GB/T 20988-2007 PDF in English
GB/T 20988-2007 (GB/T20988-2007, GBT 20988-2007, GBT20988-2007)
Standard ID | Contents [version] | Name of Chinese Standard | Status |
GB/T 20988-2007 | English | Information security technology -- Disaster recovery specifications for information systems | Valid |
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Disaster recovery
specifications for information systems
ISSUED ON: JUNE 14, 2007
IMPLEMENTED ON: NOVEMBER 01, 2007
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine of PRC;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of disaster recovery
4.1 Work scope for disaster recovery
4.2 Organization of disaster recovery
4.3 Management of disaster recovery planning
4.4 External collaboration for disaster recovery
4.5 Audit and filing of disaster recovery
5 Determination of disaster recovery needs
5.1 Risk analysis
5.2 Business impact analysis
5.3 Determine disaster recovery objectives
6 Development of disaster recovery strategy
6.1 Elements for developing disaster recovery strategy
6.2 Method to obtain disaster recovery resources
6.3 Requirements for disaster recovery resources
7 Implementation of disaster recovery strategy
7.1 Implementation of technical solution for backup system for disaster recovery
7.2 Selection and construction of backup center for disaster recovery
7.3 Implementation of professional technical support capabilities
7.4 Implementation of operation, maintenance, management capabilities
7.5 Implementation of disaster recovery plan
Appendix A (Normative) Classification of disaster recovery capability grades
Appendix B (Informative) Framework of disaster recovery plan
Appendix C (Informative) Example of relationship between RTO/RPO and disaster recovery capability grade in an industry
1 Scope
This standard specifies the basic requirements for the disaster recovery of
information systems.
This standard applies to the planning, approval, implementation, and management
of disaster recovery of information systems.
2 Normative references
The provisions in the following documents become the provisions of this Standard
through reference in this Standard. For the dated references, the subsequent
amendments (excluding corrections) or revisions do not apply to this Standard;
however, parties who reach an agreement based on this Standard are
encouraged to study if the latest versions of these documents are applicable.
For undated references, the latest edition of the referenced document applies.
GB/T 5271.8 Information technology - Vocabulary - Part 8: security
GB/T 20984 Information security technology - Risk assessment specification
for information security
3 Terms and definitions
The terms and definitions as established in GB/T 5271.8 as well as the following
terms and definitions apply to this standard.
3.1
Backup center for disaster recovery
Alternate site
A site used to take over the primary system for data processing and support
critical business functions (3.6) after a disaster, which can provide the
backup system for disaster recovery (3.3), backup infrastructure and
technical support and operational maintenance management capabilities, or
alternate living facilities in or around the site.
Data backup strategy
The backup steps and actions determined in order to achieve the data recovery
and rebuild objectives. By determining the backup time, technology,
medium, and off-site storage method, it ensures that the recovery time
objectives (3.18) and recovery point objectives (3.19) are achieved.
3.8
Disaster
A sudden event, due to human or natural causes, that causes a serious fault
or paralysis of the information system, such that the business functions
supported by the information system are suspended, or the service grade is
unacceptable, for a specific period of time. Generally, it causes the information
system to switch to the backup center for disaster recovery (3.1).
3.9
Disaster recovery
The activities and processes designed to restore an information system from
a fault or paralysis state caused by a disaster (3.8) to a normal operation
state, and to restore the business functions it supports from an abnormal
state caused by a disaster to an acceptable state.
3.10
Disaster recovery plan
A document that defines the tasks, actions, data, and resources required for
the disaster recovery process of an information system. It is used to guide the
relevant personnel in restoring the critical business functions supported by the
information system within the scheduled disaster recovery objectives.
3.11
Disaster recovery planning
DRP
The pre-planning and arrangements made to reduce the losses caused by
disasters and to ensure that the critical business functions (3.6) supported by
the information system are recovered in a timely manner and continue to
operate after a disaster occurs.
3.12
Disaster recovery capability
Recovery time objective
RTO
The time requirement for an information system or business function to be
recovered after a disaster, measured from the point at which it comes to a
standstill to the point by which it must be recovered.
3.19
Recovery point objective
RPO
The requirement for the point in time to which the system and data must be
recovered after a disaster.
3.20
Resumption
The process by which the backup center for disaster recovery (3.1) replaces
the primary center (3.15) and supports the re-operation of critical
business functions (3.6).
3.21
Return
Restoration
The process by which the information system that supports the business
operation returns from the backup center for disaster recovery (3.1) back
to the primary center (3.15).
4 Overview of disaster recovery
4.1 Work scope for disaster recovery
Disaster recovery of information systems includes disaster recovery planning,
daily operations of the backup center for disaster recovery, recovery and
resumption of critical business functions in the backup center for disaster
recovery, post-disaster reconstruction and return work of the primary system,
and emergency response after an incident occurs.
