Last updated: 2023-03-30
The Fox and Geese Disaster Recovery Plan establishes procedures to recover Fox and Geese services following a disruption caused by a disaster. This Disaster Recovery Policy and Plan is maintained by the Fox and Geese DevOps Team.
The following objectives have been established for this plan:
This Disaster Recovery Plan has been developed as required under the Federal Information Security Modernization Act (FISMA) of 2014, the Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule, Section §164.308(a)(7), the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials, the Cybersecurity Maturity Model Certification (CMMC), and the General Data Protection Regulation (GDPR). These requirements establish the necessity for the creation and implementation of procedures for responding to events that damage systems containing electronic protected health information and ensuring the security and resilience of critical infrastructure.
The Disaster Recovery Plan is created in accordance with the guidelines established by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34 Rev. 1, titled "Contingency Planning Guide for Federal Information Systems" dated May 2010, and the NIST Cybersecurity Framework.
The Disaster Recovery Plan also complies with the following federal and departmental policies:
Example of the types of disasters that would initiate this plan are natural disasters, political disturbances, man-made disasters, external human threats, and internal malicious activities.
Fox and Geese defines two categories of systems from a disaster recovery perspective:
Critical Systems. These systems host application servers and database servers containing customer data, sensitive information, and other essential services. An interruption in the availability of these systems directly impacts our ability to provide services to our customers. Specific RTO and RPO should be established for each critical system. As a general guideline, critical systems have an RTO of 2 hours and an RPO of 1 hour.
Non-critical Systems. These are all systems not considered critical by definition above. While these systems may affect the performance and overall security of critical systems, they do not directly impact our ability to provide services to our customers. These systems are restored at a lower priority than critical systems. Specific RTO and RPO should also be established for each non-critical system. As a general guideline, non-critical systems have an RTO of 2 hours and an RPO of 6 hours.
This Disaster Recovery Policy and Plan is integrated with the Fox and Geese Business Continuity Plan to ensure a comprehensive approach to disaster recovery and business continuity, addressing the recovery of datacenter and contracted support services.
This Disaster Recovery Policy and Plan is reviewed and updated at least once every 12 months to ensure its continued effectiveness and alignment with the organization's evolving needs.
A clear communication plan is essential during a disaster to keep employees, partners, customers, and stakeholders informed about the situation and the steps being taken to restore services. The communication plan should include:
The Disaster Recovery Coordinator (DRC) is responsible for overseeing the communication plan and ensuring that all stakeholders are kept informed during a disaster.
A training and awareness program should be established to ensure that employees are aware of the disaster recovery procedures and their roles during a disaster. The program should include:
The DRC is responsible for overseeing the training and awareness program and ensuring that all employees are prepared to respond effectively during a disaster.
After each test or actual disaster recovery event, a process should be in place for documenting lessons learned and making necessary updates to the plan based on those lessons. This process includes:
The DRC is responsible for overseeing the lessons learned process and ensuring that the plan is updated as needed.
The disaster recovery plan should include procedures to ensure compliance with relevant regulations and legal requirements during a disaster. This includes:
The DRC is responsible for overseeing regulatory and legal compliance during a disaster.
The following order of succession ensures that decision-making authority for this Disaster Recovery Plan is uninterrupted. The designated Disaster Recovery Coordinator (DRC) is responsible for ensuring the safety of personnel and the execution of procedures documented within this Disaster Recovery Plan. The Chief Technology Officer (CTO) typically serves as the DRC; however, if the CTO is unable to function as the overall authority or chooses to delegate this responsibility to a successor, the CEO or COO shall function as the DRC. To provide contact initiation should the contingency plan need to be initiated, please use the prioritized contact list below.
The following teams have been developed and trained to respond to a contingency event affecting the IT system.
Members of the Ops and Web Services teams must maintain local copies of the contact information from the documented line of succession. Additionally, the DRC must maintain a local copy of this policy in the event Internet access is not available during a disaster scenario.
The DRC shall establish criteria for validation/testing of a Disaster Recovery Plan, an annual test schedule, and ensure implementation of the test. This process will also serve as training for personnel involved in the plan's execution. At a minimum, the Disaster Recovery Plan shall be tested annually (within 365 days). The types of validation/testing exercises include tabletop and technical testing. Disaster Recovery Plans for all application systems must be tested at a minimum using the tabletop testing process. However, if the application system Disaster Recovery Plan is included in the technical testing of their respective support systems, that technical test will satisfy the annual requirement.
Tabletop Testing is conducted in accordance with the CMS Risk Management Handbook, Version 1.2 January 28, 2019. The primary objective of the tabletop test is to ensure designated personnel are knowledgeable and capable of performing the notification/activation requirements and procedures as outlined in the Disaster Recovery Plan, in a timely manner. The exercises include, but are not limited to:
The primary objective of the technical test is to ensure the communication processes and data storage and recovery processes can function at an alternate site to perform the functions and capabilities of the system within the designated requirements. Technical testing shall include, but is not limited to:
The Disaster Recovery Plan is tested at least once every 12 months, addressing datacenter recovery and contracted support services. This annual testing requirement is satisfied through the Tabletop and Technical Testing exercises mentioned above.
This section provides more detailed procedures for recovering the application at an alternate site, addressing datacenter recovery, and contracted support services. These procedures are designed to ensure the quick and efficient restoration of Fox and Geese services after a disaster.
Please provide specific technical details on the architecture, systems, and requirements for Fox and Geese services to ensure the accuracy of the procedures outlined below.
The Notification and Activation phase remains the same as previously described.
This section provides more detailed procedures for recovering the Fox and Geese infrastructure at the alternate site. Each procedure should be executed in the sequence it is presented to maintain efficient operations.
Contact affected Partners and Customers - Web Services Team
Assess damage to the environment - Web Services Team
Establish a Recovery Team - DRC
Set up the alternate site - DevOps Team
Begin rebuilding the environment using AWS CloudFormation templates and other AWS-specific tools - DevOps Team
Restore databases and data - DevOps Team
Implement security measures - DevOps Team
Test the new environment - Web Services Team
Deploy the environment to production - Web Services Team
Update DNS to the new environment - DevOps Team
Communicate the recovery status - DRC
This section discusses activities necessary for restoring Fox and Geese operations at the original or new site. The goal is to restore full operations within 24 hours of a disaster or outage. When the hosted data center at the original or new site has been restored, Fox and Geese operations at the alternate site may be transitioned back. The goal is to provide a seamless transition of operations from the alternate site to the computer center.
Original or New Site Restoration - DevOps and Web Services Teams
Switching back to the original or new site - DevOps Team
Plan Deactivation - DRC