GUIDELINES FOR ADP DISASTER PREVENTION AND CONTINGENCY BACK-UP PLANNING

Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST): CIA-RDP79M00096A000100060007-3
Release Decision: RIPPUB
Original Classification: C
Document Page Count: 13
Document Creation Date: December 15, 2016
Document Release Date: January 22, 2004
Sequence Number: 7
Case Number:
Publication Date: February 11, 1972
Content Type: MF
File: CIA-RDP79M00096A000100060007-3.pdf (487.57 KB)
Body:
Approved For Release 2004/02/10 : CIA-RDP79M00096A000100060007-3

Att 1 to IHC-MM-296
17 February 1972

IBSEC-CSS-R-9
11 FEB 1972

MEMORANDUM FOR: Chairman, Intelligence Information Handling Committee, United States Intelligence Board

SUBJECT: Guidelines for ADP Disaster Prevention and Contingency Back-up Planning

1. The attached "Guidelines for ADP Disaster Prevention and Contingency Back-up Planning" were developed by the Computer Security Subcommittee in coordination with the Support Staff of the Intelligence Information Handling Committee. The Security Committee approved these Guidelines at its 25 January 1972 meeting.

2. The Guidelines are intended for the use of USIB member agencies in ensuring against disruption of the computer processing and exchange of vital information. Throughout their development no consideration has been given to making them directive in nature.

3. Subsequent to IHC review and approval, I would propose their issuance and dissemination as a joint product of the SECOM and IHC.

25X1
Chairman, Security Committee
USIB

OFFICIAL USE ONLY

GUIDELINES FOR ADP DISASTER PREVENTION AND CONTINGENCY BACK-UP PLANNING

IBSEC-CSS-R-9
25 Jan 72

To provide basic guidance for the development of a disaster prevention and contingency back-up program for insuring the continuous computer processing and exchange of vital information.

To outline the major areas of concern and list conditions and procedures necessary to insure the protection of ADP assets.

To list actions and procedures for consideration in the formulation of a contingency plan.

Guidance set forth herein is based on the premise that organizations relying heavily on computer system operations should develop an integrated ADP Disaster Prevention and Contingency Back-Up Program to minimize the severity and effects of unforeseen computer system disasters. Such planning should be a specific design factor integrated into total system planning for each individual system and its unique environment.

III. GENERAL CONSIDERATION

Potential causes of disaster vary considerably in their probability of occurrence, degree of criticality and feasibility of preventive and/or back-up measures. Fires, explosions, toxic fumes, nuclear weapon detonation and the effects of natural disasters such as earthquakes, hurricanes and floods can be immediately disastrous resulting in the death or serious injury to personnel. The damage caused by such events to computer equipment, the physical structure housing the system, and the storage media may be disastrous for an extended period of time depending upon resource recovery capabilities. Other disruptive events such as outages of electric power or air conditioning, the loss of telecommunications facilities or the erasure of vital information from magnetic storage media are not likely to be as serious because back-up measures can be provided. Although positive security actions and procedures can reduce the effects of riots, theft, sabotage and vandalism, these events can occur and result in disastrous operating consequences.

IV. DISASTER ANALYSIS

A disaster includes any incident or event which results in a critical disruption of the computer operations. Rescheduling of work loads according to user priority may be required depending upon the allowable delay of the most critical user processing requirements. Processing priorities may also be re-ordered [illegible] operability of the system. The disruption can reach major proportions rendering the system inoperable for a prolonged period of time and requiring movement of highest priority processing to an alternate computer site. The emergency or back-up actions needed to restore the capabilities of a computer system after a disaster has occurred should be proportionate to the critical effects of that disaster. These actions may be identified through consideration of at least the following:

1. The event, cause or condition creating the disruption;
2. The capability to restore the system;
3. The total period of time the system is expected to be nonoperational;
4. The tolerable time-limits of system inactivity based on user requirements;
5. The feasibility of a degraded mode of system operation whereby critical processing could continue; and
6. The availability of an alternate system capable of assuming the critical processing requirements for a specified period of time.

