Disaster Planning Policy Framework

Purpose

ICPSR recognizes that effective disaster planning is essential for ensuring the safety of our staff and the sustainability of our digital content and services. We also recognize that disaster preparedness is a primary responsibility of ICPSR's role as a trusted digital repository. This policy framework specifies the components of the disaster planning program at ICPSR with reference to relevant policy and planning documents. The disaster planning program as documented in this framework reflects our commitment to provide leadership in social sciences research and data science as expressed in our Mission Statement and contributes to the sustainability of our digital preservation program as defined in our Digital Preservation Policy Framework. The framework is intended to communicate the components of the disaster planning program at ICPSR to staff, members, depositors, funders, and users, and to facilitate the promulgation of disaster preparedness at ICPSR.

Mandate

The disaster planning program at ICPSR complies with the regulations, policies, procedures, and practice stipulated by the Institute for Social Research (ISR) and the University of Michigan, and prevailing standards and practice in the broader community. The disaster planning program:

Scope

As a center within ISR at the University of Michigan in the City of Ann Arbor, disaster planning and response at ICPSR occurs at several levels, depending on the nature of an emergency (e.g., does the emergency affect the portion of Ann Arbor in which ICPSR is located, some of all of the University's units, some or all of ISR, or only ICPSR?). Therefore, many business continuity and disaster response elements are coordinated by the City of Ann Arbor and its services, the University, or ISR. ICPSR has two core disaster planning responsibilities: to comply with and promulgate existing University and ISR disaster planning procedures and business continuity requirements and to develop and maintain a disaster planning program that fully integrates the repository's digital assets.

Roles and Responsibilities

In accepting its responsibility for the safety of staff and protection physical and digital assets, ICPSR has established a standing disaster planning committee to monitor and maintain the disaster planning program and a disaster response team that will be activated in response to an emergency. Administration and Computer Network Services (CNS) diagnose the nature of an emergency and convene members of the disaster response team, as needed. The roles and responsibilities of the members of each group have been defined and will be updated with changes in staffing. These groups coordinate with disaster planning and business continuity entities at the ISR and the University and inform the ICPSR Council about the status of disaster planning.

Critical Data Backup

ICPSR has a comprehensive program for backing up critical data. The Web Continuity Plan documents the steps ICPSR has taken to ensure that collection delivery services continue during an emergency. Disaster Planning for Digital Preservation at ICPSR documents the backup plan for the archival storage component of the digital preservation program, including archival storage partners who help to ensure distributed, redundant storage for ICPSR. The Storage Plan for ICPSR documents the backup arrangements for digital content in place for other phases of the lifecycle. ICPSR has completed and will regularly update institutional records surveys of print and digital content documenting for core administrative and service programs: Human Resources, Finance, Member Services, and Summer Program.

Disaster Planning, Communication, and Recovery Documents

ICPSR maintains and makes available to ICPSR staff the requisite disaster planning documents as identified by NIST in Contingency Planning Guide for Information Technology Systems:

  • Business Continuity Plan (BCP): The primary focus of business continuity for ICPSR is maintaining continued access to collection delivery services during an emergency. The BCP details the other core functions at ICPSR and the priorities for re-establishing each in case of a disruption. Arrangements for re-establishing core functions at an alternative site are included when appropriate. The University and, in some cases, ISR maintain the record copies of core documentation for human resources and finance, although the institutional records surveys for these core functions identify documents maintained at ICPSR that would be essential to ensuring business continuity. The ICPSR BCP documents the measures ICPSR has taken to ensure business continuity using a University-approved template. The BCP is maintained by Computer and Networked Services (CNS) at ICPSR, although all of the core functional areas contribute to updating it.

  • IT Contingency Plan: ICPSR's IT Contingency Plan addresses the principles of disaster planning for computers:

    1. Document hardware and software
    2. Develop an emergency contact list
    3. Back up and store all data files off-site
    4. Proactively monitor equipment and data
    5. Install and update antivirus software on both computers and servers
    6. Develop recovery scenarios
    7. Communicate and monitor the plan

    The IT Contingency Plan documents ICPSR's steps to adhere to these principles, as well as other components of emergency response for the technology infrastructure that enables our programs and services.

