Successfully reported this slideshow.
Your SlideShare is downloading. ×

Disaster Recovery Policy .docx

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
DISASTER RECOVERY POLICY
Issued by: Information Security Date Issued: 12-2020 Page: 1 of 7
Supersedes: N/A
Classification:...
DISASTER RECOVERY POLICY
Issued by: Information Security Date Issued: 12-2020 Page: 2 of 7
Supersedes: N/A
Classification:...
DISASTER RECOVERY POLICY
Issued by: Information Security Date Issued: 12-2020 Page: 3 of 7
Supersedes: N/A
Classification:...
Advertisement
Loading in …3
×

Check these out next

1 of 7 Ad

More Related Content

Recently uploaded (20)

Advertisement

Disaster Recovery Policy .docx

  1. 1. DISASTER RECOVERY POLICY Issued by: Information Security Date Issued: 12-2020 Page: 1 of 7 Supersedes: N/A Classification: Internal Document Name: Disaster Recovery Policy Document Type: Information Security Policy Document status Released Document code Parent: Author: Issued by: Approved by: Security Classification Version Next revision Date Version Date Description Author Details 1.0
  2. 2. DISASTER RECOVERY POLICY Issued by: Information Security Date Issued: 12-2020 Page: 2 of 7 Supersedes: N/A Classification: Internal CONTENTS 1. Introduction.................................................................................................... 3 1. Purpose.......................................................................................................... 3 2. Scope and applicability..................................................................................... 3 2. Responsibilities................................................................................................ 3 3. Classification of processes and systems .............................................................. 4 4. Disaster recovery planning................................................................................ 4 5. Organization and information ............................................................................ 5 6. Evaluation and testing of DR plans..................................................................... 5 7. Outsourcing considerations ............................................................................... 6 8. Exceptions ...................................................................................................... 6
  3. 3. DISASTER RECOVERY POLICY Issued by: Information Security Date Issued: 12-2020 Page: 3 of 7 Supersedes: N/A Classification: Internal 1. Introduction It is essential that critical business processes, and systems that support them, are protected from the effects of major failures or disasters to ensure their timely recovery. This document is part of the Information Security Policy and Standard Framework and follows the prescriptions of the Information Security Policy Statement. 1. Purpose The purpose of this Policy is to ensure preparedness for major failures or disaster involving information systems in order to minimize the impact on business processes and to ensure their timely resumption. 2. Scope and applicability This Policy applies to all IT and assets (enterprise Applications, network systems, servers, IOT, Smart systems, OT technologies) that support XXX business, no matter if they are under responsibility of the IT department, other XXX internal department or Third Party1 . Disaster Recovery at XXX and in the industry refers to the actions to be taken in order to recover IT/OT systems after a disruption. Critical systems (in terms of availability) are identified in XXX following the indication of the IT Asset Management Policy. It is reasonable and prudent to guard against potential disasters and prepare plans that will enable the business to recover from such disruptions and resume business functions in a timely fashion. Each OC shall identify critical and sensitive systems and create recovery plans in order to meet business objectives. Those plans shall be tested on a regular basis. Business Continuity shall include those plans and actions that the business (outside of Global IT) should have in place to fulfil their responsibility if the access to critical systems is unavailable. Each local/regional and global business entity is responsible for determining how they would continue operating in the event od disruption or unavailability of IT Systems. IT Management or any other organizational unit responsible for operating and managing information processing facilities is responsible for collecting business continuity requirements from each Business process owners. As Business Continuity is outside the responsibility of IT, it is not addressed in this Policy. The concepts and requirements outlined in this Policy for IT assets are also applicable to OT critical assets (OT assets that support Business critical processes) 2. Responsibilities Any subject in XXX owner of IT systems (ref. IT Asset Management Policy) classified as critical (C, N) is responsible for the implementation disaster recovery plans. 1 Third Party means any third party (including but not limited to contingent workers, sub-consultants etc) that may access, process and/or store PVM Information on behalf of PVM. PVM should include suitable clauses in the written contract between PVM and the Third Party that oblige them to comply with obligations consistent with this Standard
  4. 4. DISASTER RECOVERY POLICY Issued by: Information Security Date Issued: 12-2020 Page: 4 of 7 Supersedes: N/A Classification: Internal Business process owners in XXX are responsible of executing a Business Impact Analysis (BIA) for identifying the critical processes for XXX business. The BIA helps in identifying the IT Systems that support critical processes and the requirements for their recovery in case of interruption or disaster. XXX management shall determine, on the basis of the risk analysis and its risk appetite, for which risks preventive and/or corrective measures should be taken, which risks should be insured, and which risks will be accepted (without specific measures). In the following paragraphs, there is the assumption that all IT Systems are managed by the IT department or by a Third Party on its behalf, but the stated principles can be applied to any other entity in XXX owner or IT and OT systems. 3. Classification of processes and systems Based on the risk analysis and following the IT Asset Management Policy, IT System Owners shall provide the IT systems with the Availability classification. XXX has defined the following Availability Classification schema: About the availability requirements, the IT systems can be classified as Critical, Necessary or Supporting (Ref. IT Asset Management Policy):  Critical: Without the IT system or application, the business process cannot be continued, and may result in a major impact on revenue and results.  