Effective from Feb 28 2017 - Feb 27 2017
Principle
The Member Organization should define, approve, implement and maintain an IT DRP for its critical activities and related technology infrastructure.
Objective
To ensure the Member Organization has an IT DRP and an up-to-date list of critical activities in place in case of a disruptive incident.
Control considerations
1. An IT DRP to recover and restore technology services and infrastructure components (data, systems, network, services and applications) should be defined, approved, implemented and maintained in alignment with the business impact analysis.
2. The Member Organization should establish an alternative data center at an appropriate location. The location should be identified based on:
   a. A risk assessment to confirm that the location does not share the same risks as the main data center (e.g., geographical threat)
   b. Upon approval from Saudi Central Bank
3. Data, system, network and application configurations and capacities in the alternative data center should be commensurate with the configurations and capacities maintained in the main data center.
4. The Member Organization should implement the same logical, physical, environmental and cyber security controls for the alternative data center as for the primary data center.
5. The Member Organization should define and implement a backup and recovery process.
6. The Member Organization should have an offsite location for storing backups.
7. Formal contracts should be signed with third parties to ensure the continuity of outsourced services or the delivery of replacement hardware or software within the agreed timelines in case of a disaster. Include guidelines to ensure that the contracts signed with external service providers are aligned with the BIA and RA outcomes.
8. The IT manager should be responsible for maintaining the disaster recovery plans and arrangements and keeping them up to date, with overall accountability for their integration within the BCM Program resting with the BCM Manager.
9. Compliance with the disaster recovery plan should be monitored.
10. The effectiveness of the IT DRP should be measured and evaluated on a yearly basis as a minimum.