Disaster Recovery Policy

Version: 1.00
Issue Date: 2/10/2015

This Disaster Recovery Policy provides goals and guidance for recovering from a disaster.

1.0 Overview

This Disaster Recovery Policy will discuss a number of adverse events to provide guidance in recovering from those events.

2.0 Purpose

This Disaster Recovery Policy is intended to provide guidance and standards to be used in developing disaster recovery plans, business contingency plans, business continuity plans, and the process of recovering from a disaster.

3.0 Scope

This Disaster Recovery Policy applies to all computer equipment, all employees, and includes any equipment or buildings which could be affected by a disaster. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Disaster Recovery Goals

There are general and specific disaster recovery goals. General disaster recovery goals are listed here.

  1. Communication
    • Activate appropriate teams
    • Communicate any changes in work plans to workers
    • Communicate to customers or to the public
    • Use alternate communications where necessary.
  2. Protect and preserve your data.
  3. Minimize and reduce damage
  4. Preserve the business function
  5. Recover quickly
  6. Restore normal operations

The Chief Information Security Officer is responsible for creating the disaster recovery planning team and ensuring that the disaster recovery plan and goals are created and met. The disaster recovery planning team should set more specific disaster recovery goals depending on the type of disaster, such as a server room fire, tornado, flood, etc. These disaster recovery goals should meet the business needs to preserve and restore business functionality and prevent downtime in excess of stated goals for specific disaster types. A determination must be made about how long specific business functions can run at reduced capacity or be offline and the amount of damage done. The damage may range from an inconvenience to complete disruption of the business.

5.0 Disaster Types

A disaster may be minor or major and may be any one or more of the following (this list provides only a few examples and is by no means exhaustive):

  1. Disk array or hard drive failure
  2. Server offline or server damaged.
  3. Server destroyed
  4. Several servers destroyed or damaged.
  5. Network switch failure.
  6. Firewall failure
  7. Tornado
  8. Flood

6.0 Planning Phases

This section outlines the planning phases required to create a disaster recovery plan. For complete information see Disaster Recovery Planning. This policy requires the test plan to be created and maintained using this document.

  1. Create a contingency planning policy statement
  2. Perform a business system analysis
  3. Perform a risk assessment and analysis
  4. Develop recovery strategies
  5. Establish budget
  6. Develop the plan
  7. Test the plan
  8. Maintain the plan

7.0 Requirements

  • A paper copy of the disaster recovery plan must be available from multiple locations. Several members of management must be designated to ensure the disaster recovery plan is made available to appropriate personnel when needed.
  • A copy of all critical data must be stored away from the main site where the computers that normally contain the data are located.
  • Paper copies of critical data should be kept stored off site. Several managers should be designated to ensure this data is available to appropriate personnel when required. This type of data includes:
    • Internal contact list including names of vendors where computers can be purchased.
    • Vendor contact list
    • Plans for re-building computers
    • Disaster recovery plan
    • Contact information for internal people and external ones including contractors, vendors, and customers.
  • Keep copies of critical software and information off site including backups, system logs, hardware inventories, equipment serial numbers, computer configuration information, instructions for rebuilding computers, software license keys, internal and external contact information, and network documentation including DNS settings, DHCP settings, and network drawings.
  • The asset owners must define what an emergency situation is. The asset owner must define emergency actions to be taken and define who emergency access rights are given to along with what those rights are. All emergency access rights actions must be logged. Emergency access rights must be removed as soon as the emergency is over.
  • Updates to the Disaster Recovery Plan and the Business Continuity Plan must be applied on an annual basis. The updates must reflect changes in technology, infrastructure changes, and changes to business requirements considering effects due to downtime.
  • The firewalls and firewall configurations and environment must be covered by the Disaster Recovery Plan and Business Continuity Plan.

8.0 Considerations

This is a listing of considerations that should be taken into account when creating the Disaster Recovery Plan, Business Continuity Plan, and associated plans.

  • Who will be in charge during and after a disaster?
  • What if a member of management is unavailable? Who stands in for them?
  • Who coordinates internal communications?
  • Who coordinates communications to vendors, customers, and the public?
  • What must be done during the disaster?
  • What must be done after the disaster?
  • Will there be a means for the organization to receive and pay its financial obligations?
  • Will the organization still be able to collect payments?
  • Determine who will be responsible for what functionality in the organization such as network manager, payments coordinator, communications officer, and others.

9.0 Enforcement

Since proper disaster recovery planning and implementation is critical for maintaining the business functionality of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

10.0 Other Requirements

  • Incident Response Policy
  • Incident Response Plan
  • Business Continuity Plan
  • Contingency Plan

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________