From 36d7311df1bb579d1c7721081f2e45a4e90d7fed Mon Sep 17 00:00:00 2001 From: louzoid-gds <31240444+louzoid-gds@users.noreply.github.com> Date: Wed, 29 May 2024 13:34:40 +0100 Subject: [PATCH 1/3] Update DR page Updated old IA references. Note that issue #846 remains open --- source/standards/disaster-recovery.html.md.erb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source/standards/disaster-recovery.html.md.erb b/source/standards/disaster-recovery.html.md.erb index da6503fd..c638b370 100644 --- a/source/standards/disaster-recovery.html.md.erb +++ b/source/standards/disaster-recovery.html.md.erb @@ -1,6 +1,6 @@ --- title: Disaster Recovery -last_reviewed_on: 2023-11-02 +last_reviewed_on: 2024-05-29 review_in: 6 months --- @@ -25,7 +25,7 @@ Disaster recovery planning is the process of identifying the kinds of events tha ### Understand risks and threats to your service -You should work with the [Information Assurance (IA)](https://sites.google.com/a/digital.cabinet-office.gov.uk/gds/gds-operations/information-services/information-assurance) and [Cyber Security](https://sites.google.com/cabinetoffice.gov.uk/cybersecurity/home) teams to understand the risks to your service. This will help you build a more resilient and secure digital service. +You should work with the [Information Security](https://sites.google.com/a/digital.cabinet-office.gov.uk/gds/directorates-and-groups/cto-and-ciso-office/information-security) and [Cyber Security](https://sites.google.com/cabinetoffice.gov.uk/cybersecurity/home) teams to understand the risks to your service. This will help you build a more resilient and secure digital service. You should also work with risk and service owners to plan for the worst-case scenarios. This is particularly important for your data, as loss or theft of data is disastrous for most services. @@ -40,7 +40,7 @@ build pipelines #### Disaster planning workshops -You might find it useful to run a disaster planning workshop to help identify the risks to your service. This should involve important service stakeholders, Information Assurance and Cyber Security colleagues, as well as product and technical members of your delivery team. The more involvement you have from different disciplines the more likely you will be to identify all the risks and understand them. +You might find it useful to run a disaster planning workshop to help identify the risks to your service. This should involve important service stakeholders, Information Security and Cyber Security colleagues, as well as product and technical members of your delivery team. The more involvement you have from different disciplines the more likely you will be to identify all the risks and understand them. You should use a whiteboard or an online alternative for the workshop. Start with a technical architecture diagram of your service to help visualise dependencies and important assets, such as data stores. Then, either individually or in small groups, identify as many disaster scenarios as possible, raising sticky notes on the diagram for each one. @@ -63,7 +63,7 @@ Offline backups also help protect your data from accidental deletion. For exampl ### Decide where to store your backups -Where you are storing your backups is also important for disaster recovery. Most cloud storage solutions have durability guarantees. However, an outage could occur in the region containing your live service and backups. If your service has very high availability requirements, you may need copies of your data in a different region, or with a different service provider. Your conversations with IA and service owners can help you determine your risk tolerance for these hopefully rare scenarios. +Where you are storing your backups is also important for disaster recovery. Most cloud storage solutions have durability guarantees. However, an outage could occur in the region containing your live service and backups. If your service has very high availability requirements, you may need copies of your data in a different region, or with a different service provider. Your conversations with Information Security and service owners can help you determine your risk tolerance for these hopefully rare scenarios. The National Cyber Security Centre (NCSC) article [Offline backups in an online world](https://www.ncsc.gov.uk/blog-post/offline-backups-in-an-online-world) further explains why offline backups are important and suggests some approaches to use in a cloud environment. From 1eb87a43ae563913784cecaa5d6144f2fb189ffc Mon Sep 17 00:00:00 2001 From: louzoid-gds <31240444+louzoid-gds@users.noreply.github.com> Date: Wed, 29 May 2024 13:36:16 +0100 Subject: [PATCH 2/3] Bump licensing review date Guidance still looks relevant --- source/manuals/licensing.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/manuals/licensing.html.md.erb b/source/manuals/licensing.html.md.erb index 611350cb..643dce10 100644 --- a/source/manuals/licensing.html.md.erb +++ b/source/manuals/licensing.html.md.erb @@ -1,6 +1,6 @@ --- title: Licensing -last_reviewed_on: 2023-10-31 +last_reviewed_on: 2024-05-29 review_in: 6 months --- From 26127d03cf89df9659c9af0ed6772bd216c04375 Mon Sep 17 00:00:00 2001 From: louzoid-gds <31240444+louzoid-gds@users.noreply.github.com> Date: Tue, 9 Jul 2024 08:41:27 +0100 Subject: [PATCH 3/3] Update DR page Resolved conflicts. Fixed a mention of IA --- source/standards/disaster-recovery.html.md.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source/standards/disaster-recovery.html.md.erb b/source/standards/disaster-recovery.html.md.erb index c638b370..6812209e 100644 --- a/source/standards/disaster-recovery.html.md.erb +++ b/source/standards/disaster-recovery.html.md.erb @@ -1,6 +1,6 @@ --- title: Disaster Recovery -last_reviewed_on: 2024-05-29 +last_reviewed_on: 2024-07-09 review_in: 6 months --- @@ -40,7 +40,7 @@ build pipelines #### Disaster planning workshops -You might find it useful to run a disaster planning workshop to help identify the risks to your service. This should involve important service stakeholders, Information Security and Cyber Security colleagues, as well as product and technical members of your delivery team. The more involvement you have from different disciplines the more likely you will be to identify all the risks and understand them. +You might find it useful to run a disaster planning workshop to help identify the risks to your service. This should involve important service stakeholders, Information Security and/or Cyber Security colleagues, as well as product and technical members of your delivery team. The more involvement you have from different disciplines the more likely you will be to identify all the risks and understand them. You should use a whiteboard or an online alternative for the workshop. Start with a technical architecture diagram of your service to help visualise dependencies and important assets, such as data stores. Then, either individually or in small groups, identify as many disaster scenarios as possible, raising sticky notes on the diagram for each one. @@ -85,7 +85,7 @@ Make sure you discuss and agree your RPOs and RTOs with risk and service owners. Disasters rarely happen, meaning that your disaster recovery plans are likely to become ineffective unless you test them regularly. -You must regularly test that you can restore data from your live and offline backups. You must test the procedure for restoring an offline backup so team members are familiar with the procedure for accessing and using the backup. +You must regularly test that you can restore data from your live and offline backups. You must test the procedure for restoring an offline backup so team members are familiar with the procedure for accessing and using the backup. It also serves as useful reassurance that backups are functioning correctly. You must regularly test your manual or automatic recovery processes so that you are confident they will work in an emergency situation. This also helps team members build familiarity with the relevant procedures.