* 1. Please provide your name, role at the organization, and email address.

* 2. Briefly describe how your organization identifies mission-critical systems.

* 3. Do you feel your current disaster recovery plan (DRP) adequately addresses the impact and magnitude of loss resulting from an interruption of these critical systems? Please describe.

a. Have you considered any alternative methods for addressing this requirement?

* 4. Are allowable outage times defined for critical systems as part of the business impact analysis?

* 5. Do all parts of your DRP include step-by-step implementation instructions?

* 6. Does your current DRP provide restoration priorities and metrics?

* 7. Has your organization defined and documented a requirement for periodic review of the DRP?

* 8. Has your organization defined and documented a requirement for periodic approval of the DRP?

* 9. Has your organization defined and documented the individual(s) responsible for approval of the DRP?

* 10. Has your organization defined and documented a distribution list for copies of the DRP?

a. If yes, what key personnel and/or departments is your DRP distributed to?

* 11. Has your organization defined and documented a frequency of testing of the DRP?

a. If yes, what is the defined frequency?

* 12. Has your organization defined and documented the expectations of this testing, including what types of tests and for which critical systems?

a. If yes, please describe.

* 13. What analysis or documentation is done for test results?

* 14. Who is responsible for initiating corrective actions?

* 15. How do you document lessons learned?

* 16. Is any training provided to users with an assigned role in disaster recovery?

a. If yes, how soon after assuming the role or responsibility does the user undergo training?

b. If yes, describe the type of training and who is responsible for conducting the training.

* 17. Are any of your mission-critical applications hosted by a third party or vendor?

a. If yes, is there an agreement in place between the vendor and the organization regarding standards for backups and disaster recovery?

b. If yes, describe the agreement and the vendor’s responsibilities.

* 18. What areas of your DRP do you think need to be improved?

* 19. What challenges or barriers does your organization face in improving or addressing these areas?

* 20. Prior to this audit, were you aware of the upcoming changes to TAC 202 and the addition of the security controls catalog standards?

* 21. Do you have any concerns about your organization’s preparedness for the new security controls catalog standards? If so, please explain.
