Software Disaster Recovery Plan

Software Disaster Recovery Plan (SDRP)

1 Purpose of this document (Objectives)

Insert the purpose of this document, its objectives, and its intended audience. Example: The purpose of this document is to formally recognize and codify the policies and procedures Company Name wishes to enact in order to both safeguard the Company's investment in their Software and to ensure that in the event of a disaster the Company can minimize any interruption to its businesses. The Company recognizes that its Software is an important part of its continued business operations and this plan provides Company Name Employees, Staff and Vendors this Software Disaster Recovery Plan (SDRP) as an overview of the required steps and policies to be enacted following an emergency.

2 Scope of Document

Insert description of the scope of this Software Disaster Recovery Plan. Describe whether this covers the entire company or a specific business unit or department, and whether this plan shall be governed by or supersedes other policy documents that may already be in place.

1 Scope Constraints

Insert constraints, such as schedules, costs, interactions, overview, or any other information relevant to the Software Disaster Recovery Plan.

3 Goals of this Plan

Insert an overview or brief description of the product, software, or other desired end result that is included in this Software Disaster Recovery Plan.

4 Business Context

Insert an overview of the business or organizations impacted by this Software Disaster Recovery Plan. Include the business or organization's critical components and reliance on Software. Note: This section will be primarily used to set priorities and identify and classify risk to the Company as it pertains to recovery from a Disaster Event.

5 Goals Defined

The Overall Goals of the SDRP are to provide easy and accessible methods for Company Name to recover from any of the following events or occurrences:

Loss of installed software and applications. Loss of updates, patches, fixes or other required upgrades. Loss of installation disks, packages or other media.

Loss of software proof of license or ownership. Loss of software inventory, software inventory data or other DRM (Digital Rights Management) information.

6 References and Reference Material

Insert a list of all reference documents and other materials related to the Software Disaster Recovery Plan.

References will often include, but are not limited to:

• Company Business Continuation Plan (BCP).
• Company Disaster Recovery Plan (DRP).
• Company Recovery Point Objectives (RPO).
• Company Recovery Time Objectives (RTO).
• Company Computer Use Policies.
• Software Acquisition Plan(s).
• Software Management Plan(s).

7 Documentation Items

Insert references to documentation, including but not limited to:

• Software Requirements Specification (SRS).
• Software Design Specification (SDS).
• Software Development Plan (SDP).
• Software Installation Guides.
• Software User Guides.
• Software Features Guides.
• Software Bug, Error Correction, or Defect Removal Guides.

Plan Components

1 Inventory Catalog and Control

A centralized Software Database and Control System (SDCS) for inventory shall be maintained for all software licensed by the Company. Before new software can be put into service, it must be entered into the SDCS by the IT department. Regular audits of employee computers will be performed to ensure compliance. A complete copy of all SDCS data shall be maintained off Company property and updated on a regular basis.

1 Check-in Procedures

Software shall undergo a check-in procedure, including all downloadable, virtual, online, ASP or hosted-application forms. All software, regardless of its form or the media on which it is delivered, shall be entered in the SDCS. This procedure is subject to change based on the individual software licensing requirements; however, all software shall have a record of entry in the SDCS regardless of its physical form.

Check-in shall include, but is not limited to:

Providing proof of purchase. Providing proof of license. Providing proof of Company license and not individual license. Providing all installation disks, media, manuals and collateral materials.

Directing IT staff to any online manuals and documentation. Providing original downloads and installation files for all software and licenses delivered virtually. Providing copies of all licenses, serial numbers, activation keys, IDs, passwords, logins or other information required to run the software or application. Submitting a complete set of information concerning the software you want to license and install will ensure a faster entry into the SDCS and approval for the use of the software.

Insert additional descriptions of the tasks to be performed.

2 Inventory Audits

Company shall conduct periodic audits of all software licenses to ensure compliance and integrity of our software inventory data. Regular checks of employee software and license counts may be conducted on a random basis. The Company will also conduct a complete Software and License Audit annually and compare it to the SDCS.

Insert additional descriptions of the tasks to be performed.

3 Off-site Storage

Off-site storage of all information contained in the SDCS shall be facilitated by the IT Department. This includes (whenever possible) copies of all installation media, documentation, licenses, serial numbers and other relevant information. In the case where multiple copies of the same software are being utilized, it is only necessary to store a single copy of each version off-site.

Data will be updated on a regular basis and more than one member of the Incident Response Team shall have access to this storage at all times. Insert additional descriptions of the tasks to be performed.

4 Proof of Ownership

All original supporting Proof of Ownership documents shall be retained off-site while the Company shall retain copies of Proof of Ownership onsite for auditing purposes. Insert additional descriptions of the tasks to be performed.

