Each key business system must have a documented DRP to provide guidance when hardware, software, or networks become critically dysfunctional or cease to function (short- and long-term outages).
Each DRP must include an explanation of the magnitude of information or system unavailability in the event of an outage and the process that would be implemented to continue business operations during the outage. Where feasible, the DRP must consider the use of alternative, off-site computer operations (cold, warm, hot sites).
Each plan must be reviewed against the organization’s strategy, objectives, culture, and ethics, as well as policy, legal, statutory and regulatory requirements.
Each DRP must include:
An emergency mode operations plan for continuing operations in the event of temporary hardware, software, or network outages.
A recovery plan for returning business functions and services to normal on-site operations.
Procedures for periodic testing, review, and revisions of the DRP for all affected business systems, as a group and/or individually.
Data Backup and Restoration Plans
Each system owner must implement a data backup and restoration plan.
Each data backup and restoration plan must identify:
The data custodian for the system.
The backup schedule of each system.
Where backup media is to be stored and secured, as well as how access is maintained.
Who may remove backup media and transfer it to storage.
Appropriate restoration procedures to restore key business system data from backup media to the system.
The restoration testing plan and frequency of testing to confirm the effectiveness of the plan.
The method for restoring encrypted backup media.