Disaster Recovery Plan Policy

1. Overview

Since disasters happen so rarely, management often ignores the disaster recovery planning process.  It is essential to realize that having a contingency plan in the event of a disaster gives eCuras a competitive advantage.   This policy requires management to financially support and diligently attend to disaster contingency planning efforts.  Disasters are not limited to adverse weather conditions.   Any event that could likely cause an extended delay of service should be considered.  The Disaster Recovery Plan is often part of the Business Continuity Plan.

2. Purpose

This policy defines the requirement for a baseline disaster recovery plan to be developed and implemented by eCuras that will describe the process to recover IT Systems, Applications, and Data from any type of disaster that causes a significant outage.

3. Scope

This policy is directed to the IT Management Staff who is accountable to ensure the plan is developed, tested, and kept up-to-date.  This policy is solely to state the requirement to have a disaster recovery plan. It does not provide requirements around what goes into the plan or sub-plans.

4. Policy

4.1 Contingency Plans

The following contingency plans must be created:

• Computer Emergency Response Plan: Who is to be contacted, when, and how? What immediate actions must be taken in the event of certain occurrences?
• Succession Plan: Describe the flow of responsibility when normal staff is unavailable to perform their duties.
• Data Study: Detail the data stored on the systems, its criticality, and its confidentiality.
• Criticality of Service List: List all the services provided and their order of importance.
• It also explains the order of recovery in both short-term and long-term timeframes.
• Data Backup and Restoration Plan: Detail which data is backed up, the media to which it is saved, where that media is stored, and how often the backup is done.  It should also describe how that data could be recovered.
• Equipment Replacement Plan: Describe what equipment is required to begin to provide services, list the order in which it is necessary, and note where to purchase the equipment.
• Mass Media Management: Who is in charge of giving information to the mass media?
• Also provide some guidelines on what data is appropriate to be provided.
• After creating the plans, it is essential to practice them to the extent possible.   Management should set aside time to test the implementation of the disaster recovery plan.  Tabletop exercises should be conducted annually. During these tests, issues that may cause the plan to fail can be discovered and corrected in an environment with few consequences.

The plan, at a minimum, should be reviewed and updated on an annual basis.

5. Policy Compliance

5.1  Compliance Measurement

The Infosec team will verify compliance with this policy through various methods, including but not limited to periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2  Exceptions

The Infosec Team must approve any exception to the policy in advance.

5.3  Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Revised: March 14th, 2018

Table of Content

1. Acceptable Encryption Policy
2. Acceptable Use Policy
3. Clean Desc Policy
4. Data Breach Response Policy
5. Disaster Recovery Plan Policy
6. Digital Signature Acceptance Policy
7. Email Policy
8. Ethics Policy
9. Pandemic Response Planning Policy
10. Password Construction Guidelines
11. Password Protection Policy
12. Security Response Plan Policy
13. End User Encryption Key Protection Policy
14. Acquisition Assessment Policy
15. Bluetooth Baseline Requirements Policy
16. Remote Access Policy
17. Remote Access Tools Policy
18. Router and Switch Security Policy
19. Wireless Communication Policy
20. Wireless Communication Standard
21. Database Credentials Policy
22. Technology Equipment Disposal Policy
23. Information Logging Standard
24. Lab Security Policy
25. Server Security Policy 
26. Software Installation Policy
27. Workstation Security (For HIPAA) Policy
28. Web Application Security Policy
29.  Analog/ISDN Line Security Policy
30. Anti-Virus Guidelines
31. Server Audit Policy
32. Automatically Forwarded Email Policy
33. Communications Equipment Policy
34. Dial In Access Policy
35. Extranet Policy
36. Internet DMZ Equipment Policy
37. Internet Usage Policy
38. Mobile Device Encryption Policy
39. Personal Communication Devices and Voicemail Policy
40. Removable Media Policy
41. Risk Assessment Policy
42. Server Malware Protection Policy
43. Social Engineering Awareness Policy
44. DMZ Lab Security Policy
45. Email Retention Policy
46. Employee Internet Use Monitoring and Filtering Policy
47. Lab Anti Virus Policy
48. Mobile Employee Endpoint Responsibility Policy
49. Remote Access Mobile Computing Storage
50. Virtual Private Network Policy