S 6.73 Creation of a contingency plan for failure of the Lotus Notes system

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

The partial or complete failure of a Notes system will in many cases have serious consequences on the ability of users to get on with their work as it is no longer possible to execute any server-based actions. As part of contingency planning, a concept covering how to minimise the consequences of a failure and what activities must be carried out in the event of a failure should be drawn up.

The following parameters need to be considered here:

• Contingency planning for the Notes system must be integrated into the existing contingency plan (see also module 3.3 "Contingency Planning Concept").

• Data can be lost during a system failure. Therefore a data backup policy for Lotus Notes must be developed. This should be integrated into the existing data backup policy (see also module 3.4 "Data Backup Policy"). All the components of a Lotus Notes system should be considered here, especially the clients.

• Important databases should be distributed through the creation of replicas on several servers in order that if an individual server should fail the replicas can be accessed.

• The clustering possibilities provided under Notes enable several physical servers to be run as a single virtual server. If one of the servers should fail, an automatic "failover" takes place and the other servers in the cluster take over the tasks performed on the failed server. Whether this is an appropriate option must be considered on a case-by-case basis as part of developing the Lotus Notes operational concept.

• Lotus Notes provides a recovery mechanism for Notes IDs. This can be used in two ways. One possibility is to restore the entire Notes ID file if it is unusable or has been deleted. A second option is to reset forgotten Notes ID passwords using the password recovery mechanism. In this case the user must request a recovery password from one or more Administrators, following which he can then be issued a new Notes ID password.

• At least one external copy of important system Notes IDs (root certifier, certifier, server, Administrator) must always be held (see S 4.129 Secure handling of Notes ID files).

• The system configuration must be documented. Important tasks must be described in such a way that in an emergency they can also be carried out by ordinary users who are not well versed in technical matters.

• A post-incident recovery plan which ensures the controlled start-up of the system must be created.

• Contingency planning must take into account the peculiarities of important Notes servers (e.g. a certification authority) and be oriented towards them.

• As part of contingency planning, various scenarios in which critical data is compromised (e.g. the root certifier ID) should be considered along with how to respond to them.

Additional controls:

• Is there a contingency plan for failure of the Lotus Notes system?

• Does a data backup policy for Lotus Notes that covers all the components exist?