S 6.73 Contingency planning and emergency drills for the Lotus Notes/Domino environment

Initiation responsibility: IT Security Officer, Emergency Officer, Head of IT

Implementation responsibility: Emergency Officer, Administrator, Specialists Responsible, IT Security Officer

Appropriate contingency planning must be drawn up for the Lotus Notes/Domino environment depending on the contingency planning relevance defined in the superior business continuation planning (see also module S 1.3 Emergency management). It must include all aspects of contingency planning and also the steps required for environment recovery and restart after an emergency occurs.

Contingency planning must consider relevant emergency scenarios for the Lotus Notes/Domino environment. In particular, the failure of Notes/Domino as the basis of the organisation-wide identity management and the failure of the external, centralised identity management (both only if correspondingly relevant) must be taken into consideration in the emergency scenarios.

The objective of contingency planning must not only be to recover and restart individual components, but first and foremost to recover and restart the Lotus Notes/Domino environment. Therefore, contingency planning must aim at the recovery of the data taking into consideration the replication issues and a synchronised recovery of the components taking into consideration all component dependencies. It is possible to provide the recovery of limited environments where only the most important services are operated.

Clustering on different levels (operating system, Lotus Notes/Domino environment) and redundant data storage using corresponding storage solutions primarily are aids for securing a high or very high availability of Lotus Notes/Domino and are no substitute for contingency planning. Nevertheless, they can be helpful in efficiently resolving diverse emergency scenarios if configured accordingly.

The mechanisms for recovery (e.g. recovery for Notes IDs), resetting passwords in an ID Vault (in version 8.5 and higher), failover for directory management, database repair (Fixup, Compact, Updall), and automatic restart (Fault Recovery) offered by Lotus Notes/Domino must be used within the framework of contingency planning only when completely familiar with their mode of operation.

The recovery of the certificate infrastructure must be a focus. The emergency scenario of a compromised certificate infrastructure must be taken into consideration in this.

If DAOS (Domino Attachment and Object Service) is used within the framework of the new Lotus Notes/Domino versions (in version 8.5 and higher), contingency planning must be adapted to the no longer redundant storage of attachments and objects.

In order to ensure that contingency planning is appropriate and practical for the Lotus Notes/Domino environment, emergency drills must be conducted.

Emergency drills must be planned in advance in detail. Ideally, there is a superior plan for emergency drills ensuring that all emergency-relevant information systems are to be taken into consideration within the framework of emergency drills periodically.

Detailed planning and performance of emergency drills for the Lotus Notes/Domino environment should be focused on emergency scenarios including the specifics of the Lotus Notes/Domino platform (e.g. compromise of the certificate hierarchy of Notes, corruption of the replication mechanisms of Lotus Notes/Domino, and the like).

When planning and conducting emergency drills, the risks that may occur while conducting emergency drills must always be considered as well. Therefore, it is recommendable to conduct emergency drills on a small scale and to conduct larger-scale emergency drills later on. The scenarios such as the recovery of corrupt Lotus Notes/Domino databases by means of repair or backup or the recovery of comprehensive database consistency in the event of corrupt replication mechanisms must be processed applying the corresponding care within the framework of emergency drills in particular.

Denial-of-service attacks against email or web services and/or compromising the environment by using weaknesses of a service offered on the internet constitute further realistic scenarios for emergency drills for the Lotus Notes/Domino environment.

The performance of the emergency drills must be documented and the findings from the drill must be incorporated into the enhancement of contingency planning and operations.

Review questions:

• Is there a sufficiently detailed contingency plan for the Lotus Notes/Domino environment?
• Does contingency planning for the Lotus Notes/Domino environment take into consideration the technical conditions of the version currently used?
• Are the emergency scenarios considered for the Lotus Notes/Domino environment plausible and realistic?
• If DAOS is used, is this taken into consideration within contingency planning?
• Were emergency drills taking into consideration the specifics of the platform planned and/or conducted for the Lotus Notes/Domino environment?