DISASTER RECOVERY POLICY
Issued by: Information Security Date Issued: 12-2020 Page: 1 of 7
Supersedes: N/A
Classification: Internal
Document Name: Disaster Recovery Policy
Document Type: Information Security Policy
Document status Released
Document code
Parent:
Author:
Issued by:
Approved by:
Security Classification
Version
Next revision Date
Version Date Description Author Details
1.0
CONTENTS
1. Introduction
   1. Purpose
   2. Scope and applicability
2. Responsibilities
3. Classification of processes and systems
4. Disaster recovery planning
5. Organization and information
6. Evaluation and testing of DR plans
7. Outsourcing considerations
8. Exceptions
1. Introduction
It is essential that critical business processes, and systems that support them, are protected
from the effects of major failures or disasters to ensure their timely recovery.
This document is part of the Information Security Policy and Standard Framework and follows
the prescriptions of the Information Security Policy Statement.
1. Purpose
The purpose of this Policy is to ensure preparedness for major failures or disasters involving
information systems in order to minimize the impact on business processes and to ensure
their timely resumption.
2. Scope and applicability
This Policy applies to all IT and assets (enterprise Applications, network systems, servers,
IOT, Smart systems, OT technologies) that support XXX business, no matter if they are under
responsibility of the IT department, other XXX internal department or Third Party [1].
Disaster Recovery at XXX and in the industry refers to the actions to be taken in order to
recover IT/OT systems after a disruption. Critical systems (in terms of availability) are
identified in XXX following the indication of the IT Asset Management Policy.
It is reasonable and prudent to guard against potential disasters and prepare plans that will
enable the business to recover from such disruptions and resume business functions in a
timely fashion. Each OC shall identify critical and sensitive systems and create recovery plans
in order to meet business objectives. Those plans shall be tested on a regular basis.
Business Continuity shall include those plans and actions that the business (outside of Global
IT) should have in place to fulfil their responsibility if the access to critical systems is
unavailable.
Each local/regional and global business entity is responsible for determining how they would
continue operating in the event of disruption or unavailability of IT Systems. IT Management
or any other organizational unit responsible for operating and managing information
processing facilities is responsible for collecting business continuity requirements from each
Business process owner. As Business Continuity is outside the responsibility of IT, it
is not addressed in this Policy.
The concepts and requirements outlined in this Policy for IT assets are also applicable to OT
critical assets (OT assets that support Business critical processes).
2. Responsibilities
Any subject in XXX that owns IT systems (ref. IT Asset Management Policy) classified as critical
(C, N) is responsible for the implementation of disaster recovery plans.
[1] Third Party means any third party (including but not limited to contingent workers, sub-consultants
etc.) that may access, process and/or store PVM Information on behalf of PVM. PVM should include
suitable clauses in the written contract between PVM and the Third Party that oblige them to comply
with obligations consistent with this Standard.
Business process owners in XXX are responsible for executing a Business Impact Analysis (BIA)
to identify the critical processes for XXX business. The BIA helps in identifying the IT
Systems that support critical processes and the requirements for their recovery in case of
interruption or disaster.
XXX management shall determine, on the basis of the risk analysis and its risk appetite, for
which risks preventive and/or corrective measures should be taken, which risks should be
insured, and which risks will be accepted (without specific measures).
The following paragraphs assume that all IT Systems are managed by the
IT department or by a Third Party on its behalf, but the stated principles can be applied to
any other entity in XXX that is an owner of IT and OT systems.
3. Classification of processes and systems
Based on the risk analysis and following the IT Asset Management Policy, IT System Owners
shall provide the IT systems with the Availability classification.
XXX has defined the following Availability Classification schema:
With regard to availability requirements, the IT systems can be classified as Critical, Necessary
or Supporting (Ref. IT Asset Management Policy):
• Critical: Without the IT system or application, the business process cannot be
continued, and may result in a major impact on revenue and results.
• Necessary: Without the IT system or application, the business process can
function, although it is seriously hindered.
• Supporting: The IT system or application only contributes marginally to the
functioning of the business process.
4. Disaster recovery planning
Based on the risk analysis, XXX management shall develop a DR Plan for critical IT Systems (C,
N).
IT System owners must ensure that there is a current documented IT Disaster Recovery Plan
(“DR Plan”) including conditions for activating any part of the plan, and the responsible parties
involved in plan activation.
This plan will be approved by the CIO or designee for IT systems under the responsibility of
the IT department, or by any other XXX function responsible for IT systems. The DR Plan for
