Educause Security Discussion mailing list archives

Re: DR/BC Planning


From: Kimberly Heimbrock <heimbrockk () NKU EDU>
Date: Mon, 10 May 2010 10:47:24 -0400

We are in-progress in development of a full DR plan, including policies,
templates, etc. We are heavily dependent upon the use of SharePoint as
our secure document repository.  It is formatted to follow the plan
'outline' and can be secured down to the document level.  Our major
categories include:

*         Overview and Policy

*         Planning procedures and emergency documentation (emergency
contacts, BIA, RTO, RPO, Risk Assessment, Emergency Response teams
defined, etc.)

*         Recovery procedures and Emergency response team plans (each
recovery team has a section - secured to select members for read,
update, etc.)

*         Off-site recovery sites, infrastructure testing sites

*         Testing & Maintenance 

*         Vendor Contacts

*         Templates (see below)

*         Misc, appendixes, etc

 

Our plan includes self-developed templates:

*         Technical/infrastructure (Servers, network, cabling, backups,
telecom, etc.) 

*         Employee/staff emergency template (each manager to complete
the template for team members, which then rolls into a master emergency
contact document)

*         Services/Support (for use in help desk, office support, etc.
to resume services for user support during and after disruptions)

*         Application recovery (application recovery for web, server,
3rd party software, assumptions, dependencies, test plans)

 

 

Getting the content from all IT areas involved has proven difficult, but
we plan on handing a hard copy to each recovery team lead (and our CIO)
to show where the major gaps still remain - especially if they were to
actually need to work from it in the event of a major disruption.
Updates will be done about twice annually; plan to work DR into our
Change Management procedures, and hopefully test annually (likely
'tabletop' due to budgets).

 

We have made good progress, but have a ways to go still.   If you would
like copies of any of this or would like to discuss in more detail,
contact me at heimbrockk () nku edu.  

 

Kim

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Sunday, May 09, 2010 10:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DR/BC Planning

 

Hi All,

 

To what degree do you conduct disaster recovery and business resumption
planning? Do you test your plans? If so, how (i.e., table top testing,
call trees, fail over testing)? Are you using software or templates to
write your plans?

 

And finally, how do you ensure departments have completed and tested
their plans? How do you ensure they are kept up to date?

 

Any BRP policies/procedures you can share would be helpful. 

 

Thanks

 

 

:: Daniel Sarazen, CISSP, CISA

:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558

:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu


University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : www.massachusetts.edu <http://www.massachusetts.edu/> 

 

 

