Business Continuity Plan & Disaster Recovery Policy

Thank you for visiting https://computools.com/

Purpose

The purpose of this Plan is to ensure preventive measures and that the organization has a documented and fully functional set of procedures to enable the reinstatement of work within 24-48 hours after starting a disaster/emergency/incident/war.

The objective is to coordinate the recovery of critical business functions in managing and supporting the business recovery in the event of a disaster/emergency/incident/war.

Definitions
  • A disaster – is defined as any event that renders a business facility inoperable or unusable, so that it interferes with the organization’s ability to deliver essential business services.
  • An emergency – an actual or impending situation that may cause injury, loss of life, destruction of property, or cause the interference, loss, or disruption of an organization’s normal business operations to such an extent it poses a threat.
  • An incident – is any event that may be or may lead to, a business interruption, disruption, loss, and/or crisis.
  • A war –  is acts of terrorism, sabotage, war, theft, arson, industrial action, that is acts pulling loss of utilities (loss or shortage of electricity, gas, water, petrol, oil, communications services, drainage, waste removal) or\and equipment or system failure (failure or internal power, air conditioning, production line, cooling plant, equipment (excluding IT hardware)) or\and serious information security incidents (cybercrime, loss of records or data, disclosure of sensitive information, IT system failure), or\and other emergency situations (workplace violence, public transport disruption, neighborhood hazards, health and safety regulations, employee morale, negative publicity, mergers and acquisitions, legal problems).

Scope

This Plan will illustrate how the business can reduce the potential impact of a disaster/emergency/incident/war by being prepared to maintain services in the event of the:

  • Loss of internal infrastructure;
  • Loss of key staff;
  • Loss of IT / data;
  • Loss of telecommunications;
  • Loss of utilities (electricity, water, gas);
  • Disruption due to industrial action;
  • Disruption due to severe weather.

When can we invoke this Plan?

Depending on the location and the type of disaster/emergency/incident/war, the plan may be invoked in isolation of departments, teams, locations, or in full.

The Business Continuity Team is made up of
  • Senior Management;
  • Head of Departments.

Business continuity coordinators

The business continuity coordinators will be made up of members of staff that have been identified as site representatives and have the responsibility for managing the implementation of the business continuity plan during an emergency or a disruptive event.

Activating the plan

The Chief Executive Officer will delegate to the business continuity managers responsible for the activation of the Plan.

Notification of a business interruption may originate from any source. The following activation sequence will normally be used when informing personnel of the activation of this plan, staff will be advised of the process via a number of available methods, text messaging service, email communications, updates on the site, and or phone calls from managers.

PREVENTION

As important as having a disaster recovery plan is, taking measures to prevent a disaster or to mitigate its effects beforehand is even more important. This portion of the plan reviews the various threats that can lead to a disaster, where our vulnerabilities are, and the steps we should take to minimize our risk. The threats covered here are both natural and human-created:

Loss of internal infrastructure

In the event of the main offices being unavailable users would be able to log in and work from home where appropriate. These arrangements will need to be confirmed so we ensure the resources such as connectivity arrangements for all staff is available. Since we use the Atlasin server and AWS with adjacent SAL. U-turn. plans are available to offices in nearby regions.

Insider leak (code, developers switched to a new job)

SSH-access management. We use teleport to work with access. Personalized server accounts, account management. We use a single entry point operated by a company. Authentication happens through corporate email. Monitoring basic configurations on servers We use automated reversal tools (docker Kubernetes), configurations always go through a review and get to the server only as part of the deployment process.

Loss of key personnel

All information is recorded electronically. Work is in accordance with internal standards and processes. A mandatory knowledge transfer process is foreseen. The company always has a reserve for each of the positions so that the work does not stop.

External and internal attacks on infrastructure

Using updated software from reliable vendors. Tracking the vulnerability of the software used. The configuration of network interfaces where everything is closed by default and only what we know and use is open. SSL protection and modified ports for connection management (SSH) work only on a key basis. Traffic monitoring Internal threat prediction system based on public information analysis.

For internal documentation and communications, we use cloud services (Google Drive, Docs and Sheets, Slack). Every employee has a personal Google Account with two-factor authentication and these accounts use like login to other corporative cloud services. Also, the overwhelming majority of our staff use laptops which allows them to work anywhere in the world.

Computer Crime

Computer crime is becoming more of a threat as systems become more complex and access is more highly distributed. All systems have security products installed to protect against unauthorized entry.

All systems are protected by passwords. All users are required to change their passwords on a regular basis. All systems should log invalid attempts to access data, and the system administrator reviews these logs on a regular basis. All systems are backed up on a periodic basis. Physical security of the data storage area for backups is implemented. Standards have been established on the number of backup cycles to retain and the length of their retention. Policies and procedures are strictly enforced when violations are detected. Operators are regularly told the importance of keeping their passwords secret.

