17.3.28 Operation and Management

17.3.28.1 Business continuity planning
Information asset managers and IT Division shall develop business continuity plans, ensuring the availability of OIST information assets and resources. Business continuity plans shall be tested at least annually to validate their effectiveness, and to ensure staff are appropriately trained in its execution.

17.3.28.2 Backup
Information Asset Managers and IT Division shall ensure that information assets are backed up to a frequency, and to a level of redundancy, commensurate to the value of the assets. Information Asset Managers shall identify the retention period of information assets and manage them.

Restore tests are to be conducted annually, or more frequently for ‘Critical’ or rapidly evolving information assets.

Information Asset Managers shall request IT Division delete, revoke or physically destroy backup data for assets which have exceeded their retention period, or no are longer required.

17.3.28.3 Change management
Change Management is a process that ensures that any change made to OIST IT Resources is documented, reviewed and approved. It encompasses both larger planned changes such as projects and smaller reactive changes such as software patches and unscheduled server maintenance. Change management processes and procedures must be in place, documented and implemented for all OIST IT Resources. Management responsibilities and procedures will be defined to ensure satisfactory control of all changes to equipment, software, or procedures. These procedures will be defined in the SLA.