  • Crisis Communications Plan: ICPSR has developed a Crisis Communication Plan that addresses requirements for internal and external communications during and after an emergency. The plan identifies levels of crisis response, including the activation of a phone tree mechanism. This component of our disaster planning program is the responsibility of our Internal Communications team leader. The Disaster Response Team coordinates with the Crisis Communication Team in the event of an emergency to ensure that information provided about an emergency is clear, concise, and consistent.

  • Cyber Incident Response Plan: CNS has defined an approach and established procedures for responding to cyber attacks against our IT system, as defined in the Cyber Incident Response Plan. The plan enables CNS to identify, mitigate, and recover from malicious computer incidents, such as unauthorized access to a system or data, denial of service, or unauthorized changes to system hardware, software, or data. CNS monitors the application of the plan and revises it as needed.

  • Disaster Recovery Plan (DRP): The primary focus of the ICPSR Disaster Recovery Plan (DRP) is the restoration of core information systems, applications, and services. It brings together guidance and procedures in the Business Continuity Plan, the Web Continuity Plan, and the IT Contingency Plan pertaining to emergencies that result in interruptions of service that exceed acceptable down times, as defined in the BCP. ICPSR is prepared to take steps to resume operations at an alternate site after an emergency, but has not enacted agreements or protocols for that possibility. The disaster recovery plan is maintained and updated by CNS.

  • Occupant Emergency Plan (OEP): The Perry Building Emergency Action Plan, maintained by ICPSR's parent organization, the Institute for Social Research (ISR), defines response procedures for ICPSR staff in the event of a situation that poses a potential threat to the health and safety of personnel, the environment, or property. ICPSR has identified emergency scenarios based on previous emergency events and will continue to define additional scenarios, as the need is detected. ICPSR is represented at ISR's disaster planning initiatives.

  • Disaster Planning Training Plan: Human Resources at ICPSR has developed a Disaster Planning Training Plan that provides guidance on appropriate training for current and future staff at ICPSR and reflects the responsibilities of managers, supervisors, and staff with respect to the promulgation of disaster preparedness within ICPSR. The training plan references all of the components of the disaster planning program as relevant for specific audiences. The plan also incorporates the training schedule outlined in Perry Building Emergency Action Plan and supplements internal training with external training opportunities.

Maintenance and Testing

ICPSR is committed to fully implementing, maintaining, and extending as necessary the disaster planning program specified in this document. This commitment includes at least one emergency drill each year to verify that the necessary procedures are in place and sufficient. The ICPSR disaster planning program incorporates the maintenance and testing schedule outlined in the Perry Building Emergency Action Plan. We will review the disaster planning program annually to update relevant documents, as needed. These activities are the responsibility of the Disaster Preparedness Committee at ICPSR.

References

Key resources cited or used for the Disaster Planning Policy Framework include:

CCSDS. Recommendation for Space Data System Standards: Reference Model for an Open Archival Information System (OAIS) (PDF). CCSDS 650.0-B-1. Blue Book. January 2002 (adopted as ISO 14721:2003).
Florida State University. "Information Technology Disaster Recovery and Data Backup Policy," 2006.
ICPSR. "ICPSR Digital Preservation Policy Framework," October 2007.
National Institute of Standards and Technology. Contingency Planning Guide for Federal Information Systems (PDF). NIST Special Publication 800-34 Rev. 1. Nov. 2011.
Research Libraries Group and Online Computer Library Center (OCLC). Trusted Digital Repositories: Attributes and Responsibilities. An RLG-OCLC Report (PDF). RLG, Mountain View, CA, May 2002,.
University of Michigan. Standard Practice Guide: Institutional Data Resource Management Policy (PDF), October 2008
University of Michigan Administrative Information Services (MAIS). Emergency Management, Business Continuity, and Disaster Recovery Planning, 2007.
Washington State Department of Information Services. "Disaster Recovery and Business Resumption Planning Policy," (PDF) April 2002.