Coimbatore

Business Continuity Planning and Disaster Recovery

1 Introduction
2 Purpose and scope
3 Objectives
4 Board and senior management oversight
4.1 Establishment of policies and procedures
4.2 Monitoring and reporting
4.3 Continual improvement
5 Business Continuity Management
5.1 Business Impact Assessment (BIA)
5.2 Risk Assessment (RA)
5.3 Risk Treatment
6 Business Continuity phases
6.1 Response Phase
6.2 Resumption and Recovery Phase
6.3 Restoration Phase
6.4 Business continuity models
6.5 Vital record management
6.6 Communication of event
7 Business continuity plan
7.1 Plan Management
8 Emergency Response Procedures
9 Disaster Recovery
9.1 Plan overview
9.2 Awareness and Training
9.3 Testing
9.4 Maintenance
9.5 IT recovery Team
10 Reference

Business Continuity Planning and Disaster Recovery 1


DOCUMENT CONTROL

Document Information

Company: SFL Coimbatore
Document Title: Business Continuity Planning and Disaster Recovery
Classification: Confidential

Document Owner

| Name | Title |
|---|---|
| Dr N Raveendran | |

Document History

| Date | Version | Name | Notes |
|---|---|---|---|
| 12-5-2018 | 1.0 | | Initial Draft |

1 INTRODUCTION

Business Continuity Management (BCM) forms a significant part of an organization’s
overall Business Continuity Plan (BCP), which includes business continuity policy,
standards and Disaster Recovery (DR) procedures to ensure continuity, resumption and
recovery of critical business processes. The BCP shall be designed to minimize the
operational, financial, legal, reputational and other material consequences arising from
a disaster.

The Information Technology (IT) group mitigates risks to reduce potential issues and
impacts by developing plans that provide the ability to recover from situations including
man-made and natural disasters. Accordingly, they develop Disaster Recovery (DR)
plans.

2 PURPOSE AND SCOPE

The purpose of this document is to establish the policy for activities related to the
business continuity process. The purpose of the BCP and DR plan is to formalize business
continuity, establish the recovery process and provide guidelines for developing,
maintaining and exercising business continuity.
This policy is applicable to all users of SFL and relevant third-party contractors.

3 OBJECTIVES

The objective of this document is to give guidance as to the continuity of business in the
event of a disruption and subsequent recovery. It addresses the risks to the business
pertaining to non-availability of Information / IT resources due to any short or long-term
disruptions.

4 BOARD AND SENIOR MANAGEMENT OVERSIGHT

BCM is the process by which an organization prepares for future incidents or crises that
could jeopardize the organization’s core mission and its short and long-term ability to
continue operations and meet stakeholder expectations. The involvement of the board and
senior management becomes essential and integral to the effective governance of
BCM practices. The board and senior management are responsible for providing resources
and guidance for the development, maintenance, enforcement and endorsement of the
business continuity plan and disaster recovery.

4.1 ESTABLISHMENT OF POLICIES AND PROCEDURES

The board of directors and senior management of SFL bear the ultimate
responsibility for the effectiveness of the BCP. SFL should develop policies, standards and
processes to manage the BCP, which are reviewed and approved by the board. Senior
management shall take measures to ensure the BCP is adopted by employees at all levels
without exception.

4.2 MONITORING AND REPORTING

Regular and periodic reports should be submitted to the board and senior management.
The reports contain details of the steps taken as preventive measures, periodic
assessments, the tests conducted as specified to validate the effectiveness of the BCP, and
the results and lessons learned during testing. Any major changes to the business, technology,
processes or client services that affect the BCP shall be reported.
A periodic audit of the BCM practices and of adherence to the policy shall be conducted,
either by internal resources or by outsourced resources. The outcome, in the form of a
report, shall be shared with the Board.
A yearly review of the impact to the business, the risks, and the sufficiency of the recovery
strategies, together with the test results (of the recovery capability), shall be placed before the
board for acceptance and clearance to continue the practices.

4.3 CONTINUAL IMPROVEMENT


The effectiveness of the BCM practices shall be continually improved.
Best practice suggests that this may be achieved through:
• The review of the business continuity policy and objectives
• Audit results
• Analysis of monitored events
• Preventive and corrective action
• Management review

5 BUSINESS CONTINUITY MANAGEMENT


A business continuity management plan consists of preventive and reactive measures
executable by any organization to effectively mitigate and manage risks created by a
crisis or event. BCM is a practice driven by a risk management approach and business
impact assessment. It aligns business continuity capabilities with risks and impact. The
goal of BCM is to enable any organization to restore critical operational activities,
manage communications, and minimize financial and other effects of a disaster,
business disruption, or other major event.

If the business continuity plan and disaster recovery are effectively implemented and
practiced, the organization’s ability to run the business in the event of a disruption is
higher, which can build great confidence amongst the stakeholders.

Major components are:

• Management support to appropriately prepare, maintain, and exercise a business
  continuity plan (BCP) by assigning adequate resources, people, and budgeted funds.
• Risk assessment and risk mitigation for natural or man-made threats, to
  ensure that the risks are understood and managed appropriately.
• Business Impact Analysis (BIA), carried out to identify business processes that are
  integral to keeping the business unit functioning in a disaster and to determine how
  soon these integral processes should be recovered following a disaster.
• Business recovery and continuity strategy, which narrates the steps, people, and resources
  required to recover critical business processes.
• Planning awareness and training of the BCP, which are critical to the execution of BCM.
  Training may also include performance of exercises and/or practice drills for portions of
  the BCP.
• Keeping records up to date to ensure that they remain effective and aligned with
  business priorities.

Recovery Time Objective (RTO) is the period of time within which systems, applications,
or functions must be recovered after an outage (usually defined in business days).

Recovery Point Objective (RPO) is the point in time to which systems and data must be
recovered after an outage (e.g., end of previous day’s processing). RPOs often are used
as the basis for developing backup strategies and to determine the amount of data that
may need to be recreated after the systems or functions have been recovered.

The first step is to involve the business owners and other stakeholders for whom the
business continuity plans are developed. The business owners should identify the
critical business processes, the impact to the business, the time within which each process
is to be recovered and the point from which they need the recovery.

5.1 BUSINESS IMPACT ASSESSMENT (BIA)

Business impact analysis is carried out to identify the critical business functions and the
losses and effects if the business cannot be continued.
The BIA collects input from the business owners in order to assess the impact by arriving at
the criticality of the function in terms of the overall business strategy, the period of time
during which the function could be inoperative without any impact or losses, the effect
of its non-functioning on other business functions, the financial impact due to an
outage, and whether it would result in a breach of SLA or in legal, regulatory or contractual
liabilities. The maximum or acceptable outage is arrived at.
To determine the requirements for recovery, the resources and records that would be
required to continue the function and the minimum level of resources required are
determined. The level of dependency of business functions on internal and external
resources is also determined. The SLA requirements, backup needs, time to recreate
from the backup, system restoration time etc. are part of the recovery requirement.
Business functions are categorized into critical, essential, necessary and desirable
functions, based on their availability and continuity.

| # | Function criteria | Description | Recovery time frame |
|---|---|---|---|
| 1 | Critical | If these functions are not available, they can jeopardize the business and cause heavy damages to the business | 1-4 hours |
| 2 | Essential | If these functions are not available, they can seriously affect the organization’s ability to function for long. | 8 hours |
| 3 | Necessary | If these functions are not available, they would limit their effectiveness, to a great extent. | 24 hours |
| 4 | Desirable | If these functions are available, it would be advantageous for the business | 3 days / 1 week |

SFL can determine recovery time windows such as 4 hours, 8 hours, 24 hours, 3 days
or 1 week. The percentage level of each process that needs to be recovered over the
period of time should also be mentioned. The recovery priority for processes can be
determined based on the assessment carried out.

5.2 RISK ASSESSMENT (RA)


Risk assessment is the exercise of identifying and analysing the potential vulnerabilities
and threats. The components of the RA process are threat, vulnerability, impact to the
business and the probability of the event.
During the risk assessment process, the vulnerability (the inherent weakness), the threats that
can exploit the weakness, and the probability of occurrence with which the event is likely to be
repeated are identified, and the overall risk level for a process is arrived at. The risk impact,
which is calculated, is used to determine the nature and type of treatment of the risk to ensure
continuity of operations.

Some of the risks are given below:

| Natural and environmental threats | Technology threats |
|---|---|
| Fire | Cyber attacks / ransomware |
| Earthquake | Inadequate storage management |
| Severe Storm / Cyclone / Flood | Disastrous application error / migration error |
| Major power outage | Improper data / server / application management |
| Physical location insecurities | Untrained manpower |
| Vandalism, riots, damage | Failure in network / systems / software |
| Absence of critical resources | Improper data back-up / no testing |

5.3 RISK TREATMENT

The identified risks are to be mitigated by having adequate controls to prevent and
manage them. By having layers of physical security and educating the users, man-made
disruptions such as sabotage can be prevented.
Providing adequate access control, timely backups, periodic testing of backups, testing
BCP plans, making calls to the critical users and validating their contacts as part of the testing
process, periodic vulnerability assessment, conducting reviews of existing controls,
reassessing business criticality, review of access control, upgrade of software and data
security are some of the preparatory measures.
Network outages, application errors and virus infections can be prevented by periodic
reviews and testing. The expertise of external agencies can easily be called upon to
analyse, devise and put in place some of the preventive measures.
All these exercises are carried out based on the risks identified to the critical
resources. The exercises carried out shall be reported periodically to the board,
which is part of the objectives set out in RBI MD.

6 BUSINESS CONTINUITY PHASES

The business continuity plan coordinator, in conjunction with other teams, will
determine which teams/team members are responsible for each function during each
phase. As tasking is assigned, additional responsibilities, teams, and task lists need to be
created to address specific functions during a specific phase.

6.1 RESPONSE PHASE

• To establish an immediate presence at the incident site.
• To conduct a preliminary assessment of incident impact, known injuries, extent
  of damage, and disruption to the services and business operations.
• To find and disseminate information on if or when access to the operations
  facility will be allowed.
• To provide management with the facts necessary to make informed decisions
  regarding subsequent resumption and recovery activity.

6.2 RESUMPTION AND RECOVERY PHASE

• To mobilize and activate the support teams necessary to facilitate and support
  the resumption process.
• To notify and apprise time-sensitive business operation resumption team
  leaders of the situation.
• To prepare and implement procedures necessary to facilitate and support the
  recovery of time-sensitive business operations.
• To alert and coordinate with employees, vendors and other internal and external
  individuals and organizations.
• To transport employees to alternate locations
• To commence operation in an alternate location
• Initiate the full recovery of operations

6.3 RESTORATION PHASE

• To prepare procedures necessary to facilitate the relocation and migration of
  business operations to the new or repaired facility.
• Implement procedures necessary to mobilize operations, support and
  technology group’s relocation or migration.
• Manage the relocation/migration effort as well as perform employee, vendor,
  and customer notification before, during, and after relocation or migration.

Technology Recovery Phase
• To identify the critical technical resource, get vendor support if need be
• To mobilise the technical resource, recalling people to resume duty if they are not in
  office
• To recover applications, hardware equipment and network infrastructure
• To recover electronic records
• To recover business and support functions on the basis of criticality and
  dependency
• To restore support utilities such as UPS, cooling system and subsequent
  monitoring

6.4 BUSINESS CONTINUITY MODELS

Based on the needs and requirements of the business process, one of the following can be
selected as the continuity model:
• Active / passive (of two nodes, one is active and the other is on standby)
• Active – active model (two nodes, both of them active, with load balancing)
• Cloud backup
• Alternate locations, within the organisation or co-located with an external vendor
• Split operations mode (business operations in two or more active sites)

6.5 VITAL RECORD MANAGEMENT

The protection and retention of vital records is a normal IT business operation. Some
records need to be stored in their original form. The IT data center provides a secure
storage area for organization records.
The data center regularly backs up data to magnetic tape cartridge(s) and transports
them to the off-site location.
Some of the key aspects in relation to vital record management are given below:
• Identification of critical business records which are vital for recovery by business
  functions
• Identification of records related to support functions
• Identification of whether records are in electronic or non-electronic media
• Availability of vital records at the off-site location
• Availability of an emergency retrieval procedure for vital records that are backed up
• Controlled access to backed-up vital records
• Ensure restoration for valid business resumption purposes.
• Establish priority criteria during vital record retrieval or recreation
• Identify the need for a real-time / mirroring back-up process

The following are the essential records that shall be kept off-site:
• Information security policy, procedure, circulars, publications etc.
• Complete hardware and software listings
• Detailed IT architecture schematics (logical/physical, network, devices)
• Network cable routing schematics (on floor overlay)
• System testing plans/procedures, system configurations
• Changes made to the system configuration
• Evaluation of changes for security implications
• Technical standards
• Business continuity plans, incident response procedures and backup operations
• Reports of security related incidents
• Sensitivity and criticality determination
• Baseline security checklist for each system
• Software licensing information

6.6 COMMUNICATION OF EVENT

• Communication of the business disruption is to be made within the organisation using the
  available modes such as email, website, intranet, mobile phone, and messages using
  phone.
• Communication of the business disruption to external stakeholders such as
  regulators, investors, business partners, service providers, clients, customers and,
  if necessary, the public shall be done through an employee authorized for this purpose.
• Communication shall be clear and contain up-to-date information.
• If necessary, periodic communication shall give the steps taken and updates.
• Updated contact details of the external stakeholders shall be easily accessible.
• Communication should aim to give assurance and not to create panic.

7 BUSINESS CONTINUITY PLAN

The objective of the BCM process is to ensure that it includes all functions needed to
develop, test and maintain a Business Continuity Plan (BCP) and the skills and
techniques employed in a crisis situation to effectively execute the BCP as a strategic
tool in the recovery process. The following sub-sections narrate the steps to be taken /
methods to achieve the above objective.

7.1 PLAN MANAGEMENT

BCP Coordinator

A coordinator and an alternate should be appointed by SFL’s management and system
owners to monitor and coordinate the BCP, training and awareness, exercises, and
testing. Additionally, this person will coordinate closely with different business
continuity teams.

Alternate site

Based on the business continuity model, an alternate site is selected or the recovery
strategy is determined. An alternate site contains pre-configured IT assets, including
infrastructure, for activation in a business continuity operation mode. This site should be
kept ready with relevant assets and services such as power, communication, office
furniture, space and information technology equipment to serve the need for business
continuity operations.

Should a regional event take place that renders facility systems ineffective and
prevents physical access, a relocation site would serve the needs for business
continuity operations.

Teams

The following are the teams that will be assigned to execute the business continuity
plan. Each team will have a roster and task list of actions and responsibilities, which are
included in an appendix.

Project/Operations Team

The operations team consists of project co-ordination heads who provide the support
necessary for production of critical application systems during recovery. This team is
also responsible for coordinating with the backup team to ensure that application system
data and operating instructions are correct, and with the systems support team to
advise of the production status and any unusual problems requiring assistance.

Systems Support Team

The systems support team is composed of SFL’s technology team members responsible
for restoring hardware and software facilities, data backup, and voice and
communications links between users, computers and client systems in the event of a
loss or outage.

Off-Site Team

The off-site storage team is responsible for retrieving backup copies of operating
systems, applications, systems and applications data, and for ensuring security of the data,
backup facilities, and original facilities. The team is composed of members of SFL
familiar with vital records archival and retrieval. This team is responsible for
reassembling all the documentation and procedures as required at the backup site.

Admin Team

The admin team coordinates primary and alternate site security and specialized clerical
and administrative support for the business continuity plan coordinator and all other
teams during disaster recovery proceedings. The admin team may also assist groups
outside the information resources area as needed. The admin team is responsible for
arranging for transportation of staff, equipment, supplies, and other necessary items
between sites.

Backups

The important asset in SFL is its data and information. Data and information processing
are a major reason for the existence of projects. Moreover, all of the systems are
dependent on the preservation of data, including software manuals and documentation.
In order to minimize the impact of a disaster, it is extremely important to protect data
and information. Data backed up to tape (full backup, incremental backup) is kept at an
off-site location, and the backups are tested periodically.

Office equipment, furniture and supplies

SFL management shall review supply needs and coordinate with the admin department
to develop a revolving emergency inventory of workspace and survival supplies for
immediate use in the event of a disaster. The revolving inventory of workspace supplies
should include basic essential supplies and SFL’s specific forms and templates.

BCP/DRP Testing Procedures

The business continuity plan and disaster recovery procedures should be maintained
routinely and exercised/tested once in six months. Business continuity procedures must
be tested periodically to ensure the effectiveness of the plan. The scope, objective, and
measurement criteria of each exercise shall be determined and coordinated by the
business continuity plan coordinator on a “per event” basis. The purpose of exercising
and testing the plan is to continually refine resumption and recovery procedures to
reduce the potential for failure.

There are two categories of testing: announced and unannounced. In an announced
test, personnel are instructed when testing will occur, what the objectives of the test
are, and what the scenario will be for the test. Announced testing is helpful for the
initial test of procedures. It gives teams the time to prepare for the test and allows
them to practice their skills. Once the team has had an opportunity to run through the
procedures, practice, and coordinate their skills, unannounced testing may be used to
test the completeness of the procedures and sharpen the team’s abilities.
Unannounced testing consists of testing without prior notification. The use of
unannounced testing is extremely helpful in preparing a team for a disaster
because it focuses on the adequacy of in-place procedures and the readiness of the
team. Unannounced testing, combined with closely monitored restrictions, will help to
create a simulated scenario that might exist in a disaster. This more closely measures
the teams’ ability to function under the pressure and limitations of a disaster. Once it
has been determined whether a test will be announced or unannounced, the actual
objective(s) of the test must be determined. There are several different types of tests
that are useful for measuring different objectives.

The following are the testing types and schedules:

• Desktop testing once in two months
• One structured walk-through every quarter
• One integrated business operations/information systems exercise per half-year

The business continuity plan coordinator and team leaders, together with the SFL office
management, will determine end-user participation.

8 EMERGENCY RESPONSE PROCEDURES

During an emergency, the first priority is to ensure the safety of the people inside the office
at the time, and an orderly evacuation is required. Once all the employees, contractors
and others in SFL have been safely evacuated, the business continuity management
team will take control. The following are the evacuation procedures:

General Evacuation Instructions
• Remain calm.
• Turn off all hazardous operations.
• Follow instructions.
• Assist disabled people.
• Leave the area in an orderly fashion.
• Follow the established evacuation route.
• Move away from the building. Go directly to the assembly area and report to the
  evacuation coordinator for a ‘head count’.
• Do not block the street, driveway or building entrances.
• Stay in the designated assembly area until instructed otherwise.

For specific instructions for various scenarios, refer to Annex A.

9 DISASTER RECOVERY

Disaster Recovery (DR) is the process of responding to an interruption in services by
implementing the disaster recovery plan to restore SFL's critical business technology
functions. This includes the tasks and activities designed to return the organization to
an acceptable operational level. As part of the DR process, the disaster recovery plan (DRP)
for SFL is developed.
The DRP consists of detailed written practices and procedures to mitigate interruptions to
“critical information systems” and/or the “loss of data and services” from the effects of
natural or man-made disasters. This DRP applies both to major, usually catastrophic,
events that deny access to the normal facility for an extended period, and to less
catastrophic events that may deny access to only portions of the facility or certain
systems. The DRP is an IT-focused plan and therefore may also be referred to as a
technology recovery plan, which has been designed to restore operability of the
designated systems and applications in SFL’s data center facility at an alternate site (or
within the existing facility if not a total loss) after an emergency.

9.1 PLAN OVERVIEW

The operational environment of SFL includes services from the following general-support
to critical-function systems. These systems and services are supported and
maintained by the IT department.
SFL IT serves various departments and business processes. All these should be
described with regard to the environment that they run in, the workstations and servers in
each division, and the functional areas within each division.
The SFL IT department should implement an IT continuity initiative as an ongoing part of
its day-to-day activities. IT managers and staff must make sure they understand their
role in the event of a major event or disaster. This will ensure that the response is
coordinated, controlled and efficient.
The details of systems, network, application etc. are collected and maintained by which
can be used during disaster recovery phase. The above details can be collected using the
template given in Annex A to this policy. In addition, the steps for recovery can be written
down using the template given in Annex B. These can then be tested, validated and corrected.
The IT continuity team shall develop an IT continuity plan to recover from a crisis and
provide, at the very minimum, the ability to recover critical processes. During a business
interruption event, the IT continuity team shall activate the IT continuity plan. In some
cases, it may not be necessary to relocate staff to the alternative work area. To address
local crisis situations, alternate approaches for resumption, including remote work,
working from other office buildings, etc., shall be identified.
The disaster recovery process consists of four stages.

A. Disaster declaration
An assessment of the situation is carried out to declare a disaster. Based on the assessment
of the situation resulting from the natural / man-made disaster, a collective decision is
taken by the IT head and the IT recovery team to initiate the recovery process.

B. Disaster recovery activation
This phase begins when the decision is made to move primary processing to another location.
The IT recovery team will assemble at the command center (a location, to be identified by
SFL, with basic infrastructure facilities for conducting DR-related activities) and call upon
team members to perform their assigned tasks. The
most important function is to fully restore operations at a suitable location and resume
normal functions. The objective of this stage is to establish normal operations at the
alternate location.

C. Operating from alternate site / Rebuild main site
During this stage, operations are continued at the alternate location. In addition,
the process of restoring the main site will be performed.

D. Return to normal
This phase involves the reactivation of the main site / data center at either the original
or possibly a new location. The activation of this site does not have to be as rushed as
the activation of the alternate recovery center. At the end of this stage, a thorough
review of the disaster recovery process should be undertaken. Any deficiencies in this plan can
be corrected by updating the plan.

9.2 AWARENESS AND TRAINING

IT DR training for the IT recovery team is essential for effective resumption and recovery
of operations. The IT recovery team shall ensure training to keep current with the business
continuity industry and SFL’s business processes, the latest technologies, tools,
international standards and regulations that guide the development of IT recovery
plans.
Awareness is a critical component of the program that ensures commitment and
understanding when engaging with SFL staff. It is the responsibility of the IT recovery team
to identify needs and develop responses in respect of awareness. Use should be made
of all resources available, including but not limited to:
• Computer based training
• Web site
• Magazines and articles in publications
• Notice board posters
• Email
• Informative workshops directed at specific target audiences
• Presentations / Screen Savers
It is the responsibility of the IT recovery team to apply themselves to a structured
awareness program that is implemented over an agreed time frame. This must be
renewed and reviewed regularly through the steering committee.
The Head of IT must ensure that this program is delivered according to the agreed timetable
and content.

9.3 TESTING

DR testing is an activity designed to prepare for facing an emergency situation. The test
examines the performance of duties, tasks and operations in a way similar to the way
they would be performed in a real emergency.
The IT DR plan should be tested at least once a year to ensure credible recovery
preparedness. The scope, objectives, and measurement criteria of each test shall be
determined and coordinated by the IT recovery team on a per event basis. Test results
shall be shared with the Board.
The Head of IT can organize the following knowledge transfer for the employees who are
associated with DR:

Orientation
• Introduces participants to the plans and procedures
• Introduce new plans or revise old plans
• Planning cycle: once in three months; Duration: 60-90 minutes

Drill (fire drill etc.)
• Test of individual emergency response functions
• Involves actual field response
• Practice or test under realistic conditions
• Involve all levels of responders
• Planning cycle: once in three months; Duration: 10-60 minutes
Testing DR could be one of the following types:

Table Top Test
• This is a facilitated group analysis of an emergency situation in an
  informal, stress-free environment.
• The Tabletop Exercise is designed for examination of operational plans,
  problem identification, and in-depth problem solving.
• A more “reality-based” experience
• Planning cycle: once in 6 months; Duration: 90-120 minutes
• Debriefing time: 30 minutes

Component Test
• Assesses the allocation of resources and manpower
• Evaluates communication across the different groups
• Assesses the adequacy of current procedures and policies
• Participants perform actual activities
• Involves more participants: simulators, evaluators, larger design team
• Planning cycle: 3-6 months; Duration: 90 min – 4 hours

Full-recovery Test
• Evaluates the operational capability of systems in an interactive manner
  over a substantial period of time
• Presents complex and detailed events in real-time
• Mobilizes personnel and resources and movement of emergency response
  teams, equipment and resources
• Can be expensive; may be disruptive to normal operations
• Planning cycle: 4 months minimum; Duration: 2-8 hours

The above steps and outcome can also be recorded in Annex B.

9.4 MAINTENANCE

As part of the IT recovery program and to ensure its continued validity, all
documentation, recovery capability and facilities must be kept up to date.
The IT recovery plan should be updated after every exercise/test. Irrespective of such
updates, the plan should be reviewed and updated at least once a year.

The IT recovery plans should also be reviewed and updated after every BIA and RA
exercise. Updates are also carried out after a major technology change, the introduction
of new applications or infrastructure, and a change in the business process.

9.5 IT RECOVERY TEAM

The IT recovery team is responsible for carrying out the instructions detailed below. The
IT recovery program requires that individuals adopt new roles and responsibilities and
work together as a team to ensure the IT department's ability to survive major events
that damage its ability to deliver IT services and applications. IT management should
ensure that IT recovery is formally managed and controlled.
The roles and responsibilities of the IT recovery team are as follows:
• Ensure alignment of the technical recovery capability with business processes
• Initiate and manage tests periodically
• Maintain the event logs and act as observers during the exercises and tests
• Ensure plan updates are done post-incident
• Ensure all IT recovery plans are maintained and kept up to date
• Ensure updated soft/hard copies of IT recovery plans are available at the DR location
• Be responsible for the ongoing training programs in business continuity
• Establish, monitor, measure and maintain the IT recovery program effectively
• Embed IT recovery / continuity into the culture of SFL IT
• Consider interdependencies across the IT services while developing the recovery
strategies
It is important to note that the BCP governing body will act as the governing body for DR
and exercise its functions through the Head of IT.

10 REFERENCE

• RBI MD #7
• ISO 27001:2013 A:17

Annex A - Evacuation Instructions – Scenario based
Fire
• Remain calm.
• Activate the fire alarm.
• Determine location and source, if this can be done quickly and safely.
• Contact the fire service.
• Give the name and location of the office to the fire service.
• Always put the safety of people (including you) first.
• If the fire is small, try to extinguish it with the proper type of extinguisher or fire
blanket.
• Do not allow the fire to come between you and the exit.
• Turn off electrical equipment, which is smoking at the power point, if it is safe to do
so.
• Evacuate the building.
• Do not open a hot door.
• Do not use elevators.
• Do not attempt to save possessions.
• Go directly to the assembly area.
• Do not return to the affected area until told to do so by the appropriate authorities.

Severe Storm / Cyclone / Flood
• Disconnect electrical equipment and appliances not in use.
• Secure outdoor items; where possible, move them inside.
• If safe to do so, check gutters and down pipes.
• Have battery-powered equipment such as torches at hand.
• Only use the telephone for emergency calls.
• Tape across windows or attach plywood sheets.
• Put plastic sheeting over shelves, large items, and display cases.
• Back up software and data files.
• Evacuate when instructed to do so.
• Limit access to the building to one door and secure the others.
• Try to seal any areas that would allow water access.
• Move items away from the windows.
• Leave low-lying areas that may be swept by high tides or storm waves.

Earthquake

• Human safety is the first priority.
• Take cover in a supported doorway or under sturdy furniture.
• Stay away from glass windows, doors, display cabinets and bookcases.
• Do not use an open flame such as matches or a candle as there may be gas leaks.
• After the earthquake:
• Be prepared for aftershocks.
• Extinguish all fires with the proper type of fire extinguisher.
• Contact Emergency Services.
• Turn off all electrical appliances at the power point.
• Open doors carefully and watch for falling objects.
• Do not use elevators.
• Carefully move outside and away from the building.
• Do not re-enter the building until instructed.

Annex B - Equipment details

| Functional Area Team Name | Equipment Description | Recovery Rating | Recovery Priority |
|---|---|---|---|
| Network Team | | | |
| Voice Communications Team | | | |
| File Server Team | | | |
| PC Team | | | |
| Internet Team | | | |
| Systems Programming Team | | | |
| Computer Operations Team | | | |

Annex C - Recovery Steps

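| | Disaster Recovery steps | Table Top Test | Component Test | Full Recovery Test |
|---|---|---|---|---|
| A | Network | | | |
| B | Voice Communications | | | |
| C | Internet | | | |
| D | Web Server / Site | | | |
| E | File Server | | | |
| F | Desktop | | | |
| G | Enterprise Server Support | | | |
| H | Operations | | | |
| I | Applications Dev & Support | | | |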

************** END OF DOCUMENT **************
