TEMPLATE BY

ORGANIZATION NAME

Disaster Recovery Policy

Disaster Recovery Policy TEMPLATE BY

Identifier: TBD (e.g. IT-001) Policy Group: Information Technology

Revision Date: Month, Date, Year Effective Date: Month, Date, Year

Approved by: TBD Approved on date: Month, Date, Year

Table of Contents
Purpose.................................................................................................................................................................................. 4

Scope...................................................................................................................................................................................... 4

Policy Statement................................................................................................................................................................... 4

Roles and Responsibilities................................................................................................................................................... 5

Disaster Recovery Plan........................................................................................................................................................ 6

Planning Activities......................................................................................................................................................... 6

Organization Personnel................................................................................................................................................ 7

Address (Office, Home, Email).....................................................................................................................................7

Application Profile......................................................................................................................................................... 8

Disaster Recovery Procedures..................................................................................................................................... 8

Assurance.............................................................................................................................................................................. 8

Exceptions and Deviations.................................................................................................................................................. 9

Violations............................................................................................................................................................................... 9

Frequency of Policy Review................................................................................................................................................. 9

References............................................................................................................................................................................. 9

External References...................................................................................................................................................... 9

Internal References....................................................................................................................................................... 9

Document History.............................................................................................................................................................. 10

Organization Proprietary & Confidential Page 2 of 9

Disaster Recovery Policy TEMPLATE BY

Purpose
The purpose of the Disaster Recovery Policy is to define the activities associated with the provision of disaster

recovery (DR) plans and programs that protect the organization’s information systems, networks, data,

databases and other information assets. IT disaster recovery plans provide step-by-step procedures for

recovering disrupted systems and networks, and help them resume normal operations. The goal of these

processes is to minimize any negative impacts to company operations. The IT disaster recovery process

identifies critical IT systems and networks; prioritizes their recovery time objective; and delineates the steps

needed to restart, reconfigure, and recover them. The disaster recovery plan also includes all the relevant

supplier contacts, sources of expertise for recovering disrupted systems and a logical sequence of action steps

to take for a smooth recovery.

Scope
The scope of the disaster recovery plan applies to all stakeholders (e.g., employees, contractors, consultants,

vendors, and others) who may have responsibilities of ensuring information systems and business operations

can recover from any disruptions.

Policy Statement
The objective of having a Disaster Recovery Plan and associated controls is to ensure that the organization can

still accomplish its mission and that it would not lose the capability to process, retrieve and protect information

maintained in the event of an interruption or disaster leading to temporary or permanent loss of computer

facilities. The management intent is to ensure this policy provides guidance for departments and help them

take a risk-based approach to emergency preparedness. This policy provides guidance for the procedures

needed that will help the organization to quickly respond and determine the appropriate actions to take in the

event of an interruption of service or disaster.

Organization Proprietary & Confidential Page 3 of 9

Disaster Recovery Policy TEMPLATE BY

Roles and Responsibilities

This section sets the minimum level of responsibilities for the following individuals and/or groups.

Primary Role Responsibilities

Application recovery is the process of restoring your business system

Application Recovery software and data. This is done after restoring your hardware and

operating system.

The disaster recovery plan should be an element of an overarching

Business Continuity business continuity plan. Business continuity looks at how you continue to

keep your business operating in any disruptive situation.

The duties of Information Security Administrators or those who provide

security administration of user ids, permissions and access rights and/or

Business Impact Analysis those that provide technical security administration are responsible for the

implementation of policies and overall application of Information Security

for their area of responsibility.

This is the team of individuals who are responsible for bringing your

system back online. Every member should be listed in your DRP, together

with their contact details and each one should have a clearly defined role.
Disaster Recovery Team
The team may include both internal and external members, so besides

employees, you may have software developers, web host technical support

and other consultants.

Organization Proprietary & Confidential Page 4 of 9

Disaster Recovery Policy TEMPLATE BY

Disaster Recovery Plan

The disaster recovery policy provides necessary information in creating procedures for recovering disrupted

systems and networks to resume normal operations. The goal of the processes associated with the disaster

policy is to plan for the minimization of any negative impacts to company operations. The disaster recovery

process identifies:

 Critical IT systems and networks;

 Prioritizes recovery time objectives; and

 Delineates the steps needed to restart, reconfigure, and recover.

