Disaster Recovery/Business Continuity Roadmap Update
Disaster Recovery/Business Continuity Roadmap Update
Steven Lovaas, CISO, Colorado State University
Presented to Division of IT Senior Leadership Team, November 2024
Contents
Phase 1 (established, Summer 2024)
The primary capability gap identified for starting this roadmap was insufficient backup facilities to prevent significant loss from ransomware attacks. That gap has been addressed with the addition of ransomware-resistant cloud backups using Veeam and Azure for critical on-campus resources as well as Microsoft 365 information (from email, OneDrive, and SharePoint). Periodic scheduled restoration testing is practiced, assuring functionality of the backups.
Phase 2 (in progress with consultant, Winter 2024/2025)
A Business Impact Analysis (BIA) process is in development via engagement with Summit Security Group, planning establishment of the BIA capability beginning in January, 2025. The deliverable from this engagement will give CSU a regular process to follow in performing BIAs for any critical information system. The framework for this capability will be compared to a BIA that was performed during Spring 2024 by the Office of the Registrar for functions in the Banner student information system.
Phase 3 (pending, anticipating March 2025)
Model DR/BC plan to be developed based on recommended practices and templates provided by EDUCAUSE, supported by service level agreements for recovery operations. This model will be made available for use by system owners and prioritized for planning based on criticality of systems identified in BIA and risk assessment activities during FY25.
As an interim approach, DR and BC Planning is approached as a sequence of activities to be practiced as time allows:
- Do a BIA against three major enterprise systems.
- The BIA for Banner performed by the Registrar’s Office is the first instance of this for a single system; it will be consulted as a template.
- As Phase 2 completes (with the Summit Security Group), the delivered BIA methodology will be used for this step.
- Select the highest risk (by whatever metric is most salient until formalized).
- The metric for risk will be formalized in concert with the HALOCK engagement to develop a Duty of Care Risk Assessment methodology and initial risk register.
- Determine RTO and RPO for that system (a rough guess is fine for the first iteration)
- Schedule/test backup restore; assess performance against RTO, RPO, and staff time for restoration. Review the RTO and RPO expectations, revising if needed.
- Repeat with the next-highest-risk system from step #1.
Future work
DR/BC planning is an ongoing activity, which will involve continued testing and revision of plans as well as IT systems involved in backup and recovery. Notably, this will include periodic review of:
- Critical systems across the CSU System that currently do not participate in centralized backups.
- IT platforms involved in performing backup and recovery.
- The level of backup required based on the nature of the data.