risk assessment and disaster recovery

Risk Assessment and Disaster Recovery of 58 Version 1.0 October 2016

Standard Operating Procedure 1 (SOP 1)

Risk Assessment and Disaster Recovery

Why we have a procedure? (Background)

Preparing for a data loss disaster before it occurs can speed up the Disaster Recovery process tremendously. The dependency on computers exponentially increases the Social and Healthcare/Legal/Commercial risks associated with failure of any component of that system. Data corruption, viruses, hard disk failure, power failure, accidental or malicious data deletion, theft and natural disasters are all situations that necessitate attention for a meaningful disaster recovery policy. Typically when a computer crashes, the first and foremost task is for ICT to rebuild and reconfigure the system, restoring mission-critical applications and data without excessive downtime. Overall disaster risk assessment pertaining to monetary, customer, legal and regulatory exposures, as well as interdepartmental dependencies should be considered. Recovery and data freshness windows should also be considered when building a disaster recovery plan to ensure the recovery time objectives can be attained during a full-scale restore operation. This document forms the Business continuity from an ICT perspective and covers anything to do with service provision including server/personal computing, telephony, physical/information security and data. Business Continuity is not a single defined document, process, policy or set of instructions. Business continuity is comprised of a number of processes and policies, organised and documented outlining emergency and contingency planning with cost and risk based analysis.

What overarching policy the procedure links to?

BCPFT-ICT-POL-01 ICT Change Control BCPFT-ICT-POL-02 ICT Email and Internet Acceptable Use BCPFT-ICT-POL-03 ICT Security BCPFT-ICT-POL-04 ICT Portable Devices and Portable Media Security BCPFT-ICT-POL-05 ICT Remote Access BCPFT-ICT-POL-06 ICT Telecommunications BCPFT-ICT-POL-07 ICT Priority 1 Incident Handling BCPFT-ICT-SOP-03-4 ICT Security - SOP 04 - Password Protection BCPFT-ICT-SOP-03-3 ICT Security - SOP 03 - Identity Management BCPFT-ICT-SOP-02-1 ICT Email and Internet Acceptable Use - SOP 01 - Web Access Service for Patients


BCPFT-ORG-POL-03 – Business Continuity Management Policy

Which services of the trust does this apply to?

Corporate/ICT Services

Where is it in operation?

Delta House.

Who does the procedure apply to? (staff roles and responsibilities)

All members of the ICT Department.

When should the procedure be applied? (Context)

In the event of a disaster rendering business critical systems out of use.


How to carry out this procedure (step step-by-step information)

1.0 Determine the needs

For each operating system, service and application component we should consider the following. These questions should be addressed for each system that is supported by ICT.

What are the possible failure scenarios?

- Environment failure - Server hardware Failure - Disk/Raid Failure - Network Failure

Where is the critical data?

- Oasis Applications - Finance Server - Datix - File Stores - E-mail

How often should backups be performed? - Full daily backups are run on all critical servers

Should backups be performed on-line while users are working, or off-line? - Backups are run “off-line” so that all files are backed up.

Will backups be done manually or via an automatic scheduling process? - We run automated daily schedules on all Servers that require backups.

How can we verify that a backup was successfully performed? - The backup log files are error checked and “signed” for on a daily basis.

The file is held in the ICT documentation drive.

How will we determine if the backups are useable? - Restores are carried out through normal helpdesk requests and

restoring data to an alternative destination checks tapes. - Test Restores will be carried out on a quarterly basis by the ICT

department, at file and server level. - These trial restorations will be logged into the evidence file on the ICT

documentation drive.

How long will we save backups before reusing the medium? - For tape media we use we keep monthly and annual tapes to one side. - For Disk based backups we currently keep 2 years of weekly backups on-

line.

How much time will it take to restore from the last back up?


- Depends on the amount of data to restore, typically we can restore 120 GB + in just over 3 hours if need be.

Where will our backup media be stored? - Tape media is stored in a secure room in a secured separate building to

where the servers are physically located.

Do appropriate personnel have access to backup media for restores? - All ICT staffs have access to the backup media and they are capable of

restoring data.

