DRP & PEN Tests

Part of you Business Continuity plan is the Disaster Recovery Plan, how to act in case of disaster.  

Exercise for defining your crisis/disaster 

DRP: Define what you (for you business) consider: 

1. an event 
2. an incident
3. a disaster / crisis

In your Documentation Toolkit you can find procedures to address the events and incidents: 

• For an event we have the Log and Monitor Procedure in place. 
• For the incident we have addressed in the Improvement Procedure.  
  
• The procedure during disaster / crisis, you will need to compile your self – as this is a very customized procedure. How do you recover your (eg source code and database) during a disaster? Define Recovery Time Objective (RTO): The maximum acceptable time that your application can be offline. Define Recovery Point Objective (RPO): The maximum targeted period in which data might be lost from an IT service due to a major incident; ie, the amount of time that an application or data store can tolerate data loss.

An event and incident will occur probably more often then a disaster / crisis – so you will need to define a contingency plan (disaster recovery plan) – who does what in case of disaster. If you have defined you will need to test this plan (at least once a year) – make sure you have a control in place for this. Review all the steps of our DRP and also think of a second of third plan – in this case you can improve your DRP every year. 

During defining this procedure, you might come up with topics that you want to improve immediately. Make sure that you add this improvement in Compleye Online. 

Also findings from PEN Test will deliver valuable information for defining your Disaster Recovery Plan (DRP). In this section you can provide evidence and document the findings of PEN tests.