Roles and Responsibilities
Unit Head duties and responsibilities
Activating the Unit IT Recovery Plan in consultation with the Risk Manager.
Reviewing and approving the Unit IT Recovery Plan. See also IV. 1.5.3.
Allocating sufficient funding to meet IT Recovery objectives.
Reviewing and approving exceptions before they are presented to the Risk Manager or CRE for approval.
The Unit Head must identify a role (e.g., UITRL, UISL, or other suitable role) that will collect Unit recovery team contact information and share it with the Location IT Recovery Lead and Risk Manager.
Unit Heads have discretion in planning for and addressing IT Recovery needs for IT Resources and Institutional Information that support business processes and that are not identified in the Location BCP.
Identifying and establishing procedures to achieve Unit compliance with Location implementation of the BCP. This task can be delegated.
Appointing one or more IT Recovery Leads for the Unit.
Assigning, or designating a delegate to assign, IT Recovery related training.
Assigning one or more Workforce Members to develop the Unit IT Recovery Plan.
Unit Heads that are Service Providers must plan for the IT Recovery needs of client Units, communicate clearly to client UITRLs concerning the response priority, and respond to supported client Units during disasters or disruptions.
IT Recovery Plan updates that result from testing or from the use of the IT Recovery Plan are made and presented for approval by the Unit Head within forty-five (45) calendar days of test completion or event/use.
Unit IT Recovery Lead (UITRL) roles and responsibilities
UITRL must identify compensating controls when required by external obligations or situations involving IT Resources or Institutional Information classified at RL3 or above.
Unit IT Recovery Lead (UITRL) must maintain an inventory for the lifecycle of Institutional Information and IT Resources procured or managed by the Unit and classified at any Recovery Level.
UITRLs must assign in-scope Institutional Information and IT Resources Recovery Level Classifications.
UITRLs must ensure IT Recovery requirements are addressed during the design/specification of in-scope information processing systems and throughout the lifecycle of in-scope IT Resources and Institutional Information.
The UITRL must ensure the Unit IT Recovery Plan is developed per the requirements in section VI Procedures.
The LITRL must ensure the Location IT Recovery Plan is developed per the requirements in section VI Procedures.
LITRLs and UITRLs must review or update their respective IT Recovery Plan:
• Annually;
• When required by modifications to the Location BCP; and 13 of 26
• In response to major changes made by the Unit.
LITRLs and UITRLs must ensure their:
• IT Recovery Plans are stored in the UC-approved centralized repository or a CRE-approved alternative for storage location.
• IT Recovery Plan methods of access are recorded with the Location Business Continuity Planner.
• IT Recovery Plans are highly available and accessible (e.g., redundant, geographically dispersed, etc.) in the event of a major disaster or adverse event.
• IT Recovery Plans are securely stored.
LITRLs and UITRLs must ensure IT Recovery Plan testing:
• Includes a method to inform Location stakeholders of planned testing and any impact to operations.
• Is performed at least annually or on a Location schedule approved by the CRE.
• Reflects mission risk and includes a mix of:
• Appropriately scoped tabletop exercises.
• Live recovery drills that include fail-over testing and fail-back testing.
• Includes a representative set of IT Resources and Institutional Information.
• Analyzes the results obtained from testing the IT Recovery Plan and make required adjustments based on lessons learned, identified gaps, or errors.
• Is tested according to a schedule based on risk (e.g., Recovery Level and Availability Level).
• Produces documented test results.
• Includes records of lessons learned and required changes.
• Includes the CRE as a participant at least once every three (3) years.
LITRLs and UITRLs must anticipate adverse events when choosing the location and connection of their respective backups (e.g., backup stored away from physical or logical area(s) of possible loss).
• For RL3 and above, a separate copy of Institutional Information and applications/tools must be stored off-site (i.e., not another location onsite).
• For the purposes of this policy, a live transactional/operational copy at the Location is not considered a backup (i.e., a geographically and logically separated second copy is required).
ITRLs/UITRLs must ensure the isolation and protection of their respective backups reflect and anticipate modern cyber risks (e.g., ransomware, wipers, sabotage). This includes the protection of:
• Logical/virtual backups.
• Physical backups from unauthorized access, theft, tampering, or destruction.
LITRLs and UITRLs must ensure backup and tool strategies are tested independently from IT Recovery Plans.
LITRLs and UITRLs must ensure testing of IT Recovery related backups includes:
• Retrieval of identified backups;
• Ensuring the MTD, RPO, and RTO objectives are met;
• Integrity of the backup; and
• Recovery/restoring the Institutional Information and IT Resources, including having emergency access to secrets (e.g., keys and passphrases) so that operations can continue.
LITRLs and UITRLs must ensure backup media retrieval planning includes:
• The specific method to retrieve off-site backup media in support of the RTO requirements.
• Supplier contact information used for media retrieval.
For RL3 and above, LITRLs must review the results from testing of IT Recovery related backups with the CRE at least annually.
LITRL/UITRLs must plan for and comply with IS-3 security requirements in the planning and execution of IT Recovery. This includes ensuring security is maintained during a disaster or disruption.
LITRLs/UITRLs must ensure backups are protected using IS-3 controls.
LITRLs and UITRLs must conduct a lessons-learned review after a major event or after testing of the IT Recovery Plan and supporting processes.
LITRLs and UITRLs must ensure IT Recovery Plan updates that result from testing or from the use of the IT Recovery Plan (e.g., lessons learned) are made and presented for approval by the Unit Head within forty-five (45) calendar days of test completion or event/use. IT Recovery supporting processes must be updated as determined in the lessons learned review.
LITRLs and UITRLs should update IT Recovery supporting processes as determined in the lessons learned review.
Overseeing the development of assigned (Location or Unit) IT Recovery Plans in accordance with this policy.
Briefing Unit Heads on the progress of IT Recovery Planning.
Overseeing the testing of assigned IT Recovery Plans.
Ensuring IT Recovery Plan updates that result from testing or from use of the IT Recovery Plan (e.g., lessons learned) are made and presented for approval
by the Unit Head within forty-five (45) calendar days of test completion.
Ensuring an accurate inventory.
Overseeing the execution of the IT Recovery Plan.
• Monitoring IT Recovery reporting progress.
• Overseeing the restoration of normal operations.
• Reviewing the IT Recovery Plan and participating in updates.
• Briefing Unit Heads on the progress of IT Recovery.
• Performing post-event analysis (i.e., actual use of the IT Recovery) after terminating the declared IT Recovery operation and updating the IT Recovery Plan based on the lessons learned.
At least annually and when major changes occur, reviewing the Unit’s deployed IT Resources and Institutional Information for changes and ensuring the IT Recovery Plan is up-to-date by requesting appropriate action to close any identified gaps.
Ensuring proper storage, documentation, and access of IT Recovery Plans and sharing that information with the Location Business Continuity Planner.
Assigning Recovery Level (RL) Classification.
Reviewing and updating the IT Recovery Plan.
Ensuring protection of backups, including testing of backup and tool strategies.
Planning for and complying with IS-3 security related requirements.
Complying with requirements in this policy.
Completing assigned training.
Workforce Member roles and duties
Cooperating with Location emergency instructions.
Following business continuity procedures.
Complying with Location procedures in support of this policy.
Exercising responsibility appropriate to their position and duties.
Completing required training.
Questions? = itdrhelp@berkeley.edu