Review the IT Disaster Recovery Planning Process

Csarat

#1
Hi,

Currently, I am working on a project review of the IT Disaster Recovery Planning process for a client in the banking sector.
Does anyone have experience with reviewing an IT Disaster Recovery Planning process?

Please share any ideas, such as:
- What are the areas that we need to review in a DRP?
- Are there any standards or guidelines for DRP?


Many thanks,

Sarat
 

mihzago

Trusted Information Resource
#2
ISO 27002 may be a good place to get some info.

Wikipedia reference link: ISO/IEC 27002

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information technology – Security techniques – Code of practice for information security management.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#3
Good day Sarat, welcome to the Cove!

Computer Weekly has published an article on IT disaster recovery plan writing. Tech News World describes it as a process. While dated, the SANS Institute white paper provides more detail about a structured approach to creating your own plan; I think the approach is durable though the technology may have changed. Information Week's article about a cloud-based disaster recovery plan is more modern, and interesting in my view. I would be interested to learn what the cloud providers supply to customers in terms of process for document retrieval. None of my clients has managed to get such a procedure out of their cloud service providers, which we thought was odd and unfortunate.

I hope this helps!
 
Last edited:

Marc

Hunkered Down for the Duration
Staff member
Admin
#4
Thanks, Jen.

If anyone has any examples that can be shared here, it will be appreciated.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#5
Thanks, Jen.

If anyone has any examples that can be shared here, it will be appreciated.
I would like to add a cautionary word about sharing an existing plan. Some can be found on Google, like one for PMPA (whoever that is), because as MBAF points out, disaster recovery plans are specific to the man-material-machine-method-mother nature risk factors that can be quite variable between sectors and geographic locations.

The best source I found is a DR Risk Assessment Whitepaper that has the type of detail a planner could use as a guide to creating their plan. The paper even includes an example instruction for recovery of a specific piece of equipment.

I am not affiliated with the authors of these papers or their organizations.
 
Csarat

#6
Hi Jen,

Thanks for sharing; it really helps me get some ideas, as I am newly starting in IT Audit and Consulting. :)
 
#7
You may be able to come up with the best disaster recovery (DR) plan, assign responsibilities to the various personnel involved and ensure everything is in place. However, the critical part is maintaining the plan, testing it and ensuring that it is aligned with changing business needs and increasing risks.

A set of practices that need to be followed in case of the occurrence of risks or incidents. ‘The Business Process responsible for managing Risks that could seriously impact the Business. BCM safeguards the interests of key stakeholders, reputation, brand and value creating activities. The BCM process involves reducing risks to an acceptable level and planning for the recovery of business processes should a disruption to the business occur. BCM sets the objectives, scope and requirements for IT service continuity management.’

BCM is a process by which a set of best practices are put in place so that business processes run despite incidents. It is not only about putting reactive measures for continuing ongoing processes, but also, establishing proactive measures so that the risks of the future occurrence of a disaster are reduced.
BCM involves a set of actions:
  • Identifying the business to be recovered and prioritizing it
  • Assessing each of the IT processes and identifying the threats and vulnerabilities within them
  • Formulating the key recovery options and evaluating them
  • Formulating the contingency plan
  • Testing the plan
Service life cycle can enhance the disaster recovery process in your organization in a number of ways, some of which are described below.
  • Service Level Management (SLM):
    Service Level Management has a set of activities which ensure that business processes are in line with best practice guidance. When determining the business strategy, its effect on disaster recovery needs to be taken into account. While drafting the service level agreements, the business should understand how it can recover in times of disaster.

  • Incident Management:
    An incident is the occurrence of an event that disrupts the services of an organization temporarily. Incidents that go beyond control take the shape of a disaster. Disasters require organizations to follow a set of established practices to restore services to an agreed upon level. The process of detecting incidents, recording and resolving them must be established through IT service continuity management, so that the incident can be handled with efficiency.

  • Service Desk:
    The service desk is an efficient tool to document an incident and establish the workflow to be followed thereafter. The service desk’s standard template will be used to assign responsibilities to everyone involved so that the disaster recovery process can be accelerated.

  • Defining Individual Roles:
    While formulating the DR plan, it is important that the roles of individual personnel are clearly defined. Each individual should work on key recovery areas based on business impact analysis (BIA) and risk assessment.

  • Conducting Risk Analysis:
    Risk analysis identifies the possibilities of risks and the frequency of their occurrences. Management of Risk (MOR) for assessing risks: This method advocates the creation of risk profiles on the basis of their severity and possibility of occurrence. While performing the analysis, risk acceptance criteria should also be formulated following which the key measures to reduce risks can be planned.

  • Conducting BIA:
    For Business Impact Analysis (BIA), the key disaster areas should be identified, following which the impact on business processes should be measured. A BIA should measure both financial and non-financial aspects of a disaster, such as impact of revenue loss, data loss, and reputation loss after a disaster.

  • Recovering from Disaster:
    Two concepts apply here: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is the minimum time within which services should be recovered to normal state and RPO is the acceptable amount of loss in data after a disaster. Once the RTO and RPO are set, a crisis management team needs to be appointed to put the DR plan into action.

  • Develop Resiliency:
    Resiliency is the ability of a set of configuration items (CIs) to continue to function, given a circumstance of the failure of a few other CIs.

  • Update or Change and Train:
    Disaster Recovery plans need to be updated and changed as per the situation. This can be done in line with change management guidelines.

  • Training of Staff:
    Regular tests and training of staff speed up the process of DR. Regular training schedule needs to be established for staff members so that they are prepared to take the immediate steps in case of the occurrence of a disaster. In order to measure the effectiveness of the tests, use KPIs.

  • Implementing a DR plan and IT Recovery:
    The list of people to be contacted during DR should be planned in advance. The service desk should be equipped with this information so that it becomes the Single Point of Contact (SPOC) to mobilize personnel and distribute tasks. Once the DR process is completed, the recovery site should be evacuated and operations should resume in the primary site to minimize downtime.

  • Updating Business Processes:
    Service Strategy - List of Services offered: The business impact of services and the return on investment (ROI). It is crucial that regular research is carried out to ensure that DR services offered are up to date.

Occurrences of incidents, problems and disasters are not uncommon in organizations. However, the crucial part is how a disaster is dealt with. Best practices and tested methodologies guarantee speedy recovery after a disaster.

I hope it will be helpful to you guys.
 
Last edited by a moderator:
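A worked check for the RTO/RPO and plan-testing points made in the post above, added here as an illustration (it is not code from the thread). It assumes a constructed service inventory with each service's BIA tier, RTO/RPO targets, backup interval, restore time measured in the last DR test, and last test date, plus an assumed expectation that the plan is tested yearly.

```python
# Added example, not from the thread: a reviewer's check that each service's
# stated RTO/RPO is achievable given its backup cadence, measured restore time
# and DR test history. Field names and the inventory are constructed.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
MAX_TEST_AGE_DAYS = 365  # assumption: the plan is expected to be tested yearly

@dataclass
class Service:
    name: str
    bia_tier: int                 # 1 = most critical, from the BIA ranking
    rto_hours: float              # target time to restore the service
    rpo_hours: float              # tolerable data loss, in hours
    backup_interval_hours: float  # how often a recovery point is taken
    restore_time_hours: float     # restore time measured in the last DR test
    last_test: Optional[date]     # None if the plan was never exercised

def review_service(svc: Service, today: date) -> List[str]:
    """Findings for one service; an empty list means no issues."""
    findings = []
    # Worst-case data loss is a full backup interval, so it must fit the RPO.
    if svc.backup_interval_hours > svc.rpo_hours:
        findings.append(f"{svc.name}: RPO {svc.rpo_hours}h unachievable, "
                        f"backups every {svc.backup_interval_hours}h")
    # The RTO is only credible if a real restore has been done inside it.
    if svc.restore_time_hours > svc.rto_hours:
        findings.append(f"{svc.name}: RTO {svc.rto_hours}h unachievable, "
                        f"last restore took {svc.restore_time_hours}h")
    if svc.last_test is None:
        findings.append(f"{svc.name}: DR plan never tested")
    elif (today - svc.last_test).days > MAX_TEST_AGE_DAYS:
        findings.append(f"{svc.name}: last DR test on {svc.last_test} is stale")
    return findings

def review_plan(services: List[Service], today: date) -> List[str]:
    """Review every service, most critical BIA tier first."""
    findings = []
    for svc in sorted(services, key=lambda s: s.bia_tier):
        findings.extend(review_service(svc, today))
    return findings
# Constructed inventory for a hypothetical bank (not real data).
SAMPLE = [
    Service("core-banking", 1, 4, 0.25, 0.25, 3, date(2023, 11, 1)),
    Service("online-banking", 1, 2, 1, 24, 6, date(2021, 3, 15)),
    Service("hr-portal", 3, 72, 24, 24, 10, None),
]
if __name__ == "__main__":
    for finding in review_plan(SAMPLE, date(2024, 1, 10)):
        print(finding)
```

Running it on the sample inventory flags online-banking on all three checks and hr-portal as never tested, while core-banking passes.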
#8
Hi Jen,

Thanks for sharing; it really helps me get some ideas, as I am newly starting in IT Audit and Consulting. :)
Hello Csarat, I'm also new to IT Audit, do you have any insight on the kind of interview questions to ask the auditee during a BCDR audit?
 

Tagin

Trusted Information Resource
#9
NIST has a free document, 800-34 Contingency Planning Guide for Federal Information Systems, which provides comprehensive guidance for DR. Although it says 'federal', it can be used for any kind of organization, and it also elaborates on 8 different types of plans, such as DR, BCP, Incident Response, etc., which each have different use and scope.

The Supplemental Information on the right-hand side includes multiple templates, based on low/mid/high impact systems.

NIST's CyberSecurity Framework also includes DR under the "Recover" section.

Finally, DHS has a well-written free downloadable software program called CSET (Cyber Security Evaluation Tool) that can be used for self-assessment. I include CSET as an annual exercise to assist in risk mgmt of our IT.
 