Disaster Recovery & Business Continuity Template
ISO 27000, Sarbanes-Oxley, HIPAA, PCI DSS and ITIL Compliant
Prepared by
This is a sample of the final product. These pages are for your review only and are protected by Janco's copyright. PAGES HAVE BEEN EXCLUDED.
email - support@e-janco.com
Web sites – http://www.e-janco.com - http://www.it-toolkits.com -- http://www.itproductivity.org
Version 5.2
© 2008 Copyright Janco Associates, Inc. ALL RIGHTS RESERVED
[Enterprise logo here]
Disaster Recovery / Business Continuity

Table of Contents [1]

1.0 Plan Introduction ... 11
  1.1 Mission and Objectives ... 12
    Compliance ... 12
      Implication of Legislated and Industry Standards Requirements ... 12
        Sarbanes-Oxley ... 12
        COSO ... 14
        PCI DSS ... 15
      ISO 27000 Compliance Process ... 16
        Define the Control Environment ... 16
        Control the Environment by Implementation and Management ... 16
        Audit and Examine the Control Processes ... 17
  1.2 Disaster Recovery / Business Continuity Scope ... 18
  1.3 Authorization ... 18
  1.4 Responsibility ... 18
  1.5 Key Plan Assumptions ... 19
  1.6 Disaster Definition ... 20
  1.7 Metrics ... 20
  1.8 Disaster Recovery / Business Continuity and Security Basics ... 22
    Servers ... 22
    Network ... 24
    Clients ... 24
    Recovery Procedures ... 25
    Communication ... 25
    Designated operators ... 25
    Designated manager ... 25
    External resources ... 26
    Insurance ... 26
[1] Major sections of this document were extracted from Client Server Management HandiGuide, PC Policies and Procedures HandiGuide, Metric for the Internet and IT Management HandiGuide, and the IT Position Description HandiGuide, which are copyrighted by M. V. Janulaitis and published by Janco Associates, Inc. These copyrighted materials remain the property of the copyright owners, and the licensed user of this document is only granted a limited use license of this material. For more information see www.e-janco.com
The intent of a Disaster Recovery Plan is to provide a written and tested plan directing the computer system recovery process in the event of an interruption in continuous service resulting from an unplanned and unexpected disaster.

The Disaster Recovery Plan preparation process includes several major steps as follows:
Compliance

Sarbanes-Oxley

With the rise of both financial standards (Sarbanes-Oxley, enforced by the SEC, the US Securities and Exchange Commission) and industry standards such as ITIL (Version 3 of the Information Technology Infrastructure Library), specific additional requirements have been added to the Disaster Recovery / Business Continuity processes.
[2] Critical time frames include both the point in time that the recovery will be set to and the point in time that the recovery will be completed and the enterprise can be back in operation.

[3] This section is for informational purposes and can be excluded from the plan.
COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) assertions relating to business continuity, which influence the outcome of the SOX evaluation process, primarily relate to Completeness and Accuracy, as well as Presentation and Disclosure. The question is whether the company maintains the ability to meet its obligations to file timely reports in accordance with established deadlines.

The timeliness of reporting could also affect other processes such as the month-end close process. A company's financial system that supports the outputs of the close-the-books process could be affected, causing filing delays or certification of potentially inaccurate or incomplete information.
PCI DSS

The PCI standard requires that any enterprise that processes credit card information must do the following:

A key strategy for reducing the risk and cost associated with implementing controls as they relate to the DRP/BCP is to define policies and procedures that support the compliance process. By minimizing costly and error-prone undefined processes, you can eliminate the fragmentation and duplication of effort and transform your controls environment into a proactive risk management system.
[4] This section is for informational purposes and can be excluded from the plan.
Types of Backups

Type of Backup: Full Backup
Description: A full backup creates a copy of every file on a storage device. It is also the most costly in terms of effort, time and dollar output.
Appropriate Use: Annual (verified) Backup; Monthly Backup; Weekly Backup; Daily Backup

Type of Backup: Incremental Backup
Description: An incremental backup creates copies of only those files or records on a storage device that have changed since the last backup. It is more complex to restore when a complete file needs to be restored, but it takes less effort to create.
Appropriate Use: Weekly Backup; Daily Backup

Type of Backup: Transaction Log Backup
Description: A transaction log backup creates copies of only those records (in some cases before and after images of records) on a storage device that have changed since the last backup. It requires a version of the application program to run all of the transactions since the last full backup.
Appropriate Use: Daily Backup
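The restore complexity the table describes follows from how the three types chain together. The added example below (not part of the template) resolves which backups must be applied, in order, to recover to a chosen point in time, and reports the recovery point actually achieved. It assumes a simple model: an incremental holds changes since the previous full or incremental, and a transaction log holds the transactions recorded after the most recent full or incremental; the schedule is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Added example, not part of the template. Assumed model: a full backup stands
# alone; an incremental holds changes since the previous full or incremental;
# a transaction log holds transactions recorded after the most recent full or
# incremental and is replayed last.

@dataclass(frozen=True)
class Backup:
    kind: str          # "full", "incremental" or "log"
    taken: datetime    # time the backup completed

def restore_chain(backups, target):
    """Return the backups, in apply order, needed to restore as of `target`."""
    usable = sorted((b for b in backups if b.taken <= target), key=lambda b: b.taken)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before target: restore impossible")
    base = fulls[-1]                       # most recent full is the starting point
    after = [b for b in usable if b.taken > base.taken]
    incrementals = [b for b in after if b.kind == "incremental"]
    anchor = incrementals[-1] if incrementals else base
    # logs taken before the last incremental are superseded by it
    logs = [b for b in after if b.kind == "log" and b.taken > anchor.taken]
    return [base, *incrementals, *logs]

def recovery_point(backups, target):
    """Point in time the recovered system is 'set to' and the work lost
    between that point and `target` (a timedelta)."""
    chain = restore_chain(backups, target)
    return chain[-1].taken, target - chain[-1].taken

# Constructed sample schedule: weekly full, daily incrementals, logs every 4 h.
T = datetime.fromisoformat
SCHEDULE = [
    Backup("full", T("2024-03-03T02:00")),
    Backup("incremental", T("2024-03-04T02:00")),
    Backup("incremental", T("2024-03-05T02:00")),
    Backup("incremental", T("2024-03-06T02:00")),
    Backup("log", T("2024-03-06T08:00")),
    Backup("log", T("2024-03-06T12:00")),
    Backup("log", T("2024-03-06T16:00")),
    Backup("full", T("2024-03-10T02:00")),
]

if __name__ == "__main__":
    for b in restore_chain(SCHEDULE, T("2024-03-06T14:30")):
        print(b.kind, b.taken)
    print(recovery_point(SCHEDULE, T("2024-03-06T14:30")))
```

The gap returned by `recovery_point` is the "point in time that the recovery will be set to" from footnote 2, so a schedule can be checked against the recovery objectives the plan sets.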
ENTERPRISE
Business and IT Impact Questionnaire

The purpose of this questionnaire is to determine the criticality of the applications used at ENTERPRISE. The information provided will be used to develop an Application Inventory that can be used in the Disaster Recovery Plan to minimize the impact of the loss of this application in the event of a disaster. (PLEASE USE ADDITIONAL BLANK PAPER OR ATTACHMENTS WHEREVER NECESSARY)

Name: ____________________

Was this developed in-house or purchased from a vendor? If purchased from a vendor, do you hold the plans, source code, etc.? ____________________

If the application is a purchased package, are there extensive modifications to this application (briefly describe modifications)? ____________________

Who is the owner of this application (i.e. Joe Smith of Accounting)? ____________________
ENTERPRISE
Business and IT Impact Questionnaire

Comments: ____________________
ENTERPRISE
Vendor Disaster Recovery Planning Questionnaire

3. What duration of time is assumed for each type of failure scenario or outage you plan for? ____________________ (please specify # and hours, days, weeks, months, etc. for each type)

5. If you answered "Yes" to Question (4), what is the expected recovery time for your critical business functions?
   0 – 4 hours _____
   4 – 8 hours _____
   Within one day _____
   1 – 2 days _____
   More than 2 days _____
   Other (please specify) _____
   N/A _____

Testing (cont'd)

3. Has your DRP and BCP been activated in the last 24 months? Yes ________ or No ________
Version History

2. Reviewed and modified the entire DRP/BCP template to ensure compliance with ISO 17799
3. Business & IT Impact Questionnaire updated to meet ISO 17799 compliance requirements
4. Corrected errata
If you have any suggestions please forward them to support@e-janco.com or contact us directly via phone at 435 940-9300
License Conditions
This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE Disaster Recovery Plan unless the purchaser has paid for a multi-use or worldwide license.

Anyone who makes an unlicensed copy of or uses the template or any derivative of it is in violation of United States and International copyright laws and subject to fines that are treble damages as determined by the courts. A REWARD of up to 1/3 of those fines will be paid to anyone reporting such a violation upon the successful prosecution of such violators.

The purchaser agrees that any derivative of this template will contain the following words within the first five pages of that document. The words are:

Derived from the Disaster Recovery Plan Template of Janco Associates, Inc.
© 2001 - 2008 Copyright Janco Associates, Inc. – ALL RIGHTS RESERVED

All Rights Reserved. No part of this book may be reproduced by any means without the prior written permission of the publisher. No reproduction or derivation of this book shall be re-sold or given away without royalties being paid to the authors. All other publisher's rights under the copyright laws will be strictly enforced.
Published by:
435 940-9300
e-mail - support@e-janco.com