Disaster Recovery and Business Continuity Plan

Similar documents
Business Continuity Planning and Disaster Recovery Planning

PBSi Business Continuity Planning

Creating a Business Continuity Plan for your Health Center

Business Continuity Plan

MANAGEMENT AUDIT REPORT DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION

Data Center Assistance Group, Inc. DCAG Contact: Tom Bronack Phone: (718) Fax: (718)

DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS

DRAFT Disaster Recovery Policy Template

Unit Guide to Business Continuity/Resumption Planning

AUDITING A BCP PLAN. Thomas Bronack Auditing a BCP Plan presentation Page: 1

Business Continuity Management

Disaster Recovery Planning Process

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006

Business Continuity Planning in IT

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES

SAMPLE IT CONTINGENCY PLAN FORMAT

Business Continuity Planning (800)

Technology Recovery Plan Instructions

Application / Hardware - Business Impact Analysis Template. MARC Configuration Requirements. Business Impact Analysis

Hanh Do, Director, Information System Audit Division, GAA. SUBJECT: Review of HUD s Information Technology Contingency Planning and Preparedness

Virginia Commonwealth University School of Medicine Information Security Standard

Business Unit CONTINGENCY PLAN

Business Continuity Planning Instructions

Chapter I: Fundamentals of Business Continuity Management

Documentation. Disclaimer

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

STEP-BY-STEP BUSINESS CONTINUITY AND EMERGENCY PLANNING MAY

PPSADOPTED: OCT BACKGROUND POLICY STATEMENT PHYSICAL FACILITIES. PROFESSIONAL PRACTICE STATEMENT Developing a Business Continuity Plan

Overview of how to test a. Business Continuity Plan

Domain 3 Business Continuity and Disaster Recovery Planning

BUSINESS CONTINUITY PLAN

Disaster Recovery Plan Documentation for Agencies Instructions

Office of Inspector General

Why Should Companies Take a Closer Look at Business Continuity Planning?

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

Security Architecture. Title Disaster Planning Procedures for Information Technology

MARQUIS DISASTER RECOVERY PLAN (DRP)

Audit, Finance and Legislative Committee Mayor Craig Lowe, Chair Mayor-Commissioner Pro Tem Thomas Hawkins, Member

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning MARCH 2003 IT EXAMINATION H ANDBOOK

The University of Iowa. Enterprise Information Technology Disaster Plan. Version 3.1

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

HA / DR Jargon Buster High Availability / Disaster Recovery

Fundamentals of Business Continuity Planning Have a Plan!

Keys to Narrowing Business Continuity Planning Gaps: Training, Testing & Audits

Business Continuity Information Gathering Template

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Four

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

CONTINUITY OF OPERATIONS AUDIT PROGRAM EVALUATION AND AUDIT

DISASTER RECOVERY PLANNING GUIDE

Business Continuity and Emergency Preparedness Planning. Vandita Zachariah, MA, MBA, CIA HHSC Internal Audit Division May 21, 2010

CISM Certified Information Security Manager

NCUA LETTER TO CREDIT UNIONS

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

OFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Disaster Recovery Planning Procedures and Guidelines

Disaster Recovery Plan The Business Imperatives

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

a Disaster Recovery Plan

The PNC Financial Services Group, Inc. Business Continuity Program

Domain 1 The Process of Auditing Information Systems

General Computer Controls

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

How To Ensure That Non-Peoplesoft Applications Can Withstand Adverse Events

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

IT Service Management

EXECUTIVE SUMMARY 1.1 PROJECT OBJECTIVES

Balancing and Settlement Code BSC PROCEDURE BSCP537. QUALIFICATION PROCESS FOR SVA PARTIES, SVA PARTY AGENTS AND CVA MOAs

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

How Routine Data Center Operations Put Your HA/DR Plans at Risk

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS)

Business Continuity Management

Business Continuity Planning and Disaster Recovery Planning. Ed Crowley IAM/IEM

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

State of South Carolina Policy Guidance and Training

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June Report 6c Page 1 of 15

Overview of Business Continuity Planning Sally Meglathery Payoff

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT IT Backup, Recovery and Disaster Recovery Planning

Business Continuity Overview

Disaster Recovery Policy

The PNC Financial Services Group, Inc. Business Continuity Program

How to write a DISASTER RECOVERY PLAN. To print to A4, print at 75%.

Ohio Conference for Payroll Professionals Disaster Recovery

Disaster Prevention and Recovery for School System Technology

BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS

BNA FEDERAL CREDIT UNION DISASTER RECOVERY PLAN

FORMULATING YOUR BUSINESS CONTINUITY PLAN

Transcription:

Disaster Recovery and Business Continuity Plan

Table of Contents 1. Introduction... 3 2. Objectives... 3 3. Risks... 3 4. Steps of Disaster Recovery Plan formulation... 3 5. Audit Procedure.... 5 Appendix A IT Disaster Recovery Plan Template... 7

