
GB/T 20988-2007 PDF in English


GB/T 20988-2007 (GB/T20988-2007, GBT 20988-2007, GBT20988-2007)
Standard ID: GB/T 20988-2007
Contents [version]: English
USD: 150
[PDF] delivered in: 0-9 seconds. Auto-delivery.
Name of Chinese Standard: Information security technology -- Disaster recovery specifications for information systems
Status: Valid

GB/T 20988-2007: PDF in English (GBT 20988-2007)

GB/T 20988-2007

NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA

ICS 35.040
L 80

Information security technology - Disaster recovery specifications for information systems

ISSUED ON: JUNE 14, 2007
IMPLEMENTED ON: NOVEMBER 01, 2007

Issued by: General Administration of Quality Supervision, Inspection and Quarantine of PRC; Standardization Administration of PRC.

Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of disaster recovery
4.1 Work scope for disaster recovery
4.2 Organization of disaster recovery
4.3 Management of disaster recovery planning
4.4 External collaboration for disaster recovery
4.5 Audit and filing of disaster recovery
5 Determination of disaster recovery needs
5.1 Risk analysis
5.2 Business impact analysis
5.3 Determine disaster recovery objectives
6 Development of disaster recovery strategy
6.1 Elements for developing disaster recovery strategy
6.2 Method to obtain disaster recovery resources
6.3 Requirements for disaster recovery resources
7 Implementation of disaster recovery strategy
7.1 Implementation of technical solution for backup system for disaster recovery
7.2 Selection and construction of backup center for disaster recovery
7.3 Implementation of professional technical support capabilities
7.4 Implementation of operation, maintenance, management capabilities
7.5 Implementation of disaster recovery plan
Appendix A (Normative) Classification of disaster recovery capability grades
Appendix B (Informative) Framework of disaster recovery plan
Appendix C (Informative) Example of relationship between RTO/RPO and disaster recovery capability grade in an industry

Information security technology - Disaster recovery specifications for information systems

1 Scope

This standard specifies the basic requirements for the disaster recovery of information system.

This standard applies to the planning, approval, implementation, management of disaster recovery of information system.

2 Normative references

The provisions in following documents become the provisions of this Standard through reference in this Standard. For the dated references, the subsequent amendments (excluding corrections) or revisions do not apply to this Standard; however, parties who reach an agreement based on this Standard are encouraged to study if the latest versions of these documents are applicable. For undated references, the latest edition of the referenced document applies.

GB/T 5271.8 Information technology - Vocabulary - Part 8: security
GB/T 20984 Information security technology - Risk assessment specification for information security

3 Terms and definitions

The terms and definitions as established in GB/T 5271.8 as well as the following terms and definitions apply to this standard.

3.1 Backup center for disaster recovery
Alternate site
A site used to take over the primary system for data processing and support critical business functions (3.6) after a disaster, which can provide the backup system for disaster recovery (3.3), backup infrastructure and technical support and operational maintenance management capabilities, or alternate living facilities in or around the site.

Data backup strategy
Backup steps and behaviors as determined to achieve data recovery and rebuild objectives. Through determining the backup time, technology, medium, off-site storage method, it guarantees achieving the recovery time objectives (3.18) and recovery point objectives (3.19).

3.8 Disaster
A sudden event which causes serious fault or paralysis of the information system and makes the business functions as supported by the information system suspend or the service grade be unacceptable and reach a specific time, due to human or natural causes. Generally, it will cause the information system to switch to the backup center for disaster recovery (3.1).

3.9 Disaster recovery
The activity and process as designed to restore an information system from a fault or paralysis state as caused by a disaster (3.8) to a normal operation state and to restore the business functions it supports from an abnormal state as caused by a disaster to an acceptable state.

3.10 Disaster recovery plan
A document that defines the tasks, actions, data, resources required for a disaster recovery of information system process. It is used to guide the relevant personnel to restore critical business functions supported by the information system within the scheduled disaster recovery objectives.

3.11 Disaster recovery planning
DRP
The pre-planning and arrangement as made to reduce the losses caused by disasters and to ensure the critical business functions (3.6) supported by the information system for timely recovery and continued operation after a disaster occurs.

3.12 Disaster recovery capability

Recovery time objective
RTO
The time required for an information system or business function from a standstill to the time it must be recovered after a disaster.

3.19 Recovery point objective
RPO
After a disaster, the requirements for the time point that the system and data must be recovered to.

3.20 Resumption
The process that the backup center for disaster recovery (3.1) replaces the primary center (3.15) and supports the re-operation of critical business functions (3.6).

3.21 Return
Restoration
The process that the information system that supports the business operation returns from the backup center for disaster recovery (3.1) back to the primary center (3.15).

