Tuesday, April 6, 2010

Disaster Recovery Plan - TEST STEPS


*       Review disaster recovery plan.
*       Verify that the plan contains a date qualifier to ensure currency.
*       Verify that the plan has been updated within the past 12 months.
*       Verify that there is effective monitoring of the plan's state of readiness.
*       Verify storage location of the plan.
*       If different from above, verify the storage location of the implementation team contact list.
*       Verify that the implementation team list contains names of team members, job titles, location, office & home telephone numbers.
*       Validate that the implementation team list contains active associates, their present title and location, including current home and office telephone numbers.
*       Verify that team members are aware of their roles and responsibilities.
*       Verify that a testing and training schedule exists and is adequate (at least annually).
*       Verify date of last drill.
*       Verify that the weaknesses identified in the last drill have been addressed and corrected.
*       Verify that the documented plans correspond to the Business Continuation plan.
*       Verify that the plan reflects the current system environment.
*       Verify that all mission critical programs, data files, computer resources (and operating systems) are covered.
*       Verify that the non-covered systems are noted.
*       Verify that the plan incorporates prioritization of critical applications and systems.
*       Verify that the plan covers procedures for disaster declaration, general shutdown and migration of operations to the backup facility site.
*       Verify that the plan includes time requirements for recovery/availability of each critical system, and that they are reasonable.
*       Review any agreements for use of backup facilities and related documents. Verify that the site is adequate.
*       Verify that the site has appropriate hardware and telecommunications devices to restore operations.
*       Verify the procedures for periodic evaluation of the backup facilities and equipment to ensure their adequacy, including when the facilities were last used.
*       Verify that the site is adequately secured from unauthorized access.
*       Verify that the proper security is in effect on the backup equipment and software.
*       Verify that the arrangements with the backup site are of a nature and at an organization level where there appears to be a substantial probability that they would and could be honored for substantial periods (e.g., 50 hours per week for two consecutive weeks).
*       Verify that the plan includes contingencies in case of prolonged adverse circumstances.
*       Verify that inventories noted in the plan reflect the current operating environment.
*       Verify that the plans contain written operating instructions and procedures, including procedures to regenerate the system.
*       Verify storage location of the inventories.
*       Verify that the plan includes controlled procedures for restoration of the original site for normal operations.
*       Review the effectiveness of the backup procedures in general.
*       Verify that the critical programs, data files and computer resources defined for backup are in fact created and sent offsite.
*       Verify that the same is true for procedure and job libraries (verify that the current media library maintained by the user area corresponds to the library at the offsite facility).
*       Verify that the same is true for operating instructions and other key documentation.
*       Verify that the same is true for papers relating to systems and programs under development.
*       Verify that the backup copies for onsite, offsite, and legal retention are appropriate.
*       For applications with on-line updating of databases, verify that procedures are in place to aid in database recovery to include a) tape/disk logging of input transactions; b) logging of before and after images of updated database records; c) ability to backup or nullify a transaction; d) use of checkpoint/restart software.
*       Review the arrangements for offsite storage of key data files and documents.
*       Verify that the offsite storage facilities are so located that a disaster could not destroy the records in both the D&B facility and the storage facility.
*       Verify that the procedures for getting offsite copies to the backup site are adequate, efficient and timely.

Disaster Recovery Plan - DOCUMENTATION


*       Obtain a copy of the organization's disaster recovery plan.
*       Obtain a list of implementation team members.
*       Obtain a current copy of the organization chart.
*       Obtain current inventory list.
*       Obtain a copy of agreements relating to use of backup facilities.

Disaster Recovery Plan - QUESTIONNAIRE



*       Is there a disaster recovery plan? If a plan exists, when was it last updated?
*       What are your procedures for updating the plan?
*       Who is responsible for administration or coordination of the plan?
*       Is the plan administrator/coordinator responsible for keeping the plan up-to-date?
*       Is there a disaster recovery implementation team (i.e., the first response team members who will react to the emergency with immediate action steps)?
*       Where is the disaster recovery plan stored?
*       Where is the implementation team contact list stored?
*       Where is the backup facility site? Are there alternate sites?
*       What is your schedule for testing and training on the plan?
*       When was the last drill performed?
*       Did the drill include use of the backup facilities? If not, when were the backup facilities last used? If over 1 year, how has the organization determined that its programs can still run on the backup equipment?
*       What was the outcome of the drill? How did it improve preparedness?
*       What critical systems are covered by the plan?
*       What systems are not covered by the plan? Why not?
*       Does the plan operate under any assumptions?
*       What are the procedures for activation of the plan?
*       Are inventories as they relate to your critical systems kept (including LAN servers and communication devices)?
*       If inventories are kept, where are they stored?
*       Are there formal procedures that specify backup procedures and responsibilities?
*       What functions/systems/components are covered under such procedures?
*       What training has been given to personnel in using backup equipment and established procedures?
*       Where is the off-site storage site?