How do you write a Software Disaster Recovery Plan document?

Software Disaster Recovery Plan SDRP THE SDRP PROJECT DOCUMENT TITLE Author Title Company CurrentDate

Document Version Control Information 1. Introduction 1 Purpose of this document Objectives Insert the purpose of this document its objectives and its intended audience. Example. The purpose of this document is to formally recognize and codify the policies and procedures Company wishes to enact in order to both safeguard the Company’s investment in their Software and to ensure that in the event of disaster the Company can minimize any interruption to its businesses. The Company recognizes that its Software is an important part of its continued business operations and this plan provides Company Employees Staff and Vendors this Software Disaster Recovery Plan SDRP as an overview of the required steps and policies to be enacted following an emergency. 1 Scope of Document Insert description of the scope of this Software Disaster Recovery Plan. Describe whether this covers the entire company or specific business unit or department and whether this plan shall be governed by or supersedes other policy documents that may already be in place. 1. Scope Constraints Insert constraints such as schedules costs interactions overview or any other information relevant to the Software Disaster Recovery Plan.

1 Goals of this Plan Insert an overview or brief description of the product software or other desired end result that is included in this Software Disaster Recovery Plan. 1 Business Context Insert an overview of the business or organizations impacted by this Software Disaster Recovery Plan. Include the business or organizations critical components and reliance on Software. Note. This section will be primarily used to set priorities and identify and classify risk to the Company as it pertains to recovery from Disaster Event. 1 Goals Defined The Overall Goals of the SDRP are to provide easy and accessible methods for Company to recover from any of the following events or occurrences. * Loss of installed software and applications * Loss of updates patches fixes or other required upgrades

* Loss of installation disks packages or other media * Loss of software proof of license or ownership * Loss of software inventory software inventory data or other DRM Digital Rights Management information 1 References and Reference Material Insert list of all reference documents and other materials related to the Software Disaster Recovery Plan. References will often include but are not limited to. * Company Business Continuation Plan BCP

* Company Disaster Recovery Plan DRP * Company Recovery Point Objectives RPO * Company Recovery Time Objectives RTO * Company Computer Use Policies * Software Acquisition Plan

* Software Management Plan 1 Documentation Items Insert references to documentation including but not limited to. * Software Requirements Specification SRS * Software Design Specification SDS * Software Development Plan SDP

* Software Installation Guides * Software User Guides * Software Features Guides * Software Bug Error Correction or Defect Removal Guides 2. Plan Components 2 Inventory Catalog and Control A centralized Software Database and Control System SDCS for inventory shall be maintained for all software licensed by the Company. Before new software can be put into service it must be entered into the SDCS by the IT department. Regular audits of employee computers will be performed to ensure compliance. complete copy of all SDCS data shall be maintained off Company property and updated on regular basis. 2. Check in Procedures

Software shall undergo check in procedure including all downloadable virtual online ASP or hosted application forms. All software regardless of its form or the media on which it is delivered shall be entered in the SDCS. This procedure is subject to change based on the individual software licensing requirements; however all software shall have record of entry in the SDCS regardless of its physical form. Check in shall include but is not limited to. * Providing proof of purchase. * Providing proof of license. * Providing proof of Company license and not individual license. * Providing all installation disks media manuals and collateral materials. * Directing IT staff to any online manuals and documentation. * Providing original downloads and installation files for all software and licenses delivered virtually. * Providing copies of all licenses serial numbers activation keys IDs passwords logins or other information required to run the software or application.

Submitting complete set of information concerning the software you want to license and install will ensure faster entry into the SDCS and approval for the use of the software. Insert additional descriptions of the tasks to be performed. 2 Inventory Audits Company shall conduct periodic audits of all software licenses to ensure compliance and integrity of our software inventory data. Regular checks of employee software and license counts may be conducted on random basis. The Company will also conduct complete Software and License Audit annually and compare it to the SDCS. Insert additional descriptions of the tasks to be performed.

2 Off site Storage Off site storage of all information contained in the SDCS shall be facilitated by the IT Department. This includes whenever possible copies of all installation media documentation licenses serial numbers and other relevant information. In the case where multiple copies of the same software are being utilized it is only necessary to store single copy of each version off site. Data will be updated on regular basis and more than one member of the Incident Response Team shall have access to this storage at all times. Insert additional descriptions of the tasks to be performed. 2 Proof of Ownership All original supporting Proof of Ownership documents shall be retained off site while the Company shall retain copies of Proof of Ownership onsite for auditing purposes.

