Skip to product information
1 of 12

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GB/T 20988-2007 English PDF (GBT20988-2007)

GB/T 20988-2007 English PDF (GBT20988-2007)

Regular price $145.00 USD
Regular price Sale price $145.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GB/T 20988-2007 to get it for Purchase Approval, Bank TT...

GB/T 20988-2007: Information security technology -- Disaster recovery specifications for information systems

This standard specifies the basic requirements for the disaster recovery of information system. This standard applies to the planning, approval, implementation, management of disaster recovery of information system.
GB/T 20988-2007
NATIONAL STANDARD OF THE
PEOPLE REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Disaster recovery
specifications for information systems
ISSUED ON: JUNE 14, 2007
IMPLEMENTED ON: NOVEMBER 01, 2007
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of PRC;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Overview of disaster recovery ... 9
4.1 Work scope for disaster recovery ... 9
4.2 Organization of disaster recovery ... 10
4.3 Management of disaster recovery planning ... 11
4.4 External collaboration for disaster recovery ... 11
4.5 Audit and filing of disaster recovery ... 12
5 Determination of disaster recovery needs ... 12
5.1 Risk analysis ... 12
5.2 Business impact analysis ... 12
5.3 Determine disaster recovery objectives ... 13
6 Development of disaster recovery strategy ... 13
6.1 Elements for developing disaster recovery strategy ... 13
6.2 Method to obtain disaster recovery resources ... 14
6.3 Requirements for disaster recovery resources ... 16
7 Implementation of disaster recovery strategy ... 17
7.1 Implementation of technical solution for backup system for disaster recovery ... 17 7.2 Selection and construction of backup center for disaster recovery ... 18 7.3 Implementation of professional technical support capabilities ... 19 7.4 Implementation of operation, maintenance, management capabilities ... 19 7.5 Implementation of disaster recovery plan ... 20
Appendix A (Normative) Classification of disaster recovery capability grades 23 Appendix B (Informative) Framework of disaster recovery plan ... 29
Appendix C (Informative) Example of relationship between RTO/RPO and
disaster recovery capability grade in an industry ... 32
Information security technology - Disaster recovery
specifications for information systems
1 Scope
This standard specifies the basic requirements for the disaster recovery of information system.
This standard applies to the planning, approval, implementation, management of disaster recovery of information system.
2 Normative references
The provisions in following documents become the provisions of this Standard through reference in this Standard. For the dated references, the subsequent amendments (excluding corrections) or revisions do not apply to this Standard; however, parties who reach an agreement based on this Standard are
encouraged to study if the latest versions of these documents are applicable. For undated references, the latest edition of the referenced document applies. GB/T 5271.8 Information technology - Vocabulary - Part 8: security
GB/T 20984 Information security technology - Risk assessment specification for information security
3 Terms and definitions
The terms and definitions as established in GB/T 5271.8 as well as the following terms and definitions apply to this standard.
3.1
Backup center for disaster recovery
Alternate site
A site used to take over the primary system for data processing and support critical business functions (3.6) after a disaster, which can provide the backup system for disaster recovery (3.3), backup infrastructure and
technical support and operational maintenance management capabilities, or alternate living facilities in or around the site.
Data backup strategy
Backup steps and behaviors as determined to achieve data recovery and
rebuild objectives. Through determining the backup time, technology,
medium, off-site storage method, it guarantees achieving the recovery time objectives (3.18) and recovery point objectives (3.19).
3.8
Disaster
A sudden event which causes serious fault or paralysis of the information system and makes the business functions as supported by the information system suspend or the service grade be unacceptable and reach a specific time, due to human or natural causes. Generally, it will cause the information system to switch to the backup center for disaster recovery (3.1).
3.9
Disaster recovery
The activity and process as designed to restore an information system from a fault or paralysis state as caused by a disaster (3.8) to a normal operation state and to restore the business functions it supports from an abnormal state as caused by a disaster to an acceptable state.
3.10
Disaster recovery plan
A document that defines the tasks, actions, data, resources required for a disaster recovery of information system process. It is used to guide the relevant personnel to restore critical business functions supported by the information system within the scheduled disaster recovery objectives.
3.11
Disaster recovery planning
DRP
The pre-planning and arrangement as made to reduce the losses caused by disasters and to ensure the critical business functions (3.6) supported by the information system for timely recovery and continued operation after a disaster occurs.
3.12
Disaster recovery capability
Recovery time objective
RTO
The time required for an information system or business function from a standstill to the time it must be recovered after a disaster.
3.19
Recovery point objective
RPO
After a disaster, the requirements for the time point that the system and data must be recovered to.
3.20
Resumption
The process that the backup center for disaster recovery (3.1) replaces the primary center (3.15) and supports the re-operation of critical
business functions (3.6).
3.21
Return
Restoration
The process that the information system that supports the business
operation returns from the backup center for disaster recovery (3.1) back to the primary center (3.15).
4 Overview of disaster recovery
4.1 Work scope for disaster recovery