1. Introduction IT disaster recovery plans provide step-by-step procedures for recovering disrupted systems and networks, and help them resume normal operations. The goal of these processes is to minimize any negative impacts to company operations. The IT disaster recovery process identifies critical IT systems and networks; prioritizes their recovery time objective; and delineates the steps needed to restart, reconfigure, and recover them. A comprehensive IT DR plan also includes all the relevant supplier contacts, sources of expertise for recovering disrupted systems and a logical sequence of action steps to take for a smooth recovery. 2. Objectives The objective of having a Business Continuity and Disaster Recovery Plan and associated controls is to ensure that the organization can still accomplish its mission and it would not lose the capability to process, retrieve and protect information maintained in the event of an interruption or disaster leading to temporary or permanent loss of computer facilities. 3. Risks The absence of a well-defined and tested Business Continuity and Disaster Recovery Plan may pose the following major threats to the very existence of the organization in the event of a disaster: The organization s ability to accomplish its mission after re-starting its operations. To retrieve and protect the information maintained. To keep intact all the organizational activities after the disaster. To start its operations on full scale at the earliest to minimize the business loss in terms of money, goodwill, human resources and capital assets. 4. Steps of Disaster Recovery Plan formulation According to National Institute for Standards and Technology (NIST) Special Publication 800-34, Contingency Planning for Information Technology Systems, the following summarizes the ideal structure for an IT disaster recovery plan: 1. Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan. 2. Conduct the business impact analysis (BIA). The business impact analysis helps to identify and prioritize critical IT systems and components.

3. Identify preventive controls. These are measures that reduce the effects of system disruptions and can increase system availability and reduce contingency life cycle costs. 4. Develop recovery strategies. Thorough recovery strategies ensure that the system can be recovered quickly and effectively following a disruption. 5. Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system. 6. Plan testing, training and exercising. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness. 7. Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements. Following the mentioned steps we can expand those activities into the following structured sequence of activities. 1. The plan development team should meet with the internal technology team, application team, and network administrator(s) and establish the scope of the activity, e.g., internal elements, external assets, third-party resources etc. IT department senior management should be properly informed. 2. Gather all relevant network infrastructure documents, e.g., network diagrams, equipment configurations, databases. 3. Obtain copies of existing IT and network DR plans if they exist. 4. Identify what management perceives as the most serious threats to the IT infrastructure, e.g., fire, human error, loss of power, system failure. 5. Identify what management perceives as the most serious vulnerabilities to the infrastructure, e.g., lack of backup power, out-of-date copies of databases. 6. Review previous history of outages and disruptions, and how the firm handled them. 7. Identify what management perceives as the most critical IT assets, e.g., call center, server farms, Internet access. 8. Determine the maximum outage time management can accept if the identified IT assets are unavailable. 9. Identify the operational procedures currently used to respond to critical outages. 10. Determine when these procedures were last tested to validate their appropriateness. 11. Identify emergency response team(s) for all critical IT infrastructure disruptions; determine their level of training with critical systems, especially in emergencies. 12. Compile results from all assessments into a gap analysis report that identifies what is currently done versus what ought to be done, with recommendations as to how to achieve the required level of preparedness, and estimated investment required. 13. Have management review the report and agree on recommended actions. 14. Prepare IT disaster recovery plan(s) to address critical IT systems and networks. 15. Conduct tests of plans and system recovery assets to validate their operation. 16. Update DR plan documentation to reflect changes. 17. Schedule next review/audit of IT disaster recovery capabilities.

Important IT disaster recovery planning considerations Senior management support. Be sure to obtain senior management support so that your plan goals can be achieved. Take the IT DR planning process seriously. Although the IT DR plan can take a great deal of time for data gathering and analysis, it doesn't have to be dozens of pages long. Plans simply need the right information, and that information should be current and accurate. Keep it simple. Gathering and organizing the right information is critical. Review results with business units. Once the IT disaster recovery plan is complete, review the findings with business units leaders to make sure your assumptions are correct. 5. Audit Procedure. The organization with computerized systems should have assessed threats to the system, its vulnerability and the impact a loss of operations would have on the organization s ability to operate and achieve organizational objectives. Appropriate measures should then be put in place to reduce risks to a level that is acceptable to the organization s senior management. The extent of business continuity and disaster recovery planning and the detailed measures required will vary considerably. Organizations with large IT departments, with mainframe computers and complex communication networks may require comprehensive, up to date continuity and recovery plans which incorporate standby facilities at alternative sites. At the other end of the scale, a small agency or non-departmental public body with a desk-top PC, running a simple off the shelf package, would have a simpler plan. Continuity and disaster recovery plans should be documented, periodically tested and updated as necessary. To determine whether recovery plans will work as intended, they should be tested periodically in disaster simulation exercises. The importance of adequate documentation is increased where significant reliance is placed on a few key members of the IT department. The loss of key staff, perhaps due to the same reason the computers were disrupted, may adversely affect an organization s ability to resume operations within a reasonable timeframe. Back-up copies of systems software, financial applications and underlying data files should be taken regularly. Back-ups should be cycled through a number of generations by, for example, using daily, weekly, monthly and quarterly tapes. Back- ups should be stored, together with a copy of the disaster recovery plan and systems documentation, in an off-site fire-safe. The IT auditor while assessing the adequacy of business continuity and disaster recovery plan should consider: Evaluating the business continuity and disaster recovery plans to determine their adequacy by reviewing the plans and comparing them to organizational standards and/or government regulations. Verifying that the business continuity and disaster recovery plans are effective to ensure that information processing capabilities can be resumed promptly after an

unanticipated interruption by reviewing the results from previous tests performed, if any, by the IT organization and the end users. Evaluating off site storage to ensure its adequacy by inspecting the facility and reviewing its contents and security and environmental controls. It may be ascertained whether backups taken earlier have ever been tested for data recovery by the auditee organization. Evaluating the ability of IT and user personnel to respond effectively in emergency situations by reviewing emergency procedures, employee training and results of their drill.

<Municipality> IT Disaster Recovery Plan Template

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information