Insert additional descriptions of the tasks to be performed. 2 Documentation Whenever possible photocopies or reproductions of all documentation should be made for employee use while the originals are stored off site. Insert additional descriptions of the tasks to be performed. 2 Plan Objectives

This Software Disaster Recovery Plan may be superseded by actions required by the Company Disaster Recovery Plan DRP and is part of the Company’s Business Continuity Plan BCP. The following shall be considered to be objectives of the Software Disaster Recovery Plan. * Company Recovery Point Objective RPO The Company Recovery Point Objective RPO shall be considered point in time at which data must be restored in order to be acceptable to Company within the context of the following. 1. The difference in time between back up resource or asset and the disruptive event that could occur. 2. The Company’s tolerance for loss of data and continued operations. 3. The Company’s tolerance for risk and exposure to risk during disaster event.

4. The Company’s exposure to cost and financial loss due to restoration of data and or time spent recovering or re entering data. * Company Recovery Time Objective RTO The Company Recovery Time Objective RTO shall be the acceptable boundary of time in which recovery efforts must be accomplished in order to meet the expectations the Company has determined critical when disaster event or business interruption occurs. * An individual RTO may be established for each process covered under this recovery plan as established during the Company Business Impact Analysis BIA for each department. An RTO may encompass series of processes as well. All RTOs are to be determined by Senior Management and or the Executive Team. 3. Implementation of the Plan Insert the overall objectives for implementation of the plan. Your Software Disaster Recovery Plan may contain several different approaches for certain events large or small. 3 Definition of Software Disaster Event A software disaster event shall be defined as an event or occurrence that results in the sudden or unexpected loss of key software licenses components or dependencies; or any other failure. An event may include but is not limited to.

* Fire or smoke damage * Floods or water damage * Power and utility failures * Natural disasters * Terrorist attacks * Theft or criminal activity * Computer viruses or security breaches * Hardware and equipment failures * Human error or omissions

* Legal issues * Riots strikes and civil disturbances * Planned maintenance and testing * Unplanned maintenance and testing 3 Notification of an Event In the event of an occurrence of any event or disaster regardless if it is known to impact single user department or the entire company the following people must be immediately notified. Insert notification information here including back up secondary notification information. specific person will be noted as “Disaster Recovery Coordinator” you will want to specify who in your organization must take on that role. Be sure to specify all back up and secondary notifications that must take place as well as who the role of “Disaster Recovery Coordinator” falls to in the event that the primary point of contact cannot be reached.

3 Event Recovery Timelines Within the first Hours hours after notification of an event the Disaster Recovery Coordinator will take the following steps. 1. Assess all damage to Company and its operations including the determination of all affected locations and resources. Special consideration should be made for all dependent systems and software which are not yet impacted by an event but share dependency with an impacted software or resource. 2. Consult all relevant Company Recovery Time Objectives RTO and Company Recovery Point Objectives RPO. 3. Notify Senior Management and or the proper Executives.

4. Notify all support staff responsible for implementing this plan and recovery services including all vendors who have responsibility for implementing the Company Business Continuity Plan BCP. 5. Make decisions regarding containing the damage from the disaster event and decide whether recovery is to be enacted or whether back up resources must be employed. Within the first Hours hours after notification of an event the Disaster Recovery Coordinator will take the following steps. 1. If the disaster event impacts Company customers and after successful contact with Senior Management or Executives contact all Customer Support Managers to provide them with information concerning service restrictions limitations or other downtime that may occur. 2. Notify all disaster recovery vendors services or off site storage providers as deemed necessary.

3. Schedule all support staff or employees with disaster recovery duties and task them with recovery efforts. 4. Schedule obtaining all relevant back up data software manuals and other required resources. 5. Contact all Managers Supervisors or Department Heads impacted by the Disaster Event. Within the first Hours hours after notification of an event the Disaster Recovery Coordinator will take the following steps. 1. Provide Senior Management and or the proper Executives with an updated assessment recovery progress report and an estimate timeline for the recovery schedule. 2. In the case of critical software and systems not immediately recoverable the Disaster Recovery Coordinator shall have discretion to enact emergency funding up to Insert Disaster Recovery Funding Amount to cover the procurement of resources. 3. Review all software support contracts and contact all software vendors to alert them for emergency assistance temporary license keys or to enact provisions of support agreements that may exist between the vendor and Company. 4. Proceed with acquisition of back up resources if deemed necessary at this time.

5. Proceed with activation of alternate resources sites locations or other critical resources. 6. Secure all recovery logs. 7. Secure an alternate base of operations if deemed necessary. 8. Carry out Company wide communication subject to Senior Management and or Executive approval. 9. Carry out customer communication subject to Senior Management and or Executive approval. Within the first Hours hours after notification of an event the Disaster Recovery Coordinator will take the following steps. 1. Provide Senior Management and or the proper Executives with an updated assessment recovery progress report and an estimate timeline for the recovery schedule. 2. Begin installation and testing of all software and critical applications.