1. DISASTER RECOVERY POLICY
Issued by: Information Security Date Issued: 12-2020 Page: 1 of 7
Supersedes: N/A
Classification: Internal
Document Name: Disaster Recovery Policy
Document Type: Information Security Policy
Document status Released
Document code
Parent:
Author:
Issued by:
Approved by:
Security Classification
Version
Next revision Date
Version Date Description Author Details
1.0
CONTENTS
1. Introduction
   1. Purpose
   2. Scope and applicability
2. Responsibilities
3. Classification of processes and systems
4. Disaster recovery planning
5. Organization and information
6. Evaluation and testing of DR plans
7. Outsourcing considerations
8. Exceptions
1. Introduction
It is essential that critical business processes, and systems that support them, are protected
from the effects of major failures or disasters to ensure their timely recovery.
This document is part of the Information Security Policy and Standard Framework and follows
the prescriptions of the Information Security Policy Statement.
1. Purpose
The purpose of this Policy is to ensure preparedness for major failures or disasters involving
information systems in order to minimize the impact on business processes and to ensure
their timely resumption.
2. Scope and applicability
This Policy applies to all IT and assets (enterprise applications, network systems, servers,
IoT, smart systems, OT technologies) that support XXX business, regardless of whether they are
under the responsibility of the IT department, another XXX internal department or a Third Party [1].
Disaster Recovery at XXX and in the industry refers to the actions to be taken in order to
recover IT/OT systems after a disruption. Critical systems (in terms of availability) are
identified in XXX following the indication of the IT Asset Management Policy.
It is reasonable and prudent to guard against potential disasters and prepare plans that will
enable the business to recover from such disruptions and resume business functions in a
timely fashion. Each OC shall identify critical and sensitive systems and create recovery plans
in order to meet business objectives. Those plans shall be tested on a regular basis.
Business Continuity shall include those plans and actions that the business (outside of Global
IT) should have in place to fulfil their responsibility if the access to critical systems is
unavailable.
Each local/regional and global business entity is responsible for determining how it would
continue operating in the event of disruption or unavailability of IT Systems. IT Management
or any other organizational unit responsible for operating and managing information
processing facilities is responsible for collecting business continuity requirements from each
Business process owner. As Business Continuity is outside the responsibility of IT, it
is not addressed in this Policy.
The concepts and requirements outlined in this Policy for IT assets are also applicable to OT
critical assets (OT assets that support Business critical processes).
2. Responsibilities
Any subject in XXX that owns IT systems (ref. IT Asset Management Policy) classified as critical
(C, N) is responsible for the implementation of disaster recovery plans.
[1] Third Party means any third party (including but not limited to contingent workers,
sub-consultants etc.) that may access, process and/or store PVM Information on behalf of PVM.
PVM should include suitable clauses in the written contract between PVM and the Third Party that
oblige them to comply with obligations consistent with this Standard.
Business process owners in XXX are responsible for executing a Business Impact Analysis (BIA)
to identify the critical processes for XXX business. The BIA helps in identifying the IT
Systems that support critical processes and the requirements for their recovery in case of
interruption or disaster.
XXX management shall determine, on the basis of the risk analysis and its risk appetite, for
which risks preventive and/or corrective measures should be taken, which risks should be
insured, and which risks will be accepted (without specific measures).
The following paragraphs assume that all IT Systems are managed by the
IT department or by a Third Party on its behalf, but the stated principles can be applied to
any other entity in XXX that is the owner of IT and OT systems.
3. Classification of processes and systems
Based on the risk analysis and following the IT Asset Management Policy, IT System Owners
shall provide the IT systems with the Availability classification.
XXX has defined the following Availability Classification schema:
About the availability requirements, the IT systems can be classified as Critical, Necessary
or Supporting (Ref. IT Asset Management Policy):
- Critical: Without the IT system or application, the business process cannot be
  continued, and may result in a major impact on revenue and results.
- Necessary: Without the IT system or application, the business process can
  function, although it is seriously hindered.
- Supporting: The IT system or application only contributes marginally to the
  functioning of the business process.
4. Disaster recovery planning
Based on the risk analysis, XXX management shall develop a DR Plan for critical IT Systems (C,
N).
IT System owners must assure that there is a current documented IT Disaster Recovery Plan
(“DR Plan”) including conditions for activating any part of the plan, and the responsible parties
involved in plan activation.
