Pressure on energy supplies and centralised planning to manage energy consumption have been well documented in the media. It is likely that any energy rationing will be experienced as either a:
- ‘Blackout’, scheduled or unscheduled total loss of grid provided energy, most likely electricity, for a period.
- There is also the threat of ‘Brownout’, a reduction in power produced and distributed, electricity again, a continued high demand may cause amperage and voltage to fall below equipment operating tolerances. This is more likely to cause unexpected interruptions to business operations.
- Finally, self-imposed energy reduction may require a reduced business delivery footprint or time space to be applied, this is likely to affect curriculum delivery.
Preparation is key, all plans are likely to stumble at first contact with a problem but having the plan does provide a framework for those engaged to follow and ensures that all efforts are working towards the same goal. Co-ordination and control can still be managed by senior leaders as underlying variables change and the internal communication methods pause, fail and restart.
The core documentation the organisation should have a business continuity plan (BCP); it may also be written as major incident plan. There is an international standard outlining the requirements of a business continuity plan, ISO22301. However, the BCP is designed with corporate higher-level priorities for return to normal business and individual service areas (IT, Learning Resources, Curriculum, Estates, et al) should use the BCP to define the service area continuity priorities.
Within the IT services area this is most likely to be the production of a disaster recovery plan (DR). The DR plan will be written for identifiable outages and should have documentation to ensure rapid recovery to normal business functioning. It is recommended that the DR plan contains:
- Recovery processes for outages in all areas of the IT service delivery infrastructure.
- Each identified service outage has a documented process to return to business operation.
- Details of who is responsible for each process, both the management and the practical tasks.
- Details of who is the backup person in case the primary operator/technician isn’t available.
- Details of permissions allocated to recovery staff and processes for those in the backup role to gain elevated permissions if not allocated as part of their normal role.
- An up-to-date collection of configuration documents, that include all recent changes implemented.
- Location of the configuration files and access permissions required.
- Details of preferred suppliers who can provide infrastructure compatible equipment at short notice in event of a systems failure during a power reset.
- Currently, IT equipment delivery is being reported as slow, a secondary plan may be required to recover within a Cloud service. This may require additional skills for the recovery team or the engagement of a third-party expert.
- Communications plan to inform senior leadership and users as outage and recovery progress.
Elements of both the BCP and DR should be tested, the BCP is likely to be subject to desk-based scenario-limited exercises that involve all the affected agencies and stakeholders. The DR can often be tested in a more practical manner, with advertised ‘at-risk’ notices issued to users if resilient equipment or sandbox sites are not available.
Backups will be the primary tool to ensure that a full return to business can be achieved. Matching your backup policy to the National Cyber Security Centre (NCSC) model is recommended:
- 3 Copies of the backup.
- 2 different storage media types in use.
- 1 copy residing offsite with both logical and physical isolation.
Proving the integrity of the backup is essential, backup logs should be checked daily. Investigating where a failure is logged. Periodically the backup should be restored and further checked to ensure the integrity of the data held.
In all areas of the DR planning, engage with your team via the usual Plan-Do-Check-Act model to ensure it is fit for purpose and where improvements can be made.
Author: Noel Davis, Subject specialist (Infrastructure programme)