Disaster Recovery Planning Template

Disaster Recovery Plan Template 5.4

Business Continuity
ISO 27000 Series, Sarbanes - Oxley,
CobiT, PCI-DSS, & HIPAA Compliant

Version History

 

This Disaster Recovery Plan (DRP) can be used as a Disaster Planning template for any enterprise. The Disaster Recovery template and supporting material have been updated to be Sarbanes-Oxley and HIPAA compliant.

     

Version 5.5 - Release Date January 2010

  • Updated to comply with CobiT requirements
  • Added Sample Disaster Recovery Plan Service Agreement

Version 5.4 - Release Date May 2009

  • Added Pandemic Coordinator job description
  • Added Business Pandemic Planning Checklist
  • Updated organization chart to include Pandemic Coordinator
  • Corrected minor errata

Version 5.3 – Release date January 2009

  • Updated backup and backup retention section
  • Updated style sheet to be CSS Style sheet format
  • Added Disaster Recovery Business Continuity General Distribution Information 
    • What to do after an explosion / terrorist attack
    • How to clean up after a disaster

Version 5.2 – Release date August 2008

  • Replaced WORD 2003 style sheet with WORD 2007 style sheet
  • Updated all forms used in the template

Version 5.1 – Release date July 2008

  • Added Backup & Backup Retention Policy (9 pages)
  • Minor Formatting Changes

Version 5.0 – Release date February 2008

  • Updated  Disaster Recovery / Business Continuity Plan Audit Program to be compliant with ISO 27000 Series (ISO 27001 and ISO 27002)
  • Added a section on Communication Strategy and Policy to be implemented when the Disaster Recovery / Business Continuity Plan is activated
  • Added a section on Disaster Recovery / Business Continuity and Security basics
  • Added Personnel Location Report
  • Added Project Status Report Form

Version 4.5 – Release date November 2007

  • Added Disaster Recovery / Business Continuity Audit Program 
  • Updated excel work plan to refer to sections versus pages

Version 4.4 – Release date September 2007

  • Section added on implications of Sarbanes-Oxley, Treadway Commission, and PCI DSS requirements 
  • Disaster Planning Branch Offices added
  • Back-up strategy table added
  • Back-up strategy for PDA’s updated to reflect smartphones

Version 4.3 – Release date July 2007

  • Defined generic metrics for DR/BC success
  • Business & IT Impact Analysis Questionnaire Updated
  • Updated references to the DRP card
  • Updated formatting to meet WORD 2007 requirements
  • A fully indexed version of the Template in PDF format included with the Word format
  • Now comes in both Office 2003 and Office 2007 formats

Version 4.2 – Release date February 2007

  • Added Section defining the ISO 17799 compliance requirements
  • Review and modified entire DRP/BCP template to ensure compliance with ISO 17799
  • Business & IT Impact Questionnaire updated to meet ISO 17799 compliance requirements
  • Corrected errata
  • Added Best Data Retention and Destruction Practices Section

Version 4.1 – Release date August 2006

  • Department DRP / BCP Activation Workbook Updated in the appendix
  • Correct work plan formatting and numbering for project initiation
  • Web Site Disaster Recovery Planning Form added to the appendix

Version 4.0 - Release date March 2006

  • Vendor Disaster Recovery Planning Questionnaire added to the appendix
  • Department Disaster Recovery Planning Workbook added to the appendix
  • Vendor Phone List form updated
  • Key Customer Notification List form added
  • Critical Resources to be Retrieved form added
  • Business Continuity Off-Site Materials form added

Version 3.1 - Release date January 2006

  • Site Strategy section added (Section 3.1) all other section numbers in Chapter 3 were increased to adjust for this modification.
  • Audit Disaster Recovery Plan Process added (Section 8.13).
  • Manager Disaster Recovery and Business Continuity job description added
  • Entire template reviewed to validate compliance with Sarbanes-Oxley


This template is not for resale or re-distribution - Disaster Recovery Planning Template Disaster Recovery Template, Disaster Recovery

 

 

 

 

 

 

 

 

 

Disaster Recovery / Business Continuity News



Business continuity planning for a Pandemic

Larger corporations typically can continue business as usual even while many employees are out sick in a Pandemic.  However Business Continuity Planning  at small firms rely heavily on key individuals and find themselves nearly incapacitated if several of those key people get sick, must stay home with sick children, or are in areas put under quarantine.

