nabinj

Baseline Disaster Recovery Plan Policy at SaveTheChildrens’: Defined Scope and Requirements

Table of Contents

1.      Overview.. 3

2.      Purpose. 3

3.      Scope. 3

4.      Policy. 3

5       Policy Compliance. 5

5.2        Exceptions. 6

5.3        Non-Compliance. 6

6       Related Standards, Policies and Processes. 6

7       Revision History. 6

References. 6

1.     Overview

Since disasters happen so rarely, management often ignores the disaster recovery planning process.  It is important to realize that having a contingency plan in the event of a disaster gives SaveTheChildrens’ a competitive advantage.   This policy requires management to financially support and diligently attend to disaster contingency planning efforts.  Disasters are not limited to adverse weather conditions.   Any event that could likely cause an extended delay of service should be considered.  The Disaster Recovery Plan is often part of the Business Continuity Plan.

2.     Purpose

This policy defines the requirement for a baseline disaster recovery plan to be developed and implemented by SaveTheChildrens’ that will describe the process to recover IT Systems, Applications and Data from any type of disaster that causes a major outage.

3.     Scope

This policy is directed to the IT Management Staff who is accountable to ensure the plan is developed, tested and kept up-to-date.  This policy is solely to state the requirement to have a disaster recovery plan, it does not provide requirement around what goes into the plan or sub-plans.

4.     Policy

The following contingency plans must be created:

  • Computer Emergency Response Plan:Who is to be contacted, when, and how? What immediate actions must be taken in the event of certain occurrences?

For handling an emergency an Incident response team should be established with a cloud expert, a legal expert, and a customer relations expert.

The actions will be run in the following order:

  • Creation of DR team
  • Identification of the disaster
  • Assessment of the disaster
  • Finding what assets are affected
  • How many of the assets are machine critical?
  • Check for backups
  • Restore operations
  • Documentation of the response

Alongside the above actions, the Business impact analysis will have to be performed using the following steps.

  • Inform SaveTheChildrens’ leadership of the disaster
  • Identifying and selecting the team of expert to handle this disaster
  • Conduct analysis and find out affected systems
  • Create a new report for the leadership
  • Strategize the recovery process
  • Succession Plan:Describe the flow of responsibility when normal staff is unavailable to perform their duties.

The Emergency Response Team (ERT) is responsible for activating the DRP for disasters identified in this plan, as well as in the event of any other occurrence that affects the company’s capability to perform normally.

One of the tasks during the early stages of the emergency is to notify the Disaster Recovery Team (DRT) that an emergency has occurred.

The notification will request DRT members to assemble at the site of the problem and will involve sufficient information to have this request effectively communicated.

The Business Recover Team (BRT) will consist of senior representatives from the main business departments.

The BRT Leader will be a senior member of the company’s management team and will be responsible for taking overall charge of the process and ensuring that the company returns to normal working operations as early as possible.

For every personnel in the ERT, DRT, BRT teams will have a back up assigned for the scenario when specific employees are unavailable.

  • It also explains the order of recovery in both short-term and long-term timeframes.
    • The team will be contacted and assembled by the ERT.
    • The team’s responsibilities include:
      • Establish facilities for an emergency level of service within 2.0 business hours.
      • Restore key services within 4.0 business hours of the incident.
      • Recover to business as usual within 8.0 to 24.0 hours after the incident.
      • Coordinate activities with disaster recovery team, first responders, etc.
      • Report to the emergency response team
  • Data Backup and Restoration Plan: Detail which data is backed up, the media to which it is saved, where that media is stored, and how often the backup is done.  It should also describe how that data could be recovered.
    • Best practice in backup and recovery revolves around having a 3-2-1 data backup plan. This dictates that you always maintain three copies of your data: two stored locally (but on different storage media) and one copy off-site, for a total of three.
    • Backups will be performed daily at a gap of 24hrs
    • All backed up data will be replicated on-site and in a different cloud region.
    • Recovery can be performed using a onsite backup or the different cloud region data.
    • Loss of 24hrs data will not be very impactful to BCP.
  • Mass Media Management:Who is in charge of giving information to the mass media?
    • Customer relations expert of the company
  • Also provide some guidelines on what data is appropriate to be provided.
    • Assigned staff will coordinate with the media, working according the guidelines that have been previously approved and issued for dealing with post-disaster communications.
    • Avoiding adverse publicity
    • Take advantage of opportunities for useful publicity
    • Have answers to the following basic questions:
      • What happened?
      • How did it happen?
      • What are you going to do about it?

After creating the plans, it is important to practice them to the extent possible.   Management should set aside time to test implementation of the disaster recovery plan.  Tabletop exercises should be conducted annually. During these tests, issues that may cause the plan to fail can be discovered and corrected in an environment that has few consequences.

The plan, at a minimum, should be reviewed an updated on an annual basis.

5       Policy Compliance

  • Compliance Measurement

The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thru, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2  Exceptions

Any exception to the policy must be approved by the Infosec Team in advance.

5.3  Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Leave a comment