Disaster recovery of information system includes disaster recovery planning daily operations of the backup center for disaster recovery, recovery and resumption of critical business functions in the backup center for disaster recovery, post-disaster reconstruction and return work of primary system, emergency response after an incident occurs.
Among them, disaster recovery planning is a repeated process of continuous improvement, which includes the following stages:
4.2.2.2 Disaster recovery plan implementation team
The primary responsibility of the disaster recovery plan implementation team is: - Demand analysis for disaster recovery;
- Proposing disaster recovery strategies and grades;
- Implementation of disaster recovery strategy;
- Developing a disaster recovery plan;
- Organizing tests and drills for disaster recovery plans.
4.2.2.3 Disaster recovery daily operation team
The primary responsibility of the disaster recovery daily operation team is: - Assisting in the implementation of disaster recovery system;
- Daily management of the backup center for disaster recovery;
- Operation and maintenance of the backup system for disaster recovery; - Professional technical support for disaster recovery;
- Participating in and assisting to the education, training and drills of disaster recovery plans;
- Maintaining and managing disaster recovery plans;
- Loss control and damage assessment at the time of the emergency;
- Recovery of information systems and business functions after a disaster; - External collaboration after a disaster.
4.3 Management of disaster recovery planning
The organization shall assess the risks of the disaster recovery planning process, prepare the required resources, determine detailed tasks and
timelines, supervise and manage planning activities, track and report on the progress of task, conduct problem management and change management.
4.4 External collaboration for disaster recovery
The organization shall liaise and collaborate with relevant management, - Qualitative analysis: Use such methods as induction and deduction,
analysis and synthesis, abstraction and generalization, to assess the non- economic losses that an interruption of business function may bring to the organization, including organizational reputation, customer loyalty,
employee confidence, social and political influence, etc.
5.3 Determine disaster recovery objectives
Based on the results of risk analysis and business impact analysis, identify the disaster recovery objectives, including:
- Critical business functions and prioritization of recovery;
- Time range of disaster recovery, that is, the range of RTO and RPO.
6 Development of disaster recovery strategy
6.1 Elements for developing disaster recovery strategy
6.1.1 Resource elements for disaster recovery
The resources required to support disaster recovery at different grades (hereafter referred to as ?€?disaster recovery resources?€?) may be divided into the following seven elements:
- Data backup system: It generally consists of hardware, software and data backup media for data backup (hereinafter referred to as ?€?media?€?). If it is a data backup system that relies on electronic transmission, it also includes data backup lines and corresponding communication devices;
- Standby data processing system: It refers to backup computers, peripherals, software;
- Backup network system: The network used by the end user to access the backup data processing system, including the backup network
communication device and the backup data communication line;
- Standby infrastructure: The buildings, equipment, organizations which are required for disaster recovery and support the operation of the backup
system for disaster recovery, including off-site storage for media, spare equipment rooms, disaster recovery work aids, living facilities that allows disaster recovery personnel to stay continuously;
- Professional technical support capabilities: The capability to provide support and comprehensive assurance for the operation of the disaster
devices already in place with reciprocal agreements.
6.2.3 Backup network system
The backup network communication device may be obtained in the manner as described in 6.2.2; the backup data communication line may use its own data communication line or lease a public data communication line.
6.2.4 Backup infrastructure
It may select the following three methods to get the backup infrastructure: - Owned or operated by the organization;
- Obtained by multi-party construction or through reciprocal agreements; - Rent the infrastructure from a commercial disaster recovery center.
6.2.5 Professional technical support capability
It may select the following methods to obtain professional technical support capabilities:
- Set up full-time technical support staff in the backup center for disaster recovery;
- Sign technical support or service contract with the manufacturer;
- Served by the primary center?€?s technical support staff. However, for the critical business functions of the short-term RTO, it shall consider the technical support personnel?€?s failure to provide effective support due to the abnormality of traffic and communication at the time of the disaster.
6.2.6 Operation and maintenance management capabilities
It may select the following operation, maintenance, management mode of the disaster recovery center:
- Self-operation and maintenance;
- Entrust other agencies to operate and maintain.
6.2.7 Disaster recovery plan
It may select the following methods to establish, implement, manage the disaster recovery plans:
- Finished by the organization independently;
for the backup infrastructure, including:
- Requirements for the distance from the primary center;
- Requirements for site and environment (e.g., area, temperature, humidity, fire-proof, electricity, working hours, etc.);
- Requirements for operational maintenance and management.
6.3.5 Professional technical support capabilities
The organization shall, according to the disaster recovery objectives, based on the principle of cost-risk balance, determine the technical support requirements of the backup center for disaster recovery in terms of software, hardware, network, including the organizational structure of technical support, the quantity and quality of various technical support personnel.
6.3.6 Operation, maintenance, management capabilities
