BCPDRPTemplate


Disaster Recovery & Business Continuity Template
ISO 27000, Sarbanes-Oxley, HIPAA, PCI DSS and ITIL Compliant

Prepared by
This is a sample of the final product.
These pages are for your review only and are protected by Janco’s copyright.
PAGES HAVE BEEN EXCLUDED

Park City, UT 84060

email - support@e-janco.com
Web sites – http://www.e-janco.com - http://www.it-toolkits.com -- http://www.itproductivity.org

Version 5.2
© 2008 Copyright Janco Associates, Inc. ALL RIGHTS RESERVED
Enterprise logo here Disaster Recovery Business Continuity

Table of Contents 1
1.0 Plan Introduction
1.1 Mission and Objectives
Compliance
Implication of Legislated and Industry Standards Requirements
Sarbanes-Oxley
COSO
PCI DSS
ISO 27000 Compliance Process
Define the Control Environment
Control the Environment by Implementation and Management
Audit and Examine the Control Processes
1.2 Disaster Recovery / Business Continuity Scope
1.3 Authorization
1.4 Responsibility
1.5 Key Plan Assumptions
1.6 Disaster Definition
1.7 Metrics
1.8 Disaster Recovery / Business Continuity and Security Basics
Servers
Network
Clients
Recovery Procedures
Communication
Designated operators
Designated manager
External resources
Insurance

1
Major sections of this document were extracted from Client Server Management HandiGuide, PC Policies and
Procedures HandiGuide, Metric for the Internet and IT Management HandiGuide, and the IT Position Description
HandiGuide which are copyrighted by M. V. Janulaitis and published by Janco Associates, Inc. These copyrighted
materials remain the property of the copyright owners and the licensed user of this document is only granted a
limited use license of this material. For more information see www.e‐janco.com

Version 5.2 CONFIDENTIAL Page 2


2.0 Business Impact Analysis
2.1 Scope
2.2 Objectives
2.3 Critical Time Frame
2.4 Application System Impact Statements
Essential
Delayed
Suspended
2.5 Information Reporting
2.6 Best Data Practices
2.7 Summary
3.0 Backup Strategy
3.01 Site Strategy
3.02 Data Capture and Backups
Backup Strategy
3.03 Backup and Backup Retention Policy
Policy
Applicability
Types of Backups
Minimal Backup Policy
Backup Retention
Documentation and Backup Media Labeling
Storage
Responsibilities
Testing and Training
System Specific Backup Policy
Backup Retention
Documentation and Backup Media Labeling
Storage
Responsibilities
Testing and Training
3.04 Communication Strategy and Policy
DRP / BCP Communication Policy
3.05 ENTERPRISE Data Center Systems
Backup Files
Storage Rotation
ENTERPRISE Data Center
Off Site Storage
3.06 Departmental File Servers
Backup Files
Storage Rotation
Department
ENTERPRISE Data Center
Off Site Storage
3.07 Wireless Network File Servers
Backup Files
Storage Rotation

Wireless Network File Server Area
ENTERPRISE Data Center
Off Site Storage
3.08 Data at Outsourced Sites (including ISP’s)
Backup Files
Storage Rotation
Outsourced Sites
ENTERPRISE Data Center
Off Site Storage
3.09 Branch Offices (Remote Offices & Retail Locations)
Backup Files
Storage Rotation
Laptop location
ENTERPRISE Data Center
Off Site Storage
3.10 Desktop Workstations (In Office)
Backup Files
Storage Rotation
Desktop Workstation location
ENTERPRISE Data Center
Off Site Storage
3.11 Desktop Workstations (Off site including at home users)
Backup Files
Storage Rotation
Desktop Workstation location
ENTERPRISE Data Center
Off Site Storage
3.12 Laptops
Backup Files
Storage Rotation
Laptop location
ENTERPRISE Data Center
Off Site Storage
3.13 PDA’s and Smartphones
Backup Files
Storage Rotation
Laptop location
ENTERPRISE Data Center
Off Site Storage
4.0 Recovery Strategy
4.1 Approach
4.2 Escalation Plans
4.3 Decision Points
Plan 1
Plan 2
Plan 3
5.0 Disaster Recovery Organization
5.1 Recovery Team Organization Chart

5.2 Disaster Recovery Team
5.3 Recovery Team Responsibilities
5.3.1 Recovery Management
Senior Recovery Manager Responsibilities
Pre-Disaster
Post-Disaster
Recovery Manager Responsibilities
Pre-Disaster
Post-Disaster
5.3.2 Damage Assessment and Salvage Team
Damage Assessment and Salvage Team Responsibilities
Pre-Disaster
Post-Disaster
5.3.3 Physical Security
Pre-Disaster
Post-Disaster
5.3.4 Administration
Pre-Disaster
Post-Disaster
5.3.5 Hardware Installation
Pre-Disaster
Post-Disaster
5.3.6 Systems, Applications and Network Software
Pre-Disaster
Post-Disaster
5.3.7 Communications
Pre-Disaster
Post-Disaster
5.3.8 Operations
Pre-Disaster
Post-Disaster
6.0 Disaster Recovery Emergency Procedures
6.1 General
6.2 Recovery Management
6.3 Damage Assessment and Salvage
6.4 Physical Security
6.5 Administration
6.6 Hardware Installation
6.7 Systems, Applications & Network Software
6.8 Communications
6.9 Operations

7.0 Plan Administration
7.1 Disaster Recovery Manager
7.2 Distribution of the Disaster Recovery Plan
7.3 Maintenance of the Business Impact Analysis
7.4 Training of the Disaster Recovery Team
7.5 Testing of the Disaster Recovery Plan
7.6 Evaluation of the Disaster Recovery Plan Tests
7.7 Maintenance of the Disaster Recovery Plan
8.0 Appendix
8.01 Plan Distribution
8.02 ENTERPRISE Sales Offices
8.03 Disaster Recovery Team Call List
8.04 Vendor Phone/Address List
8.05 Off-Site Inventory
8.06 Personnel Location Form
8.07 Hardware/Software Inventory
8.08 People Interviewed
8.09 Preventative Measures
8.10 Sample Application Systems Impact Statement
8.11 Job Descriptions
Disaster Recovery Manager
Position Purpose
Problems and Challenges
Essential Position Functions
Principal Accountabilities
Authority
Contacts
Position Requirements
Manager Disaster Recovery and Business Continuity
Position Purpose
Problems and Challenges
Essential Position Functions
Principal Accountabilities
Authority
Contacts
Position Requirements
8.12 Application Inventory and Business Impact Analysis Questionnaire
Facility / Business Function / Application
Sarbanes-Oxley Compliance
ISO – 27000 Compliance - System of Internal Controls
User Environment
Operating Environment
Criticality of Application
Processing Information
Application / File Servers

Historical Information
Database / File Names
Documentation
Security
Application Support and Maintenance
Resource Usage
Equipment Requirements by Department
Backups
8.13 Key Customer Notification List
8.14 Resources Required for Business Continuity
8.15 Critical Resources to Be Retrieved
8.16 Business Continuity Off-Site Materials
Off Site Stored Materials
Recovery Box
8.17 Work Plan
Project Initiation
Project Scheduling
Business Impact Analysis
Backup and Recovery Strategy
Initial Implementation
Post Implementation
8.18 Audit Disaster Recovery Plan Process
Audit Program
Audit Program Overview
Suggested interviewees for Audit
Objective #1 - Backup Procedures
Objective #2 - Off-site Storage Facility
Objective #3 - Disaster Recovery Plan
8.19 Vendor Disaster Recovery Planning Questionnaire
Vendor / Partner Information
DRP and Business Continuity Strategy
DRP and Business Continuity Strategy (cont’d)
Crisis Communication
Backup Facilities
Backup Facilities (cont’d)
Testing
Testing (cont’d)
Prior DRP and BCP Plan Activations
DRP and BCP Support

8.20 Departmental DRP and BCP Activation Workbook
Quick Reference Guide
Team Alert List
Team Responsibilities
Team Leader Responsibilities / Checklist
General
Critical Functions
Normal Business Hours Response
After Normal Business Hours Response
Primary Location
Alternate Location
Team Recovery
Business Resumption Plan Copies
Cellular Phone (TBD)
Team Work Area
Notifications
Team Recovery Steps
The team leader responsibilities
Departmental Meeting
Personnel Location Form
Status Report
Travel Arrangements
Notification
Notification Checklist
Notification Procedure
Notification Call List
Project Status Report
Planned Activities for the Period
Accomplished Planned Activities
Planned Activities Not Accomplished
Activity
Reason
Expected completion
Unplanned Activities Performed or Identified
Activity
Reason
Impact on project
Planned Activities for the Next Period
Cost Data To Date
Open Issues and Resolutions
Comments
8.21 Web Site Disaster Recovery Planning Form
Backup Site
Backup Site (Secondary)
Software Required to Operate Web Site


9.0 Version Changes .......................................................................................187


Version 5.1 to 5.2 – Release date August 1, 2008 .............................. 187
Version 5.0 to 5.1 – Release date July 1, 2008 ................................... 187
Version 4.5 to 5.0 – Release date February 21, 2008 ......................... 187
Version 4.4 to 4.5 – Release date November 2, 2007 ......................... 187
Version 4.3 to 4.4 – Release date September 1, 2007 ........................ 187
Version 4.2 to 4.3 – Release date July 26, 2007 ................................. 187
Version 4.1 to 4.2 – Release date February 1, 2007 ........................... 188
Version 4.0 to 4.1 – Release date August 28, 2006 ............................ 188
Version 3.1 to 4.0 - Release date March 5, 2006 ................................188
Version 3.0 to 3.1 - Release date January 2, 2006 ............................. 188
License Conditions...............................................................................189


1.0 Plan Introduction


ENTERPRISE, recognizing its operational dependency on computer systems, including
the Local Area Network (LAN), Database Servers, Internet, Intranet and e-Mail, and the
potential loss of revenue and operational control that may occur in the event of a
disaster, authorized the preparation, implementation and maintenance of a
comprehensive disaster recovery plan.

The intent of a Disaster Recovery Plan is to provide a written and tested plan directing
the computer system recovery process in the event of an interruption in continuous
service resulting from an unplanned and unexpected disaster.

The Disaster Recovery Plan preparation process includes several major steps as follows:

• Identify Systems and Applications currently in use
• Analyze the Business Impact of computer system interruption and determine critical recovery time frames
• Determine Recovery Strategy
• Document Recovery Team Organization
• Document Recovery Team Responsibilities
• Develop and Document Emergency Procedures
• Document Training & Maintenance Procedures

These steps were conducted and this document represents the completed effort in the
preparation of the ENTERPRISE Disaster Recovery Plan.


1.1 Mission and Objectives


The mission of the Disaster Recovery Plan is to establish defined responsibilities,
actions, and procedures to recover the ENTERPRISE computer, communication, and
network environment in the event of an unexpected and unscheduled interruption.
The plan is structured to attain the following objectives:

• Recover the physical network within the Critical Time Frames [2] established and accepted by the user community
• Recover the applications within the Critical Time Frames established and accepted by the user community
• Minimize the impact on the business with respect to dollar losses and operational interference

Compliance

Implication of Legislated and Industry Standards Requirements


There are a number of legally mandated and standards-mandated
issues that need to be covered in the Disaster Recovery / Business
Continuity Planning Process. [3]

In addition to the Securities and Exchange Commission (SEC) requirements
of Sarbanes-Oxley, there are PCI DSS requirements issued by credit card
companies, security requirements of HIPAA, and individual state
requirements (California and New York) that need to be considered in
the plan.

Sarbanes-Oxley
With the rise of both financial (Sarbanes-Oxley for SEC – US Securities
and Exchange Commission) and industry ITIL (Version 3 of the
Information Technology Infrastructure Enterprise) standards, specific
additional requirements have been added to the Disaster Recovery /
Business Continuity processes.

Sarbanes-Oxley Section 404: An important aspect of managing a
company's overall risk, including its continuation as a going concern, is
its ability to effectively address business continuity and disaster
recovery, particularly with respect to those business processes that are
critical to the successful achievement of the company's business
objectives. A company's processes, systems, and controls must make
available all material information needed for fair presentation and
disclosure in its SEC reports, including the update of accounting
estimates with current and reliable information. On a more strategic
scale, an organization's business continuity methodology and approach
must be agreed to by management as the foundation for mitigating
financial and reputation risk posed by business interruption.

[2] Critical time frames include both the point in time that the recovery will be set to and the point in time that the recovery will be
completed and the enterprise can be back in operation.
[3] This section is for informational purposes and can be excluded from the plan.

The ability of a company to continue as a going concern is not a new
concept under SOX. This "assumption of a going concern" is addressed
annually by management and the external auditors and is not changed
or impacted by SOX. If the auditors were able to report on prior-year
financial statements without giving consideration to business continuity
planning (BCP), they in effect agreed with management that last year
the "going concern assumption" was met given the state of BCP in place
at that time. As always, business situations can change and new plans
could be required; however, if "things were fine" last year, SOX alone
only should apply as discussed below.

A company should have a responsive business continuity plan, including
an IT disaster recovery plan, addressing the findings from a Business
Impact Analysis (BIA). The purpose of the BIA is to identify recovery
objectives for critical business processes and IT assets, as well as
continuity-related risks to which the organization may be vulnerable.
Once an adequate BIA is completed, the company can evaluate whether
changes are needed in its business continuity and disaster recovery
plans. These plans must be kept up to date and periodically tested to
maintain their adequacy in providing reasonable assurance the
company can fulfill its obligations to shareholders and under SOX.

In addition to the required quarterly certifications under SOX Section
302, the CFO and CEO are required by Section 404 to issue an annual
report on the effectiveness of internal controls over financial reporting.
Their ability as certifying officers to provide the required
representations in public reports would be affected if there were
inadequate BCP processes that could lead to periods of time during the
year when data and controls could not be relied upon to produce
timely, accurate, and complete financial reports as required by the SEC.


COSO
The Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Assertions relating to business continuity,
influencing the outcome of the SOX evaluation process, primarily relate
to Completeness and Accuracy, as well as Presentation and Disclosure.
The question is whether the company maintains the ability to meet its
obligations to file timely reports in accordance with established
deadlines.

The key financial reporting processes which are often affected by
business continuity issues include:

• Capturing, authorizing and processing transactions;
• Processing cut-offs;
• Ability to develop disclosure data;
• Consolidation;
• Fair-value information pricing; and
• Trading position and current market exposures.

The timeliness of reporting could also affect other processes such as the
month‐end close process. A company’s financial system that supports
the outputs of the close‐the‐books process could be affected, causing
filing delays or certification of potentially inaccurate or incomplete
information.


PCI DSS
PCI Standard requires that any enterprise that processes credit card
information must do the following:

• Build and Maintain a Secure Network
    o Install and maintain a firewall configuration to protect cardholder data
    o Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
    o Protect stored cardholder data
    o Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
    o Use and regularly update anti-virus software
    o Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
    o Restrict access to cardholder data by business need-to-know
    o Assign a unique ID to each person with computer access
    o Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
    o Track and monitor all access to network resources and cardholder data
    o Regularly test security systems and processes
• Maintain an Information Security Policy
    o Maintain a policy that addresses information security


ISO 27000 Compliance Process

Define the Control Environment


Today's business environment is characterized by mounting pressure to comply
with a growing variety of laws and regulations concerning IT standards and
controls. [4] Creating a pathway to compliance for your organization requires
a clear understanding of your current control environment and a solid
plan for creating policies that promote compliance.

This DRP/BCP template helps ENTERPRISE to:

⇒ Understand your business requirements, outline control objectives, and perform IT risk assessments as they relate to the DRP/BC process;
⇒ Analyze the IT control environment to identify gaps between internal policies and external requirements;
⇒ Create, disseminate, and document policies using a risk-based approach, track user acceptance, and manage exceptions and waiver requests; and
⇒ Translate imprecise regulatory mandates into actionable IT policies through an effective control framework.

Control the Environment by Implementation and Management


The enterprise DRP/BC team needs to establish controls that can be easily
managed and monitored in order to assess compliance and remediate any
problems.

A key strategy for reducing the risk and cost associated with implementing
controls as they are associated with the DRP/BCP is to define policies and
procedures that support the compliance process. By minimizing costly and
error-prone undefined processes, you can eliminate the fragmentation and
duplication of effort and transform your controls environment into a proactive
risk management system.

[4] This section is for informational purposes and can be excluded from the plan.

This DRP/BCP template helps ENTERPRISE to:

⇒ Implement controls, policies, procedures and document operational management process to meet policy and business requirements;
⇒ Assess controls compliance for all major operating systems and identify and remediate deviations to proactively sustain the control environment; and
⇒ Maintain a secure control environment, assess security threats, and receive early warning to take proactive countermeasures.

Audit and Examine the Control Processes


Lastly, the enterprise needs to analyze the effectiveness of controls, optimize
them when required, and demonstrate due diligence to both internal and
external constituencies.

A key challenge organizations face in today's compliance environment is how to
tie all the tools and information together to provide a universal view of
compliance across all relevant regulations and a common set of actionable IT
controls.

This DRP/BCP template helps ENTERPRISE to:

⇒ Audit and examine the control environment on a continuing basis;
⇒ Author and publish reports to measure the effectiveness of security controls in meeting a variety of standards and regulations and demonstrate due care of compliance;
⇒ Map control information to specific policies in order to provide recommendations for improvements to the control environment; and
⇒ Collect, integrate, and retain trend analyses and evidentiary information from disparate control mechanisms for audits and documentation requests.


Types of Backups
| Type of Backup | Description | Appropriate Use |
|---|---|---|
| Full Backup | A full backup creates a copy of every file on a storage device. It is also the most costly in terms of effort, time and dollar output. | Annual (verified) Backup; Monthly Backup; Weekly Backup; Daily Backup |
| Incremental Backup | An incremental backup creates copies of only those files or records on a storage device that have changed since the last backup. It is also more complex to restore when a complete file needs to be restored, but it takes less effort to create. | Weekly Backup; Daily Backup |
| Transaction Log Backup | A transaction log backup creates copies of only those records (in some cases before and after images of records) on a storage device that are changed since the last backup. It requires a version of the application program to run all of the transactions since the last full backup. | Daily Backup |

Minimal Backup Policy

| Type of Data | Minimal Backup Policy | Backup Retention Policy |
|---|---|---|
| System software | Latest Version plus patches; At Least Weekly | Annual (verified) Backup; Monthly Generations; Weekly Generations |
| Application software | Latest Version plus patches; At Least Weekly | Annual (verified) Backup; Monthly Generations; Weekly Generations |
| System data | Daily | Annual (verified) Backup; Monthly Generations; Weekly Generations; Daily Generations |
| Application Data | Daily with real time transaction files | Annual (verified) Backup; Monthly Generations; Weekly Generations; Daily Generations |
| Software licenses, encryption keys, & Protocol Data | Weekly | Annual (verified) Backup; Monthly Generations; Weekly Generations |
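
The following is an added example, not part of the template: it audits a backup catalogue against the Minimal Backup Policy table by working out the restore chain (newest verified full backup plus later incrementals) and comparing the resulting recovery point with the policy interval. The `BackupSet` record, the reading of "Daily" as 1 day and "Weekly" as 7 days, the catalogue entries, and the full/incremental-only scope (transaction logs are left out) are assumptions of this example.

```python
from datetime import datetime, timedelta
from typing import NamedTuple


class BackupSet(NamedTuple):
    data_type: str      # a row of the "Type of Data" column
    kind: str           # "full" or "incremental"
    finished: datetime  # when the backup completed
    verified: bool      # True if a test read of the set succeeded


# Oldest acceptable recovery point per data type. Reading "Daily" as
# 1 day and "Weekly" / "At Least Weekly" as 7 days is an assumption.
MAX_AGE = {
    "System software": timedelta(days=7),
    "Application software": timedelta(days=7),
    "System data": timedelta(days=1),
    "Application Data": timedelta(days=1),
    "Software licenses, encryption keys, & Protocol Data": timedelta(days=7),
}


def restore_chain(catalogue, data_type, target):
    """Sets to restore, in order, to get as close to `target` as possible.

    The chain starts at the newest verified full backup at or before
    `target` and adds each later set. It stops at the first unverified
    set, because every incremental builds on the backup before it.
    """
    sets = sorted((s for s in catalogue
                   if s.data_type == data_type and s.finished <= target),
                  key=lambda s: s.finished)
    fulls = [s for s in sets if s.kind == "full" and s.verified]
    if not fulls:
        raise LookupError(f"no verified full backup for {data_type!r}")
    base = fulls[-1]
    chain = [base]
    for s in sets:
        if s.finished <= base.finished:
            continue
        if not s.verified:
            break  # later sets depend on this one, so the chain ends here
        chain.append(s)
    return chain


def policy_violations(catalogue, now):
    """Data types whose restorable recovery point is missing or too old."""
    late = []
    for data_type, max_age in MAX_AGE.items():
        try:
            recovery_point = restore_chain(catalogue, data_type, now)[-1].finished
        except LookupError:
            late.append(data_type)  # nothing restorable at all
            continue
        if now - recovery_point > max_age:
            late.append(data_type)
    return late


def at(day, hour=2):
    return datetime(2008, 8, day, hour)


# Constructed catalogue for the example (not data from the template).
CATALOGUE = [
    BackupSet("System data", "full", at(3), True),
    BackupSet("System data", "incremental", at(4), True),
    BackupSet("System data", "incremental", at(5), False),  # failed verification
    BackupSet("System data", "incremental", at(6), True),
    BackupSet("Application Data", "full", at(3), True),
    BackupSet("Application Data", "incremental", at(6), True),
    BackupSet("System software", "full", at(1), True),
    BackupSet("Application software", "full", at(1), True),
]
NOW = datetime(2008, 8, 6, 12)

if __name__ == "__main__":
    for s in restore_chain(CATALOGUE, "System data", NOW):
        print(s.kind, s.finished)
    print("Out of policy:", policy_violations(CATALOGUE, NOW))
```

In the constructed catalogue, "System data" has a backup from the same morning, yet its recovery point is two days old because one incremental in the chain failed verification.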


ENTERPRISE
Business and IT Impact Questionnaire
The purpose of this questionnaire is to determine the criticality of the applications used at ENTERPRISE. The information
provided will be used to develop an Application Inventory that can be used in the Disaster Recovery Plan that minimizes
the impact of the loss of this application in the event of a disaster. (PLEASE USE ADDITIONAL BLANK PAPER OR
ATTACHMENTS WHEREVER NECESSARY)

Facility / Business Function / Application

Name: ____________________

Provide a brief description/purpose – mission: ____________________

What are the main functions? ____________________

Was this developed in-house or purchased from a vendor? If purchased from a vendor, do you hold the plans, source code etc.? ____________________

If the application is a purchased package, are there extensive modifications to this application (briefly describe modifications): ____________________

What programming language was used to create the application? ____________________

How old is this application (maturity)? ____________________

Who is the owner of this application (i.e. Joe Smith of Accounting)? ____________________


Application / File Servers


Provide the following information for each application and file server:
• Host name
• IP address and mask for the server
• Administrative contact for the server and security contact (i.e. primary user or department head name and phone number)
• User Types
• Operating system including version number
• Application Software including version number
• Review status (Yes/No, Date, Reviewer)
• Connectivity (Internet, Intranet, modem in, modem out, other)
• Physical location (Address / phone number for contact)

Host Name: ____________________ Reviewer Name: ____________________ Date: ____________________

IP Address / Mask: ___.___.___.___ / ___.___.___.___ (mask)
User Types: Public / Customers / Employees / Groups Employees / Specific Employees / _______________
Administrative Contact: Name: ____________________ Email: ____________________ Phone: ____________________
Connectivity: Internet / Intranet / Modem In Bound / Modem Out Bound / Other: ____________
Physical Location: Address: ____________________ Contact: ____________________ Phone: ____________________

IP Address Range: ___.___.___.___ to ___.___.___.___

| Operating System | Version / Reviewed | Application | Version / Reviewed |
|---|---|---|---|
| Windows WS | Ver: ____________ Yes No | _________________ | Ver: _________ Yes No |
| Windows Server | Ver: ____________ Yes No | _________________ | Ver: _________ Yes No |
| Unix | Ver: ____________ Yes No | _________________ | Ver: _________ Yes No |
| Lynx | Ver: ____________ Yes No | _________________ | Ver: _________ Yes No |
| Other _______________ | Ver: ____________ Yes No | _________________ | Ver: _________ Yes No |
| | | _________________ | Ver: _________ Yes No |

Comments: ____________________


ENTERPRISE
Vendor Disaster Recovery Planning Questionnaire

DRP and Business Continuity Strategy

1 In the event of a disaster or significant disruption, does your organization have documented plans for business continuity and IT disaster recovery? (NOTICE: if your firm has no plan in place and has no intention of implementing a plan then your firm should be aware that our vendor / partnership relationship is subject to cancellation)
    Yes ________ or No ________

2 What type of failure scenarios or outages do you plan for?
    ____________________

3 What duration of time is assumed for each type of failure scenario or outage you plan for?
    ____________________ (please specify # and hours, days, weeks, months, etc. for each type)

4 Does the plan establish critical business functions with recovery priorities?
    Yes ________ or No ________

5 If you answered “Yes” to Question (4), what is the expected recovery time for your critical business functions?
    0 – 4 hours _____
    4 – 8 hours _____
    Within one day _____
    1 – 2 days _____
    More than 2 days _____
    Other (please specify) _____
    N/A _____

6 Does the plan account for interdependencies both internal and external to your organization?
    Yes ________ or No ________


Testing (cont’d)

8 If you answered “Yes” to Question (1) what components of your systems and infrastructure are tested?
    Applications ______
    Middleware ______
    Databases ______
    Data networks (internal and external) ______
    Voice networks (internal and external) ______
    Desktop ______
    Facilities ______
    Voice equipment ______

Prior DRP and BCP Plan Activations

1 Did your organization invoke its business continuity or IT disaster recovery plan(s) as a result of the September 11 tragedy?
    Yes ________ or No ________

2 Has your organization enhanced its business continuity planning initiative, or is in the process of enhancing its plans in light of September 11?
    Yes ________ or No ________

3 Has your DRP and BCP been activated in the last 24 months?
    Yes ________ or No ________

4 If you answered “Yes” to Question (3) provide a description of the reasons for activations, results of the activation process, and success / failure of DRP and BCP process. (attach as a separate document)


Version History

9.0 Version Changes

Version 5.1 to 5.2 – Release date August 1, 2008


1. Updated style sheet to WORD 2007 format

2. Updated forms and charts

Version 5.0 to 5.1 – Release date July 1, 2008


1. Added sample Backup and Backup Retention Policy
2. Minor formatting changes

Version 4.5 to 5.0 – Release date February 21, 2008


1. Updated Disaster Recovery / Business Continuity Plan Audit Program to be compliant with
ISO 27000 Series (ISO 27001 and ISO 27002)
2. Added a section on Communication Strategy and Policy to be implemented when the
Disaster Recovery / Business Continuity Plan is activated
3. Added a section on Disaster Recovery / Business Continuity and Security basics
4. Added Personnel Location Report
5. Added Project Status Report Form

Version 4.4 to 4.5 – Release date November 2, 2007


1. Added Disaster Recovery / Business Continuity Plan Audit Program
2. Updated Excel work plan to refer to sections versus pages

Version 4.3 to 4.4 – Release date September 1, 2007


1. Section added on implications of Sarbanes‐Oxley, Treadway Commission, and PCI DSS
requirements
2. Disaster Planning Branch Offices added
3. Backup strategy table added
4. Backup strategy for PDAs updated to reflect smartphones

Version 4.2 to 4.3 – Release date July 26, 2007


1. Defined generic metrics for DR/BC success
2. Business & IT Impact Analysis Questionnaire Updated
3. Updated references to DRP card
4. Updated formatting to meet WORD 2007 requirements


Version 4.1 to 4.2 – Release date February 1, 2007


1. Added Section defining the ISO 17799 compliance requirements

2. Reviewed and modified entire DRP/BCP template to ensure compliance with ISO 17799

3. Business & IT Impact Questionnaire updated to meet ISO 17799 compliance requirements

4. Corrected errata

5. Added Best Data Retention and Destruction Practices Section

Version 4.0 to 4.1 – Release date August 28, 2006


1. Department DRP / BCP Activation Workbook Updated in the appendix
2. Corrected work plan formatting and numbering for project initiation
3. Web Site Disaster Recovery Planning Form added to the appendix

Version 3.1 to 4.0 - Release date March 5, 2006


1. Vendor Disaster Recovery Planning Questionnaire added to the appendix
2. Department Disaster Recovery Planning Workbook added to the appendix
3. Vendor Phone List form updated
4. Key Customer Notification List form added
5. Critical Resources to be Retrieved form added
6. Business Continuity Off‐Site Materials form added

Version 3.0 to 3.1 - Release date January 2, 2006


1. Site Strategy section added (Section 3.1); all other section numbers in Chapter 3 were
increased to adjust for this modification.
2. Audit Disaster Recovery Plan Process added (Section 8.13)
3. Manager Disaster Recovery and Business Continuity job description added
4. Entire template reviewed to validate compliance with Sarbanes‐Oxley


License Conditions

© 2008 Janco Associates, Inc. ‐ All Rights Reserved

If you have any suggestions please forward them to support@e-janco.com or contact us directly via phone at 435 940-9300

See http://www.e-janco.com and http://www.it-toolkits.com for additional offerings

Multi-Site Licenses are available at http://www.e-janco.com/drpmulti.php


This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this
template has acquired the rights to use it for a SINGLE Disaster Recovery Plan unless the purchaser has paid for a
multi‐use or worldwide license.

Anyone who makes an unlicensed copy of or uses the template or any derivative of it is in violation of United
States and International copyright laws and subject to fines that are treble damages as determined by the courts.
A REWARD of up to 1/3 of those fines will be paid to anyone reporting such a violation upon the successful
prosecution of such violators.

The purchaser agrees that any derivative of this template will contain the following words within the first five pages of
that document. The words are:

Derived from the Disaster Recovery Plan Template of Janco Associates, Inc.
© 2001 - 2008 Copyright Janco Associates, Inc. – ALL RIGHTS RESERVED

All Rights Reserved. No part of this book may be reproduced by any means without the prior written permission of
the publisher. No reproduction or derivation of this book shall be re‐sold or given away without royalties being
paid to the authors. All other publisher’s rights under the copyright laws will be strictly enforced.

Published by:

Janco Associates Inc.
11 Eagle Landing Court
Park City, UT 84060

435 940-9300

e-mail - support@e-janco.com