Comprehensive disaster recovery activities also includes all the relevant supplier contacts, sources of expertise

for recovering disrupted systems and a logical sequence of action steps to take for a smooth recovery. The

major goals for a successful disaster recovery planning are to:

 Minimize interruptions to normal business operations;

 Limit the extent of disruption and damage;

 Minimize economic impact of interruption;

 Establish alternative means of operation in advance;

 Train personnel on emergency procedures; and

 Provide a plan for smooth and rapid restoration of services.

Planning Activities

The organization will outline technology disaster recovery activities, along with business continuity

management guidelines, that includes:

 Planning and design of technology disaster recovery activities, which include

technology disaster recovery plans;

 Identification of disaster recovery teams, defining their roles and responsibilities and

ensuring they are properly trained and prepared to respond to incidents;

Organization Proprietary & Confidential Page 5 of 9

Disaster Recovery Policy TEMPLATE BY

 Scheduling of updates to disaster recovery business impact analysis;

 Scheduling of updates to disaster recovery risk assessments;

 Planning and delivery of awareness and training activities for employees and disaster

recovery team members;

 Planning and design of incident response activities;

 Planning and execution of disaster recovery plan exercises;

 Designing and implementing a disaster recovery program/plan maintenance activity

to ensure that all plans are up to date and ready for use;

 Preparing for management review and auditing of disaster recovery plans;

 Planning and implementation of continuous improvement activities for the disaster

recovery program and plans.

Organization Personnel

This section lists resources that have leadership responsibility for ensuring the disaster recovery plan is

effectively implemented.

Name Position Address Contact Numbers

(Office, Home, Email) (Mobile, Office, Home)

Organization Proprietary & Confidential Page 6 of 9

Disaster Recovery Policy TEMPLATE BY

Application Profile

The application profile lists business owners with the responsibilities of evaluating their designated

systems and establishing a criticality rating for each system in accordance with organizational

standards.

Application Profile

Application Name Critical Fixed Manufacturer Comments

Yes / No Asset Yes
/ No

Comment legend:
1. Runs daily.
2. Runs weekly on ____________.
3. Runs monthly on ____________.

Disaster Recovery Procedures

The organization will ensure that each business unit prepares comprehensive procedures, which is a

part of the business continuity plan, based on the results of their criticality rating. This will identify the

process and steps to restore normal business functions, and it will be tested and updated at least

annually. The Information Technology Department along with the business units will establish and

document and prioritize each enterprise level mission critical system or component.

Assurance
In order to ensure continued compliance with this policy, this organization will train all relevant workforce

members on their responsibilities that align with this policy. This training will consist of an initial education

upon affiliating with this organization as well as continued education events on a regular basis in accordance

with this organization’s standards for training and education.

Organization Proprietary & Confidential Page 7 of 9

Disaster Recovery Policy TEMPLATE BY

Exceptions and Deviations

Any exception to the policy must be approved by the Information Security team in advance. Requests for

exceptions to any information security policy must be reviewed and may be granted for Information Systems

with compensating controls in place to mitigate risk. Any requests must be submitted to the CISO (Chief

Information Security Officer) for review and approval pursuant to the exception procedures published by the

CISO.

Violations
Violations of this policy or any sub-policies and processes established pursuant to this policy may result in

disciplinary action, up to and possibly including termination of employment or legal action. All breaches of

information security, actual or suspected, shall be reported to and investigated by Information Security and/or

Compliance and Internal Audit

Frequency of Policy Review

The CISO must review information security policies and procedures annually, at minimum. This policy is subject

to revision based upon findings of these reviews.

References

External References

 Document or Link Number 1

 Document or Link Number 2

Internal References

 Business Applications Security Policy

 Business Continuity and Disaster Recovery Policy

 Incident Response Policy

 Privacy Policy

 Security and Awareness and Training

Organization Proprietary & Confidential Page 8 of 9

Disaster Recovery Policy TEMPLATE BY

Document History

Date Version Author Change Description

mm/dd/yyyy 0.0

Organization Proprietary & Confidential Page 9 of 9