4 Overview of disaster recovery

4.1 Work scope for disaster recovery

Disaster recovery of information system includes disaster recovery planning, daily operations of the backup center for disaster recovery, recovery and resumption of critical business functions in the backup center for disaster recovery, post-disaster reconstruction and return work of primary system, emergency response after an incident occurs.

Among them, disaster recovery planning is a repeated process of continuous improvement, which includes the following stages:

4.2.2.2 Disaster recovery plan implementation team

The primary responsibility of the disaster recovery plan implementation team is:
- Demand analysis for disaster recovery;
- Proposing disaster recovery strategies and grades;
- Implementation of disaster recovery strategy;
- Developing a disaster recovery plan;
- Organizing tests and drills for disaster recovery plans.

4.2.2.3 Disaster recovery daily operation team

The primary responsibility of the disaster recovery daily operation team is:
- Assisting in the implementation of disaster recovery system;
- Daily management of the backup center for disaster recovery;
- Operation and maintenance of the backup system for disaster recovery;
- Professional technical support for disaster recovery;
- Participating in and assisting to the education, training and drills of disaster recovery plans;
- Maintaining and managing disaster recovery plans;
- Loss control and damage assessment at the time of the emergency;
- Recovery of information systems and business functions after a disaster;
- External collaboration after a disaster.

4.3 Management of disaster recovery planning

The organization shall assess the risks of the disaster recovery planning process, prepare the required resources, determine detailed tasks and timelines, supervise and manage planning activities, track and report on the progress of task, conduct problem management and change management.

4.4 External collaboration for disaster recovery

The organization shall liaise and collaborate with relevant management,

- Qualitative analysis: Use such methods as induction and deduction, analysis and synthesis, abstraction and generalization, to assess the non-economic losses that an interruption of business function may bring to the organization, including organizational reputation, customer loyalty, employee confidence, social and political influence, etc.

5.3 Determine disaster recovery objectives

Based on the results of risk analysis and business impact analysis, identify the disaster recovery objectives, including:
- Critical business functions and prioritization of recovery;
- Time range of disaster recovery, that is, the range of RTO and RPO.

6 Development of disaster recovery strategy

6.1 Elements for developing disaster recovery strategy

6.1.1 Resource elements for disaster recovery

The resources required to support disaster recovery at different grades (hereafter referred to as “disaster recovery resources”) may be divided into the following seven elements:
- Data backup system: It generally consists of hardware, software and data backup media for data backup (hereinafter referred to as “media”). If it is a data backup system that relies on electronic transmission, it also includes data backup lines and corresponding communication devices;
- Standby data processing system: It refers to backup computers, peripherals, software;
- Backup network system: The network used by the end user to access the backup data processing system, including the backup network communication device and the backup data communication line;
- Standby infrastructure: The buildings, equipment, organizations which are required for disaster recovery and support the operation of the backup system for disaster recovery, including off-site storage for media, spare equipment rooms, disaster recovery work aids, living facilities that allows disaster recovery personnel to stay continuously;
- Professional technical support capabilities: The capability to provide support and comprehensive assurance for the operation of the disaster devices already in place with reciprocal agreements.

6.2.3 Backup network system

The backup network communication device may be obtained in the manner as described in 6.2.2; the backup data communication line may use its own data communication line or lease a public data communication line.

6.2.4 Backup infrastructure

It may select the following three methods to get the backup infrastructure:
- Owned or operated by the organization;
- Obtained by multi-party construction or through reciprocal agreements;
- Rent the infrastructure from a commercial disaster recovery center.

6.2.5 Professional technical support capability

It may select the following methods to obtain professional technical support capabilities:
- Set up full-time technical support staff in the backup center for disaster recovery;
- Sign technical support or service contract with the manufacturer;
- Served by the primary center’s technical support staff.

However, for the critical business functions of the short-term RTO, it shall consider the technical support personnel’s failure to provide effective support due to the abnormality of traffic and communication at the time of the disaster.

6.2.6 Operation and maintenance management capabilities

It may select the following operation, maintenance, management mode of the disaster recovery center:
- Self-operation and maintenance;
- Entrust other agencies to operate and maintain.

6.2.7 Disaster recovery plan

It may select the following methods to establish, implement, manage the disaster recovery plans:
- Finished by the organization independently; for the backup infrastructure, including:
- Requirements for the distance from the primary center;
- Requirements for site and environment (e.g., area, temperature, humidity, fire-proof, electricity, working hours, etc.);
- Requirements for operational maintenance and management.

6.3.5 Professional technical support capabilities

The organization shall, according to the disaster recovery objectives, based on the principle of cost-risk balance, determine the technical support requirements of the backup center for disaster recovery in terms of software, hardware, network, including the organizational structure of technical support, the quantity and quality of various technical support personnel.

