Availability and Resilience Policy Template

Purpose

The purpose of this policy is to ensure the availability, reliability, and resilience of our cloud services in alignment with section 3.7 of the New Zealand Government Cloud Risk Assessment Tool. This policy outlines our commitments and procedures to meet service level agreements, protect against denial of service attacks, ensure network performance, and maintain business continuity.

Scope

This policy applies to all employees, contractors, and third-party vendors involved in the management and support of the organization’s cloud services.

Policy Statements

1. Service Level Agreement (SLA)

1.1 Expected and Minimum Availability Performance

  • Commitment: Our SLA includes an expected availability performance of 99.9% over a 12-month period. This performance level meets the agency's business requirements, including the Recovery Time Objective (RTO) and Acceptable Interruption Window (AIW).

1.2 Scheduled Outage Windows

  • Definition: Our SLA includes clearly defined scheduled outage windows.

    • Impact Assessment: We ensure that scheduled outage windows do not adversely affect New Zealand business operations.

  • Maintenance Technologies: If necessary, we utilize technologies that enable maintenance without requiring service outages.

1.3 Compensation for Breach of Availability

  • Compensation Clause: Our SLA includes a compensation clause for breaches of guaranteed availability percentages.

    • Adequacy: The compensation provided is adequate to cover potential impacts on the agency’s operations.

2. Denial of Service Attacks

2.1 Protection Against DDoS Attacks

  • Protocols and Technologies: We utilize advanced protocols and technologies to protect against Distributed Denial of Service (DDoS) attacks.

    • Impact Assessment: Enabling our DDoS protection services does not negatively affect compliance with security requirements.

2.2 Protection Against EDoS/Bill Shock

  • Resource Usage Limits: We allow the agency to specify or configure resource usage limits to protect against Economic Denial of Sustainability (EDoS) and bill shock.

3. Network Availability and Performance

3.1 Network Services Adequacy

  • Availability: Network services managed or subscribed to by the agency provide a high level of availability.

  • Redundancy/Fault Tolerance: Our network services include redundancy and fault tolerance measures.

  • Bandwidth: We ensure adequate network throughput to meet the agency’s operational needs.

  • Latency and Packet Loss: We monitor and maintain acceptable levels of latency and packet loss to ensure a positive user experience.

    • Issue Resolution: Any latency or packet loss issues will be resolved promptly, whether they occur on our network or that of the service provider.

4. Business Continuity and Disaster Recovery

4.1 Service Provider Plans

  • Plans and Testing: Our service provider maintains business continuity and disaster recovery plans, which are regularly tested and reviewed.

  • Agency Review: The agency is permitted to review these plans.

  • Data Recovery: The plans include provisions for the recovery of agency data and prioritize customer data recovery based on predefined criteria.

4.2 Agency Continuity Plan

  • Agency Plans: The agency must maintain its own business continuity and disaster recovery plans to address service outages or the provider’s business failure.

  • Data Backup Strategy: The agency must implement a data backup strategy, ensuring backups are encrypted using approved algorithms.

5. Incident Response and Management

5.1 Service Provider Processes

  • Formal Processes: Our service provider has formal incident response and management processes.

    • Review: The agency can review these processes and plans.

  • Regular Testing: Incident response and management processes are regularly tested.

  • Customer Engagement: Customers are engaged during testing.

  • Staff Training: Our staff receive regular training on incident response and management processes.

5.2 Support During Incidents

  • Incident Notification: Customers are promptly notified of any incidents affecting their data or services.

  • Reporting Channels: We provide clear channels for reporting incidents.

  • Roles and Responsibilities: Defined roles and responsibilities ensure effective incident management.

  • Access to Evidence: Customers are provided with necessary evidence for their investigations.

  • Regulatory Cooperation: We assist customers in cooperating with regulatory bodies.

  • Data and Service Recovery: Responsibilities for data and service recovery are clearly defined.

  • Post-Incident Reports: We share post-incident reports with affected customers.

  • Insurance, Liability, and Indemnity: These terms are clearly specified in our contracts.

5.3 Compatibility with Agency Procedures

  • Alignment: Our incident response procedures align with the agency’s policies to ensure timely and effective incident management.

Review and Updates

This policy must be reviewed annually or whenever there are significant changes to cloud services or related procedures. Updates to the policy will be communicated to all relevant stakeholders.