Necessary: Without the IT system or application, the business process can function, although it is seriously hindered.  Supporting: The IT system or application only contributes marginally to the functioning of the business process. 4. Disaster recovery planning Based on the risk analysis, XXX management shall develop DR Plan for critical IT Systems (C, N). IT System owners must assure that there is a current documented IT Disaster Recovery Plan (“DR Plan”) including conditions for activating any part of the plan, and the responsible parties involved in plan activation. This plan will be approved by the CIO or designee for IT systems under the responsibility of the IT department, or by any other XXX function responsible for IT systems. The DR Plan for a specific IT system or solution shall address the following:  Business processes and their classification (scope and relations)  Defined Recovery Time Objectives (RTO)  Defined Recovery Point Objective (RPO)  Connected IT systems and application  DR Organization (business and IT; Crisis Team and responsible management)
  5. 5. DISASTER RECOVERY POLICY Issued by: Information Security Date Issued: 12-2020 Page: 5 of 7 Supersedes: N/A Classification: Internal  Escalation procedure (activation criteria, escalation path and responsibilities)  Awareness and communication  Evaluation & testing (planning and conditions) The Recovery Time Objectives (RTO) is the agreed/established target time after an IT system should be recovered after a disruption in order avoid main impacts to the Business. The Recovery Point Objectives (RPO) is the agreed/established maximum amount of data that can lost due to a disruption. RPO is an important indicator for setting the right backup frequency. The DR Plan will also cover the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, stakeholder communication, resumption procedures, etc. The Disaster Recovery Team, as outlined in the DR Plan, will ensure that all concerned understand IT recovery times and the efforts necessary to support the business recovery and resumption needs. The DR Plan should ensure systems, applications, data and documentation maintained or processed by Third Party are adequately backed up or otherwise secured. 5. Organization and information The CIO (or any other Senior Manager owner of IT Systems in XXX ) shall direct that employees of XXX , vendors and suppliers who have a role in the Disaster Recovery Team, that is charged with the execution of the DR Plan, are well trained. This means that employees receive appropriate training and that each change in the DR Plan is reviewed for the need of supplemental training. Attention should be paid to making the plans accessible to the DR team under all disaster scenarios. The CIO (or any other Senior Manager owner of IT Systems in XXX ) shall direct that employees of XXX , vendors and suppliers who do not have a specific role in the Disaster Recovery Team are aware and informed of the escalation procedure and of the general content of the DR Plan and changes thereof. The DR Plan classification is CS2 as defined in the Information Classification Policy, as it contains in-depth information about XXX information systems and system configurations and access. Therefore, it will be distributed to the authorized members of the Disaster Recovery Team only and Information Security. 6. Evaluation and testing of DR plans The DR Plan must be subject to periodic re-evaluation by the System Owner (for example, IT department).
  6. 6. DISASTER RECOVERY POLICY Issued by: Information Security Date Issued: 12-2020 Page: 6 of 7 Supersedes: N/A Classification: Internal Annual reconsideration and review will be performed including strategy updates to keep the DR Plan in alignment with business requirements. Based on the scope definition and the relations as described in the DR Plan, the DR Plan must be updated regularly with changes to processes, applications and IT infrastructure. Re-evaluation of the DR Plan may be triggered by the occurrence of major changes to information systems or configurations as recorded in the Change Management repository. The DR Plan must be tested at planned intervals at least once annually to verify its correctness and viability and the usability of resources. These tests should be a simulation of a projected disaster. Periodic testing and evaluation of the DR Plan is essential to ensure that:  Personnel are skilled and trained in how to implement the DR Plan (training on the job)  The Recovery RPO and RTO can be met  Normal system changes in the period (updates, etc.) do not affect the procedures. The DR Plan is adequately documented, and that the necessary steps are clearly set out  Backups are enough and self-contained and be ready to be executed independent of any existing infrastructure The conclusions of the evaluations and tests shall be recorded and reported to IT Senior management (or Senior Management who owns the IT System), be updated consequently. During the test of DR Plans not only the plans and procedures are tested, but also the correct recovery of data, IT systems with their operating systems, database management systems and applications and the presence of backup instructions and manuals. Special attention should be taken to ensure that in the test no actions are performed that could not be executed in case of a real disaster. This should be an explicit responsibility of the Disaster Recovery Manager. The Disaster Recovery Manager is a role that may be assigned by the CIO (or usually is the System Owner or its assignee) and is made responsible for coordination of all activity including testing of the disaster recovery plan. On successful resumption of the IT function after a disaster, the Disaster Recovery Manager will ensure that procedures for assessing the adequacy of the DR Plan are followed and the plan is updated accordingly. 7. Outsourcing considerations For IT services performed by third party, the responsible XXX internal Departments remains accountable for enforcement and compliance with all elements of this Policy. 8. Exceptions While every exception to a Policy potentially weakens protection mechanisms for XXX systems and underlying data, occasionally exceptions may exist for specific Operating Companies or Function. Such exceptions need to be notified to Global IT and Information Security department.
  7. 7. DISASTER RECOVERY POLICY Issued by: Information Security Date Issued: 12-2020 Page: 7 of 7 Supersedes: N/A Classification: Internal

×