Lock Disaster Recovery Plan away or not?

My organization has put together a Disaster Recovery Plan.  We are debating - should the DRP be locked away to prevent tampering or should it be stored in an unlocked area.  Any particular down sides to having one or the other?
rindi Commented:
A disaster recovery plan is not something no one should know about. On the contrary, everyone should know what to do in case of disaster. I suggest you hang it up in the server room as well as some other places where it may be needed. This shouldn't be kept a secret!
What you would want to lock away and keep secret are passwords necessary.
gpriceee Commented:
A disaster recovery plan should also include within it alternatives to administer the plan.  If you lock away the plan and cannot get to it, what value does it have?

In our plan, we have binders with not only the plan but recovery CDs to create servers--assuming the building gets hit by a tornado or something else while the majority of IT is in it.

The Senior VPs have binders that they have locked in their homes and not places that only can be accessed during specified hours.  If the business goes down, it needs to be brought up--no matter what time it goes down.

If the Senior VPs can't be trusted, then why are they Senior VPs?  They can be trusted with the plans.  Some IT folks have a hard time with that, but then again, why should the business trust only us for its future?

Ron Malmstead, Information Services Manager, Commented:
It is recommended to keep your disaster recovery plan somewhere safe, with no access to those who aren't involved in the recovery or backup plan.  IT admins only.

If you're backing up to tape drive for instance...only backup operators should have access to the tape drive and backup server.  A locked server room should be sufficient.  Your tapes should be rotated daily, and yesterday's tape should always be kept off-site in case of fire.  A fireproof safe should hold all of the other remaining tapes...I buy tapes ..one for every day of the month....labeled 1-30...makes finding your restore tape easier.

The fact that you have a backup/recovery plan should not be secret....It is comforting to users to know that their files are being backed up.  I would backup a user share and make a company policy that all user files be kept on that share "User Shared Folders"....instead of the habit of saving work to the My Documents folder.
I think you're mixing something up. The Disaster recovery plan isn't the servers or tapes themselves.

It is a file or can be some piece of paper on which is written what has to be done in which eventuality, i.e. what needs to be done if there was a fire or a flood or a server crashed etc. This info has to be known.

Of course the server room needs to be locked, the tapes (at least certain tapes) should be kept off site etc etc. In fact this is part of the info which belongs into the file or on that piece of paper which is described by the Disaster Recovery Plan itself.
simonenticott Commented:

We keep several copies offsite - me, my colleague, and a few of the technical managers and a director.  We also have a dedicated offsite recovery centre on standby (in case the building goes up in flames etc.), we have a copy there, there is also a copy in our fire safe, which all internal systems people have access to.  All of the binders have the paper plans/contacts etc. as well as CDs of info (DNS, server configs, serials etc.), we also include server and backup exec CDs to get the process going.

I wouldn't leave it available to just anyone as there will be operational sensitive info in there that a hacker could use, though if you lock it away you risk not being able to get it when you need it.  Ideally there should be an offsite copy with each person that can invoke the plan, a copy secured in your server room, and one other copy secured at work in a different location.

It's also important that you test your plan at least annually, my predecessor spent 6 months backing up blank space :)

The recovery plan doesn't need any sensitive data inside, it just tells you how to do what in case of disaster. There should be mention where to look if you need serials or passwords etc, and those must be locked away, as well as the original CDs and their copies.

Of course the backup strategy should be included in the recovery plan, but a normal backup strategy of course includes regular restores to make sure you have backed up your blank space correctly (Always restore some of your blank space from your backup and compare it with the original blank space, if one of those blank spaces is blanker than the other, the backup is a blank....)
are you talking about an IT DRP or a general DRP?

that's totally different
bboy77 (Author) Commented:
Thanks for all the input thus far. Lots of good points on either side. I'm talking about an IT DRP plan, the regular drp document is with the CEO and not very detailed.  I have seen major institutions, like MIT post their IT DRP plan online available to anyone.  Our DRP plan does not have usernames or passwords of systems on it, but it does have an inventory of all critical applications and assets.

I'm trying to view this from a security perspective and see if it makes sense to lock the DRP plan to prevent tampering or any other caveats I might not know about. After reading all the responses I'm thinking it should be available so that everyone in the organization is familiar with it, but I'm not sure if that becomes a security threat by exposing too much information.  
You can create a plan in two or more stages. One displaying the general plan which would not have any critical info in it, but which would point the users in the correct direction for the rest of the info.
Question has a verified solution.
