Disaster Recovery Planning involves the advance planning and arrangements necessary to minimize risk by ensuring the ability to recover time sensitive systems, applications, information, and business functions in the event of an interruption or disaster. Disaster Recovery Planning also involves defining, recommending, implementing, testing and administering recovery strategies.

It is the ultimate responsibility of the owner of business information to ensure that the recovery and contingent processing of such data is possible through tested and effective backup procedures, recovery planning and contingency processing capabilities. This will increase the ability to recover critical processes and restore critical data in a timely and cost effective manner.

Individual Business Recovery Plans must exist for all information processing systems that support critical business functions. Location management must test the plan annually. Location management is also responsible for reviewing and maintaining the plan on an annual basis or when any major change(s) occurs within the IT systems or configurations. The plan(s) must address a situation from partial to total loss (worst case) of a location to ensure the ability to recover and restore IT information as well as critical business information. The extent of detail required for each plan will depend on each of the location's critical functions and system restoration capabilities.

The objective of this policy is to:

• Establish alternative strategies to recover critical corporate information processing systems.
• Provide guidelines for ensuring the protection and recovery capabilities of corporate information in accordance with True Value's Information Security Policy and Standards.
• Ensure that necessary data can be recovered and processed so that critical business functions can be re-established.
• Provide a methodology for ensuring plans are developed, tested and maintained to minimize any inconvenience or interruption in the ability to continue operations and service the customer.
• Provide a means for situation assessment.
• Establish a methodology for ensuring notification to the appropriate management and support areas in the event of an interruption to operations.
• Establish a methodology for communicating emergency situations to affected employees, clients, customers, and agencies etc.

Location Managers

Managers are responsible for business continuity controls and must ensure a secure, recoverable environment that protects IT assets, and provides continuity for the critical business functions that they support. They will approve the recovery plans for their business needs once developed, and thereafter each time the plan is updated.

The plan should address the following:

• Identification of critical applications and processes.
• Identification of minimum recovery hardware configuration.
• Identification of required software and platforms.
• Prioritizing restoration of applications and verification steps to be performed prior to bringing up further applications.
• Target recovery times for each mission critical function as well as normal service functions.
• Actions to be taken during the four phases of business resumption:

1. Response (initial action following a disastrous event).

2. Resumption (establishing the alternative processing site and set up for resumption of business).

3. Recovery (resume processing for time-sensitive business functions).

4. Restoration (returning to the original processing site).

• Identification of critical personnel and event notification information.
• Descriptions of how to acquire necessary resources, such as vendor information, temporary employees and supplies.
• Access requirements concerning who is authorized for declaring a disaster, entering the off-site storage facility, gathering recovery resources, or accessing the location after police/fire/detectives have isolated the area.
• Persons authorized to purchase, what they can purchase and authorized spending limits.
• Security issues such as guards and premises protection.
• Communication needs, such as who will address the media in a disaster situation and what employees should NOT say to any outside person at this time.

Additionally, the plan should include the following information:

• Notification procedures for employees, vendors and customers.
• Teams, team leaders, and contact numbers.
• Action plans for each team (concise step-by step descriptions of actions required.
• Detailed instructions for Disaster Recovery Procedures and Contingency Procedures.
• Network documentation including telecommunications.
• Up-to-date equipment and software inventory by location.
• Building plans such as air, water and electrical system mappings.
• Evacuation procedures including safe meeting areas.
• Vendor agreements.
• Data classification sheets.
• Contingency plan.
• Vendor contact list including financial institutions.
• Key customer contact list.
• Maintenance schedule.
• Test/exercise schedule.
• Lists of police, fire, hospital, travel agency, airlines, and municipal emergency response team phone numbers.
• Facility Damage Assessment checklist.
• Offsite services and hot-site area maps.
• Disaster Alert Procedures.
• Established alternative headquarters location.
• Where to get emergency petty cash and sample expenditure procedure.

Backup and recovery procedures and practices provide a means to save and restore data for all data processing systems including mainframes, servers and workstations. It is the ultimate responsibility of the owner of the data and the systems support staff to ensure that the backup/recovery process is accurate, effective and well documented for recovery purposes. Failure to do so could result in the unrecoverable loss of critical information if a disruptive event occurs.

