Document Information
Company: SFL Coimbatore
Classification: Confidential
Document Owner
Name Title
Dr N Raveendran
Document History
Date Version Name Notes
12-5-2018 1.0 Initial Draft
The Information Technology (IT) group mitigates risks to reduce potential issues and
impacts by developing plans that provide the ability to recover from situations including
man-made and natural disasters. Accordingly, it develops Disaster Recovery (DR)
plans.
2 PURPOSE AND SCOPE
The purpose of this document is to establish the policy for activities related to the
business continuity process. The purpose of the BCP and DR plans is to formalize business
continuity, establish the recovery process and provide guidelines for developing,
maintaining and exercising business continuity.
This policy is applicable to all users of SFL and relevant third-party contractors.
3 OBJECTIVES
The objective of this document is to give guidance as to the continuity of business in the
event of a disruption and subsequent recovery. It addresses the risks to the business
pertaining to non-availability of Information / IT resources due to any short or long-term
disruptions.
BCM is the process by which an organization prepares for future incidents or crises that
could jeopardize the organization’s core mission and its short and long-term ability to
continue operations and meet stakeholder expectations. The involvement of the board and
senior management is essential and integral to the effective governance of
BCM practices. The board and senior management are responsible for providing resources
and guidance for the development, maintenance, enforcement and endorsement of the
business continuity plan and disaster recovery.
The board of directors and senior management of SFL bear the ultimate
responsibility for the effectiveness of the BCP. SFL should develop policies, standards and
processes to manage the BCP, which are reviewed and approved by the board. The senior
management shall take measures to ensure the BCP is adopted by employees at all
levels without exception.
Regular and periodic reports should be submitted to the board and senior management.
The reports contain details regarding the steps taken as preventive measures, periodic
assessments, tests conducted as specified to validate the effectiveness of the BCP, and the
results and lessons learned during testing. Any major changes to the business, technology,
process or client services that affect the BCP shall be reported.
Periodic audits of the BCM practices and the adherence to policy shall be conducted,
either by internal resources or through outsourced resources. The outcome,
in the form of a report, shall be shared with the Board.
Yearly review of the impact to the business, risks, and sufficiency of the recovery
strategies with the test results (of the recovery capability) shall be placed before the
board for acceptance and clearance to continue the practices.
If the business continuity plan and disaster recovery are effectively implemented and
practiced, the organization’s ability to run the business in the event of disruption is
higher, which can build great confidence amongst the stakeholders.
Recovery Point Objective (RPO) is the point in time to which systems and data must be
recovered after an outage (e.g., end of previous day’s processing). RPOs often are used
as the basis for developing backup strategies and to determine the amount of data that
may need to be recreated after the systems or functions have been recovered.
The first step is to involve the business owners and other stakeholders for whom the
business continuity plans are developed. The business owners should identify the
critical business processes, the impact to the business, the time within which each process
is to be recovered and the point from which they need the recovery.
Business impact analysis is carried out to identify the critical business functions and the
The identified risks are to be mitigated by having adequate controls to prevent and
manage them. By having layers of physical security and educating the users, man-made
disruptions such as sabotage can be prevented.
Providing adequate access control, timely backups, periodic testing of backups, testing
of BCP plans, making calls to the critical users and validating their contacts as part of the
testing process, periodic vulnerability assessment, conducting reviews of existing controls,
reassessing business criticality, review of access control, upgrade of software and data
security are some of the preparatory measures.
Network outages, application errors and virus infections can be prevented by periodic
reviews and testing. Use of expertise of external agencies can easily be called upon to
The business continuity plan coordinator, in conjunction with other teams, will
determine which teams/team members are responsible for each function during each
phase. As tasking is assigned, additional responsibilities, teams, and task lists need to be
created to address specific functions during a specific phase.
