Purpose

This policy defines the requirement for a baseline disaster recovery plan to be developed and implemented by your company that will describe the process to recover IT systems, applications and data from any type of disaster that causes a major outage.

Scope

This policy is directed to IT management staff accountable to ensuring the plan is developed, tested, and kept up to date. This policy is solely to state the requirement to have a disaster recovery plan, it does not provide requirements around what goes into the plan or sub-plans.

Policy

Contingency Plans

The following contingency plans must be created:

• Computer Emergency Response Plan: Who is to be contacted, when and how? What immediate actions must be taken in the event of certain occurrences?
• Succession Plan: Describe the flow of responsibility when normal staff is unavailable to perform their duties.
• Data Study: Detail the data stored on the systems, its criticality, and its confidentiality.
• Criticality of Service List: List all services provided and their order of The order of recovery should also be defined in both short-term and long-term timeframes.
• Data Backup and Restoration Plan: Detail which data is backed up, the media to which it is saved, where that media is stored, and how often the backup is It should also describe how that data could be recovered.
• Equipment Replacement Plan: Describe what equipment is required to begin to provide services, list the order in which it is necessary, and note where to purchase the equipment.
• Mass Media Management: Who is in charge of giving information to the mass media?
• Appropriate Data: Provide some guidelines on what data is appropriate to be provided.

After creating the plans, it is important to practice them to the extent possible. Management should set aside time to test the implementation of the disaster recovery plan. Tabletop exercises should be conducted annually. During these tests, issues that may cause the plan to fail can be discovered and corrected in an environment that has few consequences.

The plan, at a minimum, should be reviewed and updated on an annual basis.

Policy Compliance

Compliance Measurement

Your security team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by your security team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes

Revision History

Date of Change

Responsibility

Summary of Change

Disclaimer: This is not a legal document. The intent is to be used as sample/foundation policy for small businesses. Every company should consult with legal counsel familiar with any unique state/country government laws or regulations.

Please contact us for additional information and a free analysis of your current infrastructure, policies, and vulnerability along with advice on how to protect remote workers.

Please feel free to contact your nearest Vivitec office

Vivitec specializes in Cybersecurity and Managed IT Services and was recently ranked by our peers as a Top 100 Cybersecurity Advisor and Top 500 MSP Company in North America. We know your business relies on technology and Vivitec believes your experience should be Simple, Secure, and Reliable.