Appendix C: Assessment Checklist
N/A IP Yes No
Pre-Planning Phase
1. Has the IT Disaster Recovery plan been integrated with other
applicable plans (e.g., Business Continuity or Resumption
Plan, Occupant Evaluation Plan, etc.)? (Reference 1.7)
2. Has the Agency Head ensured that the disaster recovery
planning policies and procedures are consistent with State
Policy? (Reference 1.8)
3. Has the Agency Head ensured the development of a disaster
recovery plan that documents how business functions will be
performed in the event that their IT systems are unavailable
(short and long-term unavailability)? (Reference 1.8)
4. Are all vendors/contractors aware that they must comply with
the Disaster Recovery Planning Guidelines? (Reference 1.8)
5. Is the access to the Disaster Recovery plan restricted to only
the appropriate personnel? (Reference 1.9)
6. Have the Business Owners defined recovery priorities based
on the information from the BIA, RTO, and RPO? (Reference
2.1)
7. Has a BIA been conducted? (Reference 2.1.2)
8. Have the Business Owners completed or assisted in the
completion of a BIA? (Reference 2.1.1)
9. Have the Business Owners defined the maximum amount of
tolerable downtime (recovery time objective) for each of the
functions identified in the BIA? (Reference 2.1.1)
10. Does the BIA identify business functions that are necessary to
carry out State or Agency missions and mandated functions?
(Reference 2.1.1)
11. Does the BIA identify the RTO and RPO for each business
function? (Reference 2.1.1)
12. Does the BIA identify the hardware resources needed to
support the business functions? (Reference 2.1.1)
13. Does the BIA identify the software resources needed to
support the business functions? (Reference 2.1.1)
14. Does the BIA identify all other resources needed to support
the business functions? (Reference 2.1.1)
15. Has a Risk Assessment been performed on each IT system
identified in the BIA? (Reference 2.1.2)
16.
17. Does the Risk Assessment document risks and identify the
threats to the business functions? (Reference 2.1.2)
18. Has an analysis been performed for each risk identified to
determine the likelihood and impact of occurrence?
(Reference 2.1.2)
19. Have controls that mitigate or eliminate the risks identified in
the above steps been developed? (Reference 2.1.2)
20. Have controls that mitigate or eliminate the risks identified in
the above steps been implemented? (Reference 2.1.2)
21. Have the implemented controls reduced the level of risk to the

State of Maryland Information Technology (IT) Disaster Recovery Guidelines Version 4.0