DRP Security Template  DRP BCP Audit

  • Phone Trees

At a minimum, small business owners should update employees' contact information to include current home phone numbers and addresses, e-mail addresses, and cell phone numbers. Some employers establish phone trees so they can efficiently contact all their employees to check on and alert them during an emergency.

Another vital component to a business continuity plan is to collect contact information, including cell phone numbers, for their suppliers, vendors, and key customers. Keep this information in print and online, and store copies off-site in case you can't get into your office.

A host of legal and medical questions may arise for small business owners if swine flu roars back with a vengeance this fall.

Imagine you run a small business like a day-care center, where vulnerable children congregate and colds and flu are prevalent. Do you close and send your entire staff and all children home at the first sign of any flu? Do you send home only sick children and sick staff? When? When do you reopen or allow them to return? What information and medical clearance would you need to send staff or children home, allow them to return, close, or reopen the center? These are not easy questions.

  • Backup Staff

Janco recommends that companies prepare for operational disruptions by doing employee cross training or lining up backup staff now. Employers should review and enhance existing emergency disaster plans to ensure business continuity. Employers that are just getting started should develop a plan that includes pandemic preparedness, and review it and conduct drills regularly. A checklist for flu policy is posted at the government's flu awareness Web site.

Aside from preparing and practicing for pandemic, small business owners may want to check with their attorneys for advice on unusual situations -- What do you do with employees who are medically vulnerable to the flu or those with young children or elderly relatives at home? Do you send them home? When and for how long? With pay?

  • Paid Sick Leave?

The federal Family Medical Leave Act provides eligible employees with up to 12 weeks of unpaid leave to care for themselves or sick family members. Generally, FMLA regulations do not cover flu absences unless complications arise, but courts recently have interpreted the FMLA to mandate leave for the flu and other viral infections.

However, the federal law does not cover firms with fewer than 50 employees. Small employers usually do not have to provide sick leave, so it is a surprise to many employees that they are not entitled to any sick leave, much less any paid sick leave.

Another question for your human resources manager and/or attorney is what communications responsibility you have as a business owner if one of your employees is diagnosed with swine flu. There are health confidentiality and privacy issues for employees, so employers should not disclose personal health information. But employers do not want a modern day Typhoid Mary spreading swine flu at work. If there is an employee with confirmed swine flu, some employers are alerting employees that there may be swine flu exposure at work without identifying the involved employee.

You might need to think about giving an infected person's immediate co-workers enhanced sick leave to protect themselves or family members, particularly if they have particular medical vulnerability to the illness, he says. Some employers bring in cleaning crews to disinfect an office where swine flu has been found. Providing hand disinfectant for employees is not a bad idea.

- more info


Cloud Recovery Not Easy - Disaster Recovery Not Under User Control

DRP Security Template

Microsoft officials still have not provided many details about what caused the outage, other than to say it was a core system failure. The failure is unrelated to Microsoft's cloud infrastructure and/or Microsoft's Azure datacenters, as the company has continued to run the Sidekick back-end on the same infrastructure it has been running on before Microsoft acquired the company in 2008.

The Microsoft/Danger team apologized for the amount of time they are taking to restore contacts, photos, e-mail and other Sidekick services to which users lost access at the start of the month. The team said they were taking their time "to make sure we are doing everything possible to maintain the integrity of your data."

The team still is not committing to an exact recovery timetable, but is saying restoration should begin this week. Microsoft said, "We continue to make steady progress, and we hope to be able to begin restoring personal contacts for affected users this week, with the remainder of the content (photographs, notes, to-do-lists, marketplace data, and high scores) shortly thereafter."

After telling users that they likely had lost all of their personal data, the Microsoft/Danger team then said they expected to be able to recover some of their data. Mid-weeklast week, they said they expected to recover "most if not all" of the missing user data.

Order Disaster PlanDisaster Plan Template

What is a Disaster Recovery and Business Continuity Plan

Disaster recovery and business continuity planning are processes that help organizations prepare for disruptive events - whether those event might include a hurricane or simply a power outage caused by a backhoe in the parking lot. The CIO's involvement in this process can range from overseeing the plan, to providing input and support, to putting the plan into action during an emergency.

- more info


Cloud is not as secure as many thought

DRP Security TemplateT-Mobile and Microsoft Sidekick is a set of exterior shells (for mobile phones)  that can be personalized  and provides the capability to record, play and share videos: record videos using the camera; receive video attachments from e-mail, picture messaging, or side load videos to the microSD card; play video using the built-in media player; share videos via e-mail, Bluetooth or picture messaging. 

