You should have a disaster recovery plan when a data breach occurs within your Company. SAS 70 audits mostly will require you to have a plan documented, but the details of the plan are usually not adequately reviewed. Every disaster recovery plan should have basic requirements which include:
- Who to call when an Exchange server malfunctions?
- What do you do when a fire occurs in your Datacenter? Do you use the fire extinguisher? Pull the fire alarm? Or run out the front door and call the fire department on your cell phone. There are many tasks that must be done to prevent a catastrophe and each has to be assigned.
- Where do you report when the Datacenter is flooded? Do you meet at the local coffee shop or the CIO’s home? You need to designate a safe site so that you are quickly able to establish communication and implement the disaster recovery plan.
- When does the disaster plan take effect? Is it implemented when a laptop is lost? Or an i-Phone is missing? Or is it when a more serious virus causes your network to go down? You have to know when to ring the disaster bells or the CEO, CIO, CFO will not take you seriously if you call him daily about the missing cell phone.
- How do stop a virus from causing your entire network from disruption or just your access to internet or emails? Do you unplug the network or do you call third party services and report the issue?
If a disaster occurs – consider it like your home were burning….your most critical asset….a disaster recovery plan requires forethought and an impact analysis to make sure that your Company can still function on a day to day basis. Make sure you have a Disaster Recovery Plan ready for your SAS70 audit and so that you can come to work the next day. Sas70Expert@gmail.com