Unfavorable political situation

Confirmation of a force majeure event in the CCI (chamber of commerce and industry). Organizing the movement of subcontractors to a safer place; Organizing property savings and moving it to a safer place.

Terrorist Actions/ Sabotage/Vandalism

Terroristic action and sabotage are a potential risk under the circumstances on all the offices in big cities. To prevent such occurrence Computools has a safety system in place whereby each office will permit entry on verification of code and due care is taken to provide adequate security.

Inclement weather

All critical services are located on cloud servers. Plans have been developed to launch work from offices in nearby regions. 

Flood

None of the offices are on the ground floor, thus the risk due to flood is very much limited. 

Cyclones and High Winds

The offices are located in Ukraine. Very severe cyclones can only have a marginal impact on operations. Due care and preventive measures appropriate are carried out. Protective plastic covers are available and also operators are trained how to properly cover the types of equipment.

Earthquake

The threat of an earthquake is low but should not be ignored. Buildings in our area are built to earthquake-resistant standards so we could expect the least damage from the predicted quake. An earthquake has the potential for being the most disruptive for this disaster recovery plan. Restoration of computing and networking facilities following a bad earthquake could be very difficult and require an extended period of time due to the need to do large-scale building repairs.

The preventative measures for an earthquake can be similar to those of a Cyclone. Even if the building survives, earthquakes can interrupt power and other utilities for an extended period of time.

Infectious Disease Outbreaks

Routine physical examinations and vaccinations. Paid sick leave. And going to work after permission from the doctor. The ability to work remotely over a secure backup connection using an encrypted VPN by providing access through IP configured corporate technology.

Fire

The threat of fire in office premises is real and poses a high risk. The building is filled with electrical devices and connections that could overheat or short out and cause a fire. The computers within the facility also pose a target for arson from anyone wishing to disrupt Computools operations.

The Building is equipped with a fire alarm system. Hand-held fire extinguishers are placed in visible locations throughout the building. All staff are trained in the use of fire extinguishers.

Recovery Procedure of disaster / emergency / incident / war

Process for activation

As soon as disaster/emergency/incident/war is reported the Plan will commence and we move into “standby mode”. 

Communication Plan

A number of ways have been identified to keep staff up to date with information about the disaster/emergency/incident/war scenario:

– We will use the corporate site once restored to broadcast information.

– We will use email/Slack/Telegram, Signal, etc. 

Evacuation of the office

If an incident occurs during normal working hours we may not be able to hold any risk assessments as it may be necessary to undertake an immediate evacuation of the office and the following procedure must be followed:

ACTION FURTHER INFO/DETAILS Obligation of action
Evacuate the building if necessary Evacuate the building in accordance with your building’s emergency evacuation procedures. Use the nearest stairwells. Do not use elevators in case of building collapse
Ensure all staff report to the Assembly Point Staff should gather at the designated assembly point. The designated fire officers are responsible for completing this action in case of building collapse
Check that all staff, contractors, and any visitors have been evacuated from the building and are present. Consider the safety of all staff, contractors, and visitors as a priority Quickly assess whether any person in your surrounding area is injured and needs medical attention. If you are able to assist them without causing further injury to them or without putting yourself in further danger, then provide what assistance you can and also call for help in case of building collapse
Forward details of any fatalities or injuries in the incident (depending on the scale of the incident) and agree on activities that will be taken The contact to forward this information to is the People Manager in case of building collapse
Consider whether the involvement of other teams, services, or organizations are required to support the management of the incident Depending on the incident the following may be approached to assist with the incident management:

  • Personnel
  • Health and Safety
  • Legal
  • Occupational Health
in case of building collapse
Communication Ensure that staff is updated as often as possible, ensure all staff has communication in case of building collapse
Management/Recovery process meeting

If possible, it will be necessary for the management and the business continuity team to meet to determine the cause, effects, and plans. If this meeting cannot be held in a suitable location then a conference call inviting all parties can be arranged.