a specific IT system or solution shall address the following:
• Business processes and their classification (scope and relations)
• Defined Recovery Time Objectives (RTO)
• Defined Recovery Point Objective (RPO)
• Connected IT systems and applications
• DR Organization (business and IT; Crisis Team and responsible management)
• Escalation procedure (activation criteria, escalation path and responsibilities)
• Awareness and communication
• Evaluation & testing (planning and conditions)
The Recovery Time Objective (RTO) is the agreed/established target time within which an IT
system should be recovered after a disruption in order to avoid major impacts to the Business.
The Recovery Point Objective (RPO) is the agreed/established maximum amount of data
that can be lost due to a disruption. RPO is an important indicator for setting the right backup
frequency.
The DR Plan will also cover the actions to be taken for the period when IT is recovering and
resuming services. This may include activation of backup sites, initiation of alternative
processing, stakeholder communication, resumption procedures, etc. The Disaster Recovery
Team, as outlined in the DR Plan, will ensure that all concerned understand IT recovery times
and the efforts necessary to support the business recovery and resumption needs.
The DR Plan should ensure that systems, applications, data and documentation maintained or
processed by a Third Party are adequately backed up or otherwise secured.
5. Organization and information
The CIO (or any other Senior Manager owner of IT Systems in XXX) shall direct that
employees of XXX, vendors and suppliers who have a role in the Disaster Recovery Team,
which is charged with the execution of the DR Plan, are well trained. This means that employees
receive appropriate training and that each change in the DR Plan is reviewed for the need of
supplemental training. Attention should be paid to making the plans accessible to the DR team
under all disaster scenarios.
The CIO (or any other Senior Manager owner of IT Systems in XXX) shall direct that
employees of XXX, vendors and suppliers who do not have a specific role in the Disaster
Recovery Team are aware and informed of the escalation procedure and of the general content
of the DR Plan and changes thereof.
The DR Plan classification is CS2 as defined in the Information Classification Policy, as it
contains in-depth information about XXX information systems and system configurations and
access. Therefore, it will be distributed only to the authorized members of the Disaster Recovery
Team and to Information Security.
6. Evaluation and testing of DR plans
The DR Plan must be subject to periodic re-evaluation by the System Owner (for example, IT
department).
Annual reconsideration and review will be performed including strategy updates to keep the
DR Plan in alignment with business requirements. Based on the scope definition and the
relations as described in the DR Plan, the DR Plan must be updated regularly with changes to
processes, applications and IT infrastructure. Re-evaluation of the DR Plan may be triggered
by the occurrence of major changes to information systems or configurations as recorded in
the Change Management repository.
The DR Plan must be tested at planned intervals, at least once annually, to verify its correctness
and viability and the usability of resources. These tests should be a simulation of a projected
disaster. Periodic testing and evaluation of the DR Plan is essential to ensure that:
• Personnel are skilled and trained in how to implement the DR Plan (training on the
job)
• The RPO and RTO can be met
• Normal system changes in the period (updates, etc.) do not affect the procedures
• The DR Plan is adequately documented, and the necessary steps are clearly set out
• Backups are sufficient and self-contained, and are ready to be executed independently of
any existing infrastructure
The conclusions of the evaluations and tests shall be recorded and reported to IT Senior
management (or the Senior Management who owns the IT System), and the DR Plan shall be
updated accordingly.
During the test of DR Plans, not only the plans and procedures are tested, but also the correct
recovery of data, IT systems with their operating systems, database management systems
and applications, and the presence of backup instructions and manuals.
Special care should be taken to ensure that no actions are performed in the test that
could not be executed in case of a real disaster. This should be an explicit responsibility of
the Disaster Recovery Manager. The Disaster Recovery Manager is a role that may be assigned
by the CIO (or is usually the System Owner or its assignee) and is made responsible for
coordination of all activity, including testing of the disaster recovery plan.
On successful resumption of the IT function after a disaster, the Disaster Recovery Manager
will ensure that procedures for assessing the adequacy of the DR Plan are followed and the
plan is updated accordingly.
7. Outsourcing considerations
For IT services performed by a third party, the responsible XXX internal Department remains
accountable for enforcement of and compliance with all elements of this Policy.
8. Exceptions
While every exception to a Policy potentially weakens protection mechanisms for XXX systems
and underlying data, occasionally exceptions may exist for specific Operating Companies or
Functions. Such exceptions need to be notified to Global IT and the Information Security department.
DISASTER RECOVERY POLICY
Issued by: Information Security Date Issued: 12-2020 Page: 7 of 7
Supersedes: N/A
Classification: Internal

