Disaster Recovery Plan Policy

1. Overview

Since disasters happen so rarely, the disaster recovery planning process can be overlooked. It is important to realize that having a contingency plan in the event of a disaster gives <Company Name> a competitive advantage. This policy requires management to financially support and diligently attend to disaster contingency planning efforts. Disasters are not limited to adverse weather conditions. Any event that could likely cause an extended delay of service should be considered. The Disaster Recovery Plan is often part of the Business Continuity Plan.

2. Purpose

This policy defines the requirement for a baseline disaster recovery plan to be developed and implemented by <Company Name> that will describe the process to ensure safety and recover IT Systems, Applications and Data from any type of disaster that causes a major outage.

3. Scope

This policy is directed to the Management Staff, who are accountable for ensuring the plan is developed, tested and kept up-to-date. This policy solely states the requirement to have a disaster recovery plan; it does not provide requirements for what goes into the plan or sub-plans. Plans for various scenarios are included in the Appendices.

4. Policy

4.1 Contingency Plans

The following contingency plans must be created:

  • Computer Emergency Response Plan: Who is to be contacted, when, and how? What immediate actions must be taken in the event of certain occurrences?
  • Succession Plan: Describe the flow of responsibility when normal staff is unavailable to perform their duties.
  • Inventory Study: Detail the critical infrastructure required to continue operations in the event of a location loss. This includes everything from work space to data stored on the systems, its criticality, and its confidentiality.
  • Criticality of Service List: List all the services provided and their order of importance. It also explains the order of recovery in both short-term and long-term timeframes.
  • Data Backup and Restoration Plan: Detail which data is backed up, the media to which it is saved, where that media is stored, and how often the backup is done. It should also describe how that data could be recovered.
  • Equipment Replacement Plan: Describe what equipment is required to begin to provide services, list the order in which it is necessary, and note where to purchase the equipment.
  • Media Management: Who oversees giving information to the mass media?

After creating the plans, it is important to practice them to the extent possible. Management should set aside time to test implementation of the disaster recovery plan. Table top exercises should be conducted annually. During these tests, issues that may cause the plan to fail can be discovered and corrected in an environment that has few consequences.

The plan, at a minimum, should be reviewed and updated on an annual basis.

5. Policy Compliance

5.1 Exceptions

Any exception to the policy must be approved by the Management Team in advance.

5.2 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at:

  • Disaster

7. Revision History

Date of Change / Responsible / Summary of Change

March 2017 / Document Creation

Appendix A – Building Fire Scenario

In the event of a building fire that results in the total loss of the <Name> location, the following plan should be used as a framework for ensuring safety of employees and beginning business continuity efforts.

Situation - The fire alarm has been activated and you smell smoke.

Immediate Priority is human safety.

When fire is discovered:

Notify the local Fire Department by calling 911.

Fight the fire ONLY if:

  • The Fire Department has been notified.
  • The fire is small and is not spreading to other areas.
  • Escaping the area is possible by backing up to the nearest exit.
  • The fire extinguisher is in working condition and personnel are trained to use it.

Evacuate the building:

Upon being notified about the fire emergency, or hearing the siren, occupants must:

  • Leave the building using the nearest safe exit. Designated area captains are responsible for coordinating assistance for those that need it.
  • The receptionist should take the visitor log with them and provide it to the designated area captain to include in the personnel counts.
  • Assemble in the designated area
  • Remain outside until the Fire Department announces that it is safe to reenter.
  • Designated leadership should take any emergency information that is not accessible outside the building with them.

Area/Department Captains must:

  • Ensure that all employees have evacuated their area/department.
  • Perform an accurate head count of personnel reported to the designated area.
  • Secure or remove flammable equipment unless doing so jeopardizes his/her safety.
  • Report any problems to the Emergency Coordinator at the assembly area.
  • Assist all physically challenged employees in emergency evacuation.

Designated Emergency Coordinator(s) must:

  • Perform an accurate head count of personnel from the Area/Department Captains' reports, including visitors from the reception list.
  • Determine a rescue method to locate missing personnel.
  • Provide the Fire Department personnel with the necessary information about the facility.
  • Alert appropriate parties using the emergency communication mechanism.

Post Evacuation

  • Designated leadership makes the decision to enact the remaining phases of the emergency plan
  • Acquire space if necessary
  • Communication plan is implemented to:
      • Set expectations using a practiced work from home policy
      • Notify staff of plan to work remotely and implement revised processes
      • Notify clients and customers of current situation and steps being taken to resume operations
      • Notify vendors of situation and hold/route orders as needed
      • Update web page
      • Update phone system to route calls and play emergency messages
  • Designated staff member should contact the insurance representative
  • Provide inventory of possible losses
  • Follow the system continuity plan using assumed RTO and RPOs
  • Update IT service providers
  • Secure offsite backups if necessary
  • Begin turning on cold/warm site
  • Revert to manual processes for operations as needed

Longer Term Continuity

  • Designated leadership meets to:
      • Determine timeframe and capacity to continue working in temporary/remote environment
      • Decide on enacting further continuity efforts
  • Continue communication updates with staff, customers, and vendors.
  • Review manual processes
  • Upward communication of issues with temporary/work environments/processes

Appendix B – Ransomware Attack

In the event of a ransomware attack that results in the encryption of files/data and the potential for loss, this plan should be used as a framework for minimizing the damage and expediting the recovery.

Awareness

  • The IT department or service provider needs to be immediately aware of the issue.
  • Users should be aware that reporting any suspicious messages or activity is paramount in minimizing damage.
  • Users should be trained and aware of the methods to report activity and understand the repercussions of not doing so.

Damage Control

  • Isolate known machines through:
      • Removing share permissions
      • Removing network cables

Assess

  • Identify the extent of infection
  • Examine file extensions
  • Update and run scanners
  • Once a pattern is identified:
      • Seek an automated method to scan network servers and workstations to determine infection
      • Record which are problematic and remove from network
  • Secure backups from replicating problems
  • Alert staff and compliance officers if necessary
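
An added example, not part of the original policy template: one way to automate the scan in the Assess step once a file-extension or ransom-note pattern has been identified. The function names are hypothetical, and the suffix and note name are constructed placeholders to be replaced with the pattern actually observed.

```python
import os
import sys
from collections import Counter

def scan_tree(root, bad_suffixes, note_names=()):
    """Walk root; return (hits, per_dir) for files matching the identified pattern."""
    suffixes = tuple(s.lower() for s in bad_suffixes)
    notes = {n.lower() for n in note_names}
    hits, per_dir = [], Counter()

    def on_error(err):
        # Record unreadable directories so gaps in coverage stay visible.
        hits.append(("unreadable", err.filename))

    # followlinks=False avoids looping through symlinked or junctioned shares.
    for dirpath, _dirs, files in os.walk(root, onerror=on_error, followlinks=False):
        for name in files:
            low = name.lower()
            if low in notes:
                kind = "ransom_note"
            elif suffixes and low.endswith(suffixes):
                kind = "encrypted"
            else:
                continue
            hits.append((kind, os.path.join(dirpath, name)))
            per_dir[dirpath] += 1
    return hits, per_dir

def triage(roots, bad_suffixes, note_names=()):
    """Scan several share/host roots; return those with matches or unreadable paths."""
    report = {}
    for root in roots:
        hits, per_dir = scan_tree(root, bad_suffixes, note_names)
        if hits:
            report[root] = {"hits": len(hits), "worst_dirs": per_dir.most_common(3)}
    return report

if __name__ == "__main__":
    # Constructed placeholders: replace with the pattern identified during Assess.
    SUFFIXES = [".locked-example"]
    NOTES = ["restore_files_example.txt"]
    for root, info in triage(sys.argv[1:], SUFFIXES, NOTES).items():
        print(f"{root}: {info['hits']} hits; remove from network and record")
        for directory, count in info["worst_dirs"]:
            print(f"    {count:6d}  {directory}")
```

Run it read-only against mounted shares or host roots passed as arguments; the per-directory counts show where encryption is concentrated, which helps decide what to isolate first and which backups to protect from replication.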

Restore

  • Review and test restore capability from backups
  • Implement restore process
  • Communicate to staff and compliance officers