Governments provide many essential services to their citizens. The disruption of these services following a disaster could result in significant harm or inconvenience to those whom a government serves. State and local governments have a duty to ensure that disruptions in the provision of essential services are minimized following a disaster. The public sector, like the private sector, relies heavily upon computers and other advanced technologies to conduct its operations. Therefore, disaster recovery planning, to be effective, must specifically address policies and procedures for minimizing the disruption of government operations if computers or other advanced technologies are disabled following a disaster. Often such disasters will have effects ranging for an extended period, making recovery and business continuity planning interrelated.
GFOA recommends that every government formally establish written policies and procedures for minimizing disruptions resulting from failures or inaccessibility of computers and other advanced technologies following a disaster. These written policies and procedures should be reviewed and thoroughly tested, including, at a minimum by use of simulations or the like (i.e. table-top exercises), annually and updated after the annual testing, where warranted.
At a minimum, a government’s policies and procedures for computer disaster recovery should do the following:
- Formally assign disaster recovery coordinators for each agency or department to form a disaster recovery team reporting to a single disaster recovery manager. The responsibilities of team members should be defined and contact information for them maintained (as discussed in the next bullet). The government should also establish procedures for assembling and communicating with the team in the event of a disaster.
- Require the creation of a disaster contact log and frequently review (such as monthly) the log updating contact information to include names, titles, work and personal phone numbers and email addresses, for (1) all team members (as discussed in the prior bullet) (2) contact information for key vendors, (3) other internal and external contacts related to disaster recovery, and (4) the inclusion of policies and procedures for minimizing disruptions discussed above (5) in addition to names of individual incumbents, job titles should be included on the contact lists, to be used in the event the individual named is no longer in that position.
- Require the creation and preservation of back-up data including application software. The back-up data must be reliable, effective, storable, and usable. A government’s procedures in this regard should cover the regular and timely back-up of computer data with proper documentation. All back-up data planning should include protection from corruption or infection of backups by use of separate authentication and connections for this data. For data that is backed up on cloud servers, governments should include procedures to ensure that the cloud servers are in a secure location and protected by appropriate disaster planning. If data is not being backed up to a cloud server, the government’s procedures should include the transportation and storage of back-up data off site with proper documentation. The storage location(s) of back-up data should be physically distant enough from the government’s locus of operations that a regional disaster will not render them inaccessible or unusable. The government should also ensure the security of back-up data in the cloud server and during the transport to the off-site facility, including encryption of data sent electronically to a back-up location, and during storage off site.
- Make advanced provisions through a contract for alternative data processing following a disaster. A government should enter a contract for the alternative data processing so that in the event of a disaster, the government has the ability to process data. It is essential that the government carefully monitors software upgrades to ensure that any such alternative processing site remains capable of processing the government’s data. A government should also establish processing priorities should the use of the alternative processing site become necessary. In addition, in situations qualifying for federal emergency assistance, it is essential that the government be capable of providing information to the federal government in the format mandated by the Federal Emergency Management Agency.
- For asset control and insurance purposes, governments should have an up-to-date inventory of technology assets at facilities, including periodic photos of the assets. If a government has warning of a potential disaster (such as a major storm) and adequate time, the currency of such records should be verified and updated if necessary.
- Provide detailed instructions for restoring files.
- Establish guidelines for the immediate aftermath of a disaster. Specifically, the government’s computer disaster recovery plan should provide guidelines for declaring a disaster, for issuing press releases and dealing with the media, for recovering communications networks, and for assessing damage:
- A copy of the government’s formal computer disaster recovery policies and procedures should be disseminated to key employees and available on the employee portal or intra-net site. Hard copies of the plan should be kept off site and on a remote cloud server to which all relevant staff members have access to ensure its availability in the event of a disaster;
- Employees should receive training on, and participate in regular testing of, these policies and procedures;
- Every government should annually test its computer disaster recovery plan, including communication within the disaster recovery team, and take immediate action to remedy deficiencies identified by that testing. It is essential that such testing encompass the restoration and the processing of the government’s data. A government’s testing protocols should ensure that all phases of processing can be completed for a given transaction; and
- A government that hires a third party to perform some or all of these disaster recovery planning and execution duties should satisfy itself concerning the adequacy of the third party’s own controls and disaster recovery plans for outsourced services, including a requirement that a copy of the vendor’s plan be made available to the government. The third-party vendor should also be required to submit its Service Organization Control (SOC) Type 2 report to the government on an annual basis.
- Governments should consider purchasing cybersecurity insurance. A cyberattack can be costly for a government. The government will incur labor costs to restore data, and possibly pay a ransom to have the data restored. During the down time, a government may not be able to collect receipts or make payments. A cybersecurity policy may help defray some of the costs of the cyberattack.
1. A SOC Type 2 report includes results of tests of controls conducted by an independent auditor, whereas no testing is reported in a Type 1 SOC report.
- Board approval date: Friday, October 1, 2021