Appendix:
Understanding the Sarbanes-Oxley Act
4) DEFINITIONS
a) Disaster: An event, whether man-made or natural, that unexpectedly inhibits
the company's ability to operate or deprives the company of access to its
key business systems.
b) Major disaster: An event that substantially destroys computing and data
infrastructure that the company requires to operate. Examples include a
fire in the server room, a large earthquake, a major structural failure of the
company's building, flooding of interior spaces in the building that impacts
IT resources, and so forth.
c) Minor disaster: A short-term disruption of the company's ability to access
its key business systems. Examples include the loss of a critical data file
(whether through systems failure or accident), a power outage, or a temporary
operating problem in the computing chain of a key business system.
d) Remediation plan: A plan developed to remediate the key effects of a given
major disaster. The remediation plan includes necessary objectives, timelines,
cost estimates, and acceptance criteria.
5) PROCEDURES
a) Pre-disaster planning:
i) The IT department will maintain a list of hardware resources on which
key business resources reside and their necessary configurations. This
list will be reviewed annually and updated as necessary, and is attached
to this document as Attachment IT-002-A.
ii) The IT department will maintain a list of software resources on which
key or important business processes rely, including vendor contact data,
account numbers, and any related serial or product ID numbers. This list
will be reviewed annually and updated as necessary, and is attached to
this document as Attachment IT-002-B.
iii) The IT department will set up a backup and off-site storage plan that
minimizes the risk of loss of data in the event of a disaster. The details
of the backup and off-site storage plan will be reviewed annually and
updated as necessary, and are attached to this document as Attachment
IT-002-C.
b) Testing:
i) The IT department will annually test the ability of all backup systems to
successfully restore data. The general procedure is as follows:
(1) Select a recently created piece of backup media.
(2) Using the backup software with which the media was created,
randomly select several files that are normally unchanging