AL Refs: REC07, GOV39
Purpose and Scope
The objective of the Disaster Recovery Plan is to document the planned procedure for recovery of the critical systems and infrastructure in the event of a major adverse event. This may include a system security breach, loss of integrity or availability of the production databases, a system or third-party vendor failure that causes corruption or outage of the critical production systems, or other major incident where recovery of the systems and infrastructure is required. It should be used in conjunction with the Incident Management Policy, Incident Response Plan and Business Continuity Plan. The Disaster Recovery Plan focuses on the operational steps for system recovery, whereas the Incident Response Plan covers the operational steps for managing the event and the Business Continuity Plan covers ensuring continued business operations.
Example Disaster Recovery Plan
Responsibilities
Incident Management Owner
Responsible for all aspects of the implementation and management of the Incident Management Policy, Incident Response Plan, and Disaster Recovery Plan including readiness to respond to events, revisions and communication of the plans, and allocation of responsibilities. Responsible for decision making in relation to major events including when to enact this plan.
Emergency Response Team
The Emergency Response Team is required to oversee and coordinate the incident response and ensure all appropriate steps are taken until the matter can be closed and retrospectively reviewed for lessons learned. The team is responsible for ensuring appropriate awareness and readiness to respond to major incidents, including disaster recovery requirements.
Information Security Manager
The Information Security Manager is responsible for assessing incidents and responses to ensure information security implications are considered and mitigated appropriately.
Important Contacts
ERT Contacts:
| Name | Title | Contacts |
| --- | --- | --- |
| John Billings | CTO | M: |
| | Operations Manager | |
| | CEO | |
| | COO | |
| | General Counsel | |
The Board & Senior Leadership Team
| Name | Title | Contacts |
| --- | --- | --- |
| | | |
| | | |
| | | |
| | | |
| | | |
External Parties
| Name | Responsibility | Contacts |
| --- | --- | --- |
| CyberLead | Emergency security response and advisory | Alireza |
| | Legal counsel on products liability | |
| | Public relations consultancy | |
System Components and Recovery
Each system component has a backup and recovery process, set out in the table below. The table identifies whether backups are performed and where they are located, so they can be sourced if recovery is required. The Recovery Time Objectives (RTOs) are based on the criticality of each system and set the priority and target time for returning that system to live operation. The recovery steps give a step-by-step guide to what is required to complete the recovery for each system or system component.
| System component | Backup | RTO* | Recovery steps |
| --- | --- | --- | --- |
| MongoDB Database | Yes: EC2 | 2 hours | - Log into AWS Management Console - Download the backup data required - Use MongoDB mongorestore to recover the data |
| Application servers | Yes: EC2 | 2 hours | - Log into AWS Management Console - Delete existing instances of the application servers - Run the CloudFormation to rebuild the application servers |
| GitHub source code | Yes: EC2 | 24 hours | - |
| Website | Yes: EC2 | 24 hours | |