If the ICT System Administrator(s) is (are) not available, is there a source for acquiring system passwords and procedures to back ups, and if necessary, perform restores? - There will always be a member of the ICT department available to enable

these requests. - Any request should be reported to the helpdesk for the ICT department

engineers to action. Escalation should be via the ICT Support team leader then the ICT Services Manager.

2.0 Developed Practices

An effective backup strategy can only be developed by understanding data management goals and requirements then effectively creating guidelines for daily operation. Here are a few common practices that have been taken into consideration when developing our Disaster Recovery contingency plans.

Develop backup and restore procedures with appropriate resources. We do.

Test the procedures, ensuring that we can recover data in a timely manner. We do.

Ensure we have a designated backup and restore administrator(s). We do.

Backup our entire system volume to prepare for the hopefully unlikely event of a catastrophic disk failure, providing the ability to restore the entire volume in a single operation. We do.

Backup our local directory services database (Active Directory) to prevent loss of user accounting and security information. We have

Keep backup logs available to enable faster, granular file restores. We do.

Periodically perform trial restorations to verify that files are being backed up properly. Usually trial restorations will uncover any hidden hardware anomalies. We do.

Ensure procedures are in place to prevent a system administrator from restoring data onto the wrong server


We have.

3.0 Additional Considerations

Keep detailed asset management information up to date. This information will help us in the event of a severe hardware failure and forced to rebuild or replace the system.

Keep system owners informed of any remedial maintenance required on servers that they manage and liaise with them on defining or changing the backup schedules and definitions.

See section 4.0 of this document.

Ensure that the following are readily available: O/S distribution media, patches, service packs, and OEM specific drivers. Copies of the Critical OS and other media have been made and are kept at a different site, for disaster recovery requirements.


Maintain an updated profile of each system configuration including network settings (TCP/IP configuration), machine names, domain information, account information, disk configuration, disk partition layouts, partition sizes, partition file system format type, and O/S patches installed. Always maintain a list of current patches installed on each of the corresponding systems.


4.0 Asset Database

The ICT Department maintains an up-to-date Asset spreadsheet, which is located within: - Hooch\ICT\Hardware\Asset Spreadsheet This spreadsheet is kept current by ICT staff following the procedure laid out in the Asset Management guidance, which can be found on the Trust Intranet in the relevant folder.

5.0 Software Library

The ICT department keeps an up to date register of all software procured through agreed Standing Financial Instructions (SFIs). All software is checked to ensure compatibility and integrity with Trust systems, before being installed in the “live” environment.


6.0 Critical Server Information

The majority of Trust servers* now sit within a virtualised environment based within the Delta house Trust site. Virtualised server systems provide the Trust with more resilience, stability and flexibility for providing high availability services for the purpose of providing health care.

The configuration documentation for the virtualised system resides in a secure folder within the ICT department resource share and access to the physical hardware is restricted. Only senior members of the ICT support team have privilege to manage the virtualised environment.

*Some exceptions are located off site.

7.0 Risk Assessment; Servers and Services

This risk assessment has been carried out to ascertain the effect of a critical server or service failure on Trust staff and performance.

The Trust IT department is formally involved within departmental and group level business impact assessments thereby ensuring the identification of realistic and mutual awareness of system Recovery Time Objectives (RTO). Recovery Time Objectives are reflected within this risk assessment in hours.

The risk assessment does not suit the Australia 5x5 system of risk scoring and as such the “R.A.G.” system has been used; Red, Amber, Green.

Resultant documentary evidence on the Risk assessment is hypothetical, sought through experience and knowledge gained through previous work carried out by senior members of the ICT department.

The Following pages are dynamic, in that, the information they contain may change from time to time. For that reason, the pages will be a separate document that needs to be updated regularly and incorporated when modified, into this document.

Disaster Recovery, Process and Procedure of 58 Version 1.0 October 2016

Risk Assessment of ICT Infrastructure, Services and Servers.

This document will form part of the Business Continuity and Disaster Recovery plan. Officer responsible for document: ICT Services Manager.