5 Documentation

Whenever possible, photocopies or reproductions of all documentation should be made for employee use, while the originals are stored off-site. Insert additional descriptions of the tasks to be performed.

6 Plan Objectives

This Software Disaster Recovery Plan may be superseded by actions required by the Company Disaster Recovery Plan (DRP) and is a part of the Company's Business Continuity Plan (BCP).

The following shall be considered to be objectives of the Software Disaster Recovery Plan:

Company Recovery Point Objective (RPO) - The Company Recovery Point Objective (RPO) shall be considered a point in time at which data must be restored in order to be acceptable to Company within the context of the following:

The difference in time between a back-up resource or asset and the disruptive event that could occur. The Company's tolerance for loss of data and continued operations. The Company's tolerance for risk and exposure to risk during a disaster event. The Company's exposure to cost and financial loss due to restoration of data and/or time spent recovering or re-entering data.

Company Recovery Time Objective (RTO) - The Company Recovery Time Objective (RTO) shall be the acceptable boundary of time in which recovery efforts must be accomplished in order to meet the expectations the Company has determined critical when a disaster event or business interruption occurs. An individual RTO may be established for each process covered under this recovery plan as established during the Company Business Impact Analysis (BIA) for each department. An RTO may encompass a series of processes as well. All RTOs are to be determined by Senior Management and/or the Executive Team.

Implementation of the Plan

Insert the overall objectives for implementation of the plan. Your Software Disaster Recovery Plan may contain several different approaches for certain events, large or small.

1 Definition of a Software Disaster Event

A software disaster event shall be defined as an event or occurrence that results in the sudden or unexpected loss of key software, licenses, components or dependencies; or any other failure.

An event may include, but is not limited to:

• Fire or smoke damage.
• Floods or water damage.
• Power and utility failures.
• Natural disasters.
• Terrorist attacks.
• Theft or criminal activity.
• Computer viruses or security breaches.
• Hardware and equipment failures.
• Human error or omissions.
• Legal issues.
• Riots, strikes and civil disturbances.
• Planned maintenance and testing.
• Unplanned maintenance and testing.

2 Notification of an Event

In the event of an occurrence of any event or disaster, regardless if it is known to impact a single user, department or the entire company, the following people must be immediately notified:

Insert notification information here, including back-up/secondary notification information. A specific person will be noted as "Disaster Recovery Coordinator" - you will want to specify who in your organization must take on that role. Be sure to specify all back-up and secondary notifications that must take place as well as who the role of "Disaster Recovery Coordinator" falls to in the event that the primary point of contact cannot be reached.

3 Event Recovery Timelines

Within the first Hours hours after notification of an event, the Disaster Recovery Coordinator will take the following steps:

Assess all damage to Company and its operations, including the determination of all affected locations and resources. Special consideration should be made for all dependent systems and software which are not yet impacted by an event, but share a dependency with an impacted software or resource. Consult all relevant Company Recovery Time Objectives (RTO) and Company Recovery Point Objectives (RPO).

Notify Senior Management and/or the proper Executives. Notify all support staff responsible for implementing this plan and recovery services, including all vendors who have responsibility for implementing the Company Business Continuity Plan (BCP). Make decisions regarding containing the damage from the disaster event and decide whether a recovery is to be enacted or whether back-up resources must be employed.

Within the first Hours hours after notification of an event, the Disaster Recovery Coordinator will take the following steps:

If the disaster event impacts Company customers, and after successful contact with Senior Management or Executives, contact all Customer Support Managers to provide them with information concerning service restrictions, limitations or other downtime that may occur. Notify all disaster recovery vendors, services or off-site storage providers as deemed necessary. Schedule all support staff or employees with disaster recovery duties and task them with recovery efforts. Schedule obtaining all relevant back-up data, software, manuals and other required resources.

Contact all Managers, Supervisors or Department Heads impacted by the Disaster Event.

Within the first Hours hours after notification of an event, the Disaster Recovery Coordinator will take the following steps:

Provide Senior Management and/or the proper Executives with an updated assessment, recovery progress report and an estimate/timeline for the recovery schedule. In the case of critical software and systems not immediately recoverable, the Disaster Recovery Coordinator shall have discretion to enact emergency funding up to Insert Disaster Recovery Funding Amount to cover the procurement of resources. Review all software support contracts and contact all software vendors to alert them for emergency assistance, temporary license keys or to enact provisions of support agreements that may exist between the vendor and Company. Proceed with acquisition of back-up resources, if deemed necessary at this time.