Weitere ähnliche Inhalte

Ähnlich wie Disaster Recovery Policy .docx

This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
herthalearmont
 
(CDC IT Security Staff BCP Policy) ([CSIA 413,).docx
 (CDC IT Security Staff BCP Policy) ([CSIA 413,).docx (CDC IT Security Staff BCP Policy) ([CSIA 413,).docx
(CDC IT Security Staff BCP Policy) ([CSIA 413,).docx
joyjonna282
 
Task 1.Complete the BIA table below and use it for the remai
Task 1.Complete the BIA table below and use it for the remaiTask 1.Complete the BIA table below and use it for the remai
Task 1.Complete the BIA table below and use it for the remai
alehosickg3
 
During week 6 we develop the theory and application of capital bud.docx
During week 6 we develop the theory and application of capital bud.docxDuring week 6 we develop the theory and application of capital bud.docx
During week 6 we develop the theory and application of capital bud.docx
jacksnathalie
 
2-2b-contingency-planning-swanson-nist.pdf
2-2b-contingency-planning-swanson-nist.pdf2-2b-contingency-planning-swanson-nist.pdf
2-2b-contingency-planning-swanson-nist.pdf
SuriaRao2
 
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
oswald1horne84988
 
DISASTER RECOVERY 14Disaster RecoveryStude.docx
DISASTER RECOVERY 14Disaster RecoveryStude.docxDISASTER RECOVERY 14Disaster RecoveryStude.docx
DISASTER RECOVERY 14Disaster RecoveryStude.docx
salmonpybus
 
Running Head DECISION SUPPORT SYSTEM PLAN 1DECISION SUPPORT.docx
Running Head DECISION SUPPORT SYSTEM PLAN 1DECISION SUPPORT.docxRunning Head DECISION SUPPORT SYSTEM PLAN 1DECISION SUPPORT.docx
Running Head DECISION SUPPORT SYSTEM PLAN 1DECISION SUPPORT.docx
susanschei
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
Contingency Plan WAK BANKS ATM
Contingency Plan WAK BANKS ATMContingency Plan WAK BANKS ATM
Contingency Plan WAK BANKS ATM
Wajahat Ali Khan
 
MIT BUSINESS CONTINUITY PLAN This is an external rele.docx
MIT BUSINESS CONTINUITY PLAN  This is an external rele.docxMIT BUSINESS CONTINUITY PLAN  This is an external rele.docx
MIT BUSINESS CONTINUITY PLAN This is an external rele.docx
annandleola
 
Case Study
Case StudyCase Study
Case Study
lneut03
 

Ähnlich wie Disaster Recovery Policy .docx (20)

This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
 
Qatar Proposal
Qatar ProposalQatar Proposal
Qatar Proposal
 
Ise viii-information and network security [10 is835]-solution
Ise viii-information and network  security [10 is835]-solutionIse viii-information and network  security [10 is835]-solution
Ise viii-information and network security [10 is835]-solution
 