6.3.6 Operation, maintenance, management capabilities

The organization shall, according to the disaster recovery objectives, based on the principle of cost-risk balance, determine the operation, maintenance, management requirements of the backup center for disaster recovery, including the organizational structure of operation, maintenance, management, the quantity and quality of personnel, the requirements of operation, maintenance, management system.

6.3.7 Disaster recovery plan

The organization shall, based on the results of the needs analysis, according to the principle of cost-risk balance, clarify the following aspects of the disaster recovery plan:
- Overall requirements;
- Requirements of development process;
- Requirements for education, training, drill;
- Management requirements.

7 Implementation of disaster recovery strategy

7.1 Implementation of technical solution for backup system for disaster recovery

7.1.1 Design of technical solutions

According to the disaster recovery strategy, develop the technical solution of the primary center from the same risks. The backup centers for disaster recovery include two types: city-wide and different locations, to avoid the disaster risks of different impact ranges. The backup center for disaster recovery shall have the resources such as communication and power required for data backup and disaster recovery, as well as the traffic conditions for disaster recovery personnel and equipment to arrive. The backup center for disaster recovery shall be reasonably laid out according to the principle of overall planning, resource sharing, combination of peacetime and warfare.

7.2.2 Requirements for infrastructure

When newly-building or selecting the infrastructure of a backup center for disaster recovery:
- The computer room shall meet the requirements of the relevant national standards;
- Work support facilities and living facilities shall meet the requirements of disaster recovery objectives.

7.3 Implementation of professional technical support capabilities

The organization shall, according to the requirements of the disaster recovery strategy, acquire the professional technical support capabilities for the disaster backup system. The backup center for disaster recovery shall establish a corresponding technical support organization, to regularly train technical support personnel.

7.4 Implementation of operation, maintenance, management capabilities

In order to achieve disaster recovery objectives, the backup center for disaster recovery shall establish various operational procedures and management systems, to ensure that:
- Timeliness and effectiveness of data backup;
- The backup data processing system and the backup network system are in overall tests. The entire process of testing shall have a detailed record and form a test report;
- Improvement: According to the results of review and test, correct the problems and defects as found in the preliminary review process and test process, to form an approval draft of the plan;
- Review and approval: The disaster recovery leadership team will review and approve the approval draft, determine it as the implementation draft of the plan.

7.5.2 Education, training, drills of disaster recovery plans

In order to familiarize relevant personnel with the objectives and processes of disaster recovery of information system and familiarize themselves with the operational procedures for disaster recovery, the organization shall organize the education, training, drills of the disaster recovery plan as follows:
- It shall carry out advocacy and education on the concept of disaster recovery in the early stages of disaster recovery planning;
- Pre-assess the training needs, including the frequency and scope of the training, develop and implement the corresponding training/educational courses, ensure that the course content is consistent with the requirements of the plan, keep records of the training afterwards;
- Develop a drill plan in advance, explain the scenario of the exercise in the plan;
- The entire process of the drill shall have a detailed record and form a report;
- Complete a complete walkthrough with end user participation at least once a year.

7.5.3 Management of disaster recovery plans

The reviewed and approved disaster recovery plan shall be preserved and distributed according to the following principles:
- Be responsible by a dedicated person;
- Have multiple copies saved in different locations;
- Distribute to all personnel involved in disaster recovery;
- All copies are uniformly updated after each revision and a set is kept for review;
- The old version shall be destroyed in accordance with relevant regulations.

Appendix B (Informative) Framework of disaster recovery plan

B.1 Objectives and scope

Define the relevant terms and methodology in the disaster recovery plan and describe the objectives of disaster recovery, such as recovery time objectives (RTO) and recovery point objectives (RPO). Explain the action’s scope of the plan, which problems to solve, which problems not to solve.

B.2 Organization and responsibilities

Describe the composition of the disaster recovery organization, the responsibilities of each position, the list of people. The disaster recovery organization shall include an emergency response team, a disaster recovery team, and so on.

B.3 Contact and communication

List the contact forms for disaster recovery related personnel and organizations. It includes disaster recovery teams, operators, vendors, authorities, media, employee’s family members, and so on. Contact methods include landline, mobile, walkie-talkie, email, home address.

B.4 Emergency response process

B.4.1 Notice of event

Any person who discovers an information system related emergency or is about to happen, shall report the relevant personnel according to the predetermined process. The relevant personnel shall make preliminary judgment, notice, disposition.

B.4.2 Personnel evacuation

Provide designated assembly locations and alternative assembly locations, including the method to notice personnel evacuation, the organization and procedures of evacuation.

B.4.3 Assessment of damage

After an emergency occurs, the damage assessment personnel of the emergency response team shall determine the severity of the situation. The responsible person for disaster recovery convenes the appropriate ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.