Contract Packs / All Documents / Disaster Recovery Plan

Disaster Recovery Plan (DRP)

Company Name

Current Date

Document Version Control Information

Introduction

1 Purpose of this document (Objectives)

Insert the purpose of this document, its objectives, and its intended audience. Example: The purpose of this document is to formally recognize and codify the policies and procedures Company Name wishes to enact in order to both safeguard the Company's Business and ensure its continuity in the event of a disaster or other event. The goals and objectives listed in this plan are meant to allow the Company to minimize any interruption to its businesses and individual recovery plans may be enacted to safeguard and restore specific Company resources, assets or business process.

In order to continue its business operations, The Company provides its Employees, Staff and Vendors this Disaster Recovery Plan (DRP) as an overview of the required steps and policies to be enacted following an emergency.

2 Scope of Document

Insert description of the scope of this Disaster Recovery Plan and whether this covers the entire company; a specific business unit or department; or shall be governed or supersedes other policy documents that may already be in place.

2.1 Scope Constraints

Insert constraints, such as schedules, costs, interactions, overview, or any other information relevant to the testing of the development requirements.

3 Goals of this Plan

Insert an overview or brief description of the product, software, or other desired end result that is being tested under this Disaster Recovery Plan.

4 Business Context

Insert an overview of the business or organizations impacted by this Disaster Recovery Plan. Include the business or organization's critical components and reliance on specific vendors, services or other assets. Note: This section will be primarily used to set priorities and identify and classify risk to the Company as it pertains to recovery from a Disaster Event. While it is generally understood that every possible manner in which a Company or its continuity could be impacted by an event would not be outlined here - this section is intended to quickly communicate in plain language "how", "what" and "who" is important to the business in the event of a disaster.

Following a disaster and the enactment of this plan it is important that personnel involved in the coordination and recovery from a disaster event understand the impact to the Company's operations and the dependent business processes - so they may better identify further business interruption that may occur from enactment of the plan (i.e. additional or cascading business failures due to missing resources or recovery efforts).

5 Goals Defined

The Overall Goals of the DRP are to provide easy and accessible methods for Company Name to recover from any of the following events or occurrences:

Loss of hardware and critical equipment. Loss of critical infrastructure or personnel. Loss or critical vendors, dependent services or other "up-stream" service providers.

Loss of installed software and applications (see Company Software Disaster Recovery Plan). Containment of secondary damage resultant from or the proximate cause of a disaster or other event. Identification and containment of security risks and potential secondary damage resultant from the loss of a critical resource following a disaster or other event. Loss of software installation disks, packages or other media - including software proof of license or ownership.

Loss of any other asset, resource, vendor, direct service provider, data, information or any other asset deemed a resource critical to the continuity of the Company's business.

6 References and Reference Material

Insert a list of all reference documents and other materials related to the Software Disaster Recovery Plan.

References will often include, but are not limited to:

Company Business Continuation Plan (BCP). Company Software Disaster Recovery Plan (SDRP). Company Recovery Point Objectives (RPO).

Company Recovery Time Objectives (RTO).

7 Documentation Items

Insert references to documentation or contact lists, which may include but are not limited to:

Company Critical Services List. Company Critical Vendors List. Company Critical Location List. Company Department Head and Manager List.

Company Disaster Response Team List.

Plan Components

1 Software Inventory Catalog and Control

A centralized Software Database and Control System (SDCS) for inventory is maintained for all software licensed by the Company. A complete copy of all SDCS data is maintained off company property and updated on a regular basis. The SDCS shall be the first resource the Company utilizes in the event of a critical Software failure or interruption.

2 Hardware Inventory Catalog and Control

A centralized Critical Infrastructure and Control System (CICS) for all assets deemed necessary and critical to the continuity of the Company and its business is maintained for all assets owned by the Company. A complete copy of all CICS data is maintained off company property and updated on a regular basis. The CICS shall be the first resource the Company utilizes in the event of a critical hardware or infrastructure failure or interruption.

Information contained in the CICS shall contain, but is not limited to:

Descriptions of Company infrastructure and dependent equipment, vendors and services. Inventory and locations of all company assets deemed critical and the locations of all spare, back-up or reserve equipment. Lists of all Company personnel who have access or the ability to interact request or otherwise direct vendors to act on Company's behalf. (i.e. Account Owners or Administrators). Directing Staff to any additional manuals and documentation.

Insert additional descriptions of the tasks to be performed.

3 Inventory Audits

Company shall conduct periodic audits of all resources to ensure compliance and integrity of our inventory data. Regular checks of employee hardware, software and license counts may be conducted on a random basis. The Company will also conduct a complete audit annually and compare it to the CICS.

