- Identifying business processes
  - How critical are they to the business?
  - What are the RTOs for them?
  - What is the supply RTO for them from IT?
  - Do they rely on the applications, or could they be performed manually in case of disaster?
  - If there are gaps between the business's demand RTO and IT's supply RTO, negotiate with Sr. Mgmt to either implement the changes or sign off on accepting the risk
- Assess the potential external / internal risks for the company
  - What are the disruptions to the business? (e.g. natural disasters, flu pandemic, building not available, etc.)
  - What are the internal risks? (e.g. access privilege violation, information theft, etc.)
  - Create a "Criticality Matrix" to assess the probability of each risk occurring to the organization. This could be rated on a High/Medium/Low basis
- Review all DR/BCP plans
  - Start with the Tier 1 critical applications and go down the list
  - Conduct a plan review called a "Tabletop" with the plan builder to review and update the document
  - Then conduct a "Walkthrough" in which the plan builder presents the plan in front of all stakeholders. You can also invite internal/external audit to assess the process
  - Conduct a functional test
- Vendor management
  - How often are the vendors reviewed?
  - How often are the vendors visited? The top 10 critical vendors must be visited on an annual basis. This could be merged with the Security Assessment.
  - Obtain information on data center locations, disaster recovery tests and contact persons, as well as the dates and times of past and future tests
  - Record this information within the plans and ensure that each plan that requires a vendor application to be available contains this vendor information
- Functional testing
  - How often are the critical applications tested?
  - Is the testing methodology aligned with the corporate goals? Are you getting service disruptions during the tests?
  - How often are Tier 2, 3 and 4 applications tested?
  - Are multiple tests conducted concurrently? (e.g. testing 20 applications as a bundle in a data center failover test)
  - Review the test certifications to ensure they contain the critical information, such as: test times, applications tested, hardware tested, issues logged, resolutions found, physical signatures of the testers, and Sr. Mgmt approvals