Business Continuity Plan

 

Purpose

To operate a successful business, and meet the requirements of our stakeholders, our organisation has to identify the services that are most critical, and put in place plans for managing possible disruptions to these services. We also need to manage information security risks that may arise with any disruptions to services and recovery efforts, and ensure our information security controls are not compromised during the disruption. Failure to meet our requirements for the confidentiality, integrity, and availability (CIA) of our services and associated information assets may put the information of our employees, customers, and third-parties, at risk, and breach our SLAs. This document details how our organisation responds to service disruptions.

Scope

This business continuity plan (BCP) shall be applied to our business critical information systems and services that fall within the scope of our ISMS.

Audience

All employees, contractors, and third-parties who have responsibility for planning and initiating business continuity activities shall adhere to this BCP. These include, but may not be limited to:

For the purposes of this document, the employees, contractors, and third-parties who carry out these roles shall be collectively referred to as “continuity managers”.

Communication

This BCP shall be communicated to all employees and agency staff as part of the relevant department training programme, and periodically following any changes to the procedure, or prior to any BCP training exercises. All contractors and third-parties providing BCP and continuity services, or outsourced incident monitoring and response, shall be provided with a copy of this procedure as part of the process for contracting services. Contractors and third-parties shall be re-issued with updated versions of this procedure periodically, and following any changes. Contractors and third-parties shall also be re-issued with the latest version of this procedure when engaging in BCP training exercises. Members of the BCP Team shall retain offline copies of this document for reference in the event that our information systems become unavailable during an incident.

Improvement

This document is reviewed for improvement in several ways. They are:

Management also endeavours to plan business continuity activities so that our information and information systems are not misused, either intentionally or unintentionally. This is done by identifying and assigning separate duties and responsibilities to guard against misuses such as fraud, or malicious insider activities, etc. Where a continuity manager identifies potential conflicts or misuse of information systems due to improper planning and assignment of duties when carrying out business continuity activities, continuity managers should raise their concern immediately with their line manager, or the ISMS Manager.

1. Procedure

The diagram below illustrates the overall procedure for our BCP. Incidents are typically raised and managed in line with our Incident Response Procedure, and where business operations are disrupted, the required business continuity and disaster recovery activities would take place during the mobilisation of the Incident Response Team (IRT) and recovery stage of the Incident Response Procedure (section 1.3 and section 1.5).

The procedure consists of the following steps:

  1. Determine what areas and functions are impacted;
  2. Determine if third-party involvement is required for disaster recovery activities;
  3. Determine if the incident requires evacuation or other health and safety considerations;
  4. Initiate the relevant disaster recovery plan and restore the systems, locations, and services as required;
  5. Document any issues encountered as lessons learned.

BCP Diagram

2. Key Business Areas

The following are the key business areas we have identified that impact the continuity of our services and business operations, and that fall within the scope of this BCP. These areas have been identified through the development of our Critical Asset Register and associated risk assessment activities in line with our Risk Management Process.

2.1 Personnel

The ability to ensure the health and safety of our personnel, carry out core business activities, and initiate recovery activities is critical to our BCP. The following personnel are teams or individuals who play a key role in business continuity activities. A contact list of relevant continuity managers is maintained in the Business Continuity Plan Contact Sheet.

 

Department/Team 

No. of contacts 

Location

IT & Devs

3

Remote

Incident Response Team 

5

2 in HQ and 3 remote 

HR

2

1 in HQ and 1 remote

COO

1

In HQ

Site Ops

4

Warehouse locations in HQ, GE, UK, USA

 

2.2 Physical Sites

Where a physical location is necessary to carry out crucial business operations and recovery activities the buildings become key business areas, and appropriate redundancy measures should be put in place where that location becomes unavailable. The following buildings are identified as facilitating key infrastructure and services.