Based on the needs and requirements of the business process, the following can be
selected as the continuity model:
Active / passive (of two nodes, one is active and the other is standby)
Active / active (two nodes, both active, with load balancing)
Cloud backup
Alternate locations, within the organisation or co-located with an external vendor
Split operations mode – business operations in two or more active sites
The protection and retention of vital records is a normal IT business operation. Some
records need to be stored in their original form. The IT data center provides a secure
storage area for organization records.
The data center regularly backs up data to magnetic tape cartridge(s) and transports
them to the off-site location.
Some of the key aspects in relation to vital record management are given below:
Identification of critical business records which are vital for recovery by business
functions
Identification of records related to support functions
Identification of whether records are held on electronic or non-electronic media
Availability of vital records at off-site location
Availability of emergency retrieval procedure for vital records that are backed-up
Controlled access to back-up vital records
The following are the essential records that shall be kept off-site:
Information security policy, procedure, circulars, publications etc.
Complete hardware and software listings
Detailed IT architecture schematics (logical/physical, network, devices)
Network cable routing schematics (on floor overlay)
System testing plans/procedures, system configurations
Changes made to the system configuration
Evaluation of changes for security implications
Technical standards
Business continuity plans, incident response procedures and backup operations
Reports of security related incidents
Sensitivity and criticality determination
Baseline security checklist for each system
Software licensing information
The objective of BCM process is to ensure that it includes all functions needed to
develop, test and maintain a Business Continuity Plan (BCP) and the skills and
BCP Coordinator
Alternate site
Based on the business continuity model, an alternate site is selected or the recovery
strategy is determined. An alternate site contains pre-configured IT assets including
infrastructure for activation in a business continuity operation mode. This site should be
kept ready with relevant assets and services such as power, communication, office
furniture, space and information technology equipment to serve the need for business
continuity operations.
Should a regional event render facility systems ineffective and prevent
physical access, a relocation site would serve the needs for business
continuity operations.
Teams
The following are the teams that will be assigned to execute the business continuity
plan. Each team will have a roster and task list of actions and responsibilities, which are
included in an appendix.
Project/Operations Team
The operations team consists of project co-ordination heads who provide the support
necessary for production of critical application systems during recovery. This team is
also responsible for coordinating with the backup team to ensure that application system
data and operating instructions are correct, and with the systems support team to
advise of the production status and any unusual problems requiring assistance.
Systems Support Team
The system support Team is composed of SFL’s technology team members responsible
for restoring hardware and software facility, data backup, and voice and
Admin Team
The admin team coordinates primary and alternate site security and specialized clerical
and administrative support for the business continuity plan coordinator and all other
teams during disaster recovery proceedings. The admin team may also assist groups
outside the information resources area as needed. The admin team is responsible for
arranging for transportation of staff, equipment, supplies, and other necessary items
between sites.
Backups
The important asset of SFL is its data and information. Data and information processing
are a major reason for the existence of projects. Moreover, all of the systems are
dependent on the preservation of data, including software manuals and documentation.
In order to minimize the impact of a disaster, it is extremely important to protect data
and information. Data backups (full and incremental) on tape are kept at an
offsite location and are tested periodically.
Office equipment, furniture and supplies
SFL management shall review supply needs and coordinate with the admin department
to develop a revolving emergency inventory of workspace and survival supplies for
immediate use in the event of a disaster. The revolving inventory of workspace supplies
should include basic essential supplies and SFL’s specific forms and templates.
BCP/DRP Testing Procedures
The business continuity plan and disaster recovery procedures should be maintained
routinely and exercised/tested once every six months. Business continuity procedures must
be tested periodically to ensure the effectiveness of the plan. The scope, objective, and
measurement criteria of each exercise shall be determined and coordinated by the
business continuity plan coordinator on a “per event” basis. The purpose of exercising
and testing the plan is to continually refine resumption and recovery procedures to
reduce the potential for failure.
The business continuity plan coordinator, team leaders, together with the SFL office
management will determine end-user participation.
During an emergency, the first priority is to ensure the safety of people inside the office
at the time, and an orderly evacuation is required. Once all the employees, contractors
and others in SFL have been safely evacuated, the business continuity management
team will take control. The following are the evacuation procedures:
General Evacuation Instructions
Remain calm.
