  • Service Providers
  • Buildings and Facilities

Resource documentation details

  • Location
  • Description
  • Value
  • Criticality

Resource considerations

  • Data backups
  • Power backups, batteries and generators
  • Replacement resources
  • Warranty records
  • Maintenance contracts
  • Vendor managed resources
  • Environmental controls

Risk assessment

  • Prioritize IT resources
  • Assess the value and criticality of IT resources
  • Determine threat to IT resources
  • Assess cost to replace IT resources
  • Determine acceptable downtime of IT resources

Preparation

  • Alerting/monitoring
  • Maintenance contracts that need to be maintained
  • Data backup procedures
    • Location
    • Frequency
    • Incremental vs. full
    • What is backed up
  • Privileged passwords maintenance and recovery
  • Power backups
  • Training
    • Team
    • Scope
    • Schedule
    • Procedures
  • Testing
    • Team
    • Scenario
    • Schedule
    • Monitoring
    • Follow-up

Recovery

A prioritized business resumption task list based on type of event (facilities, personnel, IT services, IT equipment failures or loss). What needs to be done (damage assessment, notification procedures, ITCOP activation), when, where, and how.

  1. Establish communication
  2. Notification
    • Internal personnel
    • Network Services
    • Network Managers
    • PPD
    • UPD
    • EHS
    • State insurance
  3. Damage assessment and documentation
    • Photograph scene untouched to document smoke, water, or other damage
    • Outsource forensics services if needed
  4. Establish basic services
    • Networking
    • Restore backups
    • Relocate equipment
  5. Replacements
    • Building and facilities
    • Staff
    • Equipment
    • Keys
    • Tools
  6. Cleanup
    • PPD
  7. Resumption of services
    • Full resumption
    • Alternative manual methods for operation
  8. Establish communication
    • Phones – forwarding numbers and other configuration options
    • Email – establish alternative email accounts for key contact personnel

Revisions

  • Consider equipment and environmental changes
  • Consider test results
  • Establish revision schedule