Sidekick failed and lost user data.  On the face of it, there are some obvious lessons to be learned from the Sidekick snafu, even as Microsoft Corp. reported today that most of the data that was missing will be recovered from servers at its Danger Inc. subsidiary.

Security Audit ProgramThe lessons learned are:

  • Back up your mobile phone's critical data independently - on a laptop, a desktop or a thumb drive.
  • Raise questions about cloud computing and related services.
  • Find out how your mobile device stores data, and make sure you understand it.
     
    The Sidekick incident should serve as a reminder to users to back up critical data. You cannot rely on cloud services to be 100% available all the time.

DRP BCP AuditNot only is a backup of critical data imperative, users need to have a way to retrieve the backed-up data. CIOs need to think about the value of the data and what happens if the service is not available. There are many Internet-based services that can be a second backup version to the original backup, such as Plaxo. Having the second one drastically reduces the odds of total loss.

At larger companies, data backups are commonplace and often include information contained on wireless phones as well as desktop computers, analysts said. The issue becomes more difficult when IT shops trust users who put critical company data on personally-owned wireless phones that aren't backed up.

Despite urging users to back up critical data, Staten joined three other analysts in remaining faithful to the mobile phone industry's strong push for cloud computing services, noting that the Sidekick case was relatively isolated.

Nearly every major smartphone provider is working on some version of cloud computing to back up data from smartphones and other cell phones. All those services could be vulnerable to data loss, and the Sidekick example is likely to prompt a broad re-examination of internal server backup procedures.

One added is risk is that backend services open enterprisees up to having data potentially lost, stolen or replicated somewhere that enterprises do not have knowledge of.

Imagine if this happened across an entire carrier's servers. For Verizon Wireless that could be 90 million people. Everybody should think twice if these services could really save your data up in the cloud.

- more info


Improve your RTO and RPO

How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this question. Download this outline learn how the Janco Disaster Recovery Business Continuity Template can reduce RPOs and RTOs even more. 

Disaster Business Continuity

Disaster Recovery Guide
Business Continuity Planning

ISO 27001, ISO 27002, ISO 17799, Sarbanes-Oxley, and HIPAA Compliant

    Buy      Table of Contents

What is Disaster Recovery and how does the Disaster Recovery Planning Template help?

This DRP Template can be used for any sized enterprise.  

The template and supporting material have been updated to be Sarbanes-Oxley compliant.  The complete package includes:

  • Disaster Recovery Planning and Business Continuity Template
  • Business and IT Impact Analysis Questionnaire
  • Work Plan
  • Disaster Recovery / Business Continuity Audit Program

With lost data being a competitive liability, there is no room for downtime in today's business world.

- more info


Huge Waves - Office Buildings and Businesses Demolished

A series of tsunamis smashed into the Pacific island nations of American and Western Samoa killing possibly more than 100 people, some washed out to sea, destroying office buildings and homes, and injuring hundreds. Television images showed offices and homes ripped apart, cars submerged in the sea or lodged in trees and large fishing boats hurled ashore by the waves generated by a 8.0 magnitude quake southwest of American Samoa.

Disaster Business Continuity  Security Policies Procedures  DRP Security Template

DRP BCP AuditSecurity Audit Program

 

A second 7.9 magnitude earthquake hit the Indonesian island of Sumatra late.

Disaster officials said the toll may reach 100 as rescuers search for bodies in flattened villages along the southern shore of the island of Upolu. Twenty villages on Upolu's south side were reportedly destroyed, including Lepa, the home of Samoa's prime minister. The area is also the main tourist area, and the waves destroyed some resorts. In neighboring American Samoa at least 24 people were killed and 50 injured with the southern portion of the main Tutuila island "devastated". The death toll there may also rise, said officials.

Huge Waves, Buildings Demolished

The waves that hit Pago Pago village were about 20 feet high. Some buildings were demolished by the waves, you know, there are no buildings anymore except the foundation. In addition, the island of Tonga was hit by a 13-foot wave on its northern coast. Tongan officials confirmed seven people were killed, while three were missing late on Wednesday.

Small tsunamis also reached New Zealand, Hawaii, and Japan.

Some areas have been flattened and the tsunami brought a lot of sand onshore. The Samoan resort Sea Breeze on the Southside of Upolu was destroyed when the waves hit it. The restaurant just floated out to sea complete, until it was smashed up in the water.

