Hi Joe,
In addition to the great info from Heather's response, one thing we do additionally is that in regard to the annual test of their Business Continuity / Disaster Recovery Plan, we ask to be able to participate in the test - at least to the limited extent that the test impacts our interaction with the vendor or impacts how we access the product or service provided by the vendor.
For example, one vendor provides us a product that requires us to be able to access it via a secure connection to a cloud environment. If the vendor has to change the connection path to that cloud environment as part of their BC / DR test, we want to be able to participate with that part of the test to ensure we can still access the cloud environment through the new connection path if the vendor implements its BC / DR plan in real life.
- Ivan
------------------------------
Ivan A. Martin
Senior Contract Administrator
Iowa Student Loan
------------------------------
Original Message:
Sent: 11-03-2020 12:37 PM
From: Joseph Ciccone
Subject: "Disaster Recovery/Business Continuity" clause
Hi all,
I'm looking for recommendations on the components of a well-formed disaster recovery clause. I have a few examples, and from what I can tell the more complete ones have the following provisions/requirements:
- Maintain a plan and procedures which will ensure Vendor's ability to meet obligations under the contract in the event of a disaster.
- As part of that plan,
  - maintain backup capabilities and facilities. (I've sometimes seen this in separate 'backup management' clauses.)
  - notify Company within <time> of a disaster.
- Test the plan annually and provide Company with a copy of test results upon request.
Does the above look correct? Does anyone specify RPO and RTO in their DR clause?
Joe