The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.
I would suggest that you include essential areas in your document:
(1) Network configuration;
(2) Current operations procedures;
(3) Offsite data storage;
(4) Disaster recovery program.
Also, you should ask a manager about the Disaster Recovery objectives and the business continuity plan. If she/he is unable to provide you with that, there isn't a plan for BCP and DR. Management should look at business risks and technical risks and should be able to make the main BCP. Take the following points/questions into consideration:
1) During the course of a disaster or significant disruption, does your organization have written plans for business continuity and IT disaster recovery?
YES/NO
2) If you answered “Yes” to question (1), do the established plans cover critical business functions with recovery priorities?
YES/NO
3) Have you performed a business impact analysis including Recovery Time Objective and Recovery Point Objective?
YES/NO
4) Does your Business Impact Analysis calculate and classify the financial risk of disturbances to all vital functions?
YES/NO
5) Have you taken actions to mitigate known risks and single points of failure (e.g. power loss, physical access, etc.)?
YES/NO
6) Do you have a dedicated team of professionals focused on business continuity and/or IT disaster recovery?
YES/NO
7) If you answered “No” to question (6), is there an established external business continuity and disaster recovery service provider to handle your planning needs?
YES/NO
8) Is senior management fully committed to disaster recovery and business continuity?
YES/NO
9) Are your disaster recovery costs, options, and disaster declaration procedures understandable?
YES/NO
10) Do you have a sufficient budget to support your disaster recovery program?
YES/NO
11) Is your business continuity plan updated regularly to keep it current with hardware, software, business and staffing changes?
YES/NO
12) Is there an organized training and awareness program for your employees?
YES/NO
13) Does your disaster recovery centre have an operation centre?
YES/NO
14) Is there remote accessibility to your disaster recovery centre?
YES/NO
15) If you answered “Yes” to question (1), is the plan periodically tested?
YES/NO
16) If you answered “Yes” to question (15), how often is the plan tested?
Annually -----------------------
Semi-annually -----------------------
Other (Please specify) -----------------------
17) Did you test the plan in 2008 and the first half of 2009?
YES/NO
18) If you answered “Yes” to question (17), please specify the test dates and whether the tests were satisfactory or not.
Test Dates                 Yes      No
(1) ------------------     ……       ……
(2) ------------------     ……       ……
(3) ------------------     ……       ……
(4) ------------------     ……       ……
(5) ------------------     ……       ……
(6) ------------------     ……       ……
18.1) Who rates the success criteria of the executed tests?
Internally Rated
Other
19) Do the tests include market participants who have direct or indirect relations with your organization?
YES/NO
19.1) Do you practice spontaneous tests to recover from a Disaster Recovery Site and resume the day from that location?
YES/NO
20) Have you tested your plan using a worst-case scenario?
YES/NO
21) Has your plan been tested for the possibility of facility loss?
YES/NO
22) If you answered “Yes” to questions (20) or (21), did testing prove that you can follow all Recovery Time Objectives and Recovery Point Objectives?
YES/NO
23) In the event of any disaster, how long does it take for you to stand up your system? (Please specify)
……………………………………………………………………
24) Does your organization have a documented crisis management process?
YES/NO
25) If you answered “Yes” to question (24), does the process cover internal and external communications during a crisis?
YES/NO
26) In the case of a disaster are you prepared to address liabilities and responsibilities?
YES/NO
27) In the event of an outage or emergency do you provide detailed contact information?
YES/NO
28) Do you have a recovery strategy?
YES/NO
29) If you answered “Yes” to question (28), what is your organization's recovery strategy?
Hot Sites
Warm Sites
Cold Sites
Duplicate information processing facilities
Mobile sites
Reciprocal arrangements with other organizations
30) Where is your disaster recovery centre, and how many kilometers away is it from your organization? (Please specify)
……………………………………………………………………
31) Do you have a backup strategy?
YES/NO
32) Do you have written backup and archive procedures?
YES/NO
33) Do you have industry-standard back-up solutions? (media, tape drives, library, software etc.)
YES/NO
34) To ensure sufficient permanent access, do you have a migration policy to "refresh" tape technology and data formats every three to five years?
YES/NO
35) Do you always use the "verify" option to ensure that your system backups are working?
YES/NO
36) Do you periodically test your back-up media?
YES/NO
37) Can you access your past data with your back-up strategy?
YES/NO
38) Are backups fully automated for unattended operation (autoloaders, etc.)?
YES/NO
39) If your backups are manual, do you follow a sound process and written procedures?
YES/NO
40) If your backups are not manual, do you have online backup?
YES/NO
41) Does your current backup and recovery methodology fulfill management’s business uptime needs?
YES/NO
42) Do you regularly send your backup copy to a safe, off-site archive?
YES/NO
43) Do you have a retention period on backup data for legal obligations?
YES/NO
44) Is media properly taken care of when shipped, handled, stored, and used?
YES/NO
45) Is your archive system designed to facilitate data format standards and an archive tape tracking method?
YES/NO
Links for reading:
http://searchstorage.bitpipe.com/
http://iase.disa.mil/index2.html
http://www.redbooks.ibm.com/redbooks/pdfs/sg246844.pdf
http://www.experts-exchange.com/Networking/Network_Management/Disaster_Recovery/Q_28081599.html
http://www.experts-exchange.com/Software/Backup_Restore/Q_27781899.html
http://www.isaca.org/cobit