- more info


Disater Plan Manual - CIO and CSO conflict

When the task of disaster recovery planning (DRP) is dropped in the laps of information security managers and IT staff, DRP becomes a security problem.  If the disaster plan is  handed off to an organization's information security officer or IT director with little or no support, the result is usually either a set of a few policies and procedures without a solid foundation in risk assessment, or a long-winded document that overreaches and focuses on the wrong issues.

When this happens, the disaster recovery plan often does more harm than good. Thinking that disaster recovery is assured by a novice's tape backup rotation plan and off-site storage in a cabinet down the hall could lead to overconfidence, false statements during audits or contract negotiations, or even encourage risky data, network, and service management behavior. Mixing up a data, recovery procedure for a full-blown plan or inflated data-focused plan into a management policy and standards is dangerous stuff for the livelihood of a business.

Worse, there is the possibility that minimal action on the part of the CIO and IT to protect information assets will cause senior management to cool its support for enterprise risk management, disaster recovery and business continuity. Organizations making the transition from small to medium size occasionally check disaster recovery off the list when they have information asset-preservation policies, and neglect to scale up disaster response decisions and processes where they concern human safety.

- more info


A disaster occurs -- now what?

A disaster or business interruption occurs, what do you do?  A quick roadmap to follow is:

  • Do not panic and remain calm! When a disaster or business interruption occurs the first priority number is to ensure the safety of the employees.
  • Evaluate the disaster!  Determine the impact on your personnel and enterprise operations, this evaluation the event is critical in making the decision to activate the disaster recovery business continuity procedures.
  • Communicate with everyone that can be impacted! Communicate with your team, managers, affiliates, and vendors frequently. Even if there is no status to report, do not leave anyone guessing or letting them draw their own conclusions.
  • Know the disaster recovery business continuity plan! Testing the Business Continuity Plan regularly helps everyone in becoming familiar with what will happen and how it will be done.
  • Be decisive! Once you have determined the level of disaster and everyone is safe to operate, it is time to make the decision if you need to implement the business continuity procedures or if the downtime for recovery acceptable.
  • Start the process! Start with recovering the most business critical systems first to restore business operations to a functional level. There should not be any question, which order which applications need to be restored first.
  • Lock down all backups and critical documentation! The first step to the recovery is having a set of data to recover from. This could be anything from archived tape, local disk copy, and a co-location or disaster recovery data center.
  • Use multiple solution paths! Assume that nothing will work and have alternatives in place  
  • Reactivate normal operations! Once the systems are operational, the disaster is over and systems are repaired it is time to move the workloads back to where they were originally.
- more info


Disasters can occur any where at any time

Disasters are unpredictable by nature and can strike anywhere at anytime with little or no warning. Recovering from one is expensive and time consuming, particularly for those who have not taken the time to think ahead and prepare for such possibilities.

Janco has found that 80% of all enterprises that do not have a disaster recovery / business continuity plan in place before a disaster occurs never reopen.  However, when disaster strikes, those who have prepared and made recovery plans survive with comparatively minimal loss and/or disruption of productivity.

Disaster Business Continuity

Disasters can take several different forms. Some primarily impact individuals -- e.g., hard drive meltdowns -- while others have a larger, collective impact. Disasters can occur such as power outages, floods, fires, storms, equipment failure, sabotage, terrorism, or even epidemic illness. Each of these can at the very least cause short-term disruptions in normal business operation. But recovering from the impact of many of the aforementioned disasters can take much longer, especially if organizations have not made preparations in advance.

Most of us recognize that these potential problems as possibilities. Unfortunately the randomness of some of these disasters lulls some organizations into a sense of false security-"that's not likely to happen here." However, if proper preparations have been made, the disaster recovery process does not have to be exceedingly stressful. Instead the process can be streamlined, but this facilitation of recovery will only happen where preparations have been made. Organizations that take the time to implement disaster recovery plans ahead of time often ride out catastrophes with minimal or no loss of data, hardware, or business revenue. This in turn allows them to maintain the faith and confidence of their customers and investors.

Disaster Recovery Planning is the factor that makes the critical difference between the organizations that can successfully manage crises with minimal cost and effort and maximum speed, and those that are left picking up the pieces for untold lengths of time and at whatever cost providers decide to charge; organizations forced to make decision out of desperation.

- more info