Among them, disaster recovery planning is a repeated process of continuous
improvement, which includes the following stages:
4.2.2.2 Disaster recovery plan implementation team
The primary responsibilities of the disaster recovery plan implementation team are:
- Demand analysis for disaster recovery;
- Proposing disaster recovery strategies and grades;
- Implementation of disaster recovery strategy;
- Developing a disaster recovery plan;
- Organizing tests and drills for disaster recovery plans.
4.2.2.3 Disaster recovery daily operation team
The primary responsibilities of the disaster recovery daily operation team are:
- Assisting in the implementation of disaster recovery system;
- Daily management of the backup center for disaster recovery;
- Operation and maintenance of the backup system for disaster recovery;
- Professional technical support for disaster recovery;
- Participating in and assisting with the education, training and drills of disaster
recovery plans;
- Maintaining and managing disaster recovery plans;
- Loss control and damage assessment at the time of the emergency;
- Recovery of information systems and business functions after a disaster;
- External collaboration after a disaster.
4.3 Management of disaster recovery planning
The organization shall assess the risks of the disaster recovery planning
process, prepare the required resources, determine detailed tasks and
timelines, supervise and manage planning activities, track and report on the
progress of tasks, and conduct problem management and change management.
4.4 External collaboration for disaster recovery
The organization shall liaise and collaborate with relevant management,
- Qualitative analysis: Use such methods as induction and deduction,
analysis and synthesis, abstraction and generalization, to assess the non-
economic losses that an interruption of business function may bring to the
organization, including organizational reputation, customer loyalty,
employee confidence, social and political influence, etc.
5.3 Determine disaster recovery objectives
Based on the results of risk analysis and business impact analysis, identify the
disaster recovery objectives, including:
- Critical business functions and prioritization of recovery;
- Time range of disaster recovery, that is, the range of RTO and RPO.
6 Development of disaster recovery strategy
6.1 Elements for developing disaster recovery strategy
6.1.1 Resource elements for disaster recovery
The resources required to support disaster recovery at different grades
(hereafter referred to as “disaster recovery resources”) may be divided into the
following seven elements:
- Data backup system: It generally consists of hardware, software and data
backup media for data backup (hereinafter referred to as “media”). If it is a
data backup system that relies on electronic transmission, it also includes
data backup lines and corresponding communication devices;
- Standby data processing system: It refers to backup computers, peripherals,
software;
- Backup network system: The network used by the end user to access the
backup data processing system, including the backup network
communication device and the backup data communication line;
- Standby infrastructure: The buildings, equipment, organizations which are
required for disaster recovery and support the operation of the backup
system for disaster recovery, including off-site storage for media, spare
equipment rooms, disaster recovery work aids, and living facilities that allow
disaster recovery personnel to stay continuously;
- Professional technical support capabilities: The capability to provide
support and comprehensive assurance for the operation of the disaster
devices already in place with reciprocal agreements.
6.2.3 Backup network system
The backup network communication device may be obtained in the manner as
described in 6.2.2; the backup data communication line may use its own data
communication line or lease a public data communication line.
6.2.4 Backup infrastructure
The backup infrastructure may be obtained by one of the following three methods:
- Owned or operated by the organization;
- Obtained by multi-party construction or through reciprocal agreements;
- Rent the infrastructure from a commercial disaster recovery center.
6.2.5 Professional technical support capability
Professional technical support capabilities may be obtained by the following
methods:
- Set up full-time technical support staff in the backup center for disaster
recovery;
- Sign technical support or service contract with the manufacturer;
- Served by the primary center’s technical support staff. However, for
critical business functions with a short RTO, consideration shall be given to
the possibility that technical support personnel fail to provide effective
support because of abnormal traffic and communication at the time of the disaster.
6.2.6 Operation and maintenance management capabilities
One of the following operation, maintenance, and management modes may be
selected for the disaster recovery center:
- Self-operation and maintenance;
- Entrust other agencies to operate and maintain.
6.2.7 Disaster recovery plan
The following methods may be selected to establish, implement, and manage the
disaster recovery plans:
- Finished by the organization independently;
for the backup infrastructure, including:
- Requirements for the distance from the primary center;
- Requirements for site and environment (e.g., area, temperature, humidity,
fire-proof, electricity, working hours, etc.);
- Requirements for operational maintenance and management.
6.3.5 Professional technical support capabilities
The organization shall, according to the disaster recovery objectives, based on
the principle of cost-risk balance, determine the technical support requirements
of the backup center for disaster recovery in terms of software, hardware,
network, including the organizational structure of technical support, the quantity
and quality of various technical support personnel.