Insert additional descriptions of the tasks to be performed.

4 Off-site Storage

Off-site storage of all information contained in the CICS shall be facilitated by the Company. This includes (whenever possible) copies of all purchase information, service agreements, warranties, installation media, documentation, licenses, serials and other relevant information. Regardless of whether multiple copies of the same asset or resource are being utilized, it shall be necessary to store copies of each relevant warranty, service agreement, End-user License Agreement (EULA) or any other information that may be specific to an individual or serialized asset.

Data will be updated on a regular basis and more than one member of the Incident Response Team shall have access to this storage at all times. Insert additional descriptions of the tasks to be performed.

5 Proof of Ownership

All original supporting Proof of Ownership documents shall be retained off-site while the Company shall retain copies of Proof of Ownership onsite for auditing purposes. Insert additional descriptions of the tasks to be performed.

6 Documentation

Whenever possible photocopies or reproductions of all documentation should be made for employee use, while the originals are stored off-site. Insert additional descriptions of the tasks to be performed.

7 Plan Objectives

This Disaster Recovery Plan may be superseded by actions taken by individual Company Disaster Recovery Plans, such as those governing Software, Employees and Personnel, utilizing alternate locations or other specific plans that are a part of the Company's Business Continuity Plan (BCP).

The following shall be considered to be objectives of the Disaster Recovery Plan:

Safeguard the lives and personal safety of all Company employees and other staff members. Gain assistance, direction and support from civil services such as fire, police and emergency management. Secure information and establish channels of communications concerning a natural disaster event(s) from fire, police and emergency management in order to tie into Company Command and Communication Centers.

Company Recovery Point Objectives (RPO) - The Company Recovery Point Objective (RPO) shall be considered a point in time in which operations must be restored in order to be acceptable to Company within the context of the following:

The difference in time between a back-up resource or asset and the disruptive event that could occur. The Company's tolerance for loss of data and continued operations. The Company's tolerance for risk and exposure to risk during a disaster event. The Company's exposure to cost and financial loss due to restoration of data and/or time spent recovering or re-entering data.

Company Recovery Time Objective (RTO) - The Company Recovery Time Objective (RTO) shall be the acceptable boundary of time in which recovery efforts must be accomplished in order to meet the expectations the Company has determined critical to meet when a disaster event or business interruption occurs. An individual RTO may be established for each process covered under this recovery plan as established during the Company Business Impact Analysis (BIA) for each department. An RTO may also encompass a series of processes as well. All RTO's are to be determined by Senior Management and/or the Executive Team.

Implementation of the Plan

Insert the overall objectives for implementation of the plan. Your Disaster Recovery Plan may contain several different approaches for certain events, large or small.

1 Definition of a Disaster Event

A disaster event shall be defined as an event or occurrence which results in the sudden or unexpected loss of key resources, functions, software, licenses, components, dependencies or any other failure of an asset deemed critical to the Company's continued business.

An event may include, but is not limited to:

• Fire or Smoke Damage.
• Floods or Water Damage.
• Power and Utility Failures.
• Natural Disasters.
• Terrorist Attacks.
• Theft or Criminal Activity.
• Computer Viruses or Security Breaches.
• Hardware and Equipment Failures.
• Human Error or Omissions.
• Legal Issues.
• Riots, Strikes and Civil Disturbances.
• Planned Maintenance and Testing.
• Unplanned Maintenance and Testing.

2 Notification of an Event

In the event of an occurrence of any event or disaster, regardless if it is known to impact a single user, department or the entire company - the following people must be immediately notified:

Insert notification information here - including back-up/secondary notification information. A specific person will be noted as "Disaster Recovery Coordinator" - which you will want specify who in your organization must take on that role. Be sure to specify all back-up and secondary notifications that must take place as well as who the role of "Disaster Recovery Coordinator" falls to in the event that the primary point of contact cannot be reached.

3 Event Recovery Strategy

Business interruption events or disaster have different levels of severity or degrees of impact to the Company. The strategies, procedures and objectives of this Business Continuity Plan outline a plan of action that deals with the worst case scenario that the Company could face should such an event occur. Insert a summary for the specific strategy the Company wishes to employ for managing disaster events. The Company recovery strategy is a high-level overview of the recovery process that the Company will enact if a disaster event or interruption occurs.

This strategy shall include, but is not limited to:

Current Company Command and Communication Centers. Alternate Company Command and Communication Centers. Use of alternate business operations, methods or other alternative business processes. Use of alternate data processing or processing centers.

