Disaster Planning at ICPSR: Short-term Action Plan

Note: ICPSR has completed many of the recommendations in this Short-term Action Plan. It is provided as originally written to serve as a guide to others implementing disaster planning programs.

Overview

This document identifies five action areas for aligning ICPSR's disaster planning program with common practice: full implementation of the disaster planning program, examination of digital content preparations in the event of an emergency, development of a comprehensive business continuity plan, an examination of digital content preparations in the event of an emergency, the development of training and awareness measures for staff and stakeholders, and a full review of information technology requirements and plans.

Disaster Planning Program

Background: The ICPSR Disaster Planning Task Force has developed the basic structure and documentation for the disaster planning program at ICPSR. The next step is to formalize the program as a core function for ICPSR.

Recommendations:

  • Replace the Disaster Planning Task Force with a standing Disaster Planning Committee to maintain, update, and extend disaster planning documents and initiate periodic audits and tests

  • Establish a Disaster Response Team with Administration and CNS as the leads to detect and assess emergencies and convene an appropriate team to respond

  • Consider inviting peer or cognate institutions to review the ICPSR disaster planning program (e.g., a Data-PASS partner, the University Library)

  • Institute annual emergency drills (at least one) to test and improve procedures and responses

Digital Content

Background: Digital content for ICPSR has three core phases: deposited digital content during processing, archival storage, and dissemination. Archival Storage has largely been addressed through recent efforts to move digital content to online storage, the closure of the warehouses, and storage partnerships. The Web Continuity Plan addresses concerns about digital content (and services) as disseminated. Steps are under way to address potential gaps in protection and security during data processing.

Recommendations:

  • Processing: Continue with audit and control efforts in Collection Delivery to document and demonstrate continuity of control over data from the moment of deposit

  • Archival Storage: Review storage partnerships to ensure that at least six complete online copies in distributed are in place and secured (allowing for exceptions for confidential data); conduct tests to demonstrate the restoration of digital content from secondary copies of digital content stored on tapes

  • Dissemination: Implement, test, and evaluate the Web Continuity Plan

Business Continuity

Background: The Web Continuity Plan provides a means for addressing gaps in preparedness. An additional step should be to develop a full Business Continuity Plan for ICPSR, especially to address the administrative and enabling functions.

Recommendations:

  • Using the analysis of core ICPSR functions and acceptable down times as a starting point, develop and disseminate a comprehensive Business Continuity Plan

  • Update the institutional records surveys (Finance, Human Resources, Member Services, and Summer Program) and identify additional functions to survey

  • Develop action plans for each function to address potential vulnerabilities in print or digital records that enable each function, particularly records for which ICPSR is responsible

Crisis Communications

Background: Communications is an essential component of disaster preparedness and response. The ICPSR piece of crisis communications focuses on emergencies that affect only ICPSR, rather than the larger environment in which ICPSR operates (e.g., ISR, the University of Michigan, the State of Michigan). For ICPSR, crisis communications is represented on the standing disaster planning committee and crisis communications is a role on the disaster response team, as explained in the ICPSR Crisis Communications Plan.

Recommendations:

  • Conduct two reviews of the crisis communications plan annually

  • Develop and maintain an ICPSR Staff Phone Tree that covers the Disaster Response Team, senior management, Archive Managers, and full ICPSR Staff

  • Designate phone tree manager with responsibility to keep phone tree updated and to activate the phone tree at the request of the Disaster Response Team during an emergency

  • Ensure that the response to an emergency identifies individuals who are responsible for posting information to ICPSR's communication vehicles (e.g., warm backup sites, Facebook, ICPSR Blog, email listserv, as available)

  • Include crisis communications in ICPSR disaster preparedness drills

Training and Awareness

Background: Now that the basic foundation of the disaster planning program at ICPSR is in place, the next step is to integrate the policies, procedures, and practices into ongoing training programs for current and future staff in order to promulgate the program within ICPSR (e.g., ensure that responsibilities are defined and assigned, make the disaster planning documents and updates known to staff, as appropriate).

Recommendations:

  • Integrate disaster planning components in training programs at ICPSR

  • Seek external training opportunities to supplement internal training

  • Implement the communications plan to ensure that staff and stakeholders are aware of essential information before, during, and after an emergency

  • Implement a phone tree system to support the communications plan

Information Technology

Background: ICPSR relies upon technology to provide data and services to users.

Recommendations:

  • Formalize, test, and document existing procedures to ensure that disaster preparations are comprehensive and effective

  • Complete requisite documents: Business Continuity Plan, IT Contingency Plan, Cyber-incident Response Plan, and Disaster Recovery Plan

  • Complete the ISP 27001/27002 information security audit to demonstrate the soundness of the resulting plan