1. Glossary of terms
IT | Information Technologies |
2. Introduction
This document outlines policies and procedures of HIRETT LIMITED (further in the text – the Company) for technology disaster recovery, as well as our process-level plans for recovering critical technology platforms and the telecommunications infrastructure. This document summarizes the Company recommended procedures. In the event of an actual emergency situation, modifications to this document may be made to ensure physical safety of the Company personnel, its systems, and its data.
The mission is to ensure information system uptime, data integrity and availability, and business continuity.
3. Policy Statement
Directors have approved the following policy statement:
• The Company shall develop a comprehensive IT Disaster Recovery Plan (further in the text – DRP);
• A formal risk assessment shall be undertaken to determine the requirements for the DRP;
• The DRP should cover all essential and critical infrastructure elements, systems and networks, in accordance with key business activities;
• The DRP should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed;
• All staff must be made aware of the DRP and their own respective roles;
• The DRP is to be kept up to date to take into account changing circumstances.
4. Objectives
The principal objective of the IT DRP is to develop, test and document a well-structured and easily understood plan which will help the Company recover as quickly and effectively as possible from an unforeseen disaster or emergency which interrupts information systems and business operations. Additional objectives include the following:
• Ensure that all employees fully understand their duties in implementing such a plan;
• Ensure that operational policies are adhered to within all planned activities;
• Ensure that proposed contingency arrangements are cost-effective;
• Disaster recovery capabilities as applicable to key customers, vendors and other stakeholders.
DRP exercises are an essential part of the plan development process. In a DRP exercise, no one passes or fails; everyone who participates learns from exercises – what needs to be improved, and how the improvements can be implemented. DRP exercises ensure that emergency teams are familiar with their assignments and more importantly are confident about their capabilities.
5. Plan overview
5.1 Plan updating
It is necessary for the IT DRP updating process to be properly structured and controlled. Whenever changes are made to the DRP they should be fully tested and suitable amendments should be made to the training materials. This will involve the use of formalized change control procedures under the control of the CEO.
5.2 Plan documentation storage
Copies of this DRP, and hard copies will be stored in secure locations to be defined by the Company. Each member of senior management will be issued a hard copy of this plan to be filed at home. Each member of the Disaster Recovery Team will be issued a hard copy of this plan. A master protected copy will be stored on specific resources established for this purpose.
5.3 Backup Strategy
Currently the Company has a double backup solution, the production data is being stored on a RAID 10 HP server, all data is being daily backed up to the outstanding streamer.
KEY BUSINESS PROCESS | BACKUP STRATEGY |
IT Operations | RAID 10 + Streamer |
Tech Support – Hardware | RAID 10 + Streamer |
Tech Support – Software | RAID 10 + Streamer |
RAID 10 + Streamer | |
Disaster Recovery | RAID 10 + Streamer |
Finance | RAID 10 + Streamer |
Human Resources | Off-site data storage facility |
Testing Fully Mirrored Recovery site – | RAID 10 + Streamer |
Workshop Fully Mirrored Recovery site – | RAID 10 + Streamer |
Web Site | RAID 10 + Streamer |
5.4 Risk Management
There are many potential disruptive threats which can occur at any time and affect the normal business process. The Company has considered a wide range of potential threats and the results of such deliberations are included in this section. Each identified potential environmental disaster or emergency situation has been examined. The focus here is on the level of business disruption which could arise from each type of disaster.
Potential disasters have been assessed as follows:
Potential Disaster | Probability
1=Very High, 5=Very Low |
Impact Rating
1=Very High, 5=Very Low |
Brief Description Of Potential Consequences & Remedial Actions |
Flood | 5 | 5 | Servers are located in data centre with hith avalaibility (99.85%), all mentioned risks becomes to 0. |
Fire | 5 | 5 | |
Lightning Strike | 5 | 5 | |
Electrical power failure | 5 | 5 | |
Equipment overheating | 5 | 5 | |
Loss of communications network services | 4 | 3 | |
Accidental deletion of data | 3 | 4 | Backups are in place which allows data to be recovered within a short period of time. All the data backups run in the real-time with RAID10. In addition all data back ups to the outstanding streamer. |
Malicious deletion of data | 5 | 3 | Backups are in place which allows data to be recovered within a short period of time. All the data backups run in the real-time with RAID10. In addition all data back ups to the outstanding streamer. |
6. Emergency Response
It is necessary for the DRP updating process to be properly structured and controlled. Whenever changes are made to the DRP they should be fully tested and suitable amendments should be made to the training materials. This will involve the use of formalized change control procedures under the control of the Managing Director.
6.1 Alert, escalation and plan invocation DRP Triggering Events
Key trigger issues at the headquarters that would lead to activation of the DRP are:
• Loss of all or a significant portion of the Company’s communications capabilities for a period longer than one hour during office hours;
• Total loss of power for a period longer than one hour during office hours;
• Loss of essential equipment which does not allow normal operations to continue for a period longer than one hour during office hours;
• Loss of use of the Company’s building.
