12-3.2 Application Disaster Recovery Plan Requirements

The Application Disaster Recovery Plan (ADRP) Requirements are as follows:

  1. Each application that is registered in the Enterprise Information Repository (EIR) must have an ADRP.
  2. The requirements for the plan are determined based on the Criticality results of the Business Impact Assessment (BIA). See 3-2.3 of this document for requirements of Criticality determination. The ADRP must be designed to achieve the recovery time objectives (RTO) required to meet the business requirements as specified in the BIA.
  3. The ADRP does not include the recovery plans for the infrastructure that it’s depend upon.
  4. The ADRP documentation is stored in the Technical Solution Life Cycle (TSLC) IT Artifact Library systems documentation testing section of the application as a Program-Level Artifacts and is considered “Sensitive”.
  5. The ADRP must be reviewed, tested, and the results certified by the development organization and the executive sponsor. Evidence of the testing and certification must be kept in the TSLC IT Artifact Library as a Program-Level Artifacts and is considered “Sensitive”. Test results are also recorded in the EIR system.
  6. ADRP’s Critical-High and Critical-Moderate applications must be tested within 180 days of the application going into production and within 180 days of changes which would invalidate previous tests.
  7. Applications designated as Critical-High must be tested within 18 months of the last successful test.
  8. Applications designated as Critical-Moderate must be tested within 36 months of the last successful test and within 12 months of changes which would invalidate previous tests.
  9. Non-Critical (Low) applications can conduct a tabletop evaluations of the ADRP or can conduct a test of the ADRP. These test must be repeated as least once every 5 years.
  10. Failed tests must be re-attempted within 90 days of the failed test.
  11. All recovery documents must be protected as restricted information.