RAG

Rating Definition

Target

Initial

Response

Time

Target Call Update/

Escalation Time, every

Target

Resolution Time

(During Standard

Working Hours)

Response

Red

Total Loss of service. - Any fault that renders a critical System or Service inoperative or prevents absolutely necessary business transactions. For example: Complete system failure impacting on critical business processes or clinical care

30 Minutes

1 hour 8 hours (Excluding faults caused by a third

party system)

Response within 10 minutes, by incident number, time to fix or advice within 1 hour, updates at a time period to be agreed with the ICT Management Team. Reasonable endeavours will be used to provide a fix within half a working day where it is entirely in the Service Provider’s control.

Am

ber

Partial Loss of Service - Any fault which prevents Trust staff from performing normal day-to-day business transactions. For example: Partial system failure impacting on critical business processes or clinical care and affecting all users.

1 Hour 2 Hours or such longer period as agreed

between the parties

16 Hours (Excluding faults caused by a third

party system)

Response within 10 minutes, by incident number, time to fix or advice within 1 hour, updates at a time period to be agreed with the ICT Management Team. Reasonable endeavours will be used to provide a fix within 1 working day where it is entirely in the Service Provider’s control.

Gre

en Degraded Service State - Any

other fault that causes the Trust staff inconvenience in performing normal day-to-day business transactions.

2 Hours 4 Hours or such longer period as agreed

between the parties

24 Hours (Excluding faults caused by a third

party system)

Response within 10 minutes, by incident number, time to fix or advice within 1 hour, updates at a time period to be agreed with the ICT Management Team. Reasonable endeavours will be used to provide a fix within 2 working days where it is entirely in the Service Provider’s control.


Service Service Effect and Impact

(R.A.G and RTO)

Control Measures In Place

Workarounds Service User Impact

Mitigation

Internal only

Hardware Firewall

Main firewall

Handles VPN connections from other Fortinet sites

Provides Trust with protection from outside

world.

Security & Rules for all outgoing traffic.

Limits inbound traffic to absolute

minimum.

Red 1 Hour

Loss of connectivity from other Fortinet sites.

Loss of wireless at Delta House.

Dual sets of hardware to provide resilience, if one fails the second will

step in.

Internet Central for Software & Hardware

Support.

N/A

Sites using Fortinet lose complete system access with possible impact on service users as services cannot be accessed.

N/A


Fortigate Roles and responsibilities:

Description Detail Notes

Owner ICT Department Central Hub of Fortinet VPN

Daily Maintenance / Support ICT

Extraordinary Support ICT / Internet Central

Change management ICT / Internet Central

IP12200 Location Delta House Server room

Edge Devices One at each VPN site

Annual Maintenance/Licence costs Subs and licence

Maintenance/Licence responsibility ICT Services Manager

Cost to replace all VPN Hardware


Server Service Effect and Impact

(R.A.G and RTO)



Mitigation

Internal only

Virtualised Server

Management console for Checkpoint

Firewall.

Log file host for usage

tracking.

Amber 12.0 hours

Loss of log transactions.

Loss of control of the Firewalls.

Consultancy with Cygnia for Software & Hardware.

Normal service will not be affected by an outage of this server.

None

Edge devices continue to protect each site. Only affect is inability to update rules base and push out updates.


FW-1 Roles and responsibilities:


Owner ICT Department

Daily Maintenance / Support ICT We pay for Checkpoint SW & Licences Annually £16,000.00

Extraordinary Support ICT / Hytec Hytec have support of Checkpoint

Change management ICT / Hytec

Location Delta House Server room

Cost to replace Hardware £1500.00 Standard PC.



Server Service Effect and Impact (R.A.G

and RTO)


Workarounds Mitigation

Meshed VPN Checkpoint firewalls IP12208 IP4607 IP2205 UTM-132 Edge Devices (x 16) Edge Devices (x 32)

Edge Devices (x U)

Meshed VPN over N3 Links. Inter-site

connectivity.

Provides Trust with protection from outside

world.

Security & Rules for all outgoing

traffic.

Limits inbound traffic to absolute minimum.

RED

Site affected

Loss of outgoing transactions.

Loss of outgoing e-mail.

Loss of outgoing Internet

access.