Use of alternate data and voice communications. Descriptions for when to move critical data to off-site storage facilities and vendors and what control document or plan is to be enacted following such a decision. Descriptions of the Company's alternate locations; the functions of these locations and how they fit into the continuity of a particular business process; the control documents or plans that govern these locations and their capabilities and all other relevant information to the strategy concerning the utilization of alternate locations for assets, equipment and personnel.

Use of additional or temporary work personnel or contractors. Use of telecommuting and remote work locations.

4 Event Classification and Response

Response to a disaster event requires classification of the event in order to access its impact to the business and the safety of the Company personnel.

The Company uses the following definitions as a guideline for classifying events:

Business Interruptions: Business Interruptions shall be defined as disruptions to the normal operations and activity of the Company that may evolve from either a single event, or events that worsen to the point where the disruption becomes critical to the continued operation of the Company or a dependent process. Problems may be the results from either tangible (telephone, power failures or interruptions, sabotage, negligence or utility failure) or intangible (pandemic or viral outbreak, Company-dependent labor disruptions, inclement weather) events. Business interruptions should be thought of events that may necessitate the enactment of the BCP, but may contain more temporary measures and/or restrictions in order to contain cost or contain the further disruption to the Company by not enacting recovery efforts aimed at disasters or more long-term recovery efforts.

Disaster Events: Disaster events are those events listed in Sec. 3.1 which are deemed to potentially cause long-term disruption or interruption. Proper classification of events will help direct the response and/or recovery for each situation.

5 Event Escalation

Event escalation shall be the point at which a business interruption shall be reclassified as a disaster event. The following are the various thresholds that the Company has defined for event escalation. Insert the threshold that must be met and the individual steps to follow for escalating unresolved business interruptions and problems to disaster status.

The following contact tree shall be used in order to notify senior management and individuals with recovery responsibilities at the point in which each individual threshold has been met. Insert Disaster Recovery Contact Tree.

6 Event Recovery Time Lines

Within the first Hours hours after notification of an event, the Disaster Recovery Coordinator will take the following steps:

The Disaster Recovery Coordinator will assess all damage to Company and its operations - including determination of all affected locations and resources. Special consideration should be made for all dependant systems and software which are not yet impacted by an event, but share a dependency with an impacted software or resource. The Disaster Recovery Coordinator will recover and consult all relevant Company Recovery Time Objective (RTO) and Company Recovery Point Objectives (RPO).

The Disaster Recovery Coordinator will notify senior management and/or the proper Executives. The Disaster Recovery Coordinator will notify all support staff responsible for implementing this plan, recovery services - including all vendors who have responsibility for implementing the Company Business Continuity Plan (BCP). The Disaster Recovery Coordinator will make decisions regarding containing the damage from the disaster event and decide whether a recovery is to be enacted or whether back-up resources must be employed.

Within the first Hours hours after notification of an event, the Disaster Recovery Coordinator will take the following steps:

If the disaster event impacts Company customers, and upon successful contact with Senior Management or Executives - the Disaster Recovery Coordinator shall contact all Customer Support Managers to provide them with information concerning service restrictions, limitations or other downtime that may occur. The Disaster Recovery Coordinator shall notify all disaster recovery vendors, services or off-site storage providers as deemed necessary. The Disaster Recovery Coordinator will schedule all support staff or employees with disaster recovery duties and task them with recovery efforts.

The Disaster Recovery Coordinator will schedule obtaining all relevant back-up data, software, manuals and other required resources. The Disaster Recovery Coordinator will contact all Managers, Supervisors or Department Heads impacted by the Disaster Event/.

Within the first Hours hours after notification of an event, the Disaster Recovery Coordinator will take the following steps:

The Disaster Recovery Coordinator will provide Senior Management and/or the proper Executives with an updated assessment, recovery progress report and an estimate/timeline for the recovery schedule. In the case of critical software and systems not immediately recoverable, the Disaster Recovery Coordinator shall have discretion to enact emergency funding up to Insert Amount of Disaster Recovery Funding to cover the procurement and acquisition of resources. Review all hardware and software support contracts and contact all vendors to alert them for emergency assistance, enactment of support contracts and service level agreements (SLAs) temporary license keys or to enact provisions of support agreements that may exist between the vendor and Company. Acquisition of back-up resources, if deemed necessary shall be proceeding at this time.

Activation of alternate resources, sites, locations or other critical resource shall be proceeding at this time. All recovery and event logs shall have been secured. An alternate base of operations shall have been secured if deemed necessary.

Company-wide communication is to be enacted, subject to Senior Management and/or Executive approval. Customer communication is to be enacted, subject to Senior Management and/or Executive approval.

