Survey Expectation
The purpose of the survey is to find out the current state of your DR-disaster recovery and not an expectation of a full DR solution.
As a UITRL person, we don't expect you to know everything. Most of the questions in the survey can be answered by your technical team members, your unit in-charge or manager, or your unit chief administrative officer for any BIA related questions. And if you come across any question that no one has the answer to, then "I don't know" might be a sufficient answer we'll accept.
UITRLs who are not in the IT role should work on this survey with someone in their department who would have a deeper knowledge about their department (such as the chief administrative officer); for example, they would know about daily business operations, knowledge about different program offerings within the unit, marketing, sales, etc. Most likely, they would know which systems are used for these programs. And if you still cannot find anyone in your department, I can help perform IT-focused BIA for your unit in a meeting(s) format to discover in scope critical IT Applications and Services. If your unit does not have any departmental IT staff and you receive IT services from ITCS or use centrally provided IT services and systems and/or RTL programs and services, then it is likely you won't have any critical IT systems and applications, and you may not need to participate. In this case, the survey will end after the first question.
In Scope example:
The policy focuses on IT Apps and IT Services that are developed in-house by your unit's IT person (or IT savvy person), along with any vendor-purchased software, website, or application that your unit's critical business function depends upon. Below are some examples.
A website that your unit uses to intake customers and process payments.
In-house developed database or vendor-purchased database system your unit's critical business function depends upon and cannot perform a regular business operation without it.
Out of Scope example:
If your unit relies solely on centrally provided IT services and systems and/or RTL programs and services
If your Unit receives IT services from ITCS
If your IT Service or Application is supported and managed by central IT or bIT, then you can ask bIT service providers for some of these questions. bIT teams should be able to answer questions related to your setup, such as; where my service is hosted, do I have a backup configured, and is it stored in the disaster recovery site (SDSC). However, they are not in the position to answer any high-level disaster recovery questions such as;
When and how long it will take to recover my service from a disaster.
Here is the link to the survey. Please use this link if you filling out the survey for one or two IT services or applications.
Here is the direct link to the multiple-entry survey sheet. Please use this link if you filling out the survey for several IT services or applications to avoid survey fatigue. The columns in red are mandatory.
In the survey, the questions we use for IS-12 information gathering are below.
Section 1 (To gather general information about your IT System, where it is hosted, who provides support, who are the primary users, etc)
Email Address (to capture who is filling out the survey)
1. Does your unit support or maintain a critical IT system that your unit depends on for it's daily operations? Or does your unit manage a vendor who does this for you?
The policy focuses on IT Apps and IT Services that are developed in-house by your unit's IT person (or IT savvy person), along with any vendor-purchased software, website, or application that your unit's critical business function depends upon. Below are some examples.
A website that your unit uses to intake customers and process payments.
In-house developed database or vendor-purchased database system your unit's critical business function depends upon and cannot perform a regular business operation without it.
The survey will END if you select No on question 1
2. System name (for example: Eye Care for the School of Optometry or eGrades for the School of Law)
3. What is the purpose or function of the system? (Provide the accurate name of your service so that it is easier to find, and the name should represent the accurate purpose of the service)
4. From below, select how long the system can be unavailable before significantly impacting your unit operations. (To help us guide impact with the time during an outage)
5. Where is the system hosted? (To find out the location it resides)
6. If known, what is the system's web address (URL)?
7. Are there any plans to eliminate or replace this system in the future? (To find out how long you plan to utilize)
8. What office or department is the primary user of the system if known? (To find out who uses these systems primarily)
9. Who is the main point of contact for the system in the office or department noted above?
10. What is the email address for the point of contact above?
11. What office or department is the primary technical support for the system, if known? (To find out who provides technical support)
12. Who is the main technical point of contact for the system in the office or department noted above? (To find out if there is a person or a team who supports this system)
13. What is the email address for the technical point of contact above.
14. UITRL - Unit IT Recovery Lead Contact Name
15. UITRL - Unit IT Recovery Lead Contact Email address
Section 2
16. How many total users across campus would be negatively affected if the system becomes unavailable? (To find out how many users will be impacted during an outage)
Section 3 (Questions in Section 3 help to find out if you have Recovery and Availability setup for your IT Systems)
17. If you have been onboarded to IS-3, what is the system's Availability Level under the UC IS-3 standard? (To find out if your unit has already gone through IS-3 process and its AL assignment for your IT System)
Section 4 (Questions in Section 4 help to find out if your unit has documented IT DR - IT Disaster Recovery plan and where it is located)
18. Does the unit or department have an existing documented IT Disaster Recovery (IT DR) plan for this system?
An IT Disaster Recovery plan (IT DR) is a formal document created by an organization that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks and any other disruptive events.
19. If Yes, what is the location of your documented IT DR plan?
20. How frequently do you test your IT DR plan? (To find out if you test your plan and if it will work during a disaster)
21. When was your IT DR plan document last updated?
22. Does everyone who has a role in your IT DR plan know how to access the plan document?
23. If your system has a recovery level of RL4 or RL5, have you implemented system resiliency? That is, will the system restart on it's own with little to no human intervention following an outage?
24. Has the Office of Emergency Management (OEM) assessed this system during their Business Impact Analysis (BIA) process? (To find out if the MTD-Maximum Tolarable downtime is already identified and help with assigning the RL-Recovery Level)
25. When was the system's Business Impact Analysis (BIA) last updated?
26. Is there anything else we should record about this system that we didn't ask you about?
Section 5 (Questions in this section help to find out if you have back in place for your IT System, it's location, and if it is secure)
27. Is the system backed up?
28. What type of backup?
29. How frequently is the system backed up? (check all that apply)
30. Where are backups stored? (check all that apply)
31. Have you tested your backups to confirm that they are recoverable?
32. How frequently do you test your backups to confirm that they are recoverable?
33. Have you confirmed that physical security is in place where your backups are stored?
34. What type of cyber-security measures are in place for the location where your backups are stored? (check all that apply)