Beyond Backups: Lessons Learned From Disaster Planning for a Digital Archive
Lance Stuchell
2010 SAA Preservation Section Meeting

Overview
- This slideshow was originally presented at the 2010 SAA Preservation Section on Friday, August 13th, 2010 (some slides have been added for clarity).
- This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

Disaster Planning Case Study
- Overview of ICPSR
  - Campus of the University of Michigan
  - An archive of digital social science research data
  - Preserves over 500,000 files of research data
- Disaster planning process formalized in 2007
  - Gained new urgency after 2008 power outage
- Lessons learned
  - The disaster planning process
  - Incorporating digital asset protection

"By failing to prepare you are preparing to fail." -Benjamin Franklin
“What Could Happen” Approach
(Drawings by Rebecca Goldman)

Core Functions Approach
- Identify core functions of organization
  - Safety of employees and guests
  - Basic financial procedures (payroll)
  - Access to collections
  - Preservation of digital assets
- Determine allowable downtime
  - Risk management does play a role
- Identify other planning mandates

Benefits of Functions Approach
- Helps frame entire disaster planning process
  - Identifies and prioritizes functions of organization
- Allocation of resources
  - Resources can be used to protect and recover most important functions
  - Prioritize and allocate time and funding
- Helps define and identify disasters
  - Events that threaten core functions are “disasters”
  - Less likely to miss the “small” events

Core Functions at ICPSR
[Table: Initial Core Function Identification and Allowable Downtime]

Core Functions at ICPSR
- Web access identified as vital core function
  - Allowable downtime is minimal
- Led to development of webserver backup
  - Server is backed up in the cloud
  - Switches over in event of a primary outage
  - Facilitates continuity of web delivered content
- Resources allocated to recover this function

Access During a Disaster: 2008 Power Outage (before backup)
[Diagram: OAIS Function Model; label: Power Outage]

Access During a Disaster: 2009 Power Outage (after backup)
[Diagram: OAIS Function Model; labels: Power Outage, Amazon Cloud, Access, DIP]

Planning Components
“Ultimately, an organization would use a suite of plans to properly prepare response, recovery, and continuity activities for disruptions affecting the organization’s IT systems, business processes, and the facility.”
From NIST Contingency Planning Guide for Information Technology Systems, pg. 7.

Advantages of the Planning Suite
- Implementation at appropriate levels
  - Administration approves and guides overall policy
  - Finance manages emergency funds or agreements
  - IT handles technical recovery plans
- Improves the updating process
  - By the people who have ownership of the process
  - Can be scheduled at different times
- Plans are shareable and modular

First Steps at ICPSR
- Crisis Communication Plan
- Disaster Training Plan
- Disaster Planning Policy

First Steps at ICPSR
- Initial policies and plans guided process
- Disaster Planning Policy
  - Created standing disaster planning committee
  - Identified stakeholders and subordinate plans
- Disaster Training Plan
  - Identified process for promulgating awareness
- Crisis Communication Plan
  - Identified communication process which will be utilized during and after a disaster

Research for Guidance
- Archive and library community
  - Guidance and importance of managed backups
  - Stresses continued access and public services
- Government and educational communities
  - Digital content as organizational assets
  - Guidance on the incorporation of IT
  - Sharing results, high-level policies and procedures
- Private and for-profit sector
  - Often based on legal requirements
  - Very difficult to find details and examples

Planning Components
- Crisis Communication Plan
- Business Continuity Plan (BCP)
- Business Recovery Plan (BRP)
- Cyber Incident Response Plan
- Continuity of Operations Plan (COOP)
- Disaster Recovery Plan (DRP)
- Occupant Emergency Plan (OEP)
- IT Contingency Plan
From NIST Contingency Planning Guide for Information Technology Systems, pg. 10.

Digital Centered Components
- Crisis Communication Plan
- Business Continuity Plan (BCP)
- Business Recovery Plan (BRP)
- Cyber Incident Response Plan
- Continuity of Operations Plan (COOP)
- Disaster Recovery Plan (DRP)
- Occupant Emergency Plan (OEP)
- IT Contingency Plan
From NIST Contingency Planning Guide for Information Technology Systems, pg. 10.

Plans for Digital Assets
- IT Contingency Plan
  - Provide procedures and capabilities for recovering a major application or general support system
  - Addresses IT interruptions
  - At ICPSR: CNS (IT) is currently documenting and sharing specific system recovery procedures
  - At ICPSR: Many plans already existed, but needed further documentation and sharing
From NIST Contingency Planning Guide for Information Technology Systems, pg. 10.

Plans for Digital Assets
- Cyber Incident Response Plan
  - Provide strategies to detect, respond to, and limit consequences of malicious cyber incident
  - Focuses on information security responses to incidents affecting systems and/or networks
  - At ICPSR: Existing plan incorporated into suite
From NIST Contingency Planning Guide for Information Technology Systems, pg. 10.

Plans for Digital Assets
- Disaster Recovery Plan (DRP)
  - Provide detailed procedures to facilitate recovery of capabilities at an alternate site
  - Limited to major disruptions with long-term effects
  - At ICPSR: Web Continuity Plan (cloud backup)
  - At ICPSR: Archival backups stored at different locations and documenting recovery procedures
From NIST Contingency Planning Guide for Information Technology Systems, pg. 10.

Implementation and Maintenance
- Standing Disaster Planning Committee
  - Headed by Assistant Director for Administration
- Web Continuity Plan
  - Tested in controlled environment several times
  - Provided access to content during 1 power outage in May 2009
- To Do List
  - Have a tabletop exercise centered around IT assets
  - Get a better hold of in-house digital assets

Promulgate Results
From http://www.icpsr.umich.edu/icpsrweb/ICPSR/curation/disaster/index.jsp

Takeaways
- Disaster Planning Process
  - Core functions provide framework for process
  - Disaster plan is composed of a suite of plans, procedures, and policies
- Planning for digital assets
  - Some plans are suited to cover digital content
  - Recommend using NIST Guide for guidance
  - Archive community needs more accessible guidance on planning for digital asset protection