DRP & PEN Tests
Part of your Business Continuity Plan is the Disaster Recovery Plan (DRP): how to act in case of a disaster.
This section consists of 2 steps.
Step 1: Perform the DRP Assessment
Step 2: Process your findings in this DRP Assessment section.
Exercise for defining your crisis/disaster
DRP: Define what you (for your business) consider:
- an event
- an incident
- a disaster / crisis
In the Template section you can find procedures to address events and incidents:
- For an event we have the Log and Monitor Procedure in place.
- Incidents can be addressed in the Improvement Procedure.
- You will need to compile the disaster/crisis procedure yourself, as it is a very customised procedure. How do you recover your systems and data (e.g., source code and database) during a disaster? Define the Recovery Time Objective (RTO): the maximum acceptable time that your application can be offline. Define the Recovery Point Objective (RPO): the maximum targeted period in which data might be lost from an IT service due to a major incident; i.e., the amount of data loss, measured in time, that an application or data store can tolerate.
Events and incidents will probably occur more often than disasters/crises, so you will need to define a contingency plan (Disaster Recovery Plan) – who does what in case of disaster. If you have defined that this plan must be tested (at least once a year), make sure you have a control in place for this. Review all the steps of your DRP and think of a second or third plan – this way you can improve your DRP every year.
Whilst defining this procedure, you might come up with topics that you want to improve immediately. Make sure that you add this improvement in Compleye Online.
Findings from a PEN test will deliver valuable information for defining your Disaster Recovery Plan (DRP). In this section you can provide evidence and document the findings of PEN tests.
Now that the actual work has been done — performing the DRP Assessment — it’s time to process the findings and turn them into actual improvements. This is the final step for DRP and will need to be done by a compliance officer. To make this job easier, you can make use of the suggestion for improvement (owner, title of improvement) during the session. We advise you to do this with the entire ISMS team the first time that you do it so that everyone understands the process and ownership.
- You can simply click on the “Create New DRP” button at the bottom-left of the page.
- It will open a new tab where you can upload the DRP document. This document can’t be deleted, but only downloaded once it’s attached. The DRP card will be named by the date it’s uploaded. You can upload multiple documents; make sure you upload the main document first.
- After creating the DRP you can add the findings. You can also attach other relevant documents in the tab Attachments. This isn’t mandatory.
- When adding a finding, an option to create an improvement will automatically appear in blue.
NOTE: if you don’t create an improvement, you will need to justify to the external auditor why you did not address that finding. Perhaps you have already solved the improvement and added the evidence in Attachments. If so, please make sure that you have addressed this in the finding (e.g., by adding ‘Already solved by… Evidence can be found in attachment.’). We strongly advise creating an improvement for each finding. Improvements will become part of the Management Review and show that you are able to improve and mature your ISMS.
When you create an improvement, a new pop-up screen will appear.
- Finding: already filled in, with the tag DRP, to identify where this improvement came from.
- Owner: you will need to assign an owner who will be responsible for the improvement.
- Due Date: estimated date for expected first results.
- Once every field is addressed, you can push the ‘create improvement’ button and it will automatically create an improvement with an ID in the Improvements section. It will also show in the current ISRA section as ‘Improvement has been created’.
Now, two things are needed:
- The owner will need to work on the improvement. Please make sure that the owner has access to the board and add an email address in the @people section to ensure that they receive notifications on the deadlines for improvements.
- Make sure that the owner reads the wiki on the improvement and starts working on it.
- Once the improvement is closed it will be indicated with a green check-box tick in the tab, along with the date and the person that closed the improvement. Remember that the DRP Procedure notes that with every new DRP performed you will need to check whether the previous findings have been addressed. So, when you perform the next DRP, first make sure that all the findings of the last DRP have been addressed by a closed improvement.
|Field|Description|Example|
|---|---|---|
|Improvement Title|Define a name for the improvement. This is not the finding, but e.g. the name of a project/plan that is easily recognisable to the ISMS Team.|If the finding is ‘Two-factor authentication is not enabled’, the improvement could be ‘Enable two-factor authentication’.|
|Owner|Person responsible for the improvement.|One of your ISMS Team members|
|Finding|Finding of the DRP. This will automatically be filled in the pop-up menu once defined in the section.|Two-factor authentication is not enabled|
|Due date|Always start with a due date for when you want to have your first improvement milestone ready, e.g. when the project plan, proposal or first step needs to be finalised. Used as a reminder (the owner can receive a notification 3 days prior to the due date).|Select the date|
|Origin|Filled in automatically, according to the section.|DRP|