Dual sets of hardware to provide resilience, if one fails the second

will step in.

Consultancy with Hytec for Software & Hardware

Support.

N/A

N/A Support £387.27 Subs £78.62 Support £580.91 Subs £117.94 Support £968.19 Subs £196.56

“Star VPN” Roles and responsibilities:



Owner ICT Department Central Hub of VPN


Extraordinary Support ICT / Hytec Cygnia have support of Checkpoint

Change management ICT / Hytec

IP12200 Location Delta House Server room

Edge Devices One at each VPN site

Annual Maintenance/Licence costs Subs and licence £16k per annum


Cost to replace all VPN Hardware £113,000.00



(R.A.G and RTO)



Mitigation

Internal only Virtualised Servers

Datix: Risk Incident reporting System

Amber 12.0 hours

Loss of Incident reporting

SLA and Maintenance contract with Datix Technologies.

Restore server image from Blade backup regime

Restore data from backup tapes

None

Not 24/7 business critical

Localised to Medical secretarial staff for inputting and clinical managers for reporting on incidents

Datix Roles and responsibilities:


Owner Risk Manager HTTP local based service


Extraordinary Support ICT / Datix Annual Maintenance & Licence charge £6000.00

Change management Datix

Location Web and DB server local

Cost to replace Hardware N/A

Maintenance/Licence responsibility Risk Manager

The system owner for Datix has been made aware of disaster recovery processes and timescales, is aware of backup schedules and processes and has agreed to the working practices employed by ICT in support and facilitation of the system. The system owner will be informed of any change to any of the schedules or processes. Any change of system owner will result in the newly named system owner being asked to agree current working practises.



(R.A.G and RTO)



Mitigation

Virtualised Servers

Integra: Procurement and finance System

Red RTO:

4.0 hours RTO: 12.0

hours

Loss of Ledger

Loss of procurement

SLA and Maintenance contract with Integra Solutions.

Restore server image from Blade backup regime


None

Provide resilience with standby hardware

Datix Roles and responsibilities:


Owner Head of Estates & Facilities HTTP local based service


Extraordinary Support ICT / Integra Annual Maintenance & Licence cost: Database and Application - £12K. Help

Desk - £9.6K

Change management Integra

Location Web and DB server local


Maintenance/Licence responsibility Head of Estates & Facilities

The system owner for Integra has been made aware of disaster recovery processes and timescales, is aware of backup schedules and processes and has agreed to the working practices employed by ICT in support and facilitation of the system. The system owner will be informed of any change to any of the schedules or processes. Any change of system owner will result in the newly named system owner being asked to agree current working practises.



(R.A.G and RTO)



Mitigation

Internal only Virtualised Server

Intranet Server

Green 12.0 hours

Loss of links

to some internal applications: helpdesk, Datix

Loss of immediate access to policies and

trust forms

Consultancy with Creative

Mark Ltd.

None

Provide fail over

software

Provide resilience with standby

hardware

Fawkes Roles and responsibilities:



Daily Maintenance / Support N/A

Extraordinary Support ICT / Creative Mark Ltd.

Change management Creative Mark Ltd.






(R.A.G and RTO)



Mitigation


ICT helpdesk

Clinical supervision

portal

Green 4.0 hours

Loss of some Internal applications

-Helpdesk

Consultancy with Creative

Mark Ltd.

None

Provide fail over

software


Molly Roles and responsibilities:











and RTO)



Mitigation


Email gateways

RED 4 Hours

Loss of external email communications.

Consultancy with Creative Mark Ltd.

Switch all Services to other server.

None

Provide fail over software


hardware

Auror and Walter Roles and responsibilities:











(R.A.G and RTO)



Mitigation


Email Archive

Green 12.0 hours

Loss of external email Archival

facilities

Consultancy

with Creative

Mark Ltd.

Restore

server image from Blade backup regime


None

Provide fail

over

software


Friar roles and responsibilities:











(R.A.G and RTO)



Mitigation


Key cabinet

controller

Green 12.0 hours

Loss of Documentation of key issue.

