5.2.4 Suitable written disaster preparedness and recovery plan(s), including at least one off-site backup of all preserved information
The repository shall have suitable written disaster preparedness and recovery plan(s), including at least one off-site backup of all preserved information together with an offsite copy of the recovery plan(s).
This is necessary in order to ensure that sufficient backup and recovery capabilities are in place to facilitate continuing preservation of and access to systems and their content with limited disruption of services.
Repository employs the codes of practice found in the ISO 27000 series of standards; disaster and recovery plans; information about and proof of at least one off-site copy of preserved information; service continuity plan; documentation linking roles with activities; local geological, geographical, or meteorological data or threat assessments. Repository maintains ISO 17799 certification.
The level of detail in a disaster plan, and the specific risks addressed need to be appropriate to the repository’s location and service expectations. Fire is an almost universal concern, but earthquakes may not require specific planning at all locations. The disaster plan must, however, deal with unspecified situations that would have specific consequences, such as lack of access to a building or widespread illness among critical staff. In the event of a disaster at the repository, the repository may want to contact local and/or national disaster recovery bodies for assistance. Repositories may also conduct a variety of disaster drills that may involve their parent organization or the community at large.
The threat of a natural disaster or other cataclysmic event is analyzed and described in the Natural Disaster section of Risk Management, Threats, and Mitigations. However, this is somewhat dated and will require a complete replacement based on more modern standards and the new architecture. Work has begun on this process, and it will be based on the agnostic Cloud Security Alliance (CSA) matrix for the areas identified. It will be re-pointed when complete.
The delineated roles and responsibilities have been documented in the Security section as well as the APTrust Staff section and section 3.2.1. This will be updated to the new environment.
See the APTrust Succession Policy, which outlines the plan for organizational failure. This is current.
As an actual response, an APTrust Disaster Recovery and Management plan covering incident management has been created. This is current and valid to DR.
AWS meets the 27001 ISO standards, which is more robust and expands on 27000. See AWS 27001 ISO certification.
Wasabi meets the 27001 ISO standards, which is more robust and expands on 27000.
“Wasabi is deployed in top tier data centers certified for SOC 2, ISO 27001 and PCI-DSS. Copies of SOC 2 or ISO 27001 reports for data centers can be obtained by requesting them.”
Refer to the APTrust Disaster Management Plan. Revisions have begun, with more detailed processes, including the creation of an incident management plan for all incidents. (Any loss of data is considered a ‘disaster.’) The latest version needs to be completed.