This plan will be approved by the CIO or designee for IT systems under the responsibility of
the IT department, or by any other XXX function responsible for IT systems. The DR Plan for
a specific IT system or solution shall address the following:
- Business processes and their classification (scope and relations)
- Defined Recovery Time Objectives (RTO)
- Defined Recovery Point Objectives (RPO)
- Connected IT systems and applications
- DR Organization (business and IT; Crisis Team and responsible management)
- Escalation procedure (activation criteria, escalation path and responsibilities)
- Awareness and communication
- Evaluation & testing (planning and conditions)
The Recovery Time Objective (RTO) is the agreed/established target time by which an IT
system should be recovered after a disruption in order to avoid main impacts to the Business.
The Recovery Point Objective (RPO) is the agreed/established maximum amount of data
that can be lost due to a disruption. RPO is an important indicator for setting the right backup
frequency.
The DR Plan will also cover the actions to be taken for the period when IT is recovering and
resuming services. This may include activation of backup sites, initiation of alternative
processing, stakeholder communication, resumption procedures, etc. The Disaster Recovery
Team, as outlined in the DR Plan, will ensure that all concerned understand IT recovery times
and the efforts necessary to support the business recovery and resumption needs.
The DR Plan should ensure that systems, applications, data and documentation maintained or
processed by a Third Party are adequately backed up or otherwise secured.
5. Organization and information
The CIO (or any other Senior Manager who owns IT Systems in XXX) shall direct that
employees of XXX, vendors and suppliers who have a role in the Disaster Recovery Team,
which is charged with the execution of the DR Plan, are well trained. This means that employees
receive appropriate training and that each change in the DR Plan is reviewed for the need of
supplemental training. Attention should be paid to making the plans accessible to the DR team
under all disaster scenarios.
The CIO (or any other Senior Manager who owns IT Systems in XXX) shall direct that
employees of XXX, vendors and suppliers who do not have a specific role in the Disaster
Recovery Team are aware and informed of the escalation procedure and of the general content
of the DR Plan and changes thereof.
The DR Plan classification is CS2 as defined in the Information Classification Policy, as it
contains in-depth information about XXX information systems and system configurations and
access. Therefore, it will be distributed only to the authorized members of the Disaster Recovery
Team and to Information Security.
6. Evaluation and testing of DR plans
The DR Plan must be subject to periodic re-evaluation by the System Owner (for example, IT
department).
Annual reconsideration and review will be performed including strategy updates to keep the
DR Plan in alignment with business requirements. Based on the scope definition and the
relations as described in the DR Plan, the DR Plan must be updated regularly with changes to
processes, applications and IT infrastructure. Re-evaluation of the DR Plan may be triggered
by the occurrence of major changes to information systems or configurations as recorded in
the Change Management repository.
The DR Plan must be tested at planned intervals, at least once annually, to verify its correctness
and viability and the usability of resources. These tests should be a simulation of a projected
disaster. Periodic testing and evaluation of the DR Plan is essential to ensure that:
- Personnel are skilled and trained in how to implement the DR Plan (training on the
  job)
- The RPO and RTO can be met
- Normal system changes in the period (updates, etc.) do not affect the procedures
- The DR Plan is adequately documented, and the necessary steps are clearly set out
- Backups are sufficient and self-contained, and are ready to be executed independently of
  any existing infrastructure
The conclusions of the evaluations and tests shall be recorded and reported to IT Senior
management (or the Senior Management who owns the IT System), and the DR Plan shall be
updated accordingly.
During the test of DR Plans not only the plans and procedures are tested, but also the correct
recovery of data, IT systems with their operating systems, database management systems
and applications and the presence of backup instructions and manuals.
Special care should be taken to ensure that in the test no actions are performed that
could not be executed in case of a real disaster. This should be an explicit responsibility of
the Disaster Recovery Manager. The Disaster Recovery Manager is a role that may be assigned
by the CIO (or usually is the System Owner or its assignee) and is made responsible for
coordination of all activity including testing of the disaster recovery plan.
On successful resumption of the IT function after a disaster, the Disaster Recovery Manager
will ensure that procedures for assessing the adequacy of the DR Plan are followed and the
plan is updated accordingly.
7. Outsourcing considerations
For IT services performed by a third party, the responsible XXX internal Department remains
accountable for enforcement of and compliance with all elements of this Policy.
8. Exceptions
While every exception to a Policy potentially weakens protection mechanisms for XXX systems
and underlying data, occasionally exceptions may exist for specific Operating Companies or
Functions. Such exceptions need to be notified to Global IT and the Information Security department.