The City and County of San Francisco (CCSF) requires an IT-focused Disaster Preparedness, Response, Recovery and Resiliency (DPR3) policy with clear, consistent and achievable standards applicable to all City departments that would ensure the delivery of public services during, and after, a disaster. A comprehensive IT-focused DPR3 policy that guides departments on how to successfully prepare for, respond to, and recover from a disaster (either man-made or natural) is required to ensure that CCSF is ready to serve the public when disaster strikes.

The City and County of San Francisco (City) is committed to preparing for natural (e.g., earthquake, floods) and human-caused (e.g., cyber, active assault) disasters and any variety of incidents which may adversely impact the City’s business operations. A critical element of our preparedness is the resilience of our IT systems, through proper prevention and protection of these systems and their environments, and the capability to quickly recover them when applications, systems, or infrastructure environments fail. The IT-focused Disaster Preparedness, Response, Recovery and Resilience (DPR3) Policy provides clear, consistent, and achievable standards for the City’s IT resilience, which apply to all City departments, before, during, and after a disaster. These standards are meant to ensure continued delivery of critical, IT-reliant public services in response to any incident.

PURPOSE AND SCOPE

The DPR3 Policy requires all City departments to develop, test, and maintain departmental IT focused Continuity of Operations plan (IT COOP) also called an IT Contingency Plan for all the Critical IT System/Applications being managed and supported by the city departments to meet the needs of critical system operations in the event of a disruption. 
Goals of IT COOP include:

  1. Safeguarding and restoring data
  2. Safeguarding hardware, software and facilities
  3. Resuming critical business processes through high-availability and automate/manual failover recovery strategy

POLICY STATEMENT

The DPR3 Policy requires all departments to:

  1. Designate an IT COOP/DR Lead and/or Disaster Preparedness Coordinator (DPC) liaison to coordinate planning and implementation of DPR3 policy requirements
  2. Identify and assess the resilience of critical systems
  3. Adopt and implement an IT COOP National Institute of Standard and Technology (NIST) framework
  4. Review and update the departmental IT COOP annually and Disaster Recovery Plans (DRP) for each critical system bi-annually
  5. Exercise the IT COOP at least annually and perform an active Disaster Recovery (DR) test of each critical system bi-annually
  6. Department Heads are responsible for ensuring compliance with this policy