

DR Policies and Business Continuity Management in the Government of Sri Lanka – A Situation Analysis

1. Mr. Shriyananda Rathnayake, Digital Development Consultant, Shriyananda@gmail.com
2. Dr. Kanishka Karunasena, Head of Research, Policy and Projects at Sri Lanka CERT|CC, kanishka.Karunasena@gmail.com

Abstract— Nowadays, both the government and private sectors are highly dependent on the use of information communication technology to ensure smooth business continuity, and a total of 3.9 trillion USD of IT market turnover has been forecast for the year 2021. Hence Business Continuity Management (BCM) has been identified as a vital corporate and management proficiency in the 21st Century, in which “Disaster Recovery (DR)” plays a major role.

This paper discusses in detail the steps taken by the Sri Lankan Government to assure BCM in the ICT context during a disaster. It critically analyses the current national policy framework, disaster recovery policies, the Disaster Management Act, BCP Guidelines No. 01/2006 of the Central Bank of Sri Lanka, digital government policies and various sector-specific DR practices in Sri Lanka, comparing them with the rules, policies, legislation, regulations, standards and best practices that promote BCM in technically advanced developed countries.

Finally, the paper discusses the various Sri Lankan Government organizations involved in establishing rules, policies, legislation and regulations to secure BCM in a disaster, expounding their current roles and the future expectations of industry stakeholders.

Keywords—Business Continuity Management, Disaster Recovery, Sri Lanka, eGovernment Policies and Procedures.

I. INTRODUCTION

Today, both government and private sectors are highly dependent on the use of information communication technology to cater to the requirements of modern society and ensure smooth business continuity [1]. Statistics show that both corporate and government sectors use information systems and information technologies to become more competitive in the marketplace and improve service efficiency [2]. Gartner has forecast a total of 3.9 trillion USD of IT expenditure for the year 2021. However, the forecast technological advancement and investment could create many threats, for instance a system crash and data loss. Hence business continuity management is identified as a vital corporate and management proficiency in the 21st Century.
Although Business Continuity Management (BCM) was already part of the core management concepts, the importance of BCM was repeatedly highlighted after the 9/11 terrorist attacks, the Indian Ocean tsunami in 2004, the terrorist attack on London’s subway and several other natural and man-made disasters during the last two decades. Business Continuity Management recognizes the probable negative effects to which an organization is exposed, and BCM proposes a basis for building resilience [3]. BCM also protects the interests of the stakeholders, the organization's reputation and the brand. A study conducted by the public research university, Minnesota, revealed that 93% of businesses lose vital information and software systems for two weeks immediately after file insolvency [4]. Another study conducted by CPA found that 90% of organizations running their business without a business continuity plan face a disastrous loss of equipment and information and close down within two years [5]. A study conducted by Hartford Insurance found that a minimum of 49% of companies that operate without disaster recovery plans went out of business when a disaster occurred [6]. These statistics show the importance of planning and managing business continuity and illustrate that Disaster Recovery (DR) plays a major role in BCM. Most developed countries follow strict legislation, regulations, standards and best practices to promote business continuity management, while developing countries continue to relax standards or best practices [7].

A. Initial Policy intervention in GOSL


Sri Lanka identified the need for information communication technology with the development of the “National Computer Policy” (COMPOL) published in 1983 [8]. Based on the COMPOL report, Sri Lanka passed the “Computer and Information Technology Act” No. 10 of 1984 and formed the “Computer and Information Technology Council of Sri Lanka” (CINTEC), which became the apex government body for computer and IT matters. Although Sri Lanka spearheaded IT policy formulation in the early 80s, actual implementation of information technology did not occur owing to the 88-89 revolt, the Sri Lankan civil war and many other related reasons [9]. The “Information and Communication Technology Act” was approved in 2003 and the “ICT Agency of Sri Lanka (ICTA)” was established to implement the eSri Lanka Development Programme [8]. eSri Lanka consists of five interlinked main programmes, namely: Re-engineering Government, eSociety, Private sector development, ICT HR capacity building, and information infrastructure. Although eSri Lanka contributed to improving eGov through its programmes, e-Gov service remains low compared to other countries according to the UN eGOV index [10].

B. National Policy Framework
For the first time in Sri Lanka's history, the Government has pledged to improve the digital ecosystem in the country while enabling digital government applications through the “National Policy Framework: Vistas of Prosperity and Splendour” [11]. The policy framework is based on ten key policies and a fourfold outcome aimed at productivity, family, a disciplined society and a prosperous nation. The policy framework has also identified key national digital projects such as:
1. Establishment of a high-speed fibre optic and 5G mobile broadband network
2. Introduction of mobile payment and digital payment
3. Introduction of new laws to facilitate cross-border payment settlement and cybersecurity
4. Establishment of nine centres throughout the nine provinces to enable digital citizen services
5. Introduction of smart traffic fines with digital payment methods
6. Establishment of an electronic procurement system for the government procurement process
7. Introduction of future technologies such as 3D printing, Robotics, AI, Machine Learning, Augmented and mixed reality, Nanotechnology, etc.
8. Increase IT industry exports up to 3 billion by 2025
9. Introduce an e-ticketing system
10. Introduce modern diagnosis and treatment facilities with digital health.
The Government of Sri Lanka has already implemented a few key national digital transformation projects such as the Revenue Administration Management Information System (RAMIS), Lanka Gate, the vehicle revenue licence system, the national identity system, the driving licence system and the budget progress monitoring system. Since Sri Lanka is in the process of expanding the digital economy and ecosystem, it is highly important to understand the IT disaster readiness of the country and its current disaster recovery policies. It is also important to compare the existing disaster recovery policies with worldwide corporate practices and government best practices.

II. INTERNATIONAL FRAMEWORK FOR MANAGING DR

A. Information Technology Infrastructure Library (ITIL).

ITIL is a library of best practices for managing Information Technology services [12]. The “Central Computer and Telecommunications Agency” (CCTA) in Britain developed the framework of good practices in the late 1980s to guide IT Service Management [13]. According to ITIL, disaster recovery is one main component of “IT Service Continuity Management (ITSCM)”. ITSCM is aligned to the business continuity life cycle, and it is designed to prepare for the prevention of disaster, recovery from a disaster and even a worst-case scenario such as service failures of an application, non-performance of critical providers, corruption of key information, sabotage, deliberate unlawful access, or attacks on vital software systems [13]. ITSCM aims to provide an overall framework that guides the high-level continuity of the business and the management process. Continuity management of the IT service also ensures that all IT-related services can be recovered and re-established within specified and agreed periods.
Time is a critical factor for disaster recovery. Hence ITIL defined three common terms for disaster recovery: “Recovery Time Objective (RTO)”, “Recovery Point Objective (RPO)” and “Maximum Tolerable Outage (MTO)” [14]. RTO defines how long the business process can run without the IT application and service before the business is damaged, and RPO defines how much data an organisation can afford to lose or recreate. The maximum amount of time the organisation can survive without a manual or automated system is defined as the Maximum Tolerable Outage. ITIL has well-defined best practices for ITSCM management.

The ITIL service design processes 4.4.5.2, 4.5.5.2, 4.5.5.3 and 4.5.5.4 discuss disaster recovery. The initiation of development policies, scope, crisis management resources and organisation of the programme are mainly addressed in SD 4.4.5.2. Before initiation, a Business Impact Analysis (BIA) must be conducted to assess the financial, non-financial and overall impact on the business processes [15]. Based on the business impact analysis, the “recovery time objective”, “recovery point objective” and “maximum tolerable outage” can be defined [16]. ITIL Service Design 4.4.5.2 facilitates analysing the risk factors relating to technology, people, natural events, physical security and data security [16]. Implementation of the recovery plan is illustrated in the service design processes SD 4.5.5.3 and SD 4.5.5.4. Implementation of the recovery includes determining the strategy, using alternate sites with hardware, data protection such as backup and replication, cloud-based solutions, server recovery (for example, physical, virtual or information as a service) and network resilience [16].
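The RTO/RPO/MTO definitions and the BIA-driven recovery strategy described above, as an added illustration that is not from the paper: a small Python checker that tests whether a proposed recovery design (worst-case gap between recovery points, invocation delay, restore time) meets the targets a Business Impact Analysis fixed for each process, and flags a BIA whose RTO exceeds its MTO. All process names, strategies and figures are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class BiaTarget:
    """Targets the Business Impact Analysis fixed for one business process."""
    process: str
    rto: timedelta  # Recovery Time Objective: how long the process can run without its IT service
    rpo: timedelta  # Recovery Point Objective: how much data (as a time span) may be lost or recreated
    mto: timedelta  # Maximum Tolerable Outage: how long the organisation survives with no system at all


@dataclass(frozen=True)
class RecoveryDesign:
    """What a proposed recovery strategy can actually deliver (all figures constructed)."""
    strategy: str
    recovery_point_gap: timedelta  # worst-case interval between two usable recovery points
    invocation_delay: timedelta    # time to detect the outage, decide, and declare the disaster
    restore_time: timedelta        # measured time to bring the service up at the recovery site


def hours(td: timedelta) -> str:
    """Render a timedelta as hours for readable findings."""
    return f"{td.total_seconds() / 3600:g}h"


def achievable_rto(design: RecoveryDesign) -> timedelta:
    """The RTO clock starts at the outage, not at the start of the restore,
    so the detection and declaration delay counts against the objective."""
    return design.invocation_delay + design.restore_time


def evaluate(target: BiaTarget, design: RecoveryDesign) -> list[str]:
    """Return findings for one process; an empty list means the design meets its BIA targets."""
    findings: list[str] = []
    # A coherent BIA never sets an RTO beyond the MTO: restoring a process only
    # after the organisation can no longer survive is not a usable target.
    if target.rto > target.mto:
        findings.append(
            f"{target.process}: RTO {hours(target.rto)} exceeds MTO {hours(target.mto)}; "
            "the BIA targets are inconsistent and must be revisited"
        )
    # The achievable recovery point is bounded by how often a recovery point is taken.
    if design.recovery_point_gap > target.rpo:
        findings.append(
            f"{target.process}: '{design.strategy}' leaves up to "
            f"{hours(design.recovery_point_gap)} of data at risk, RPO is {hours(target.rpo)}"
        )
    actual = achievable_rto(design)
    if actual > target.rto:
        findings.append(
            f"{target.process}: '{design.strategy}' restores in {hours(actual)} "
            f"(including {hours(design.invocation_delay)} invocation delay), RTO is {hours(target.rto)}"
        )
    return findings


def assess_plan(plan: list[tuple[BiaTarget, RecoveryDesign]]) -> dict[str, list[str]]:
    """Evaluate every process in a DR plan; keys are process names, values their findings."""
    return {target.process: evaluate(target, design) for target, design in plan}


# Constructed sample BIA table and candidate designs (not real figures from any agency).
SAMPLE_PLAN = [
    (BiaTarget("licence issuing", rto=timedelta(hours=4), rpo=timedelta(minutes=15), mto=timedelta(hours=24)),
     RecoveryDesign("hot site with synchronous replication", timedelta(0), timedelta(minutes=30), timedelta(hours=1))),
    (BiaTarget("revenue filing portal", rto=timedelta(hours=8), rpo=timedelta(hours=1), mto=timedelta(hours=48)),
     RecoveryDesign("nightly backup to offsite store", timedelta(hours=24), timedelta(hours=2), timedelta(hours=5))),
    (BiaTarget("budget progress monitoring", rto=timedelta(hours=72), rpo=timedelta(hours=24), mto=timedelta(hours=48)),
     RecoveryDesign("weekly backup to tape", timedelta(days=7), timedelta(hours=4), timedelta(hours=12))),
]


if __name__ == "__main__":
    for process, findings in assess_plan(SAMPLE_PLAN).items():
        status = "OK" if not findings else "GAP"
        print(f"[{status}] {process}")
        for finding in findings:
            print("   -", finding)
```

The second sample shows the common gap: a nightly backup satisfies an 8-hour RTO but not a 1-hour RPO, so the strategy tier (replication rather than backup) is dictated by the RPO, not the RTO.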

B. Control Objectives for Information Technology (COBIT)

The “Information Systems Audit and Control Association” (ISACA) formulated the “Control Objectives for Information Technology” (COBIT) in 1996. COBIT is an information technology management framework and structured international standardisation process for information technology published by the “Information Systems Audit and Control Association” [17].
COBIT discusses business continuity and disaster recovery in COBIT processes DS4.1 to DS4.9 and DS11.5 [18]. DS 4.1 mainly focuses on the information technology continuity framework. It discusses enterprise-wide business continuity management by developing a disaster recovery plan and an information technology contingency plan. The IT continuity plan and its importance in reducing major disruption to critical business functions are discussed in DS 4.2. DS 4.3 focuses on critical information technology resources. Maintenance of the information technology continuity plan and testing of the IT continuity plan are discussed in DS 4.4 and DS 4.5, respectively. Training is a major component of the IT continuity plan; DS 4.6 mainly discusses the importance of training on disaster management and activating the relevant roles and responsibilities [17]. DS 4.7 covers the distribution of the IT continuity plan and making it available to the intended parties. IT service recovery and resumption are illustrated in DS 4.8, and offsite backup storage is guided in DS 4.9. DS 11.5 also discusses backup and restore procedures [18]. The Deliver and Support (DS) section of COBIT 4 provides a solid approach to managing business continuity and disaster recovery.

C. ISO standards for Disaster Recovery & Business Continuity.

The “International Organization for Standardization” (ISO) is an internationally established standard-setting body. Today ISO comprises 164 member countries, and ISO promotes industrial and commercial standards [19]. In terms of business continuity and disaster recovery, ISO has published two main international standards.
ISO published ISO 22301 in 2012, recognising the importance of contingency planning and disaster planning given the impact of natural and man-made disasters on business. ISO 22301 is mainly customer-centric, and the standard was developed to establish business continuity by alleviating the effects of disruptive events on people and business. ISO 22301 is a management standard for business continuity. Organizations which obtain accredited certification against ISO 22301 prove to policymakers, government, clients, prospective clients and other interested parties that the organization has adhered to worldwide best-practice standards for establishing business continuity [20].
ISO 22301 is set out in 10 main clauses. The first and second clauses describe the scope and normative references. The third clause defines terms and definitions. Understanding the organization from an internal and external perspective is important to business continuity planning; hence the context of the organization is described in clause four. Appropriate leadership is highly important for planning and implementing business continuity and disaster recovery; hence clause five of ISO 22301 is dedicated to leadership. Clauses 5 and 6 describe the planning and support of business continuity and disaster recovery. Clause 8 is dedicated to the operation of business continuity, and clauses nine and ten discuss the evaluation and improvement of BCM, respectively [20].

Although ISO 22301 discusses business continuity management and good practices for disaster and disaster recovery in general terms, this standard does not emphasise IT disaster management. Hence ISO has published a separate set of international standards for “ICT readiness for business continuity” under ISO 27031.

“Information and communication technology (ICT) readiness for business continuity” (IRBC), ISO 27031, provides a high-level outline and process to identify all facets of the ICT readiness of the organization in order to improve and provide continuous business. ISO 27031 helps an organization to improve its readiness and respond to the rapidly changing risks in the ICT industry, and to ensure that critical business functions are not affected by information security threats [21]. This standard also supports the organization in being ready and acting even before an ICT disruption occurs, and in responding to and recovering from an incident or disaster.

The first four sections of ISO 27031 are the standard sections of any ISO standard: Scope, Normative References, Terms and definitions, and Abbreviations. Section five of the standard gives an overview of ISO 27031. The overview covers: the role of IRBC, elements of IRBC, outcomes and benefits, establishing IRBC, use of Plan-Do-Check-Act and management responsibility [22]. Section 6 of ISO 27031 discusses IRBC planning, and section 7 discusses implementation and operation. Maintenance of IRBC, IRBC internal audit, management review and measurement of ICT readiness performance criteria are discussed in section 8 of the standard under Monitoring and Reviewing. Section 9 of the standard illustrates IRBC improvement, including continual improvement, corrective action and preventive action [22].

After carefully evaluating both ISO standards, ISO 22301 and ISO 27031, it can be concluded that ISO 22301 addresses the continuity of the business as a whole for any incident or disaster, such as a pandemic, an economic crisis, an IT system crash or hacking, whereas ISO 27031 can be used as a more specific set of tools, policies and procedures to ensure ICT readiness for business continuity.

III. INTERNATIONAL LEGISLATIONS AND REGULATIONS

Business continuity management has become a vital, integral part of every business, whether in the government or private sector, since most organizations are dependent on information technology resources [23]. Disaster recovery is the core of business continuity management. Therefore, governments in the developed and developing world have established the importance of disaster recovery policies through legislation, regulations and best practices.

The European Commission has published legislation, “The European Programme for Critical Infrastructure Protection (EPCIP)”, to increase the safety of critical infrastructures in Europe [24]. This legislation proposes to ensure that the designated European IT infrastructures are established with disaster recovery: to identify and define vital information assets, main hazard situations and the vulnerability of information assets, and to implement and prioritise counter-measures. The Authority of Electronic and Postal Communications (AEPC) of the Government of Albania has published legislation on Electronic Communication to prescribe the values for competition and infrastructure efficiency in digital communications, to make available a high-quality information communication system in Albania [7]. The Australian Government Attorney-General’s Department (AGD) enacted the “Protective Security Framework”, which requires all government agencies to have business continuity management and disaster recovery [25]. The “National Emergency Management Agency of Bahamas” enacted the “Disaster Preparedness and Response Act 2006” and the “Emergency Relief Guarantee Fund Act 1999”, which discuss the mandate for disaster recovery [7]. The Canadian government has published two pieces of legislation on Emergency Management and Civil Protection. The Personal Data (Privacy) Ordinance of Hong Kong also discusses the importance of continued economic wellbeing by protecting the free flow of individual data. The “Code for Digital Public Administration” (D.Lgs 235/2010) legislation enacted by the government of Italy mandated all public administrations to initiate disaster recovery solutions within 15 months [26]. The Civil Defence and Emergency Management Act in New Zealand aims to increase and stimulate the sustainable management of vulnerable incidents, including disasters in the digital environment, safeguarding personal data and business continuity [27]. Although many countries and political and economic unions have enacted disaster recovery and business continuity through legislation, it is noticed that most countries have established disaster recovery and business continuity through regulations, standards and best practices.

IV. DISASTER RECOVERY POLICIES IN SRI LANKA

Sri Lanka is well known for weather-related hazards since the country is located in the Indian Ocean. Sri Lanka receives rain from two monsoons, namely the South-West monsoon and the North-East monsoon. The Boxing Day tsunami, or the 2004 Indian Ocean earthquake and tsunami, is recorded as the major catastrophe Sri Lanka faced during the 20th and 21st centuries. Sri Lanka lost over 35,000 people, and more than 500,000 people were affected [28]. With this devastating tsunami, Sri Lanka identified the need for disaster management.

A. Disaster Management Act of Sri Lanka, No 13

The Parliament of the Democratic Socialist Republic of Sri Lanka passed the Sri Lanka "Disaster Management Act", No. 13 of 2005. This Act established the National Council for Disaster Management and the Disaster Management Centre, and provided for appointing the technical advisory committee and preparing disaster management plans for Sri Lanka [29]. The Act makes provision for when the lives of Sri Lankans, the property of Sri Lanka or the environment of Sri Lanka are at risk or being destroyed owing to a disaster taking place within Sri Lanka. The Government of Sri Lanka identified the need for the greatest attention of the country's leadership; hence, the President of Sri Lanka is appointed as the council's chairman and the Prime Minister of Sri Lanka as the vice-chairman of the council. The Leader of the Opposition is also appointed to the national council by law. The National Council for Disaster Management comprises the ministers of "Social welfare, Rehabilitation and re-construction, Environment, Home affairs, Health, Science and technology, Housing, Coast conservation, Irrigation, Power, Defence, Police, Finance, Land, Fisheries, Foreign affairs, Water supply, Highways, Urban Development and Education". As per the Act, a disaster is defined as the "occurrence of a natural or man-made event, which endangers or threatens to endanger the safety or health of any person or group of persons in Sri Lanka, or which destroys or damages or threatens to destroy or damage any property" [29]. The Act identifies 21 different types of disasters, including natural disasters and man-made disasters, but excluding Information Technology disasters.

Although Sri Lanka has passed a law on managing disasters, the information technology disasters most prevalent in present-day society are not included in this Act. During the development of the Disaster Management Act of Sri Lanka in 2005, information technology disasters may not have been identified as a major sector for consideration owing to the low presence of information technology in the private and government sectors.

The use of information technology in government work processes was introduced with the eSri Lanka programme, which commenced in 2006. According to the UN eGovernment Survey of 2014, Sri Lanka ranked first in South Asia and 74th globally after introducing 108 e-services for citizens. Managing large ICT infrastructure and e-services without proper policies and regulations on information technology disaster management can lead to an information technology disaster in the government sector.

B. BCP Guidelines No: 01/2006 by Central Bank Sri Lanka

The BCP guideline of the Central Bank of Sri Lanka (CBSL), which is addressed to all licensed commercial banks, primary dealers, the central depository system and LankaClear, highlights the importance of BCP and disaster recovery planning in the banking sector [30]. With the introduction of the new guideline, the CBSL immediately ensured business continuity and disaster recovery, since the licence renewal process is tied to the BCP guideline.

C. HPOL#10 - Business Continuity Management

The ICT Agency of Sri Lanka released high-level information policies (HPOL) for the Government in 2005 to create shared IT infrastructure that facilitates efficient sharing of information and documents between Government agencies and enables citizen services in the most efficient manner [31]. HPOL#10 of this document highlights the importance of business continuity management and disaster readiness. This policy document mainly discusses: the business continuity framework and management process, business impact analysis, implementation of the continuity plan, continuity plan testing, and maintaining and assessing the plan.

D. Digital Government policies and Disaster recovery

The Government of Sri Lanka has published three policy documents to date related to digital Government. The "Policy and Procedures for ICT Usage in Government", published in 2009, is the first policy issued on e-Government. Section 6 of this policy document discusses backup measures related to disaster recovery and business continuity policies.

Policy number 060301 emphasizes the importance of a government organization identifying and documenting the vital processes relating to its central business, and the vital assets and resources involved in those organizational processes [32]. This policy provides high-level guidance for analyzing the business continuity requirements and risk components of the government organization.

Policy number 060301 discusses the importance of developing a disaster recovery plan and implementing such plans to ensure the security of the organization’s vital assets, comprising information, software and applications. Policy number 060301 highlights the requirement of taking backups to assure that all required software and data can be recovered after a disaster or a media failure [32]. This policy references section 10.5 of ISO/IEC 17799.

The ICT Agency of Sri Lanka formulated the draft "eGovernment Policies and Procedures" version 4.0 after conducting a series of discussions with government stakeholders in 2014. The version control of this document shows that the draft was amended 16 times from May 2012 to November 2014. In terms of disaster recovery, this draft policy repeats the need for backup facilities stated in Policy number 060301 of the "Policy and Procedures for ICT Usage in Government" of 2009. This draft policy did not provide policy-level guidance for planning, implementing, monitoring and evaluating disaster recovery and business continuity. However, the "Sri Lanka eGovernment Strategy" published in 2013 identified the importance of business continuity and disaster recovery [33].

The "Ministry of Digital Infrastructure and Information Technology" (MDIIT) and the ICT Agency of Sri Lanka published the draft version of the "National Digital Policy for Sri Lanka" in August 2019. This policy aims to provide high-level guidance and an abstract outline for Sri Lanka to accomplish sustainable digital economic growth [34]. The policy is designed on two main pillars, an innovative economy and effective Government, and four enablers: digital and network infrastructure, smart society, data protection and cybersecurity, and sustained implementation.

E. Information and Cyber Security Policy Framework for Government.

Sri Lanka is currently in the process of implementing the nation’s first Information and Cyber Security Strategy (2019-2023), with a vision of creating a resilient and trusted cyber security ecosystem that will enable Sri Lankan citizens to realize the benefits of digitalization and facilitate growth. In line with the implementation of the strategy, the National Information and Cyber Security Policy for Government Organizations and the Minimum Information Security Standards (MISS) have been drafted to ensure that digital government systems are resilient to information and cyber threats.

The National Information Security Policy and the MISS, which stem from ISO 27002 and the NIST standards of the US, emphasize the necessity of establishing disaster recovery plans in all government institutions regardless of the maturity of their information systems (Policy number 4.6.1). The Information Security Policy Framework further emphasizes that a disaster recovery plan shall be developed by conducting risk assessments and a business impact analysis of the information assets, and by taking into account the RPO and RTO of the systems. It further highlights the importance of testing and updating the disaster recovery plan on a periodic basis, and of clearly defining the roles and responsibilities of the disaster recovery team in activating the plan.
The Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT), which has the mandate to protect digital government systems from various cyber threats, is currently in the process of assessing the adoption of the Information Security Policy and MISS by government organizations. In these assessments, special attention is paid to whether individual organizations have implemented disaster recovery plans.

V. DISCUSSION & CONCLUSION

Information communication technology has become a key enabler in every business and in the life of every citizen in the 21st century, especially during the Covid-19 pandemic. Hence, both developed and developing countries have invested in information technology to foster and sustain development. Since disasters are unpredictable, most developed countries have recognized the importance of disaster recovery of information technology and business continuity through legislation, regulations, standards and guidelines [7]. Developed countries in the European region and countries like Australia [35], the USA [36], the United Kingdom, New Zealand and many others have published disaster recovery policies, since disasters vary from country to country. Developed countries have facilitated the development of international standards, governance procedures and good practices like ITIL, COBIT and the ISO/IEC standards related to business continuity and disaster recovery.

Sri Lanka has made significant improvements and progress in implementing disaster recovery policies, regulations, standards and best practices in the banking and finance sectors. The National Information and Cyber Security Policy for Government Organizations and the BCP guideline of the Central Bank of Sri Lanka identify business continuity and disaster recovery as a mandatory requirement. The majority of software development companies involved in international trade and the software business have also gained ISO certification related to information security and business continuity. The Telecommunication Regulation Authority (TRC) has given internet service providers and telecom service providers mandatory guidelines to have business continuity plans. Since the Government of Sri Lanka signed the UNCITRAL rules on transparency treaty in 2014, business continuity and disaster recovery planning are covered, especially for the financial and private sectors. However, disaster recovery policies in the government sector in Sri Lanka are yet to be improved.

Although Sri Lanka passed the Disaster Management Act in 2005, the role of ICT has not been properly identified for managing disasters and disaster recovery. It is highly important to include the Ministry of Digital Infrastructure and Information Technology in the National Disaster Management Council. It is expected that man-made disasters in the information technology sector will increase owing to the high dependency on information technology. Hence, measures should be taken before such information disasters occur. The Ministry of Digital Infrastructure and Information Technology should be part of the National Disaster Management Council to manage such situations. Sri Lanka is going to embark on a large digital transformation project to foster development and ensure equity in Sri Lanka as per the National Policy Framework 2019. Hence policies related to disaster recovery and business continuity should be formulated prior to, or in parallel with, the massive digital project implementation in the government.
The high-level information policies published by the ICT Agency of Sri Lanka address the need for a business continuity plan and disaster recovery policies. The policies were published under the eSri Lanka programme by the ICT Agency of Sri Lanka; the document was developed in 2006 and last updated in 2007. Although the government has published this policy document, most government organizations are unaware of it. The policy is listed on the Sri Lanka CERT website under information security policy. Therefore, people who search for the government policy on disaster recovery will not find this section of the document, since the overall policy guide is based on information security. No reference to the high-level information policy is provided in the eGovernment policy published in 2009. Since the policy was last updated in 2007, the applicability of this document is questionable. Hence it is highly recommended to revisit this high-level policy and update it based on present and future requirements.

The eGovernment policy published in 2009 identified the importance of business continuity and disaster recovery. But the two draft policies developed in 2014 and 2019 have not provided a high-level policy statement on disaster recovery. The draft policy released in 2019 makes no reference at all to business continuity or disaster recovery, although the policy is based on “Trust” as its main enabler. Therefore, the draft policy should be amended to include a high-level policy statement that refers to international best practices, standards and guidelines for disaster recovery policies in Sri Lanka.

Even in the absence of policy-level guidance from the government on disaster recovery, large-scale ICT
projects implemented in Sri Lanka have followed international standards in implementing disaster recovery
planning. The driving licence issuing system at the Department of Motor Traffic has implemented a hot site
as its disaster recovery facility, and the Department for Registration of Persons has also implemented
proper disaster recovery policies and a hot site, considering the criticality of the information and the
service. Though there is no proper guidance for disaster recovery, the government of Sri Lanka has managed
disaster recovery policies through contract clauses and Service Level Agreements (SLAs).

The government of Sri Lanka implemented Lanka Government Cloud (LGC) – 1 from 2011 to 2017 and
subsequently initiated Lanka Government Cloud – 2, having identified the national requirements and the
gaps in Lanka Government Cloud – 1. The Lanka Government Cloud provides protected and reliable cloud
infrastructure facilities to government organizations to host applications and systems. Government
organizations have used the Lanka Government Cloud to host applications, as well as a hot site to which
applications are replicated in the cloud. The LGN infrastructure has also been used to store periodic
backups.

Information and communication technology has made a huge impact on every business and every human
being on the planet in the 21st century. People live in a global village and businesses operate in a global
market; geographic distance has become less important. But with this sophisticated technology,
vulnerabilities, threats and risks have been created, owing to both man-made and natural disasters. Hence a
disaster recovery plan becomes central to the government sector as well as the private sector. However, the
implementation of disaster recovery policies in the government sector worldwide shows disparities between
developed and developing countries. Although Sri Lanka identified the importance of business continuity and
disaster recovery in the first eGovernment policy in 2009, the subsequent draft policies published in 2014
and 2019 have not recognized the importance of disaster recovery. Hence the draft digital government policy
of 2019 should be amended to incorporate a high-level policy statement into the policy document, in order to
provide continuous citizen services without disruptions owing to disasters.