Rob243
Viewer

Disaster Recovery Policy

Hi Everyone!

 

I'm looking at creating my first policy and putting some of my CISSP to use in the form of a disaster recovery policy for the local authority I work for. I'm wondering if there are any good resources to use and examples of these? I'm trying to make sure that this stays a policy and doesn't become a plan, as this needs to be the broad direction that the organisation takes, not any step by step.

 

Appreciate any pointers or resources that will help.


Rob

2 Replies
tmekelburg1
Community Champion

You can certainly go this route, as I'm sure people have created specific DR policies on this forum, but this is typically covered in a Contingency Planning Policy, which encompasses BC and DR plans, along with many other types of plans, e.g., Cybersecurity Incident Response Plans, Crisis Communications Plans, etc.

 

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf 

NIST 800-34, Rev 1 Contingency Planning Guide for Federal Information Systems

 

Tagging @CISOScott because he has extensive experience in Government work. Some things to include if I were to create a specific DR policy in no particular order:

 

  • Purpose
  • Scope
  • Roles and responsibilities
  • Specific disasters that will be included in the DRP 
  • Defining recovery time objectives (Or at least say it's going to be included in the DR plan) 
  • BIA requirements
  • Communication plan or point to one that's already created

There's more but others can chime in with their thoughts.  

Rob243
Viewer

That sounds like a good place to start, really appreciate it! There is already a BC policy in place, but it only covers the business side of a situation and what IT is required, and due to a data center cloud migration it's no longer fit for purpose. I'm trying to create a policy that sits with IT so it can be updated and underpin a specific IT DR plan, so when a system or DR event happens the policy states the direction the business is taking, and the IT DR plan can be kept up to date with moving technologies and systems so the IT department has a playbook for most eventualities.

Hope that makes sense