6.3.6 Operation, maintenance, management capabilities
The organization shall, according to the disaster recovery objectives, based on
the principle of cost-risk balance, determine the operation, maintenance,
management requirements of the backup center for disaster recovery, including
the organizational structure of operation, maintenance, management, the
quantity and quality of personnel, the requirements of operation, maintenance,
management system.
6.3.7 Disaster recovery plan
The organization shall, based on the results of the needs analysis, according to
the principle of cost-risk balance, clarify the following aspects of the disaster
recovery plan:
- Overall requirements;
- Requirements of development process;
- Requirements for education, training, drill;
- Management requirements.
7 Implementation of disaster recovery strategy
7.1 Implementation of technical solution for backup system for disaster recovery
7.1.1 Design of technical solutions
According to the disaster recovery strategy, develop the technical solution of
the primary center from the same risks. The backup centers for disaster
recovery include two types: city-wide and different locations, to avoid the
disaster risks of different impact ranges.
The backup center for disaster recovery shall have the resources such as
communication and power required for data backup and disaster recovery, as
well as the traffic conditions for disaster recovery personnel and equipment to
arrive.
The backup center for disaster recovery shall be reasonably laid out according
to the principle of overall planning, resource sharing, combination of peacetime
and warfare.
7.2.2 Requirements for infrastructure
When building or selecting the infrastructure of a backup center for
disaster recovery:
- The computer room shall meet the requirements of the relevant national
standards;
- Work support facilities and living facilities shall meet the requirements of
disaster recovery objectives.
7.3 Implementation of professional technical support capabilities
The organization shall, according to the requirements of the disaster recovery
strategy, acquire the professional technical support capabilities for the disaster
backup system.
The backup center for disaster recovery shall establish a corresponding
technical support organization and regularly train technical support personnel.
7.4 Implementation of operation, maintenance, management capabilities
In order to achieve disaster recovery objectives, the backup center for disaster
recovery shall establish various operational procedures and management
systems, to ensure that:
- Timeliness and effectiveness of data backup;
- The backup data processing system and the backup network system are in
overall tests. The entire process of testing shall have a detailed record and
form a test report;
- Improvement: According to the results of review and test, correct the
problems and defects as found in the preliminary review process and test
process, to form an approval draft of the plan;
- Review and approval: The disaster recovery leadership team will review
and approve the approval draft, determine it as the implementation draft of
the plan.
7.5.2 Education, training, drills of disaster recovery plans
In order to familiarize relevant personnel with the objectives and processes of
disaster recovery of information systems and with the operational procedures
for disaster recovery, the organization shall organize the education, training,
and drills of the disaster recovery plan as follows:
- It shall carry out advocacy and education on the concept of disaster
recovery in the early stages of disaster recovery planning;
- Pre-assess the training needs, including the frequency and scope of the
training, develop and implement the corresponding training/educational
courses, ensure that the course content is consistent with the requirements
of the plan, keep records of the training afterwards;
- Develop a drill plan in advance, explain the scenario of the exercise in the
plan;
- The entire process of the drill shall have a detailed record and form a report;
- Carry out a complete walkthrough with end user participation at least once
a year.
7.5.3 Management of disaster recovery plans
The reviewed and approved disaster recovery plan shall be preserved and
distributed according to the following principles:
- A dedicated person is responsible for it;
- Have multiple copies saved in different locations;
- Distribute to all personnel involved in disaster recovery;
- All copies are uniformly updated after each revision and a set is kept for
review;
- The old version shall be destroyed in accordance with relevant regulations.
Appendix B
(Informative)
Framework of disaster recovery plan
B.1 Objectives and scope
Define the relevant terms and methodology in the disaster recovery plan and
describe the objectives of disaster recovery, such as recovery time objectives
(RTO) and recovery point objectives (RPO). Explain the scope of the plan:
which problems it solves and which problems it does not solve.
B.2 Organization and responsibilities
Describe the composition of the disaster recovery organization, the
responsibilities of each position, the list of people. The disaster recovery
organization shall include an emergency response team, a disaster recovery
team, and so on.
B.3 Contact and communication
List the contact forms for disaster recovery related personnel and organizations.
It includes disaster recovery teams, operators, vendors, authorities, media,
employee’s family members, and so on. Contact methods include landline,
mobile, walkie-talkie, email, home address.
B.4 Emergency response process
B.4.1 Notice of event
Any person who discovers that an information system related emergency has
occurred or is about to occur shall report it to the relevant personnel
according to the predetermined process. The relevant personnel shall carry out
preliminary judgment, notification, and disposition.
B.4.2 Personnel evacuation
Provide designated assembly locations and alternative assembly locations,
including the method of notifying personnel to evacuate and the organization
and procedures of evacuation.
B.4.3 Assessment of damage
After an emergency occurs, the damage assessment personnel of the
emergency response team shall determine the severity of the situation. The
responsible person for disaster recovery convenes the appropriate
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.