(CDC IT Security Staff BCP Policy) ([CSIA 413,).docx
 (CDC IT Security Staff BCP Policy) ([CSIA 413,).docx (CDC IT Security Staff BCP Policy) ([CSIA 413,).docx
(CDC IT Security Staff BCP Policy) ([CSIA 413,).docx
 
Sample Incident Response Plan
Sample Incident Response PlanSample Incident Response Plan
Sample Incident Response Plan
 
Task 1.Complete the BIA table below and use it for the remai
Task 1.Complete the BIA table below and use it for the remaiTask 1.Complete the BIA table below and use it for the remai
Task 1.Complete the BIA table below and use it for the remai
 
During week 6 we develop the theory and application of capital bud.docx
During week 6 we develop the theory and application of capital bud.docxDuring week 6 we develop the theory and application of capital bud.docx
During week 6 we develop the theory and application of capital bud.docx
 
2-2b-contingency-planning-swanson-nist.pdf
2-2b-contingency-planning-swanson-nist.pdf2-2b-contingency-planning-swanson-nist.pdf
2-2b-contingency-planning-swanson-nist.pdf
 
Business impact.analysis based on ISO 22301
Business impact.analysis based on ISO 22301Business impact.analysis based on ISO 22301
Business impact.analysis based on ISO 22301
 
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
 
DISASTER RECOVERY 14Disaster RecoveryStude.docx
DISASTER RECOVERY 14Disaster RecoveryStude.docxDISASTER RECOVERY 14Disaster RecoveryStude.docx
DISASTER RECOVERY 14Disaster RecoveryStude.docx
 
Running Head DECISION SUPPORT SYSTEM PLAN 1DECISION SUPPORT.docx
Running Head DECISION SUPPORT SYSTEM PLAN 1DECISION SUPPORT.docxRunning Head DECISION SUPPORT SYSTEM PLAN 1DECISION SUPPORT.docx
Running Head DECISION SUPPORT SYSTEM PLAN 1DECISION SUPPORT.docx
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessment
 
Cyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docx
Cyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docxCyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docx
Cyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docx
 
Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016Healthcare info tech systems cyber threats ABI conference 2016
Healthcare info tech systems cyber threats ABI conference 2016
 
Contingency Plan WAK BANKS ATM
Contingency Plan WAK BANKS ATMContingency Plan WAK BANKS ATM
Contingency Plan WAK BANKS ATM
 
MIT BUSINESS CONTINUITY PLAN This is an external rele.docx
MIT BUSINESS CONTINUITY PLAN  This is an external rele.docxMIT BUSINESS CONTINUITY PLAN  This is an external rele.docx
MIT BUSINESS CONTINUITY PLAN This is an external rele.docx
 
Case Study
Case StudyCase Study
Case Study
 

Kürzlich hochgeladen

哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 

Kürzlich hochgeladen (20)

哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 

Disaster Recovery Policy .docx

  • 1. DISASTER RECOVERY POLICY Issued by: Information Security Date Issued: 12-2020 Page: 1 of 7 Supersedes: N/A Classification: Internal Document Name: Disaster Recovery Policy Document Type: Information Security Policy Document status Released Document code Parent: Author: Issued by: Approved by: Security Classification Version Next revision Date Version Date Description Author Details 1.0
  • 2. DISASTER RECOVERY POLICY Issued by: Information Security Date Issued: 12-2020 Page: 2 of 7 Supersedes: N/A Classification: Internal CONTENTS 1. Introduction.................................................................................................... 3 1. Purpose.......................................................................................................... 3 2. Scope and applicability..................................................................................... 3 2. Responsibilities................................................................................................ 3 3. Classification of processes and systems .............................................................. 4 4. Disaster recovery planning................................................................................ 4 5. Organization and information ............................................................................ 5 6. Evaluation and testing of DR plans..................................................................... 5 7. Outsourcing considerations ............................................................................... 6 8. Exceptions ...................................................................................................... 6
  • 3. DISASTER RECOVERY POLICY Issued by: Information Security Date Issued: 12-2020 Page: 3 of 7 Supersedes: N/A Classification: Internal 1. Introduction It is essential that critical business processes, and systems that support them, are protected from the effects of major failures or disasters to ensure their timely recovery. This document is part of the Information Security Policy and Standard Framework and follows the prescriptions of the Information Security Policy Statement. 1. Purpose The purpose of this Policy is to ensure preparedness for major failures or disaster involving information systems in order to minimize the impact on business processes and to ensure their timely resumption. 2. Scope and applicability This Policy applies to all IT and assets (enterprise Applications, network systems, servers, IOT, Smart systems, OT technologies) that support XXX business, no matter if they are under responsibility of the IT department, other XXX internal department or Third Party1 . Disaster Recovery at XXX and in the industry refers to the actions to be taken in order to recover IT/OT systems after a disruption. Critical systems (in terms of availability) are identified in XXX following the indication of the IT Asset Management Policy. It is reasonable and prudent to guard against potential disasters and prepare plans that will enable the business to recover from such disruptions and resume business functions in a timely fashion. Each OC shall identify critical and sensitive systems and create recovery plans in order to meet business objectives. Those plans shall be tested on a regular basis. Business Continuity shall include those plans and actions that the business (outside of Global IT) should have in place to fulfil their responsibility if the access to critical systems is unavailable. Each local/regional and global business entity is responsible for determining how they would continue operating in the event od disruption or unavailability of IT Systems. 
IT Management or any other organizational unit responsible for operating and managing information processing facilities is responsible for collecting business continuity requirements from each Business process owners. As Business Continuity is outside the responsibility of IT, it is not addressed in this Policy. The concepts and requirements outlined in this Policy for IT assets are also applicable to OT critical assets (OT assets that support Business critical processes) 2. Responsibilities Any subject in XXX owner of IT systems (ref. IT Asset Management Policy) classified as critical (C, N) is responsible for the implementation disaster recovery plans. 1 Third Party means any third party (including but not limited to contingent workers, sub-consultants etc) that may access, process and/or store PVM Information on behalf of PVM. PVM should include suitable clauses in the written contract between PVM and the Third Party that oblige them to comply with obligations consistent with this Standard
  • 4. DISASTER RECOVERY POLICY Issued by: Information Security Date Issued: 12-2020 Page: 4 of 7 Supersedes: N/A Classification: Internal Business process owners in XXX are responsible of executing a Business Impact Analysis (BIA) for identifying the critical processes for XXX business. The BIA helps in identifying the IT Systems that support critical processes and the requirements for their recovery in case of interruption or disaster. XXX management shall determine, on the basis of the risk analysis and its risk appetite, for which risks preventive and/or corrective measures should be taken, which risks should be insured, and which risks will be accepted (without specific measures). In the following paragraphs, there is the assumption that all IT Systems are managed by the IT department or by a Third Party on its behalf, but the stated principles can be applied to any other entity in XXX owner or IT and OT systems. 3. Classification of processes and systems Based on the risk analysis and following the IT Asset Management Policy, IT System Owners shall provide the IT systems with the Availability classification. XXX has defined the following Availability Classification schema: About the availability requirements, the IT systems can be classified as Critical, Necessary or Supporting (Ref. IT Asset Management Policy):  Critical: Without the IT system or application, the business process cannot be continued, and may result in a major impact on revenue and results.  Necessary: Without the IT system or application, the business process can function, although it is seriously hindered.  Supporting: The IT system or application only contributes marginally to the functioning of the business process. 4. Disaster recovery planning Based on the risk analysis, XXX management shall develop DR Plan for critical IT Systems (C, N). 
IT System owners must ensure that there is a current documented IT Disaster Recovery Plan (“DR Plan”) including conditions for activating any part of the plan, and the responsible parties involved in plan activation. This plan will be approved by the CIO or designee for IT systems under the responsibility of the IT department, or by any other XXX function responsible for IT systems.