The following actions should be considered. Note that all items may not be relevant. Following this meeting, all the actions decided upon will be divided between the first 24 hours and the next 24 hours.
Description of meeting’s tasks:

1. Arrange meetings of management and business continuity team. This could be a physical meeting or a virtual conference.
2. Confirm available all team members are present and have access to the Plan and the crises communication plan.
3. Overall situation report including nature and extent of the emergency. Summarize any immediate actions taken.
4. Assess the effect/impact of the situation, take into account:
4.1.Accommodation:
– What premises have been affected? Anything key stored in those building(s)? Alternative premises? Mutual aid arrangements?
4.2. Staff: Are staff affected? Consider the requirements and needs of vulnerable staff. Agree which staff are required immediately or their capacity to be available. Plan what to do with staff not immediately required. Ensure all staff are contactable and verify contact details.
4.3. Suppliers/Contractors/Key Customers:
Our key suppliers, contractors, partners, customers affected by the emergency? What alternatives are available?
4.4. What internal support activities have been affected?
4.5. Legal and contractual obligations.
4.6. Telephony:
– Has this been affected? Any impact?
4.7. Work
– What is the current status? What are we able to do? What are the current priorities? What key activities are affected?
4.8. Resources:
– What resources do we require immediately? To what do we have access? Alternatives? Mutual aid arrangements to borrow equipment?
4.9. Information Technology:
Is IT available? How long might the loss be of IT? What are the plans should there be short and long-term IT failures. The outage would need to be in excess of 48 hours to consider the move to the DR Centre worthwhile.
4.10. Transportation issues
Are there any problems with staff/customer/ supplier transportation; E.g. Fuel, weather or change of premises problems?
4.11. Health / Welfare issues
4.12. Utility issues:
– Has the emergency meant that facilities are affected; i.e. water, electricity, etc.? What contingency plans are in place for utilities/facilities failures?
5. Decide future actions/priorities
6. Communication to employees:
– Agree on the message to convey to staff
– Agree which staff required immediately or their capacity to be available and what to advise them.
– Agree on communication method to be used; i.e. cascade tree and/or separate line with answerphone or separate staff line/mobile into which they can call.
7. Media/Public information:
– agree on media message, see crisis communication plan
8. Any other business.
9. Chairperson to
– Summarize key points
– Re-affirm priorities/actions
– Decide if and when the next meeting/teleconference call is required.
10. Authorize the implementation of the BCP plan as per the agreed scenario or stand down and return to BAU.

The first 24 hours

After the initial BCP meeting and risk assessment is completed and it has been agreed to begin the BCP process:
1. Implementation tasks of meeting
2. Where possible if access can still be made to the relevant office, recover vital assets/equipment to enable the delivery of critical activities
3. Dependent upon the disaster situation we may need to invoke the disaster recovery plan and instigate recovery of systems alongside the BCP plans. ICT will be authorized to begin the ICT disaster recovery plan and DR company may need to be informed
4. The Company Secretary or designate to email the CEO outlining the situation and to keep him up to date with developments
5. Hold Managers’ meeting if possible or begin a chain of communication with Managers whereby each is notified with the facts.
6. Contact staff via bulk text, emails to company accounts, emails to personal accounts.
7. Managers to determine the level of staff availability in their team and begin the process of keeping staff updated with the disaster status and begin planning for staff to resume work at their main office or DR location.
8. Ensure contact numbers are available and the address details of the DR site, if necessary, are published on the BCP website
9. Agree on policy for extraordinary additional leave where necessary.
10. Ensure that the crisis communication plan is updated and all interested parties kept up to date.
11. At the end of the first day assess the next steps:
Can staff return to the office or do we continue with the DR implementation and staff planning
12. Start office relocation as needed.

The second 24 hours

ACTION:
1. Communicating with staff. As the scale of the incident becomes clearer and the BCP team formulates its plans it will be the responsibility of the BCP team to provide a clear message to managers and staff and this will be coordinated by the Communications manager.
2. Resource plans for the first day of resumption to be confirmed by managers to the BCP team.
3. The ICT will finish the restoration of key systems by the end of the 48 hour period.

After the first 48 hours

If the outage is confirmed as of a longer-term nature then the business continuity team will need to move the organization to as “business as usual” as possible.

Training

Training seminars addressing business continuity are conducted on a regular basis. Also, an awareness program is conducted to educate management and senior individuals who will be required to participate in the project.

The objectives of Business Continuity Planning training are:

  • Train employees and management who are required to help maintain the Business Continuity Plan
  • Train employees and management who are required to execute various plan segments in the event of a disaster

Testing and Evaluation

The response to each threat situation is tested periodically to assess the preparedness of the organization to execute the recovery plans. Some of the threats that occur frequently are tested in due course of business, hence are not tested specifically. Others, however, require testing and for them, a disaster scenario is assumed and the team representatives “walk through” the recovery actions checking for errors or omissions. Persons involved in the test include the Recovery Management Coordinator and members of various recovery teams.

An ongoing testing program is established. However, special testing is considered whenever there is a major revision to Computools operation or when significant changes in hardware or communications environments occur. The Recovery Management Coordinator is responsible for analyzing change, updating impacts on the plan, and making recommendations for plan testing.

The Team Leaders and the Recovery Management Coordinator review the test results, discuss weaknesses, resolve problems and suggest appropriate changes to the plan.