The frequency of backup information should be determined based on the criticality of the data, the system, location and departmental needs.

A routine schedule for off-site rotation of backup information must be established. Depending on the threat of a regional disaster, the off-site location should be outside of the regional area to avoid total loss of information.

The following backup information should always be available in current status to business users:

• Historical and current system processed information required by law.
• Copies of current versions of the operating system and other significant software used within the organization. This software must be stored off-site unless compatible versions are easily available and customizing/reconfiguring is a minor task.
• Priority listings concerning the restoration of applications in a logical order based on sequences dictated by the system or by management decision. These decisions are made jointly by IT operations, applications managers and business users and should be reviewed annually.
• Maximum expected time which would be required to complete the installation of replacement hardware and software should be clearly stated (recovery lead times).
• Equipment and network layouts (network and software configuration diagrams) and any other information vital to restoration of the current system or necessary for setting up a new system(s).

Non-system related backup information that is very important, and should be held at off-site locations, includes, but is not limited to:

• Hardware and software inventory, including serial numbers and detailed information that would be useful for identifying needed items such as makes, model numbers, engineering release levels and types of equipment used to process transactions. This listing should also include alternatives to equipment in case of unavailability.
• Copies of current operational manuals and procedures or access to (i.e., from other site, vendor or offsite data storage).
• Important legal/originals of critical documents
• Unique critical supplies.
• Vendor listings that could be used to expedite the replacement of hardware, software or important supplies that need to be purchased quickly.
• Important business forms and documentation such as purchase orders, invoices and blank checks that may be required in a disaster situation.
• Information particular to the functionality of a department that would be vital for the continuation of critical business processes.

Backup requirements and recovery strategies for transmitted and received data (electronic media) must be considered.

Review and updating of all items maintained in an off-site storage area should take place on an annual basis.

It is essential that Disaster Recovery Plans be tested on an annual basis. If an agreement exists for an alternative site, it is desirable that exercising the plan takes place utilizing the actual recovery facility. After an exercise, all recovery personnel are responsible for submitting a written report indicating problems encountered and plans for resolution. The plan should be updated to reflect those recommendations.

A management review of the plan should take place at least annually or more frequently when significant changes are made to the applications, hardware or software at a location.

Each employee should be aware of their role and responsibilities in a recovery effort and should participate in plan tests when possible.

All primary and alternate key personnel responsible for participation in the business recovery should maintain a copy of the plan, both at work and at home. (Depending on their assigned roles, it may not be necessary to distribute the entire plan to all individuals.)

True Value’s Internal Audit will also maintain a current copy of all Disaster Recovery Plans in the corporation.

Where no corporate strategy exists and it is beyond reasonable cost to justify redundancies, agreements must be made with vendors who offer services such as temporary and permanent hardware/software replacement, office space and furniture, and supplies, etc., in advance. This will guarantee quick response in a disaster situation. The distance of recovery sites from a True Value location is important to consider since key employees are expected to be present for both actual recovery and testing.

Annually, a review of recovery service vendor contracts must be done to ensure compatibility. Testing system recovery will ensure present system configurations are recoverable at the alternate computer site and that operating systems and business function software is appropriately backed up. In addition, the number of workspace areas should be analyzed to avoid deficiencies at time of need. Other contractual considerations that must be given are options to void contracts when special circumstances exist, i.e. acquisitions, sale of existing business, etc.

A risk analysis is the process of identifying risks, assessing the critical functions necessary to continue operations, defining the controls that are in place to reduce exposure, and evaluating the cost for such controls. The risk analysis often involves an evaluation of the likelihood of an occurrence, the risk analysis will be performed on computer/network environments to identify and evaluate risks and determine any disaster mitigation requirements. The risk analysis is generally a collaborative effort of various departments including IT, Facilities Management, Infrastructure Management, General Management, Internal Audit, along with any public utilities and services which support the corporation.

Evaluations of existing systems to determine whether the system complies with the corporate policy will be performed by True Value’s Internal Audit. If not in compliance, the location is responsible for determining recovery strategies and documenting a recovery plan that must be tested and maintained annually.

Recovery considerations must be provided within the project charter for all new/upgraded IT systems intended for critical business functions. True Value’s Internal Audit, along with business units and IT development areas, will ensure that any system/application being considered for purchase is evaluated for' compliance this policy.