Traka

Restore



None

Provide fail

over

software


Auror and Walter Roles and responsibilities:




Extraordinary Support ICT / Traka

Change management Traka






and RTO)



Mitigation


Anti-Virus Server

Amber 12.0 hours

Loss of management of anti-virus

updates

Loss of real time monitoring anti-virus

statistics

Consultancy

via Caretower Ltd. For

software

Rebuild AV

image from backup and

restore data

None

Provide fail

over software


hardware

Currently protected PCs and servers stay

protected

Morpheus Roles and responsibilities:



Daily Maintenance / Support ICT Annual Maintenance charge £2500.00

Extraordinary Support ICT / Caretower Ltd

Change management ICT






(R.A.G and RTO)



Mitigation

Internal only

PAS Database Server

Amber 4 Hours

Effects only reporting

managers

SLA with Oasis Medical Solutions on Software

Maintenance.

Four Hour Response for Hardware maintenance.

N/A

No direct impact but care could potentially be affected

Patient paper records available. Clinic appts printed off. Employ data warehousing solutions. Provide fail over software Provide resilience with standby hardware

Merlin Roles and responsibilities:


Owner Head of Business Intelligence

Daily Maintenance / Support ICT / Head of Business Intelligence / OMS

User admin, App administration

Extraordinary Support ICT / OMS Network, Hardware Faults

Change management Head of Business Intelligence / OMS Upgrades/Projects


Cost to replace Hardware £2510.00 Rack Server.

Maintenance/Licence responsibility Head of Business Intelligence


Servers Service Effect and Impact (R.A.G and RTO)


Workarounds

Service User Impact

Mitigation


Business Objects Reporting

Amber RTO: 1.0 hour RTO: 8.0 hours RTO: 4.0 hours

Effects only reporting managers

SLA with Oasis Medical Solutions on Software Maintenance

.

Four Hour Response for Hardware maintenance

.

N/A


Patient paper records available. Clinic appts printed off. Employ data warehousing solutions. Provide fail over software Provide resilience with standby hardware

Figg Roles and responsibilities:



Daily Maintenance / Support Head of Business Intelligence / OMS User admin, App administration

Extraordinary Support ICT / Head of Business Intelligence / OMS

Network, Hardware Faults

Change management Head of Business Intelligence / OMS Upgrades/Projects £99,000.00 per annum for support




The system owner has been made aware of disaster recovery processes and timescales, is aware of backup schedules and processes and has agreed to the working practices employed by ICT in support and facilitation of the system.



and RTO)



Mitigation


Authentication

File & Print resource.

Accounts resource

E-Mail accounts resource

DNS Server -

Secondary

Amber 12 Hours

Loss of Logons

Loss of

Authentication

Loss of accounts

administration

Loss of resource administration

Re-build from

config build backup approximately one hour, restore data

Promote

another AD server to

be master

Temporarily locate file resources to another File Server

None

Training

required for ICT staff to administer, manage and

support AD

Vincent Roles and responsibilities:



Daily Maintenance / Support ICT Department User admin, App administration

Extraordinary Support ICT Department Network, Hardware Faults

Change management ICT Department Upgrades/Projects






and RTO)



Mitigation


Authentication

Accounts resource

DNS Server - Primary

DHCP Server

Amber 8 Hours

Loss of Logons

Loss of Authentication

Loss of accounts

administration

Loss of resource

administration

Loss of workstation

functionality

Consultancy

via Hytec.


Promote

another AD server to be

master

Temporarily locate DHCP

None

Training required for

ICT staff to administer, manage

and support AD

Hedwig Roles and responsibilities:










Server Service Effect and Impact (R.A.G and RTO)



Mitigation

Internal only

Authentication

Accounts resource

DNS Server - Primary

DHCP Server

Amber 8 Hours

Loss of Logons

Loss of Authentication

Loss of accounts administration

Loss of resource administration

Loss of workstation

functionality

Consultancy

via Hytec.

Four Hour Response for Hardware maintenance

.