Proceed with activation of alternate resources, sites, locations or other critical resources. Secure all recovery logs. Secure an alternate base of operations, if deemed necessary. Carry out Company-wide communication, subject to Senior Management and/or Executive approval.

Carry out customer communication, subject to Senior Management and/or Executive approval.

Within the first Hours hours after notification of an event, the Disaster Recovery Coordinator will take the following steps:

Provide Senior Management and/or the proper Executives with an updated assessment, recovery progress report and an estimate/timeline for the recovery schedule. Begin installation and testing of all software and critical applications. Begin restoration or reloading of all critical or dependent data.

Enact monitoring of all restored software and operation of software to verify data integrity and operational continuity. Coordinate with Customer Support Managers and Department Heads to confirm successful resumption of schedules and functionality of restored software and systems.

Within Days days after successful restoration from an event, the Disaster Recovery Coordinator will take the following steps:

Provide Senior Management and/or the proper Executives with an updated assessment and recovery progress report, noting any outstanding reduction in functionality, loss of data or an extended estimate/timeline for the recovery of such items subject to each relevant RPO. The Disaster Recovery Coordinator will also coordinate evaluation and certification that each objective in the Company's RPO for an impacted business process has been met. Store all recovery logs.

Provide to Senior Management and/or the proper Executives a Disaster Recovery Report (DRR). Upon successful restoration of all critical software and systems, complete a new re-assessment of all systems and software associated with or relating to the recovery. Complete an assessment of all vendor performance. Complete an assessment of all support staff performance related to the recovery and enactment of the Software Disaster Recovery Plan.

If recovery efforts included use of off-site or alternate locations, resources or vendors, work with Senior Management and/or Executives to outline a plan for restoration and normalization of usage of such assets and resources, including additional back-up (e.g., allowing for back-ups for the back-ups, in essence) resources to be deployed.

4 Software Recovery Plan Testing

Insert the objectives and requirements for testing to ensure that the plan operates correctly within the parameters set forth by the Company and the provisions of its BCP.

5 Plan Objectives vs

Mandates

The objectives set forth in RPO and RTO objectives should be considered the overall goals of the Company in a disaster event. They are not exact mandates. Individual department policies and procedures, contingency plans and other disaster recovery plans may outline additional instructions to be followed.

6 Plan Performance Testing

Insert the objectives and requirements for testing to ensure that the plan operates correctly in regard to normal operation, response and execution times, scalability, portability and all other performance requirements within the business environment.

7 Plan Regression Testing

Insert the objectives and requirements for testing to ensure that any changes applied to the plan do not affect functions previously tested.

8 Plan Acceptance Testing

Insert the objectives and requirements for testing to ensure that the plan meets all criteria and deliverables as set forth in the Company's Business Continuity Plan (BCP). The Acceptance Testing is important to ensure that all requirements are met and that all components, modules, hardware requirements, and recovery and restore operations function and that a viable plan exists to demonstrate such functionality for a customer.

Plan Testing Process and Methods

Insert the specific testing process and methods to be used in performing each test activity. In this section you will describe and define each type of test that the Software Disaster Recovery Plan contains. You may attach additional exhibits to this section if your testing plan requires them.

Test Deliverables

Insert the specific deliverables and documents that are to be delivered from the testing process. Test deliverables may include incremental data or data derived from incomplete tests.

Typical test deliverables include, but are not limited to:

• Individual RTO/RPO Test Summary Reports.
• Group/Department RTO/RPO Summary Reports.
• Individual and Combined Test Logs.
• Test Metrics and Benchmark Reports.
• Test Incident Reports.
• Testing Task and Requirements List.

A description of tasks and the skills required for performing testing as a part of the deliverables. Focus on restraints such as resource availability, time constraints, staff and developer availability, and all other external factors that can influence testing.

Risk and Assumption Contingency Plan(s)

Insert a description of the contingency plan for each item listed above.

Change Request and Management

A description of the Software Disaster Recovery Plan change request and change management procedure. Describe the process that must be followed for submission, review and authorization for all requests for change to the Software Disaster Recovery Plan or any change to any part of the deliverables. Approval for Software Disaster Recovery Plan. A description of the personnel authorized to approve the Software Disaster Recovery Plan .

Their names, titles and signatures must accompany this document. Date when the contact was signed.

Appendices

A description of all other supporting information required for the understanding and execution of the Software Disaster Recovery Plan and requirements.

All Software Disaster Recovery Plan documents require the following two appendices:

1 Definitions, Acronyms, Abbreviations

A description of the definitions of important terms, abbreviations and acronyms. This may also include a Glossary of terms.

2 References

A listing of all citations to all documents and meetings referenced or used in the preparation of this Software Disaster Recovery Plan.

Customer Initials Developer Initials