Disaster Recovery Policy
The disaster recovery policy must be reviewed at least annually to ensure its relevance. As in the development of such a
policy, a planning team consisting of upper management and personnel from information security, information technology,
human resources, or other operations should be assembled to review the disaster recovery policy. The roles and
responsibilities of the planning team should be as follows:
• Perform an initial risk assessment to determine current information systems vulnerabilities.
• Perform an initial business impact analysis to document and understand the interdependencies among
business processes and determine how the business would be affected by an information systems outage.
• Take an inventory of information systems assets such as computer hardware, software, applications, and
• Identify single points of failure within the information systems infrastructure.
• Identify critical applications, systems, and data.
• Prioritize key business functions.
Company personnel will carry out the following procedures in the implementation of a disaster recovery policy:
• Set up and maintain offsite facilities for data backup storage and electronic vaulting as well as redundant
and reliable standby systems if necessary.
• Ensure that critical applications, systems, and data are distributed among facilities that are reasonably easy
to get to but not so close that they could be affected by the same disaster.
• Establish written policies, contracts, and service level agreements with third-party hosting, collocation,
telecommunications, and Internet service providers that facilitate prompt recovery and continuity.
• Create an incident response team that consists of information security, IT, marketing, HR, legal, and other
• Define the roles and responsibilities of the incident response team.
• Obtain each incident response team member’s contact information.