V. MAJOR AREAS OF CONCERN AND PREVENTIVE MEASURES

The major areas of concern involve the protection of assets required for computer operation. The protection of ADP assets requires the implementation of various measures as part of a disaster prevention program. Security and computer personnel should be alert to the possibility that a disruption in computer activity may be deliberate rather than accidental and should investigate any situation where such evidence exists. Although the configuration of computer systems and the physical environment of computer centers vary, the following areas are applicable to all systems:

1. System Hardware: The mechanical, electromechanical, electronic, magnetic and electrical components of a computer system.

   a. Maintenance: Effective maintenance planning represents the initial preventive measure against a potentially serious disruption of operations.

   b. Engineering Support: Technical support should be available on a 24 hour on-site basis if the computer center requires such support. Back-up of critical hardware parts should be maintained on-site or in a readily accessible location.

   c. Hardware Security: The implementation of measures such as memory protection and user/executive modes of operation is recommended to insure protection of user data sets.

2. System Software: Computer programs and procedures including system and user programs.

   a. Testing a New Installation: Duplicate programs should be run on both the current and proposed system so that the data can be compared. If duplicate testing is not feasible, a test deck should be used to check the system's logic.

   b. Program Changes and Testing: Extensive program debugging is recommended to reduce the number of disruptions caused by software errors. Any request for a program change should be submitted in writing and the action authorized only by a responsible manager. The number of persons authorized to make changes in operating programs should be limited. Program testing should be subject to review by authorized personnel and not conducted solely by the person who wrote the program.

   c. Software Security: Software security measures such as user identification and authorization should be used to reduce the possibility of unauthorized personnel accessing the system.

3. System Operational Personnel: The individuals whose primary duties are concerned with the operation of the computer system.

   a. Selection of Key Personnel: Key personnel designated to continue the operation of a computer system should be briefed and provided written guidance as to their responsibilities and duties in the event of a disaster.

   b. Training of Key Personnel: Training programs should be developed which stress the proper handling and maintenance of computer system components. Key personnel should be broadly cross-trained in the event that certain key personnel should be unable to respond to an emergency situation.

   c. Personnel Security: Computer personnel, visitors and users constitute a theft and/or sabotage threat to the computer center. Restrictions on the number of people allowed unescorted access and on the areas to which they have access are recommended.

4. System Environment: The computer facility, supporting utilities and operational posture.

   a. Facility (General): The facility housing a computer system should be constructed of fire resistant building materials and equipped with appropriate smoke detection, heat sensing and fire fighting devices. Periodic safety checks of such devices for their operational capability is encouraged. The use of the FPMR and the National Fire Code volume 5, section 75 is recommended in the construction of computer facilities. Consideration should be given to maximum physical protection against the potentially catastrophic effects of natural disasters (hurricanes, earthquakes and floods) as well as civil disorder and conventional and nuclear warfare.

   b. Auxiliary Power and Air Conditioning: Malfunctions and failures of electric power and/or air conditioning are two of the major causes of disaster affecting a computer system. Provisions should be made for the use of an independent back-up power source as well as providing for immediate repair or replacement of air conditioning equipment. Consideration of line monitors and/or overvoltage protectors to prevent damage from power failure and power surges is recommended. Security controls should be applied to reduce the possibility of willful or inadvertent damage to the electrical and air conditioning equipments.

   c. Physical Security and Control: Access to the facility housing the system by other than authorized personnel should be prohibited. The mechanisms installed to enhance the security of the computer system area should be controlled by personnel designated as responsible for their maintenance and integrity. All procedures relating to facility control should be in writing and made available to assigned personnel.

