Roles and Responsibilities

Activating the Unit IT Recovery Plan in consultation with the Risk Manager.

Reviewing and approving the Unit IT Recovery Plan. See also IV. 1.5.3.

Allocating sufficient funding to meet IT Recovery objectives.

Reviewing and approving exceptions before they are presented to the Risk Manager or CRE for approval.

The Unit Head must identify a role (e.g., UITRL, UISL, or other suitable role) that will collect Unit recovery team contact information and share it with the Location IT Recovery Lead and Risk Manager. 

Unit Heads have discretion in planning for and addressing IT Recovery needs for IT Resources and Institutional Information that support business processes and that are not identified in the Location BCP. 

Identifying and establishing procedures to achieve Unit compliance with Location implementation of the BCP. This task can be delegated.

Appointing one or more IT Recovery Leads for the Unit.

Assigning, or designating a delegate to assign, IT Recovery related training.

Assigning one or more Workforce Members to develop the Unit IT Recovery Plan.

Unit Heads that are Service Providers must plan for the IT Recovery needs of client Units, communicate clearly to client UITRLs concerning the response priority, and respond to supported client Units during disasters or disruptions.

IT Recovery Plan updates that result from testing or from the use of the IT Recovery Plan are made and presented for approval by the Unit Head within forty-five (45) calendar days of test completion or event/use.

UITRL must identify compensating controls when required by external obligations or situations involving IT Resources or Institutional Information classified at RL3 or above.

Unit IT Recovery Lead (UITRL) must maintain an inventory for the lifecycle of Institutional Information and IT Resources procured or managed by the Unit and classified at any Recovery Level.

UITRLs  must  assign in-scope  Institutional  Information  and  IT  Resources  Recovery  Level  Classifications.

UITRLs  must  ensure IT  Recovery  requirements  are  addressed  during  the design/specification of  in-scope information  processing  systems  and  throughout  the lifecycle  of  in-scope  IT  Resources  and  Institutional  Information. 

The UITRL  must  ensure the Unit  IT  Recovery  Plan is  developed  per  the requirements  in section VI  Procedures. 

The LITRL must  ensure the Location IT  Recovery  Plan is  developed  per  the requirements  in section VI  Procedures. 

LITRLs  and  UITRLs  must  review  or  update  their  respective IT  Recovery  Plan:

•  Annually;

•  When required  by  modifications  to the  Location BCP;  and 13  of  26

•  In response  to  major  changes  made  by  the Unit. 

LITRLs  and UITRLs  must  ensure their:

•  IT Recovery  Plans  are  stored in  the UC-approved centralized repository  or  a CRE-approved alternative for  storage location.

•  IT Recovery  Plan methods  of  access  are recorded with the  Location  Business Continuity  Planner.

•  IT Recovery  Plans  are  highly  available and accessible (e.g.,  redundant, geographically  dispersed,  etc.)  in the  event  of  a  major  disaster  or  adverse event.

•  IT Recovery  Plans  are  securely  stored. 

LITRLs  and UITRLs  must  ensure IT  Recovery  Plan testing:

•  Includes  a  method to inform  Location  stakeholders  of  planned testing  and  any impact  to operations.

•  Is performed at  least  annually  or  on a  Location schedule  approved by  the CRE.  

•  Reflects  mission risk  and includes  a mix  of:

•  Appropriately  scoped  tabletop exercises.

•  Live recovery  drills  that  include  fail-over  testing  and  fail-back  testing.

•  Includes  a representative set  of  IT  Resources  and  Institutional  Information.

•  Analyzes  the results  obtained  from  testing  the IT  Recovery  Plan and make required adjustments  based  on lessons  learned,  identified gaps,  or  errors.

•  Is tested according  to  a  schedule based  on risk  (e.g.,  Recovery  Level  and Availability  Level).

•  Produces  documented  test  results.

•  Includes  records  of  lessons  learned  and required changes.

•  Includes  the CRE  as  a  participant  at  least  once every  three (3)  years. 

LITRLs  and  UITRLs  must  anticipate adverse  events  when choosing the location  and  connection  of  their  respective  backups  (e.g.,  backup  stored  away from  physical  or  logical  area(s)  of  possible  loss).