The DR Plan for a specific IT system or solution shall address the following:

• Business processes and their classification (scope and relations)
• Defined Recovery Time Objectives (RTO)
• Defined Recovery Point Objective (RPO)
• Connected IT systems and applications
• DR Organization (business and IT; Crisis Team and responsible management)
• Escalation procedure (activation criteria, escalation path and responsibilities)
• Awareness and communication
• Evaluation & testing (planning and conditions)

The Recovery Time Objective (RTO) is the agreed/established target time within which an IT system should be recovered after a disruption in order to avoid main impacts to the Business.

The Recovery Point Objective (RPO) is the agreed/established maximum amount of data that can be lost due to a disruption. RPO is an important indicator for setting the right backup frequency.

The DR Plan will also cover the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, stakeholder communication, resumption procedures, etc.

The Disaster Recovery Team, as outlined in the DR Plan, will ensure that all concerned understand IT recovery times and the efforts necessary to support the business recovery and resumption needs.

The DR Plan should ensure that systems, applications, data and documentation maintained or processed by a Third Party are adequately backed up or otherwise secured.

5. Organization and information

The CIO (or any other Senior Manager owner of IT Systems in XXX) shall direct that employees of XXX, vendors and suppliers who have a role in the Disaster Recovery Team, which is charged with the execution of the DR Plan, are well trained. This means that employees receive appropriate training and that each change in the DR Plan is reviewed for the need for supplemental training. Attention should be paid to making the plans accessible to the DR team under all disaster scenarios.
The CIO (or any other Senior Manager owner of IT Systems in XXX) shall direct that employees of XXX, vendors and suppliers who do not have a specific role in the Disaster Recovery Team are aware and informed of the escalation procedure and of the general content of the DR Plan and changes thereof.

The DR Plan classification is CS2 as defined in the Information Classification Policy, as it contains in-depth information about XXX information systems and system configurations and access. Therefore, it will be distributed only to the authorized members of the Disaster Recovery Team and to Information Security.

6. Evaluation and testing of DR plans

The DR Plan must be subject to periodic re-evaluation by the System Owner (for example, IT department).
Annual reconsideration and review will be performed, including strategy updates, to keep the DR Plan in alignment with business requirements.

Based on the scope definition and the relations as described in the DR Plan, the DR Plan must be updated regularly with changes to processes, applications and IT infrastructure.

Re-evaluation of the DR Plan may be triggered by the occurrence of major changes to information systems or configurations as recorded in the Change Management repository.

The DR Plan must be tested at planned intervals, at least once annually, to verify its correctness and viability and the usability of resources. These tests should be a simulation of a projected disaster.

Periodic testing and evaluation of the DR Plan is essential to ensure that:

• Personnel are skilled and trained in how to implement the DR Plan (training on the job)
• The Recovery RPO and RTO can be met
• Normal system changes in the period (updates, etc.) do not affect the procedures
• The DR Plan is adequately documented, and the necessary steps are clearly set out
• Backups are sufficient and self-contained, and are ready to be executed independently of any existing infrastructure

The conclusions of the evaluations and tests shall be recorded and reported to IT Senior management (or Senior Management who owns the IT System), and the DR Plan shall be updated accordingly.

During the test of DR Plans, not only the plans and procedures are tested, but also the correct recovery of data, IT systems with their operating systems, database management systems and applications, and the presence of backup instructions and manuals.

Special care should be taken to ensure that in the test no actions are performed that could not be executed in case of a real disaster. This should be an explicit responsibility of the Disaster Recovery Manager.
The Disaster Recovery Manager is a role that may be assigned by the CIO (or usually is the System Owner or its assignee) and is made responsible for coordination of all activity, including testing of the disaster recovery plan.

On successful resumption of the IT function after a disaster, the Disaster Recovery Manager will ensure that procedures for assessing the adequacy of the DR Plan are followed and the plan is updated accordingly.

7. Outsourcing considerations

For IT services performed by a third party, the responsible XXX internal Departments remain accountable for enforcement of and compliance with all elements of this Policy.

8. Exceptions

While every exception to a Policy potentially weakens protection mechanisms for XXX systems and underlying data, occasionally exceptions may exist for specific Operating Companies or Functions. Such exceptions need to be notified to Global IT and the Information Security department.