Vous êtes sur la page 1sur 5


Does the company possess a formal Disaster Recovery Plan (“DRP”)? (Note: the
scope of this review focuses only on information technology continuity, recovery
and restoration.)
If not, what procedures do the company employ to ensure the safety of staff and
the continuity of operations in the event of a disaster? (Attach any relevant


Has the plan or decision to develop a plan been discussed and approved by
executive management?
Has the objective of the DRP been formally defined and documented?
Has management reviewed all legal, regulatory, statutory and contractual
requirements, as well as insurance-related restrictions, in reference to disaster
recovery planning?
Has an owner(s) been given responsibility for the development and maintenance of
the plan?
Were key business and IT personnel involved in developing the plan?
Have adequate funding and resources been committed to the development and
maintenance of the DRP?

Has the business created process maps for its business functions?
Has the company made a comprehensive assessment of all key risks to the
business and how they affect the continuity of business operations? Does the
assessment include all critical Information Technology systems and computer-
controlled devices?
Were each of the following risks taken into consideration:
Work Area Fire
Data Center Fire
Power Interruption
Weather Event (Hurricane, Flooding etc.)
Industrial Sabotage
Civil Emergency (Riots, Strikes etc.)
Hardware Failures (Telecommunications or Electronic Data Processing)
Software Failure
Water Stoppage
Loss to Telecommunications Gateway Access
Computer Vandalism/Virus
Bomb Threats
Health Emergency
Loss Caused By External Dependencies

Were vulnerabilities experienced by vendors and business partners addressed?

Was the risk assessment exercise performed by a representative cross-section of
business process and Information Technology personnel?
What methodology and criteria were used to assess risk?
What were the steps in calculating the likelihood of risk occurrence?
Was the effectiveness of existing controls and safeguards evaluated? Were control
deficiencies documented during the risk evaluation?
Did the risk evaluation take into account the following key IT processes which affect
a timely business system recovery:
Performance monitoring
Capacity planning
Asset management
Incident response
Help desk
Virus protection
Patch application and tracking
Did the risk evaluation process address the following environmental controls:
Physical security
Fire protection
Water detection
Temperature control
Power backup (UPS / power generators)

Were IT employee considerations assessed during the risk evaluation, to include:

Employee turnover
Employee expertise
Employee availability
History of workplace violence
Excessive reliance on key employees or contractors
Were hardware fault tolerance solutions identified and assessed for the network
and major business application systems, to include the following:
Load balancing
Directory synchronization
Was the voice and data communications infrastructure assessed? Were the
following considerations addressed:
Single points of failure (local central office and interexchange carrier)
PBX failure
Threat of inadvertent cable cuts
Performance and scalability degradation
Usage of network diagnostic and/or troubleshooting software
Were all major communications methods addressed:
Did the DRP project team address threats to all systems and network components,
either internal or outsourced? Did the team address external and internal threats?
Were system configurations noted and reviewed against best practices? The
following list represents the major components that should be addressed in most
DRPs, as applicable:
Network servers
Web servers

Application and database servers (to include application and database security)
Peripheral devices
Storage Area Network technologies
Network devices (e.g. routers, switches, hubs, bridges, etc.)
Remote access servers
Digital certificate server
PKI solution
E-mail servers
FTP servers
LDAP/directory services
Intrusion detection systems
Wireless network devices

Were database data backup and recovery configurations assessed during the risk
evaluation? Are the DBAs making use of archive logs and journaling techniques?
Were security exposures taken into account during the risk evaluation phase of the
project, including the following specific categories of security risks:
physical security
information security
communications security
network security
Have the risks been prioritised in order of criticality?

Are there plans to re-perform the risk assessment on a regularly scheduled basis?
Were existing backup and restoration procedures reviewed, to include backup
frequency, methods utilized and backup media testing? Do feasible, cost-effective
backup and restoration procedures for all organizational forms and vital records
exist? Is off-site storage utilized?
Does the business have any reciprocal site provision agreements with similar
Does the company have comprehensive insurance?


Have potential interruptions been identified?
Has the business been able to quantify and/or qualify the impact that the risks
identified will have on the business?
Were recovery windows for critical business systems and support functions
identified based on their level of criticality (recovery time objectives – RTOs)? Did
the recovery window development process take into account parallel and
interdependent activities? Were the business process owners involved in validating
the RTOs developed for each business system?
Did the DRP project team identify maximum data loss thresholds (i.e., how much
data loss could be tolerated)? Do the recovery point objectives (RPOs) work in
terms of the data backup and recovery strategies currently in place?
Have the loss potentials been estimated?
If so, have the following costs been taken into account:
Replacement Costs
Reconstruction Costs
Loss of time
Loss of client confidence
Have additional risk mitigation strategies been proposed for implementation to
counter likely risks to which critical business processes are vulnerable?
What organizational level has participated in the impact analysis exercise? Did
executive management approve the results of the BIA?
Based on the impact analysis and resource limitations, has the business developed
a process for evaluating and prioritizing Disaster Recovery Planning related

Have business resources been identified for criticality in the event of a disaster?
Were minimum internal and external resource requirements for recovery and
resumption of critical systems and support functions documented? Are additional
resource requirements identified? Are resource requirements listed as owned or


Is a hot-site contract in use to recovery critical systems? Is the recovery scenario in
line with RTO requirements? If a hot-site contract is not in place, is an alternate site
available for systems recovery?
Have interruption and service levels been approved?
Were alternative recovery strategies identified for each IT support service? Was
the risk associated with each strategy taken into account? Was a formal
assessment of each alternative strategy compared against the results of a business
impact analysis?
Were multiple recovery / restoration strategies identified for each critical system or
support function and presented to IT senior management or executive management
for consideration?

Was a cost/benefit study performed to assess the feasibility of such strategies?

What steps have been taken/are planned to mitigate the risk of a disaster having an
impact upon the business, e.g. the use of a hot-site?
Has a response plan for critical technologies been developed?
Have damage assessment requirements been identified?
Have restoration procedures been developed?
Have disaster recovery team procedures been developed?
Have vendors and suppliers been contacted to discuss work-arounds?


Does the plan identify an IT disaster declaration authority?
Has the company identified and developed effective disaster avoidance and
recovery mechanisms?
Have these recovery mechanisms been prioritized and broken down into logical
stages? Are detailed recovery and restoration procedures documented?
Does the plan identify a recovery site for each critical business system or support
Has the plan been designed around a recovery team concept? If so, do the team
sections include a team description, organization, personnel, skill composition,
responsibilities, support staff and specific contact procedures?
Does the plan conform to regulatory and statutory requirements?
Have communications plans been established for essential groups, including
employees and their families, key customers, key suppliers, corporate /
headquarters management and other critical parties?
Have reasonable methods been used to estimate costs?

Have resource requirements in a disaster been assessed? If so, do they include:

Data/Vital Records
Facilities and

Are there any plan maintenance procedures in place?
Has the DRP been tested? If so, has feedback from the tests been documented
and incorporated into the plan?
What was the nature of the test (i.e. was the whole plan tested or individual
How often are tests performed? Has the DRP been verified and approved by a
Is the DRP reviewed regularly in order to reflect changes in key business
Do all key personnel have copies of the plan?
Is the plan available in hard copy at all critical sites in the event of systems
Has key staff been trained with the necessary skills and knowledge to perform in a
business interruption or disaster?
Are there sufficient trained personnel on-site in the event of an emergency,
particularly a systems related incident?
Is a DRP vendor used by the business?
If so, what services does the vendor provide?