Recovery strategy summary: In this section, a plan will typically outline the broad strategies to be followed in each of the scenarios identified in the plan introduction section. The following list comes from Sungard.
- Recovery tasks: This section of the plan will usually provide a list of the specific recovery activities and sub-activities that will be required to support each of the strategies outlined in the previous section.
- Recovery personnel: Typically, a DR/BCP plan will also identify the specific people involved in the business continuity efforts.
- Plan timeline: Many plans also include a section in the main body that lays out the steps for activating a plan (usually in the form of a flow chart).
- Critical vendors and their RTOs: In this section, a plan may also list the vendors critical to day-to-day operations and recovery strategies, as well as any required recovery time objectives that the vendors must meet in order for the plan to be successful.
- Critical equipment/resource requirements: A plan may also detail the quantity requirements for resources that must be in place within specified timeframes after plan activation. Examples of resources listed might include workstations, laptops (both with and without VPN access), phones, conference rooms, etc.
5 Change management
Purpose: to assure that changes are managed, approved and tracked.
Finally, let's look at change management. All too often, things move very fast in a corporate IT department. Systems and software are being updated, modified or replaced for a number of reasons. Without change management, a firewall may be updated and suddenly stop business traffic from flowing, or it may cause unexpected data loss or data leaks by not being restrictive enough. Unexpected things often happen when we make a change or update.
Change management forces us to slow down, make a plan, and ensure that we completely understand the change and its potential impact on other corporate systems and data. Change management also puts a back-out plan in place in case the change goes bad or has unintended consequences. It helps ensure that the business impact is completely understood and approved by leadership before any changes are made.
Scope: The scope of this policy includes all personnel, including external vendors, who have access to or are responsible for defining, planning or designing the software for the production systems for any and all systems located at the Company XYZ facility.
Policy: Notification must be completed for each scheduled or unscheduled change following the steps contained in the Change Management Procedures.
- A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not.
- A Change Management Log must be maintained for all changes. All Company XYZ information systems must comply with an information systems change management process that meets the standards outlined above.