The organization shall, according to the disaster recovery objectives, based on the principle of cost-risk balance, determine the operation, maintenance, management requirements of the backup center for disaster recovery, including the organizational structure of operation, maintenance, management, the quantity and quality of personnel, the requirements of operation, maintenance, management system.
6.3.7 Disaster recovery plan
The organization shall, based on the results of the needs analysis, according to the principle of cost-risk balance, clarify the following aspects of the disaster recovery plan:
- Overall requirements;
- Requirements of development process;
- Requirements for education, training, drill;
- Management requirements.
7 Implementation of disaster recovery strategy
7.1 Implementation of technical solution for backup system for disaster recovery
7.1.1 Design of technical solutions
According to the disaster recovery strategy, develop the technical solution of the primary center from the same risks. The backup centers for disaster recovery include two types: city-wide and different locations, to avoid the disaster risks of different impact ranges.
The backup center for disaster recovery shall have the resources such as communication and power required for data backup and disaster recovery, as well as the traffic conditions for disaster recovery personnel and equipment to arrive.
The backup center for disaster recovery shall be reasonably laid out according to the principle of overall planning, resource sharing, combination of peacetime and warfare.
7.2.2 Requirements for infrastructure
When newly-building or selecting the infrastructure of a backup center for disaster recovery:
- The computer room shall meet the requirements of the relevant national standards;
- Work support facilities and living facilities shall meet the requirements of disaster recovery objectives.
7.3 Implementation of professional technical support
capabilities
The organization shall, according to the requirements of the disaster recovery strategy, acquire the professional technical support capabilities for the disaster backup system.
The backup center for disaster recovery shall establish a corresponding technical support organization, to regularly train technical support personnel. 7.4 Implementation of operation, maintenance, management
capabilities
In order to achieve disaster recovery objectives, the backup center for disaster recovery shall establish various operational procedures and management
systems, to ensure that:
- Timeliness and effectiveness of data backup;
- The backup data processing system and the backup network system are in overall tests. The entire process of testing shall have a detailed record and form a test report;
- Improvement: According to the results of review and test, correct the problems and defects as found in the preliminary review process and test process, to form an approval draft of the plan;
- Review and approval: The disaster recovery leadership team will review and approve the approval draft, determine it as the implementation draft of the plan.
7.5.2 Education, training, drills of disaster recovery plans
In order to familiarize relevant personnel with the objectives and processes of disaster recovery of information system and familiarize themselves with the operational procedures for disaster recovery, the organization shall organize the education, training, drills of the disaster recovery plan as follows: - It shall carry out advocacy and education on the concept of disaster
recovery in the early stages of disaster recovery planning;
- Pre-assess the training needs, including the frequency and scope of the training, develop and implement the corresponding training/educational
courses, ensure that the course content is consistent with the requirements of the plan, keep records of the training afterwards;
- Develop a drill plan in advance, explain the scenario of the exercise in the plan;
- The entire process of the drill shall have a detailed record and form a report; - Complete a complete walkthrough with end user participation at least once a year.
7.5.3 Management of disaster recovery plans
The reviewed and approved disaster recovery plan shall be preserved and distributed according to the following principles:
- Be responsible by a dedicated person;
- Have multiple copies saved in different locations;
- Distribute to all personnel involved in disaster recovery;
- All copies are uniformly updated after each revision and a set is kept for review;
- The old version shall be destroyed in accordance with relevant regulations. Appendix B
(Informative)
Framework of disaster recovery plan
B.1 Objectives and scope
Define the relevant terms and methodology in the disaster recovery plan and describe the objectives of disaster recovery, such as recovery time objectives (RTO) and recovery point objectives (RPO). Explain the action?€?s scope of the plan, which problems to solve, which problems not to solve.
B.2 Organization and responsibilities
Describe the composition of the disaster recovery organization, the
responsibilities of each position, the list of people. The disaster recovery organization shall include an emergency response team, a disaster recovery team, and so on.
B.3 Contact and communication
List the contact forms for disaster recovery related personnel and organizations. It includes disaster recovery teams, operators, vendors, authorities, media, employee?€?s family members, and so on. Contact methods include landline, mobile, walkie-talkie, email, home address.
B.4 Emergency response process
B.4.1 Notice of event
Any person who discovers an information system related emergency or is about to happen, shall report the relevant personnel according to the predetermined process. The relevant personnel shall make preliminary judgment, notice, disposition.
B.4.2 Personnel evacuation
Provide designated assembly locations and alternative assembly locations, including the method to notice personnel evacuation, the organization and procedures of evacuation.
B.4.3 Assessment of damage
After an emergency occurs, the damage assessment personnel of the
emergency response team shall determine the severity of the situation. The responsible person for disaster recovery convenes the appropriate

View full details