Guideline for Completing Disaster Recovery Plans for SaaS and PaaS Applications (Yale-MSS-3.1 GD.02)

SaaS stands for Software-as-a-Service. PaaS stands for Platform-as-a-Service. When writing a Disaster Recovery (DR) plan for a SaaS or PaaS service, there are extra details to consider, because the vendor, not Yale, operates the infrastructure and holds the backups. The questions below help you think through your DR plan completely. If you can answer "yes" to each of them, you have covered the details a SaaS/PaaS DR Plan needs.

Does your contract contain information about the risk classification for the IT System? This includes:

  • Data Classification (low, moderate, high)
  • Availability Requirements (RTO, Recovery Time Objective). This is the length of time a Yale IT System can be down before incurring a significant impact to operations.
  • External Obligation Requirements (NA or specify)

Does your contract contain information about backup/recovery requirements (RPO, Recovery Point Objective)? This is how much data can be lost before Yale is significantly affected.

Does your contract specify how the following will be maintained and the penalties if they are not? Attach the contract and the equivalent of a SOC 2¹ report to the DR Plan. Verify that the company has a certified recovery plan.

  • Availability Requirements (RTO) measured in hours.
  • Backup/Recovery Requirements (RPO) measured in hours.
  • Acceptable Maintenance Windows – days/months/time and length.
  • Protection of your data’s confidentiality and integrity.

Does your contract require the vendor to provide proof of annual DR plan testing?

  • Attach the annual findings, in the SOC 2 report or its equivalent, to the DR Plan each time the vendor provides them.

Does your contract describe how to communicate with the vendor when there is an issue with the IT System? This should include:

  • The method of communication (e.g. phone, URL for ticketing, email addresses).
  • The vendor names/roles of individuals and an escalation procedure.
  • Who at Yale is able to communicate with the vendor.

Does the contract include details on how often the Yale data is backed up? Is the vendor able to restore within your specified RPO?

¹ SOC 2 is an auditing procedure that verifies your service providers operate securely. This includes managing your data to protect the interests of your organization, and it confirms that the service providers respect the privacy of their clients. When choosing a secure SaaS provider, SOC 2 compliance should be a minimum requirement.

Need help?

For questions about completing your SaaS or PaaS DR Plan, email us.