Promote

another AD server to

be master

Temporarily locate

DHCP

None

Training

required for ICT staff to administer, manage and support AD

Terance Roles and Responsibilities:










Hedwig Roles and responsibilities:


(R.A.G and RTO)



Mitigation

Internal only

E-mail application Server

Red 4 Hours

Loss of

access to Mailboxes

Loss of Blackberry

Service

Consultancy via Hytec.

Four Hour Response for Hardware

maintenance.

N/A

None

Provide standby hardware

Fred Roles and responsibilities:







Cost to replace Hardware £2991.00 Blade Server.




(R.A.G and RTO)



Mitigation

Internal only

E-mail application Server

Red 4 Hours

Loss of access to

Mailboxes

Loss of Blackberry

Service



N/A

None

Provide standby hardware

George Roles and responsibilities:







Cost to replace Hardware £3782.46 Blade Server.




(R.A.G and RTO)



Mitigation


User F: drives.

Amber 4.0 hours

Loss of access to

files

Loss of access to some network printers



maintenance.

Temporarily locate file resources to another File

Server

None

N/A

Draco Roles and responsibilities:







Cost to replace Hardware N/A Rack Server.




(R.A.G and RTO)



Mitigation


User F: drives.

Amber 8.0 hours

Loss of access to files

Loss of access to some network

printers



maintenance.

Temporarily locate file resources to another File Server

None

N/A

Malfoy Roles and responsibilities:











(R.A.G and RTO)



Mitigation


Profile Server

Amber 8.0 hours

Loss of access to

files



maintenance

.

Temporarily locate file resources to another File

Server

None

N/A

Newt Roles and responsibilities:











(R.A.G and RTO)



Mitigation


Terminal Server Profile Server

Amber 4.0 hours

Loss of access to

files

Consultancy

via Hytec.


maintenance

.

Temporarily

locate file resources to another File

Server

None

N/A

Binns Roles and responsibilities:











(R.A.G and RTO)



Mitigation


Terminal Server Session Manager

Amber 8 Hours

Loss of access to Terminal Server

sessions

Consultancy

via Hytec.

Restore



None

Fast Image

Restore is

available

TS00 Roles and responsibilities:











and RTO)



Mitigation

Internal only

Terminal Services

Green 24 Hours

Loss of Terminal Server Access, Remote working.

Consultancy via

Hytec.


Rebuild server

on new Hardware.

None

The system

works as a team, with built in resilience and load

balancing.

TS01 to TS07 Roles and responsibilities:







Cost to replace Hardware £2500 Blade Server.



(R.A.G and RTO)



Mitigation


Internal only Virtual IP

Terminal Services

Amber 8Hours

Loss of Terminal Server Access

control

Consultancy via LoadBalancers.com

Next day replacement of failed

equipment.

The system is comprised of a High availability

pair.

None

Switch to backup unit is

automatic.

Load Balancers Roles and responsibilities:







Cost to replace Hardware £5000.00 Rack Appliance.




(R.A.G and RTO)



Mitigation


Print Server

Amber 8.0 hours

Printing at Delta

Consultancy via Computerworld.

Consultancy

via Hytec.


Rebuild server on new Hardware.

None


hardware

“Hagrid” Roles and responsibilities:











(R.A.G and RTO)



Mitigation


Windows

Update

Server

Amber 12 Hours

Inability to update workstations with the latest

patches

Consultancy

via Computerworl

d.



maintenance.

Rebuild

server on new

Hardware.

None

Provide

resilience with standby

hardware

“Crabbe” Roles and responsibilities:











(R.A.G and RTO)


Workarounds

Service User Impact

Mitigation


Finance Application

Server

Amber

Loss of access to historical accounts

records

Consultancy via TAH for Sage application



N/A

None

Employ data warehousing

solutions.

Provide fail over software


hardware

Localised to Finance staff.

“BCMHFIN” Roles and responsibilities:


Owner Costing and Contracting Accountant Mandip Bal

Daily Maintenance / Support Finance Department User admin, App administration

Extraordinary Support ICT Department / Datel Group Network, Hardware Faults

Change management Finance Department / Datel Group Upgrades/Projects



Maintenance/Licence responsibility Deputy Director of Finance

The system owner has been made aware of disaster recovery processes and timescales, is aware of backup schedules and processes and has agreed to the working practices employed by ICT in support and facilitation of the system. The system owner will be informed of any change to any of the schedules or processes. Any change of system owner will result in the newly named system owner being asked to agree current working practises.





