bjonah
Newcomer I

RACI for Disaster Recovery Plan

Does anyone have a RACI for Disaster Recovery? Who owns the process? COBIT 5 for Information Security defines the CISO/ISM as contributors. I know it depends to a great extent on the risk framework that has been implemented but who takes the responsibility of ensuring the plan works?

3 Replies
dcontesti
Community Champion

@bjonah wrote:

Does anyone have a RACI for Disaster Recovery? Who owns the process? COBIT 5 for Information Security defines the CISO/ISM as contributors. I know it depends to a great extent on the risk framework that has been implemented but who takes the responsibility of ensuring the plan works?


So, a difficult question to answer. It depends on a number of things:

1) how large an organization

2) is there a BCP person

3) have you assigned DR Coordinators


Typically Security would be contributors in their role as Security; however, in an organization that places DR in the Security group (which I have seen), that person's role could be Responsible or Accountable.

I have seen it both ways.

Regards

d

Steve-Wilme
Advocate II

It depends on the scope of your BCP/DR plan and the strategy you've chosen to recover from an interruption. You really have to approach this top down rather than thinking immediately about a RACI matrix.

I don't know where you are in the programme, but I'd start with a BIA of the business processes affected if there was an interruption and how long you could run a viable business with interrupted processes. Then look at what you have in place to reduce the impact of a disruption, for example, single-site HA, fail-over to a backup site, systems in multiple cloud availability zones, etc. Only once you've done this groundwork can you look at the operational plan and RACI for continuing to operate and recovering from an interruption.

From an InfoSec perspective you simply need to ensure that the contingency measures used during the interruption do not expose your organisation to further unnecessary risk.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
bjonah
Newcomer I

Thanks. It makes sense to have an assigned Coordinator at a senior level. In terms of the overall responsibility for its implementation, it should be the CRO/CEO and the board.