5. Data Files: Storage areas for magnetic storage media should be located outside the main computer area, preferably in a vault or secure area depending upon security considerations. Proper temperature and humidity should be maintained and cleanliness restrictions should be observed. All appropriate executive programs, system documentation, operation manuals, etc., required for the computerized processing of information should be identified, duplicated, and safely stored. Security procedures should be installed to prevent unauthorized personnel from removing files such as magnetic tapes from the computer center.

6. Communication Lines: Requirements for protecting communication lines will vary depending upon the existence and location of remote terminals. The communication links from the central processor to the remote consoles are vulnerable to crosstalk, electromagnetic radiation and wiretaps. Unprotected data transmission should be eliminated by use of cryptographic techniques or by physical security measures. Back-up communication facilities should be available to reduce the effect of failures in the communication area.

7. Supplies: Supplies that are essential to computer operations should be identified and accessibility to back-up supplies should be provided.

VI. CONTINGENCY PLANNING

A manual or handbook detailing the computer center methods of operation in the event of a disaster should be prepared. It should specify the contingency or back-up actions to be taken, individual responsibilities for these actions and the follow-on investigative and reporting requirements. The degree of implementation of the contingency plan will depend upon the criticality of the disaster.

Planning for possible emergencies should consider the recommendations listed below for disaster prevention and/or coping with disasters which have occurred.

A. Prior Planning

1. Duplication and storage of vital programs, documentation and data files in a readily accessible location, preferably off-site.

2. A determination that the fire safety equipment and emergency plans are adequate to minimize damage from smoke, chemicals, water or fire.

3. A determination that adequate electrical power, air conditioning equipment, and heating systems are available for back-up use.

4. Training of computer personnel to insure that they are aware of proper procedures for operating and protecting equipment and are aware of their responsibilities in the event of a disaster.

5. Up-to-date lists of emergency and support organizations and personnel with whom contact may be required. This may include medical centers, fire stations, security services and equipment maintenance services.

6. All data being processed should bear a priority of processing order. Users should be alert to the need for manual information processing, in the event computer processing is not available for low priority processing.

7. Copies of all disaster planning documentation should be provided to each major functional area supporting the organization. Specific roles and responsibilities of each supporting function should be closely coordinated.

8. The contingency plan should be updated periodically to reflect changes in equipment, user requirements, personnel, and back-up computer compatibility and availability.

B. Major Disaster Planning

Contingency planning for a major disaster which requires movement of computer processing activities to an alternate site should also consider the following recommendations:

1. Prior identification of an alternate computer system compatible with in-house systems that can be available if needed. Physical surroundings of the alternate system should conform to required security and safety standards.

2. Identification and designation of personnel to manage and operate the alternate system should be documented and updated as the need arises.

3. The computer operations at the alternate site should be carefully documented. Among other issues, this document should address such items as the transportation of alternate site computer personnel, their responsibilities during alternate site operations, the necessary security considerations for the computer environment and the transfer of classified data to the alternate site, and the priority processing order of data.

4. Periodic operation of the alternate computer system, using the duplicate documentation, software and data files by the designated alternate system personnel should be made. Results should be compared with normal operations in order for changes to be effected if required.

5. Instructions for the destruction of classified data and/or equipment under combat-emergency conditions where such classified materials may be reasonably expected to fall into the possession of unauthorized persons.

C. Post Disaster Planning

1. A determination of the criticality of the disaster considering anticipated time of system inoperability and user processing requirements.

2. Immediate notification to management and system users of the estimated length of delay in operations to allow the users to consider alternate operational methods.

3. Notification of the appropriate higher levels of management if the time delay exceeds initial estimates.

4. Contact with the appropriate emergency and support organizations depending upon the cause and extent of the disaster.

5. A determination of the feasibility of continued computer operation in a degraded mode.

6. Initiation of actions to move computer operations to an alternate site if conditions warrant the move.

7. A determination that the disaster has not degraded the essential system hardware, software or physical security features and that procedural security controls remain in effect.