Activation of Emergency Response Team
When an incident occurs, the Emergency Response Team (ERT) headed by IT Director A.Higdon and IT Security Department must be activated. The ERT will then decide the extent to which the DRP must be invoked. All employees must be issued IT Director’s contact details to be used in the event of a disaster. Responsibilities of the ERT are to:
• Respond immediately to a potential disaster and call emergency services;
• Assess the extent of the disaster and its impact on the business, data centre, etc.;
• Decide which elements of the DR Plan should be activated;
• Establish and manage disaster recovery team to maintain vital services and return to normal operation;
• Ensure employees are notified and allocate responsibilities and activities as required.
6.2 IT Disaster Recovery Team
The IT disaster recovery team (“DRT”) will be contacted and assembled by the ERT. The team’s responsibilities include:
• Establish facilities for an emergency level of service within two business hours;
• Restore key services within four business hours of the incident;
• Recover to business as usual within eight to twenty-four hours after the incident;
• Coordinate activities with disaster recovery team, first responders, etc.
• Report to the emergency response team.
6.3 Emergency Alert, Escalation and DRP Activation
This policy and procedure has been established to ensure that in the event of a disaster or crisis, personnel will have a clear understanding of who should be contacted and in what order of priority. Procedures have been addressed to ensure that communications can be quickly established while activating disaster recovery.
The DRP will rely principally on key members of management and staff who will provide the technical and management skills necessary to achieve a smooth technology and business recovery. Suppliers of critical goods and services will continue to support recovery of business operations as the Company returns to normal operating mode.
Emergency Alert
The person discovering the incident calls a member of the Emergency Response Team in the order listed. The person discovering the incident calls a member of the Emergency Response Team, which include members of management. If the members are not available a Backup Emergency Response Team has also been assigned.
Emergency Response Team:
• IT Director
• IT Security Department
If not available try a Backup emergency team:
• Finance Director
• System Administrator
The ERT is responsible for activating the DRP for disasters identified in this plan, as well as in the event of any other occurrence that affects the company’s capability to perform normally.
One of the tasks during the early stages of the emergency is to notify the DRT that an emergency has occurred. The notification will request DRT members to assemble at the site of the problem and will involve sufficient information to have this request effectively communicated. The Business Recovery Team (BRT) will consist of senior representatives from the main business departments. The BRT Leader will be a senior member of the company’s management team, and will be responsible for taking overall charge of the process and ensuring that the company returns to normal working operations as early as possible.
DR Procedures for Management
Members of the management team will keep a hard copy of the names and contact numbers of each employee in their departments. In addition, management team members will have a hard copy of the The Company disaster recovery and business continuity plans on file in their homes in the event that the headquarters building is inaccessible, unusable, or destroyed.
Contact with Employees
Managers will serve as the focal points for their departments, while designated employees will call other employees to discuss the crisis/disaster and the company’s immediate plans. Employees who cannot reach staff on their call list are advised to call the staff member’s emergency contact to relay information on the disaster.
Backup Staff
If a manager or staff member designated to contact other staff members is unavailable or incapacitated, the designated backup staff member will perform notification duties.
Personnel and Family Notification
If the incident has resulted in a situation which would cause concern to an employee’s immediate family such as hospitalisation of injured persons, it will be necessary to notify their immediate family members quickly.
7. Media
7.1 Media Contact
Assigned staff will coordinate with the media, working according to guidelines that have been previously approved and issued for dealing with post-disaster communications.
7.2 Media Strategies
Avoiding adverse publicity; Take advantage of opportunities for useful publicity; Have answers to the following basic questions:
• What happened?
• How did it happen?
• What are you going to do about it?
7.3 Media Team
• Marketing Manager
7.4 Rules for Dealing with Media
Only the media team is permitted direct contact with the media; anyone else contacted should refer callers or in-person media representatives to the media team.
8. Financial and Legal Issues
8.1 Financial Assessment
The emergency response team shall prepare an initial assessment of the impact of the incident on the financial affairs of the Company. The assessment should include:
• Loss of financial documents;
• Loss of revenue;
• Theft of check books, credit cards, etc.; and
• Loss of cash.
8.2 Financial Requirements
The immediate financial needs of the Company must be addressed. These can include:
• Cash flow position;
• Temporary borrowing capability;
• Upcoming payments for taxes, payroll taxes, Social Security, etc.; and
• Availability of company credit cards to pay for supplies and services required post- disaster.
8.3 Legal Actions
The Company legal department and ERT will jointly review the aftermath of the incident and decide whether there may be legal actions resulting from the event; in particular, the possibility of claims by or against the Company for regulatory violations, etc.
9. DRP Exercising
DRP exercises are an essential part of the plan development process. In the DRP exercise no one passes or fails; everyone who participates learns from exercises – what needs to be improved, and how the improvements can be implemented. DRP exercising ensures that emergency teams are familiar with their assignments and, more importantly, are confident in their capabilities.
Successful DRP launches into action smoothly and effectively when it is needed. This will only happen if everyone with a role to play in the plan has rehearsed the role one or more times. The plan should also be validated by simulating the circumstances within which it has to work and seeing what happens. The DRP should be exercised every 12 months and when a change within the DRP is applied.