Disaster Recovery Policy
Version: 1.00 | Issue Date: 2/10/2015
This Disaster Recovery Policy provides goals and guidance for recovering from a disaster.
This Disaster Recovery Policy will discuss a number of adverse events to provide guidance in recovering from those events.
This Disaster Recovery Policy is intended to provide guidance and standards to be used in developing disaster recovery plans, business contingency plans, business continuity plans, and the process of recovering from a disaster.
This Disaster Recovery Policy applies to all computer equipment, all employees, and includes any equipment or buildings which could be affected by a disaster. This policy is effective as of the issue date and does not expire unless superseded by another policy.
4.0 Disaster Recovery Goals
There are general and specific disaster recovery goals. General disaster recovery goals are listed here.
Activate appropriate teams
Communicate any changes in work plans to workers
Communicate to customers or to the public
Use alternate communications where necessary
Protect and preserve your data
Minimize and reduce damage
Preserve the business function
Restore normal operations
The Chief Information Security Officer is responsible for creating the disaster recovery planning team and ensuring that the disaster recovery plan and goals are created and met. The disaster recovery planning team should set more specific disaster recovery goals depending on the type of disaster, such as a server room fire, tornado, flood, etc. These disaster recovery goals should meet the business needs to preserve and restore business functionality and prevent downtime in excess of stated goals for specific disaster types. A determination must be made about how long specific business functions can run at reduced capacity or be offline, and about the amount of damage done. The damage may range from inconvenience to complete disruption of the business.
5.0 Disaster Types
A disaster may be minor or major and may be any one or more of the following (this list provides only a few examples and is not all-inclusive):
Disk array or hard drive failure
Server offline or server damaged
Several servers destroyed or damaged
Network switch failure
6.0 Planning Phases
This section outlines the planning phases required to create a disaster recovery plan. For complete information see Disaster Recovery Planning. This policy requires the test plan to be created and maintained using this document.
Create a contingency planning policy statement
Perform a business system analysis
Perform a risk assessment and analysis
Develop recovery strategies
Develop the plan
Test the plan
Maintain the plan
A paper copy of the disaster recovery plan must be available from multiple locations. Several members of management must be designated to ensure the disaster recovery plan is made available to appropriate personnel when needed.
A copy of all critical data must be stored away from the main site where the computers that normally contain the data are located.
Paper copies of critical data should be stored off site. Several managers should be designated to ensure this data is available to appropriate personnel when required. This type of data includes:
Internal contact list including names of vendors where computers can be purchased.
Vendor contact list
Plans for re-building computers
Disaster recovery plan
Contact information for internal people and external ones including contractors, vendors, and customers.
Keep copies of critical software and information off site including backups, system logs, hardware inventories, equipment serial numbers, computer configuration information, instructions for rebuilding computers, software license keys, internal and external contact information, and network documentation including DNS settings, DHCP settings, and network drawings.
The asset owners must define what an emergency situation is. The asset owner must define emergency actions to be taken and define who emergency access rights are given to along with what those rights are. All emergency access rights actions must be logged. Emergency access rights must be removed as soon as the emergency is over.
Updates to the Disaster Recovery Plan and the Business Continuity Plan must be applied on an annual basis. The updates must reflect changes in technology, infrastructure changes, and changes to business requirements considering effects due to downtime.
The firewalls, firewall configurations, and firewall environment must be covered by the Disaster Recovery Plan and Business Continuity Plan.
This is a listing of considerations that should be taken into account when creating the Disaster Recovery Plan, Business Continuity Plan, and associated plans.
Who will be in charge during and after a disaster?
What if a member of management is unavailable? Who stands in for them?
Who coordinates internal communications?
Who coordinates communications to vendors, customers, and the public?
What must be done during the disaster?
What must be done after the disaster?
Will there be a means for the organization to receive and pay its financial obligations?
Will the organization still be able to collect payments?
Determine who will be responsible for what functionality in the organization such as network manager, payments coordinator, communications officer, and others.
Since proper disaster recovery planning and implementation is critical for maintaining the business functionality of the organization, employees who purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
10.0 Other Requirements
Incident Response Policy
Incident Response Plan
Business Continuity Plan
Approved by:__________________________ Signature:_____________________ Date:_______________