 

Building address

Critical Functions Supported

Environmental Considerations

Head Office Building: 6-7, Granby Row, Rotunda, Dublin 1, D01 FW20

Communications equipment, hard drives (back up media), ISP and connectivity to the cloud environment. Storage of customer harddrives. 

None

Third Party Data Centre in Germany: Hetzner: Am Datacenter-Park 1, 08223 Falkenstein/Vogtland, Germany

Data Server where the client data is stored/processed

None

Third Party Data Centre in Ireland: AWS: Burlington Rd, Dublin 4, D04 HH21, Ireland

Data Server where the client data is stored/processed

None

Warehouse (EU): Paderborner Strasse 2 b 10709 Berlin Germany

Warehouse for the storage and assembly of Evercam Hardware in Continental Europe. Storage of customer harddrives

None

Warehouse (UK): Unit 3c, Castle Close Industrial Estate, CROOK, DL15 8LU

Warehouse for the storage and assembly of Evercam Hardware in the UK. Storage of customer hard drives. 

None

Warehouse (US): 4600 Allegheny River Blvd, Verona PA 15147, USA

Warehouse for the storage and assembly of Evercam Hardware in the USA. Storage of customer hard drives.

None

 

2.3 Customer & Third-Party Services

The services we provide to our customers are critical to the continuation of our business. Failure to meet our SLAs with our customers may result in reputational damage, penalties, and may cause our business to cease operating. Additionally, failure to meet our agreements with our service providers may result in critical services being terminated. The following is a list of the services we provide to our customers and third-parties.

 

Service 

Hosted Location / Dependency

Customers / Third-Parties Impacted

Service SLA / Compliance Requirement

Github

(code) 

Cloud in USA (Seattle and Northern Virginia)

Customer 

Team Plan (Github Team) 

Github Customer Terms (link

Evercam software services

Cloud, Hetzner and AWS Data Centres

Customers

SLA

Footage from the client site

Cloud, Hetzner and AWS Data Centres, Hard Drives

Customers

Data Protection Act 2018 and GDPR 

Invoice payment 

Cloud-based third-party expenses service, banking provider

Service providers

Services contract and payment agreement

2.4 Business Services

Along with our services to customers, we may also need to ensure continuity for critical internal services. The following is a list of the internal services we provide to our employees and other departments which are critical to meeting compliance requirements and any internal service agreements.

 

Service 

Hosted Location / Dependency

Departments Impacted

Internal SLA / Compliance Requirement

Payroll

Zoho Suite, Cloud-based payroll service, banking services, finance team logins/accounts

All employees

Legally required to meet requirements in employee contracts

Access to critical software systems 

Zoho Suite and Google Suite 

All employees

Internal communications availability agreement

 

3. Roles & Responsibilities

The roles and responsibilities for carrying out our BCP are defined below. Depending on the type of disruption and services impacted, different continuity managers may be required to step into these roles. The below roles and their descriptions should not be considered exhaustive:

 

Role 

Description & Responsibilities

Incident Response Team (IRT)

When a potential incident is identified, the IRT shall initiate our Incident Response Procedure. The IRT shall be responsible for:

  • Determining an initial criticality of the incident in line with the Incident Response Procedure
  • Where there is unavailability or disruption of services, notifying the BCP Team so that BCP activities can begin
  • Maintaining oversight of BCP activities to ensure they are carried out by the BCP Team as planned
  • Handling incident communications in line with the Incident Response Procedure
  • Ensuring the BCP Team document any issues for inclusion in the Incident Report

BCP Team

Where an incident has resulted in the unavailability or disruption of services, the BCP Team forms to execute the relevant continuity activities. The BCP Team shall consist of continuity managers that are relevant to the services impacted, and not all members of the BCP Team may be required to participate. For example, where services in a third-party data centre are impacted, it would not be necessary for the HR Lead to carry out any evacuation or health and safety activities. In some situations, members of the BCP Team may also be members of the IRT. In these cases, the Incident Response Lead shall ensure that the team member’s duties are appropriately prioritised and supported to reduce potential conflict. The BCP Team is responsible for:

  • Liaising with the IRT to communicate the status of BCP activities and estimated recovery times
  • Determining the priority of BCP activities once the incident is assessed
  • Ensuring BCP activities are carried out as planned
  • Documenting any issues with the execution of the planned activities such as recovery problems, unexpected dependencies, communication issues, etc.