• For RL3  and above,  a separate copy  of  Institutional  Information  and applications/tools  must  be  stored off-site  (i.e.,  not  another  location onsite).

•  For the  purposes  of  this  policy,  a live transactional/operational  copy  at the  Location is  not  considered  a backup  (i.e.,  a geographically  and logically  separated second copy  is  required). 

ITRLs/UITRLs  must  ensure the  isolation  and protection  of  their respective  backups  reflect  and  anticipate  modern  cyber  risks  (e.g., ransomware,  wipers,  sabotage). This  includes  the  protection  of:

•  Logical/virtual  backups.

•  Physical  backups  from  unauthorized access,  theft,  tampering,  or destruction. 

LITRLs  and  UITRLs  must  ensure backup and  tool  strategies  are tested independently  from  IT  Recovery  Plans. 

LITRLs  and UITRLs  must  ensure testing  of  IT  Recovery  related backups includes:

•  Retrieval  of  identified  backups;

•  Ensuring  the  MTD,  RPO,  and RTO  objectives  are  met;

•  Integrity  of  the  backup;  and

•  Recovery/restoring  the Institutional  Information and IT  Resources, including  having  emergency  access  to  secrets  (e.g.,  keys  and passphrases)  so  that  operations  can continue. 

LITRLs  and UITRLs  must  ensure  backup  media retrieval  planning  includes:

•  The specific  method to  retrieve off-site backup media in support  of  the RTO requirements.

•  Supplier  contact  information used  for  media  retrieval.

For  RL3  and above,  LITRLs  must  review  the results  from  testing  of  IT  Recovery related  backups  with  the CRE  at  least  annually. 

LITRL/UITRLs  must  plan for  and comply  with  IS-3  security requirements  in  the planning  and execution of  IT  Recovery.  This  includes ensuring  security  is  maintained during  a disaster  or  disruption. 

LITRLs/UITRLs  must  ensure  backups  are  protected using  IS-3 controls.   

LITRLs  and UITRLs  must  conduct  a  lessons-learned  review  after  a  major  event or  after  testing  of  the  IT  Recovery  Plan  and supporting  processes. 

LITRLs  and UITRLs  must  ensure  IT  Recovery  Plan updates  that  result  from testing  or  from  the  use  of  the IT  Recovery  Plan (e.g.,  lessons  learned)  are made  and  presented  for  approval  by  the  Unit  Head within  forty-five (45) calendar  days  of  test  completion  or  event/use. IT Recovery supporting processes must be updated as determined in the lessons learned review. 

LITRLs and UITRLs should update IT Recovery supporting processes as determined in the lessons learned review. 

Overseeing the development of assigned (Location or Unit) IT Recovery Plans in accordance with this policy.

Briefing Unit Heads on the progress of IT Recovery Planning.

Overseeing the testing of assigned IT Recovery Plans.

Ensuring IT Recovery Plan updates that result from testing or from use of the IT Recovery Plan (e.g., lessons learned) are made and presented for approval

by the Unit Head within forty-five (45) calendar days of test completion.

Ensuring an accurate inventory.

Overseeing the execution of the IT Recovery Plan.

• Monitoring IT Recovery reporting progress.

• Overseeing the restoration of normal operations.

• Reviewing the IT Recovery Plan and participating in updates.

• Briefing Unit Heads on the progress of IT Recovery.

• Performing post-event analysis (i.e., actual use of the IT Recovery) after terminating the declared IT Recovery operation and updating the IT Recovery Plan based on the lessons learned. 

At least annually and when major changes occur, reviewing the Unit’s deployed IT Resources and Institutional Information for changes and ensuring the IT Recovery Plan is up-to-date by requesting appropriate action to close any identified gaps. 

Ensuring proper storage, documentation, and access of IT Recovery Plans and sharing that information with the Location Business Continuity Planner.

Assigning Recovery Level (RL) Classification.

Reviewing and updating the IT Recovery Plan.

Ensuring protection of backups, including testing of backup and tool strategies.

Planning for and complying with IS-3 security related requirements.

Complying with requirements in this policy. 

Completing assigned training. 

Cooperating with Location emergency instructions.

Following business continuity procedures. 

Complying with Location procedures in support of this policy.

Exercising responsibility appropriate to their position and duties.

Completing required training.