Business Continuity Plan (BCP) Policy
Document Name: | Business Continuity Plan |
Classification: | Internal |
Document Owner: | CISO/MR- |
Document Approver: | Top Management |
Original Document Issue Date: | 10/10/2023 |
Current Edition: | Version 2.0 |
Revision History: |
S. No. | Description of Change | Date of Change | Version No. |
1 | Initial Release | 10/10/2023 | 1.0 |
2 | Second Release | 10/10/2024 | 2.0 |
Scope
The IT Department shall ensure continuous IT services in terms of developing, maintaining and testing IT continuity plans, offsite backup storage and periodic continuity plan training, to minimize the probability and impact of a major IT service interruption on key business functions and processes.
PURPOSE
To ensure continuous service with minimum business impact in the event of an IT service interruption by focusing on building resilience into automated solutions and developing, maintaining and testing IT continuity plans.
GUIDELINES
The policy shall be met by:
Developing and maintaining/improving IT contingency
Training on the testing of the IT contingency plan
Storing copies of contingency plans and data at offsite locations
Plan
Development of a framework for IT continuity to support enterprise-wide business continuity management with a consistent process. The framework shall address the following:
The organizational structure for continuity management covering the roles, tasks and responsibilities of internal and external services providers, their management and their customers, and the rules and structure to document, test and execute the disaster recovery and IT continuity plans.
Identify critical resources, the monitoring and reporting of the availability of critical resources, alternative processing and the principles of backup and recovery.
Developing IT Continuity Plan based on the framework, designed to reduce the impact of a major disruption on key business functions and processes.
Focus shall be on items specified as most critical in the IT Continuity Plan to build in resilience and establish priorities in recovery situations.
Define response and recovery requirement tiers, e.g. 1-4 hours, 4-24 hours, above 24 hours.
Define change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements.
Test the IT Continuity Plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant.
Ensure that all concerned parties receive regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster.
Determine that a defined and managed distribution strategy exists to ensure that the plans are properly and securely distributed and available to appropriately authorized interested parties when and where needed.
Ensure that the plans are accessible under all disaster scenarios.
Prepare actions to be taken for the period when IT is recovering and resuming services, which shall include, but not be limited to:
Activation of backup sites
Initiation of alternative processing
Customer and stakeholder communication
Resumption procedures etc.
Store all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans at offsite premises.
IT management shall ensure that offsite arrangement(s) are assessed at least semi-annually for content, environmental protection and security.
Ensure compatibility of hardware and software to restore archived data and periodically test and refresh archived data.
Establish functions to assess the adequacy of the plan and update the same on successful resumption of the IT functions after a disaster.
LEGISTIFY SERVICES PRIVATE LIMITED:
BCP Plan
Contents
Background of the Business Continuity (BCP) Plan
Objectives of the BCP plan
Critical Function List
Critical Function – Cyber Attack
Critical Function – Office/Locations/Staff
Critical Function – Office/SharePoint
Critical Function – Customer’s Applications
Current Roles, and Contact List
Background of the Business Continuity (BCP) Plan
This plan has been designed to identify the key emergencies and critical problems which could prevent the LEGISTIFY SERVICES PRIVATE LIMITED business from operating as normal. This plan does not cover management/day-to-day risks but focuses on larger areas and one-time events which could have a critical impact on the on-going running of the business, or on the business of LEGISTIFY SERVICES PRIVATE LIMITED’s partners/customers.
Objectives of the BCP plan
LEGISTIFY SERVICES PRIVATE LIMITED reviews its BCP plan with its key stakeholders. Should there be any gaps/items which need to be addressed, we will include them within a revised version of this document.
The purpose of this plan is to ensure that LEGISTIFY SERVICES PRIVATE LIMITED and its partners/team members:
Are aware of the key risks/business continuity issues
Know how to respond to a disruptive incident
Are able to maintain delivery of critical activities/services
Are able to return to ‘business as usual’ as soon as possible.
Critical Function List
The following areas are covered in more detail within this plan, in the sections mentioned.
Priority | Critical function | Section |
1 | Cyber Attack | 5 |
2 | Offices/Locations/Key Staff | 5 |
3 | Company Data/Services | 6 |
4 | Customers Products/Applications | 7 |
5 | Company Solvency/Management | 8 |
Critical Function – Cyber Attack
Critical Function | Office/Locations |
Background | Cyber Attacks are a growing threat for all companies. |
Example Incident |
Responsibility: | External Security Team – responsible for external penetration testing and regular audits; Internal Security Team – responsible for on-going security management; Technical Lead – responsible for incident identification and management; Account Manager – responsible for notifying and keeping customers updated; Directors – responsible for oversight of the Security Team and management of security |
Potential impact if interrupted: | High |
Likelihood of interruption: | Moderate |
Recovery timeframe: | To be identified at time of incident |
RESOURCES REQUIRED FOR RECOVERY |
Staff | Internal Security Team – responsible for on-going security management; Technical Lead – responsible for incident identification and management; Account Manager – responsible for notifying and keeping customers updated; Directors – responsible for oversight of the Security Team and management of security |
Key Measures and steps |
Critical Function – Office/Locations/Staff
Critical Function | Office/Locations/Staff |
Example Incidents |
Background | LEGISTIFY SERVICES PRIVATE LIMITED has 200 staff, based in Indore, India. Team members can work remotely, and all company software/applications are available from a computer with an internet connection. We do not maintain critical infrastructure, personnel or documentation in any single location, and have trained personnel across the multiple offices. |
Responsibility: | The Managers/Office Managers of each location are responsible for managing this part of the BCP plan |
Potential impact if interrupted: | Given that no one location has critical infrastructure/personnel, and that people are able to work remotely and from multiple locations, there would be negligible impact to the organisation should an office, or the personnel from that office, be unavailable. |
Likelihood of interruption: | Highly Unlikely |
Recovery timeframe: | Same day/within day - In the extreme case where an incident causes loss of service from one office, LEGISTIFY SERVICES PRIVATE LIMITED could operate services on a work-from-home basis. |
RESOURCES REQUIRED FOR RECOVERY |
Staff | Indore Office Team |
Premises | Team members can work remotely and/or in alternative providers' offices. |
Equipment | Should any premises/equipment be made unavailable – Office Lead will purchase/organise. |
Critical Function – Office/SharePoint
Critical Function | Microsoft |
Example Incidents |
Background | LEGISTIFY SERVICES PRIVATE LIMITED stores all its data/services and information within the Microsoft Cloud. We use SharePoint/Office 365 for all work, and team members access the services from Microsoft via the Internet. We do not have any private networks, servers/physical equipment at any of the locations. |
Responsibility: | Microsoft manages the infrastructure/data/services; LEGISTIFY SERVICES PRIVATE LIMITED Technical Manager manages the relationship with Microsoft; Directors/Office leads are the escalation point on loss of service |
Potential impact if interrupted: | High |
Likelihood of interruption: | Unlikely - All data is backed up in different Microsoft locations, so we have geo-redundancy of all services. The only real risk would be if Microsoft itself were to no longer be in business. |
Recovery timeframe: | Within 1 hour – management would expect most services to be resumed within the hour |
RESOURCES REQUIRED FOR RECOVERY |
Staff | Technical Director responsible for liaising between Microsoft & internal team members |
Key Steps |
Communication | Team may use phone/mobile in case emails/company communications are not available through Microsoft. |
Critical Function – Customer’s Applications
Critical Function | Office/Locations |
Background | All data is stored in database components & file storage systems, which are backed up and managed as part of Microsoft’s standard Cloud. LEGISTIFY SERVICES PRIVATE LIMITED is responsible for the full configuration of these systems once deployed. |
Example Incident |
Responsibility: | Technical Manager – responsible for managing service uptime/relationship with Microsoft; Account Manager – responsible for notifying and keeping the customer updated of outages |
Potential impact if interrupted: | High |
Likelihood of interruption: | Unlikely |
Recovery timeframe: | Usually instantaneously (within seconds) due to active/active configuration |
RESOURCES REQUIRED FOR RECOVERY |
Staff | Technical Director responsible for liaising between Microsoft & internal team members; Account Manager responsible for keeping customers informed |
Key Steps |
Communication | Regular updates would be provided by the LEGISTIFY SERVICES PRIVATE LIMITED Help Email, and the Account Managers would regularly be in contact with the customer to advise of what is happening. |
Back-up Data | Whilst we have done everything possible to prevent the loss of data and/or manage service uptime, the one risk we are left with is reliance on Microsoft, and the risk that their cloud services are unavailable. Whilst there have been slight outages over the last 5 years lasting but it is highly unlikely the system will be down for an extended period of time beyond a day. |
Current Roles, and Contact List
Role | Contact Details |
Policy Revision History
Date | Version | Author | Reviewer | Approver | Comments |
10/10/2023 | 0.1 | ISMS Manager | CIO | LEGISTIFY SERVICES PRIVATE LIMITED Management | Draft Version of BCP |