Mitigation


MAPs Application and DB servers for MAPS

Green

None, only kept as a staging point until confidence is gained on the new on-line service.

SLA with

Manpower on Software

Maintenance.

N/A

None

Employ data

warehousing solutions.

Provide fail over

software


hardware

Flitwick Roles and responsibilities:


Owner Bank & Rostering Manager Sarah Bennett

Daily Maintenance / Support Bank & Rostering Manager / Manpower Software.

User admin, App administration

Extraordinary Support ICT / Manpower Health. Network, Hardware Faults

Change management Bank & Rostering Manager / Manpower Software.

Upgrades/Projects



Maintenance/Licence responsibility Bank & Rostering Manager




and RTO)



Mitigation


Anti-Virus Server

Green 12.0 hours

Loss of management of anti-virus

updates

Loss of real time monitoring anti-virus

statistics

Consultancy

via Caretower Ltd. For

software

Rebuild AV

image from backup and

restore data

None

Provide fail

over software


hardware

Morpheus Roles and responsibilities:



Daily Maintenance / Support ICT Annual Maintenance charge £3000.00

Extraordinary Support ICT / Caretower Ltd







and RTO)



Mitigation


Business Objects

Green 12.0 hours

Reporting on Oasis

N/A

Rebuild from backup and restore data

None

N/A

Neville Roles and responsibilities:



Daily Maintenance / Support ICT / Information dept. S Clifton maintains universes

Extraordinary Support ICT








and RTO)



Mitigation


Qlikview

Green 12.0 hours

Integrated reporting

system

N/A


None

N/A

Zabini Roles and responsibilities:


Owner Finance Dept Mani Bal

Daily Maintenance / Support ICT / Information / Finance Mani Bal/Steve Clifton

Extraordinary Support ICT /Qliktech Network, Hardware Faults

Change management Finance/Qliktech



Maintenance/Licence responsibility Deputy Director of Finance




(R.A.G and RTO)



Mitigation


GFI USB control Software for AD

Amber 12.0 hours

Loss of control over USB access

N/A

Rebuild from

backup and

restore data

None

Current USBs remain controlled, just unable to add more devices

Millicent Roles and responsibilities:



Daily Maintenance / Support ICT £1000+ per annum licence








and RTO)



Mitigation


Document management server

Green 4.0 hours

Loss of scanning capability and electronic

invoicing

N/A


None

N/A

Uric Roles and responsibilities:




Extraordinary Support Creative Mark & KnowledgeTree £1800









Mitigation


Resource shares

Amber RTO: 4.0 hours RTO: 4.0 hours

Loss of access to shared drives

N/A


None

Data stored on SAN, could be moved to different LUN quickly

Hooch Roles and responsibilities:











(R.A.G and RTO)



Mitigation


Log server for Internet proxy

Green 12.0 hours

Loss of Internet

use reports

N/A

Rebuild from

backup and

restore data

None

Can be done manually

Sawmill Roles and responsibilities:











(R.A.G and RTO)



Mitigation


Snow

Green 12.0 hours

Loss of software

audit

N/A

Rebuild from

backup and

restore data

None

Current reporting not affected

Fudge Roles and responsibilities:











(R.A.G and RTO)



Mitigation


Door Entry system

Green 8.0 hours

Loss of door entry

control

N/A

Rebuild from

backup and

restore data

None

Only unable to produce new cards or alter settings

Blaise Roles and responsibilities:




Extraordinary Support ICT / Feedback systems







(R.A.G and RTO)



Mitigation


Door Entry system

Green 8.0 hours

Loss of door entry

control

N/A

Rebuild from

backup and

restore data

None

Only unable to produce new cards or alter settings

Marge Roles and responsibilities:




Extraordinary Support ICT / Feedback systems







(R.A.G and RTO)



Mitigation


Blackberry

Amber 8 Hours

Loss of Blackberry

mail service

N/A

Rebuild from backup and

restore data

None

Limited staff affected, non-clinical - but Directors

Malkin Roles and responsibilities:




