How SOX Affects Your Disaster Recovery Plan
If you’re looking for a sentence in SOX 2002 that mandates a disaster recovery plan, you won’t find it. As far as I’m aware, the Sarbanes-Oxley Act of 2002 doesn’t mandate that a company have such a plan. Yes, you read that correctly. Then why, you might ask, are the terms Sarbanes-Oxley and disaster recovery plan used almost in the same sentence in many organizations? To answer this question, consider all the new exposures that management faces these days with the advent of the new law, including potential jail time. Now ask yourself how you would feel if you had to provide the reporting the law requires—only to be told by technical staff the equivalent of, "My dog ate the data."
If you ever want to contemplate a career-ending move, try telling your boss that the data he or she needs to meet these stringent new requirements is gone due to some disaster. That’s why disaster recovery planning is so closely entwined with SOX 2002.
Ultimately, your boss (or your boss’s boss) is personally responsible if something goes wrong that prevents compliance with the new law. That’s why recovery planning has taken on such new urgency. And, in case you hadn’t noticed, these things roll downhill. That’s why this issue is probably on your desk at this moment. You have the job of covering your boss’s posterior, and a workable disaster recovery plan is part of that responsibility.