Overview
Policy Statement
This policy establishes the guidelines and procedures to recover from a possible disaster. Disasters can be short or may last for a long time, but your organization is ready for any adversity.
Business continuity and disaster recovery activities are led by the Chief Information Security Officer under the coordination of the Chief Operations Officer.
Scope
- Critical - production environments with applications that store or process protected or confidential data, where an event could compromise the data's confidentiality, invalidate its integrity, or affect its availability (see Data Classification).
- Non-critical - anything that is not marked as critical will receive a lower priority and be recovered only when business operations have been fully restored.
Objectives
The main objective of the disaster recovery program is to develop, test, and document a well-structured and easily understood plan which will help the company recover as quickly and effectively as possible from an unforeseen disaster or emergency which interrupts information systems and business operations. Additional objectives include the following:
- Identify and assess the damage
- Estimate the time required to resolve the incident
- Assess the business impact
- Assess if the Production environments and data are salvageable
- Identify and assign tasks, and offer guidance to designated teams
- Define communication channels and techniques with:
  - Employees and staff
  - Customers
  - Media
Business Recovery Team (BRT)
| Name | Function | Email | Phone Number | Alternate |
|------|----------|-------|--------------|-----------|
| Firstname Lastname | COO and Co-Founder | [email protected] | | Firstname Lastname |
| Firstname Lastname | CTO | [email protected] | | Firstname Lastname |
Responsibilities
- IT - managing the network/VPN infrastructure, servers, and IT services. This team is led by the CTO/IT Manager.
- DevOps - assuring cloud environments, applications, and web services. This team is responsible for redeploying the services, performing data recovery, and testing that all systems are operational. This team is led by the CTO.
- Security - responding to cybersecurity incidents. This team is led by the CISO.
- Operations - coordinating the recovery plan and ensuring a fast response. This team is led by the COO.

These teams are in charge of the recovery plan and have been trained to manage such situations.
Procedures
Procedures and mapped controls
Status
Your organization uses a https://status.io page for the real-time status of each service. The status page is updated with details and root-cause analysis about any event that may cause service downtime (disaster or planned maintenance).
Downtime durations: short (< 30 minutes), moderate (< 4 hours), long (> 4 hours)
Activation
Good practice says that business continuity and disaster recovery plans should be activated by top-level management. Your organization has appointed the COO as responsible for activating this procedure. If the event affecting the business is related to cybersecurity incidents, the recovery plan can also be activated by the CISO. Activation depends on the assessment results and projected downtime caused by the disaster:
- Will the applications and customer-facing systems be unavailable for more than 2 hours?
- Will the business be dysfunctional for more than 24 hours?
Infrastructure and Data Recovery
Production environment data must be stored across multiple Cloud Storage locations.