Extraordinary Support ICT / Orange BB support







and RTO)



Mitigation

Internal only

FOG Image management

Amber

Inability to quickly rebuild

computers

N/A

Manual Rebuild

None

Limited staff affected, non-clinical - but Directors

Agrippa Roles and responsibilities:










and RTO)



Mitigation

Internal only Amber


OBSOLETE

VSphere Controller for all VMware and SAN

Loss of control over VMware

configuration

High availability and failover already built into system


None High availability and failover already built into VMware system

Agrippa Roles and responsibilities:




Extraordinary Support ICT / Dell VSphere specialist support









Mitigation

Internal only

Backup scheduler and controller

Amber 12 Hour

Loss of physical based server backups

N/A

Rebuild from backup and restore

data

None

Can copy data manually as a temporary backup and server rebuilt within hours

Peeves Roles and responsibilities:













Mitigation

Internal only

Backup scheduler and controller

Amber 12 Hours

Backup of VMware information to tapes

for offsite storage.

N/A


None

Can copy data manually as a temporary backup and server rebuilt within hours

Spore Roles and responsibilities:










Service Service Effect and Impact

(R.A.G and RTO)



Mitigation

Remote Working Solution Internal only

Remote access Solution

Green 12 Hours

Loss of

Remote access to Trust

resources

Backup running in High Availability Mode

Maintenance and support contracts with Internet

Central

None

N/A

RWS Roles and responsibilities:




Extraordinary Support ICT / Internet Central


Location Delta House Comms room




Service Service Effect and Impact (R.A.G.)



Mitigation

COIN – 10Mb between remote 5 main sites and

corporate LAN.

All connectivity All services

Amber Obsolete

Loss of all services

SLA & Maintenance contract with ZEN.

Four hour response and eight hour fix


Manual fail over to N3 circuits for each Site

VPN – over N3

Links between remote sites and corporate LAN.


Red 8 Hours


SLA & Maintenance contract with N3

Maintenance & consultancy

Cygnia.

Four hour response and eight

hour fix


Provide Fail over Circuits for each Site (Meshed Network)

PSN – Private

Network

Links between remote sites and corporate

LAN.


Red 8 Hours


SLA & Maintenance contract with

Virgin Media.

Maintenance & consultancy

Cygnia.

Four hour response and eight

hour fix


Provide Fail over Circuits for each Site (Meshed Network)

Localised for individual site and staff where problem with Bandwidth provider has occurred

If central VPN connector then all remote VPN sites affected.


Where do I go for further advice or information?

ICT Department, Delta House, Greets Green Road, West Bromwich, B70 9PL Tel: 0121 612 8001. Self service portal: http://fusion.smhsct.local/staff/

Training Staff may receive training in relation to this procedure, where it is identified in their appraisal as part of the specific development needs for their role and responsibilities. Please refer to the Trust’s Mandatory & Risk Management Training Needs Analysis for further details on training requirements, target audiences and update frequencies Monitoring / Review of this Procedure In the event of planned change in the process(es) described within this document or an incident involving the described process(es) within the review cycle, this SOP will be reviewed and revised as necessary to maintain its accuracy and effectiveness.

Equality Impact Assessment Please refer to overarching policy

Data Protection Act and Freedom of Information Act Please refer to overarching policy

http://fusion.smhsct.local/staff/


Standard Operating Procedure Details

Review and Amendment History

Version Date Description of Change

1.0 Oct 2016 New SOP for BCPFT to support ICT Change Control Policy

Unique Identifier for this SOP is BCPFT-ICT-SOP-01-1

State if SOP is New or Revised New

Policy Category ICT

Executive Director whose portfolio this SOP comes under

Director of Strategy, Estates and ICT

Policy Lead/Author Job titles only

ICT Manager

Committee/Group Responsible for Approval of this SOP

Information Governance Steering Group

Month/year consultation process completed

Month/year SOP was approved February 2016

Next review due October 2019

Disclosure Status ‘B’ can be disclosed to patients and the public

risk assessment and disaster recovery

Documents