Disaster Recovery and Business Continuity Policy - Business Enablement

Disaster Recovery

Development and Implementation – Management will develop and implement a Disaster Recovery Plan (DRP) to help ensure the availability of information and services without deterioration of security measures. 

Responsibility and Oversight – Organization workforce members assigned the responsibility of developing, maintaining, and testing DRP. They will work with the Security Officer, Human Resources, Information Technology (IT) department designated workforce members, third party vendors, and other entities or individuals as deemed appropriate. Together they will oversee and coordinate the development, maintenance, and testing of the disaster recovery plan, plan distribution, and ongoing updates of the disaster recovery plan.

Review and Update – Organization will implement a set of standard steps to be followed for the document control of the disaster recovery plan. And will designate workforce members who will be responsible for ongoing and regularly scheduled full plan reviews, tests, and updates. The plan will be reviewed and updated when any changes occur in workforce members who are assigned specific tasks related to the plans. The plan will be tested, reviewed, and updated at least annually.

Plan Development

  • The Security Officer or designee will work with senior management to allocate the necessary resources to develop a disaster recovery plan that addresses the recovery of the technical and business environment in the event of a disaster.

  • Plan development will commence following the creation of a prioritized inventory of assets e.g., hardware, software, facilities, workforce members, equipment, etc. For more information regarding a prioritized inventory see the Risk Analysis Policy.

  • The DRP development team will review the prioritized inventory and document resources required to recover from a disaster, the order in which recovery will occur, and the workforce members responsible for each phase of disaster recovery.

  • The purpose of the DRP is to map out how organization will recover from the disaster. The DRP team will forward information about the maintenance of mission critical activities during the disaster to the emergency mode operations plan development team.

  • The DRP shall include the following:

    • Identify roles and responsibilities

    • Required capacity for restoration of data and services

    • Definitions of critical missions and business functions

    • Definitions of recovery objectives and priorities

    • Time frames in which data will be recovered and made available according to the business objectives defined by the Management

  • The plan will include documentation of the steps necessary to recover:

    • The business environment

    • The facility/physical environment

    • The technical environment/recovery of data

  • Following plan development, the DRP team will at least conduct a tabletop test of the plan and amend the plan based on test results.

  • Following plan development, testing, and amendment, affected workforce members will be trained regarding their responsibilities in the event of a disaster.

Plan Maintenance and Management

  • Each identified “Plan Owner” and alternate will be provided copies of the complete disaster recovery plan.

  • Copies will contain the general plan and, where appropriate, a copy of specific facility/department plans. One copy will be stored on-site and one will be stored at a secure location off-site.

  • A master set including the general disaster recovery plan and facility/department specific plans will be maintained by the designated workforce member in a secure location.  

  • Copies of all plans will be kept at the designated emergency operations center.

  • The section of the disaster recovery plan associated with data recovery will be stored securely with data backups.  

  • When the DRP team membership changes, the plan owner will update the DRP to reflect these changes within two weeks of the change and distribute to affected workforce members.

Certification of Plans

  • The DRP will be reviewed, tested, and updated if required, no less than semi-annually.

  • A full DRP test will occur at least once annually. 

  • The DRP will be reviewed and re-certified by the designated disaster recovery and emergency mode operations organizational “owner.”  

  • Re-certification will occur when a significant change in DRP processes are required.    

  • It is the Plan Owner’s responsibility to notify the organizational owner if recertification is required.

  • Recertification is also required following DRP operations plan tests where such tests identify sections of the plan that failed the test.

Recovery of Plan Documentation when Team Member Transfers or Terminates

  • Human Resources is responsible for the collection of the DRP when staff changes occur.

  • The assigned plan manager or director is responsible for the distribution of full or partial copies to new members of the DRP team.  

  • The assigned plan manager or director is responsible for obtaining signed acknowledgment of receipt of the DRP or part of the plan from new team members.

  • The assigned plan manager or director shall forward a copy of the signed acknowledgment of receipt of the plan or applicable parts of the plan to Human Resources to be filed in workforce member personnel records.

Facility/Department Management Responsibility

  • The assigned plan manager or director is responsible for coordinating or managing plan reviews and updates.

  • This includes updates related to any facilities physical or technical changes (i.e. server room security changes, access lock changes, backup generator replacement, etc.).

  • Facilities/department management is responsible for reasonably ensuring that the assigned plan manager or director is informed when changes occur that impact the DRP and that require plan updates.

  • Such notification will occur within two weeks from the date any change occurs that impact the DRP. This includes staff changes that impact workforce members with assigned duties relating to the DRP.

  • Any update to facilities level plans will be incorporated in the full DRP.

Testing of the Disaster Recovery Plan

  • The DRP will be tested on an annual basis. 

  • The Chief Technology Officer(CTO) is responsible for conducting the test, and updating the plan accordingly to reflect any identified weaknesses.

  • Test results will be documented and signed off by Management.