Disaster Recovery Plan (DRP) Management
Are all your disaster recovery plans up to par? Do they include everything they need to include? How can they be improved? Who is responsible for what? SAMMY can help you answer all of these questions and many more. Get clear visibility on the state of your disaster recovery plan.
NIST Guidance for contingency planning.
SAMMY uses the NIST guidance formulated in Special Publication 800-34 Rev. 1. Using the SAMMY logic, we turned the 150-page guidance into a set of maturity-measuring questions and a scoring system. Thus you can map your activities to the guidance and identify gaps in your DRPs.
What should be in your disaster recovery plan?
The content of the disaster recovery plan is divided into six sections.
- Supporting Information
- Concept of Operations
Where to find DRP management in SAMMY.
The default model in SAMMY is OWASP SAMM. In order to start a DRP management instance you must log in and go to Scopes, where you create a DRP scope. You can then enter this scope to work in DRP management mode.
Fill out a DRP assessment.
The workflow starts with answering the different questions. You can choose whether everything should be filled out by the same person, or whether different parts of the DRP are the responsibility of different team members.
Validate a DRP assessment.
Validation is done at the activity level. When done internally, it is typically performed by the person leading the overall assessment. He or she reviews the answers and the evidence presented; if not satisfied, the activity returns to the assessment step with the validator's comments. If the validator approves, the activity moves to the improvement track. In some cases the validator may be an external expert.
Implement security roadmaps.
When a score on an activity is validated, the question arises: "Is this good enough?" If it is, the activity is closed. If it is not good enough, an improvement process is initiated: a new target score is set together with a target date, and the process is assigned to a team member. At the end of the improvement process the stream returns to assessment to evaluate its situation.
Clear visualization of score.
In SAMMY you have a quick overview of scores in the left navigation menu, and there are more detailed scores in the reporting tab at the top. These include:
- Overview of score per business function
- Scores per practice
- Scores per business function
- Comparison between scopes
- Historic growth per business function
Here you can also visualize the improvement roadmap and show the improvement targets.
SAMMY can automatically create a report which includes an overview of the state of the DRP and the roadmaps for improvement.
Creating different scopes
You may have different DRPs with different scopes. However you define the scopes, you can easily implement, compare and manage them in SAMMY.
Setting target postures
You may choose different thresholds than the ones outlined by NIST. What your ambitions should be depends on many factors of your business, its context and the risk profile of your products. The best way to manage such goals is to set target postures that are tailored to your context. In SAMMY you can easily create such target postures. The target compliance level is then shown throughout the process to the different teams in the different scopes. The goal then becomes the elimination of the gap between the target compliance and the current compliance.
User, role and team management.
SAMMY is a collaborative tool. Tasks and responsibilities can be assigned at the team and the individual level. There is always clear ownership of any task, and individuals always have a clear overview of what they are expected to do.
Because different tasks are assigned to different team members, SAMMY integrates with JIRA so that tasks feed automatically into the team's existing task management flow. Soon a similar integration will exist for Microsoft Teams.
If you don't use JIRA or Teams and would like us to integrate with another tool, or if you have any other suggestions, please reach out to us. The roadmap of this tool is community driven.