Disaster Recovery Policy

Requirements for developing and implementing IT disaster recovery plans

Disaster Recovery Policy

Field Value
Document ID POL-012
Classification Internal
Owner CTO (interim CISO)
Effective Date April 2026
Review Cycle Annual

1. Overview

Disasters occur infrequently; therefore, disaster recovery planning is often overlooked. However, having a well-defined contingency plan provides Wealthy with a competitive advantage by ensuring continuity of services during unexpected events.

This policy requires management to financially support and actively participate in disaster recovery planning efforts. Disasters are not limited to adverse weather conditions. Any event that could cause an extended service disruption must be considered.

The Disaster Recovery Plan (DRP) is typically a component of the Business Continuity Plan (BCP).

2. Purpose

This policy defines the requirement for Wealthy to develop and implement a baseline disaster recovery plan that outlines the process to recover IT systems, applications, and data from any disaster that causes a major outage.

3. Scope

This policy applies to IT Management Staff responsible for ensuring that the disaster recovery plan is developed, tested, and maintained.

This policy establishes the requirement to maintain a disaster recovery plan but does not prescribe detailed implementation requirements for sub-plans.

4. Policy

4.1 Contingency Plans

The following contingency plans must be created and maintained:

Computer Emergency Response Plan

Defines who should be contacted, when, and how. It also outlines immediate actions to be taken in the event of specific incidents.

Succession Plan

Describes the chain of responsibility when key personnel are unavailable to perform their duties.

Data Study

Identifies data stored on systems, including classification, criticality, and confidentiality requirements.

Criticality of Service List

Lists all services provided and defines their order of importance. It also establishes the recovery sequence for both short-term and long-term timeframes.

Data Backup and Restoration Plan

Details:

  • Data that is backed up
  • Backup frequency
  • Storage media and location
  • Retention period
  • Restoration procedures

Equipment Replacement Plan

Describes equipment required to restore services, the order of replacement, and procurement sources.

Mass Media Management

Identifies personnel responsible for communication with media and provides guidelines on information that may be disclosed.

4.2 Testing and Review

After creating the plans, they must be tested periodically to ensure effectiveness.

  • Management must allocate time to test disaster recovery plan implementation
  • Tabletop exercises should be conducted annually
  • Testing should identify gaps and allow improvements in a controlled environment

The disaster recovery plan must be reviewed and updated at least annually.

5. Recovery Procedures

5.1 Initial Response

In the event of a disruption, the organization performs basic assessment and response actions:

  • Identify the nature and impact of the incident
  • Notify relevant internal stakeholders
  • Check availability of core infrastructure and services
  • Verify backup availability
  • Initiate restoration activities where required

5.2 Service Restoration

Recovery efforts focus on restoring essential services:

  • Restore critical applications and infrastructure
  • Recover data from available backups
  • Validate system functionality after restoration
  • Apply temporary workarounds if needed
  • Coordinate with cloud providers or vendors if required

5.3 Full Recovery

Once critical services are restored:

  • Gradually restore remaining systems
  • Validate data integrity and configurations
  • Resume normal operations
  • Perform basic review of the incident
  • Update recovery approach if necessary

5.4 Recovery Priorities

Critical Services (High Priority)

  • Core application services
  • Authentication and access systems
  • Databases and storage
  • Payment or transaction services

Important Services (Medium Priority)

  • Reporting and analytics
  • Monitoring and logging
  • Internal tools

Non-Critical Services (Standard Priority)

  • Development environments
  • Testing systems
  • Archive data and support tools

6. Policy Compliance

5.1 Compliance Measurement

The Infosec team will verify compliance with this policy using various methods, including:

  • Internal audits
  • External audits
  • Business tool reports
  • Feedback to policy owners

5.2 Exceptions

Any exception to this policy must be approved in advance by the Infosec team.

5.3 Non-Compliance

Employees found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.