Within the first Hours hours after notification of an event, the Disaster Recovery Coordinator will take the following steps:

The Disaster Recovery Coordinator will provide senior management and/or the proper Executives with an updated assessment, recovery progress report and an estimate/timeline for the recovery schedule. Begin installation and testing all hardware and critical components. Begin installation and testing all software and critical applications.

Begin restoration or reloading of all critical or dependant data. Enact monitoring of all restored software and operation of software to verify data integrity and operational continuity. Coordinate with Customer Support Managers and Department Heads to confirm successful resumption of schedules and functionality of restore software and systems.

Within Days days after successful restoration from an event, the Disaster Recovery Coordinator will take the following steps:

The Disaster Recovery Coordinator will provide Senior Management and/or the proper Executives with an updated assessment and recovery progress report, noting any outstanding reduction in functionality, loss of data or an extended estimate/timeline for the recovery or such items subject to each relevant RPO. The Disaster Recovery Coordinator will also coordinate the evaluation and certification that each objective in the Company's RPO for a impacted business process has been met. Store all recovery logs.

Provide to Senior Management and/or the proper Executives a Disaster Recovery Report (DRR). Upon successful restoration of all critical software and systems, Disaster Recovery Coordinator shall complete a new re-assessment of all systems and software associated with or relating to the recovery. Disaster Recovery Coordinator shall complete an assessment of all vendor performance.

Disaster Recovery Coordinator shall complete an assessment of all support staff performance related to the recovery and enactment of the Software Disaster Recovery Plan. If recovery efforts included use off offsite or alternate locations, resources or vendors - Disaster Recovery Coordinator will work with Senior Management and/or Executives to outline a plan for restoration and normalization of usage of such assets and resources - including addition back-up (e. Allowing for back-ups for the back-ups in essence) resources to be deployed .

7 Disaster Recovery Plan Testing

Insert the objectives and requirements for testing that the plan operates correctly within the parameters set forth by the Company and the provisions of it BCP.

8 Plan Objectives vs Mandates

The objectives set forth in RPO and RTO objectives should be considered the overall goals of the Company in a disaster event. They are not exact mandates. Individual departmental policies and procedures, contingency plans and other disaster recovery plans may outline additional instructions to be followed.

9 Plan Performance Testing

Insert the objectives and requirements for testing that the plan operates correctly in regards to normal operation, response and execution times, scalability, portability and all other performance requirements within the business environment.

10 Plan Regression Testing

Insert the objectives and requirements for testing that any changes applied to the plan do not affect functions previously tested.

11 Plan Acceptance Testing

Insert the objectives and requirements for testing that the plan meets all criteria and deliverables as set forth in the Company's Business Continuity Plan (BCP). The Acceptance Testing is important to ensure that all requirements are met and that all components, modules, hardware requirements and recovery and restore operations function that a viable plan exists to demonstrate such functionality for a customer.

Plan Testing Process and Methods

Insert the specific testing process and methods to be used in performing each testing activity. In this section you will describe and define each type of test that the Disaster Recovery Plan contains. You may attach additional exhibits to this section if your testing plan requires them.

Test Deliverables

Insert the specific deliverables and documents that are to be delivered from the testing process. Test deliverables may include incremental data or data derived from incomplete tests.

Typical test deliverables include, but are not limited to:

Individual RTO/RPO Test Summary Reports. Group/Department RTO/RPO Summary Reports. Individual and Combined Test Logs.

Test Metrics and Benchmark Reports. Test Incident Reports. Testing Task and Requirements List. A description of tasks and the skills required for plan performing testing as a part of the deliverables.

Testing Hardware and Environmental Requirements List. A description of the hardware and environmental requirements for performing testing as a part of the deliverables. Focus on restraints such as resource availability, time constraints, staff and developer availability, and all other external factors that can influence testing.

Risk and Assumption Contingency Plan(s)

Insert a description of the contingency plan for each item listed above.

Change Request and Management

A description of the Disaster Recovery Plan change request and change management procedure. Describe the process that must be followed for submission, review and authorization for all requests for change to the Disaster Recovery Plan or any change to any part of the deliverables.

Approval for Disaster Recovery Plan

A description of the personnel authorized to approve the Disaster Recovery Plan. Their Name, Title and signature must accompany this document. Date when the contact was signed.

Appendices

A description of all other supporting information required for the understanding and execution of the Disaster Recovery Plan and requirements.

All Disaster Recovery Plan documents require the following two appendices:

1 Definitions, Acronyms, Abbreviations

A description of the definition of important terms, abbreviations and acronyms. This may also include a Glossary of terms.

2 References

A listing of all citations to all documents and meetings referenced or used in the preparation of this Disaster Recovery Plan and testing requirements document.