Turn off all hazardous operations.
Follow instructions.
Assist disabled people.
Leave the area in an orderly fashion.
Follow the established evacuation route.
Move away from the building. Go directly to the assembly area and report to the
evacuation coordinator for a ‘head count’.
9 DISASTER RECOVERY
The operational environment of the SFL includes services from the following general-
support to critical-function systems. These systems and services are supported and
maintained by the IT department.
SFL IT serves various departments and business processes. All of these should be
described with regard to the environment that they run in, the workstations and servers in
each division, and the functional areas within each division.
SFL IT department should implement an IT continuity initiative as an ongoing part of
their day-to-day activities. IT managers and staff must make sure they understand their
role in the event of a major event or disaster. This will ensure that the response is
coordinated, controlled and efficient.
The details of systems, network, application etc. are collected and maintained by which
can be used during disaster recovery phase. Using the template given in Annex A to this
policy the above details can be collected. In addition to this, using the template given in
IT DR training for the IT recovery team is essential for effective resumption and recovery
of operations. IT recovery team shall ensure training to keep current in the business
9.3 TESTING
TYPE: Table Top Test
DEFINITION:
This is a facilitated group analysis of an emergency situation in an
informal, stress-free environment.
The Tabletop Exercise is designed for examination of operational plans,
problem identification, and in-depth problem solving.
A more “reality-based” experience
Planning cycle: once in 6 months
Duration: 90-120 minutes
Debriefing time: 30 minutes
TYPE: Component Test
DEFINITION:
Assesses the allocation of resources and manpower
Evaluates communication across the different groups
Assesses the adequacy of current procedures and policies
Participants perform actual activities
Involves more participants: simulators, evaluators, larger design team
Planning cycle: 3-6 months
Duration: 90 min – 4 hours
TYPE: Full-recovery Test
DEFINITION:
Evaluates the operational capability of systems in an interactive manner
over a substantial period of time
Presents complex and detailed events in real-time
Mobilizes personnel and resources and movement of emergency response
teams, equipment and resources
Can be expensive; may be disruptive to normal operations
Planning cycle: 4 months minimum
Duration: 2-8 hours
The above steps and outcome can also be recorded in Annex B.
9.4 MAINTENANCE
As part of the IT recovery program and to ensure its continued validity, all
documentation, recovery capability and facilities must be kept up-to-date.
The IT recovery plan should be updated after every exercise/test. Irrespective of such updates,
the plan should be reviewed and updated at least once a year.
The IT recovery team is responsible for carrying out the instructions detailed below. The IT
recovery program requires that individuals adopt new roles and responsibilities and
work together as a team to ensure the IT department’s ability to survive major events that
damage the ability to deliver IT services and applications. IT management should ensure
that IT recovery is formally managed and controlled.
The roles and responsibilities of the IT recovery team are as follows:
Ensure alignment of the technical recovery capability with business processes
Initiate and manage tests periodically
Maintain the event logs and act as observers during the exercises and tests
Ensure plan updates are done, post incident
Ensure all IT recovery plans are maintained and kept up to date
Ensure updated soft/hard copies of IT recovery plans are available at DR location
Be responsible for the ongoing training programs in business continuity
Establish, monitor, measure and maintain the IT recovery program effectively
Embed the IT recovery / continuity into the culture of SFL IT
Consider interdependencies across the IT services while developing the recovery
strategies.
It is important to note that the BCP governing body will act as the governing body for DR
and exercise the functions through Head of IT.
10 REFERENCE
RBI MD #7
ISO 27001:2013 A:17
Network Team
Voice Communications Team
PC Team
Internet Team
Systems Programming Team
Computer Operations Team
Disaster Recovery steps Table Top Test Component Test Full Recovery Test
A Network
B Voice Communications
C Internet
E File Server
F Desktop
G Enterprise Server Support
H Operations