Technology Lead

The Technology Lead is familiar with disaster recovery procedures for all technology services provided to customers, third-parties, and internally as documented in section 2 of this document. The Technology Lead should be a person with suitable authority and expertise in the operations team, and should also be able to facilitate emergency access to systems and technology resources, should this become necessary during the incident. The Technology Lead is responsible for:

  • Determining which information systems and assets are impacted
  • Initiating and overseeing the relevant disaster recovery procedures
  • Liaising with the IRT to communicate the status of disaster recovery activities
  • Ensuring any issues are documented and provided to the IRT as required

Information Security Lead

The Information Security Lead provides guidance and information regarding our business’ requirements for information security, and assists with identifying potential risks, during BCP activities. 

Data Protection Lead

The Data Protection Lead provides guidance and information where disruption of services may impact our ability to meet regulatory requirements such as making personal data available. For example, in an emergency situation where paper records need to be moved from a site, the Data Protection Lead would provide advice and assistance with moving the personal records to ensure their safety, security, and accessibility. Another example may be where recovery of cloud-based services require infrastructure and data to be moved to a different region. In this situation, the Data Protection Lead would provide guidance on the legal requirements of moving the data to the new region. 

HR Lead

The HR Lead is responsible for carrying out business continuity activities that involve the health and safety of personnel and visitors during emergency events. The HR Lead should be a person with suitable authority in the HR department, and should have expert knowledge of health and safety requirements, and emergency contact procedures.

Facilities Lead

The Facilities Lead manages the physical security of our physical sites and is responsible for providing access to our recovery sites and/or alternative working areas where our primary offices may become unavailable. The Facilities Lead may also need to advise on physical security and access requirements to ensure physical security requirements are maintained in the alternative sites, where available. The Facilities Lead should be a person with the appropriate levels of authority in their area so that emergency access is facilitated and managed, where required.

 

4. Plan Execution

In line with the procedure documented in section 1, the following BCP activities should be carried out prior to initiating any disaster recovery procedures. The activities carried out during an incident will vary depending on the criticality of the incident, and the key areas affected. The activities listed below are not in order of priority; the BCP Team shall determine the priority of the activities as part of the incident assessment.

Once all relevant personnel, third-parties, and resources have been organised, disaster recovery procedures for the affected services should be initiated as required.

 

Activity 

Continuity Manager/s Responsible

Identify the key business areas impacted (section 2 above)

Technology Lead

HR Lead

Information Security Lead

Identify required Disaster Recovery procedures

Technology Lead

HR Lead

Information Security Lead

Contact emergency services

HR Lead

Contact technology managed services providers (third party providers: GitHub, GitLab, data centres)

Technology Lead

Contact key personnel involved in health and safety procedures

HR Lead

Contact access key holders at affected sites (warehouses in EU, UK, USA and HQ) to facilitate access and/or evacuation

Facilities Lead, Site Ops leaders 

Contact key personnel involved in disaster recovery procedures

Technology Lead

Information Security Lead

Organise emergency remote access to sites and services

Technology Lead

Information Security Lead

Organise emergency equipment for key personnel (laptop, mobile phone, access cards, security tokens, etc.)

Technology Lead

Information Security Lead

 

5. Continuity Testing

Where our BCP is untested, our organisation may fail to carry out the plan as expected, resulting in unacceptable disruption to the key systems and services identified in section 2 of this document, possible risk to personnel, and/or loss of information. To ensure our BCP, and relevant disaster recovery procedures, are accurate and work as expected, the following is required: