DR CARE
To increase resiliency, the Disaster Recovery (DR) Program works to conduct in-depth disaster recovery assessments on critical university systems through the DR CARE model.
The DR CARE Model
Consult
This phase includes consultation with DR Coordinators to strengthen information technology (IT) system disaster recovery activities, capabilities, and objectives. Activities in this phase include meeting with your unit's DR Coordinator to review the process, discussing necessary individuals and timeframe, and working to gather evidence.
Assess
In this phase, system (application and service) assessments are conducted against the DR Information Security Control Requirements (ISCR) (IT17.1, DAT1.1.2, and all of IT1). Activities in this phase include examining, interviewing, and testing evidence to produce a preliminary assessment report for review by the DR Coordinator.
Rate
This phase rates system recovery by providing a score that allows us to improve our risk posture over time. Activities in this phase include providing the final assessment report and rating.
Enhance
The final phase works to enhance resiliency by providing feedback and consultation to address identified areas of concern, tracking enhancements, and updating ratings. Activities in this phase involve consulting on and addressing findings, tracking potential risks, and updating assessment ratings.
Assessments Using the DR CARE Model
By completing DR system assessments, we will be able to effectively measure and monitor our recovery risk at the university and identify how prepared the university is to recover from a disaster. The DR CARE process was adopted to describe how a DR system assessment is conducted and what happens in each phase of the process.
DR systems assessments will take a targeted approach; systems with the highest fundamental risk will be assessed first.
Priority 1: Foundational University Systems
These systems are expected to be available for other enterprise systems to work, like Duo.
Priority 2: Foundational Communication Systems
These are systems that are expected to be available for university communications, like O365.
Priority 3: C4 Critical Systems
These systems are fundamental to university operations, like CrowdStrike.
Priority 4: Critical Systems in Units
Additional C4 systems or highly critical systems in units throughout the university, like the Advancement system (TAS).
Currently we are working to build a prioritized list of systems for each of these areas. During 2024, we will be working to complete the pilot, which will encompass Digital Security and Trust and Office of Technology and Digital Innovation priority one systems.
Frequently Asked Questions
What is DR CARE?
DR CARE is a continual improvement assessment process that allows for complete understanding of a unit’s ability to effectively respond to a disaster. DR CARE was adopted to break down and describe how a DR system assessment is conducted and what happens in each phase of the process. The more often the process is repeated, the more effective the DR CARE effort will be and the more resilient our organization will become.
Why do we need to complete DR Assessments?
By completing DR system assessments, we will be able to effectively measure and monitor our recovery risk at the university and identify how prepared the university is to recover from a disaster. With DR assessments we will be able to:
Know what we are doing well and where we have gaps.
Recognize how to meet the ISCR DR controls to be better prepared.
Understand where the highest DR needs and risks are at the university.
Provide observations that will aid in increasing our resilience.
Provide detailed recommendations and guides to reduce the potential impacts from a disaster.
Aid in determining if a particular risk is critical enough to commit money and resources to manage.
Who is involved in the DR CARE process and how long does it take?
The DR Program Lead, along with DR Coordinators, will work to complete system level (application and service) DR assessments. DR Coordinators will rely on system information gathered from service owners, architects, and engineers.
The amount of time to complete the process will depend on the complexity of the system in question. The DR CARE Assess phase reviews existing documentation and processes against the DR requirements in the ISCR, so the time required depends on how long it takes to provide the necessary data, answer questions, and, after the assessment, remediate the discovered gaps.
Isn't this just an audit?
DR system assessments are a compliance process which allows measurement of a unit’s preparedness in accordance with the requirements of the ISCR and outlines steps to remediate gaps and mitigate risk. DR assessments look further into each requirement to ensure specifications are met and operating as required, and that information is prepared and available for use during an event. For example, an assessment will ensure criticality levels are assigned and align with a unit’s recovery and criticality expectations. In addition, the DR program will provide specific details on how to mitigate any risks found.
The DR Program team has reviewed this process with Internal Audit to align efforts and will continue to coordinate to minimize duplication of effort within a unit. Internal Audit has and will continue to review the DR Program’s plans and process to attest that the DR requirements are being met, thereby reducing and/or eliminating their need to focus on DR during audits.
Why wouldn’t we just save our time and resources for when audit comes?
Each DR system assessment will provide a gap analysis that helps ensure recovery activities are designed to align with the ISCR. This will give units additional assurance that their DR processes meet the ISCR standards, or will show what is needed to further mature those processes. A proactive approach ensures the university is better protected. Additionally, units will be better prepared to respond to internal and external assurance (audit) requests and can show compliance with various regulatory requirements.
What is not covered with DR CARE?
DR CARE is NOT a Business Impact Analysis.
DR CARE is NOT intended to assist with developing Business Continuity Plans (BCPs), and will not assess BCPs, but may utilize BCPs to assist with identifying DR risks.
How is this going to be reported and who will receive the report?
Reviewing assessment results will support the university’s readiness for disaster. The DR assessment report will be provided to the respective DR Coordinators, Security Coordinators, service owners, managers, IT leadership, and Deans/VPs. Identified risks will be tracked and shared with necessary parties.
What systems will be assessed and when?
Systems with the highest fundamental risk will be assessed first. This will drive university discussions around what IT systems are foundational and vital to the functioning of many enterprise-wide IT systems. This will also allow us to have a stronger understanding of where our key dependencies lie.
Under advisement from Office of Technology and Digital Innovation's Infrastructure Risk Management, Business Continuity, and the Security and Trust Advisory Board, the DR Program is working to build a prioritized list of systems for each of these priority areas. For FY24, we will be working to complete the pilot and priority one systems.
Learn more about our Targeted System Approach.
Are these foundational systems "above" the basics like power and internet connectivity?
Yes. Infrastructure, networking, and buildings will not be assessed with the DR CARE process. Our current focus is applications (cloud and on-premises). It is likely we will have a different approach for each of these other areas.