The Backup and Disaster Recovery document offered reassurance that business and information systems continuity and recovery plans are documented, approved, tested, maintained, and reviewed at least once every 12 months or if there are changes. The business continuity plan includes the disaster recovery section. Reliability, availability, and recoverability of essential IT systems were necessary for business continuity management, and IT controls were implemented to safeguard customer data from unauthorised access or disclosure.
Business requirements, operational demands, and information technology requirements of the clients are used to design and manage a disaster recovery strategy and business continuity plan. The DR plan included processes like activation and escalation, and clients participated in DR and BCP testing as needed.
A DR strategy takes into account a variety of situations, including large system outages, hardware malfunctions, security events, as well as a complete failure of the primary system control centre. The capacity for recovery as negotiated with clients could be accommodated at the DR facilities. SFIT regularly updated the Clients on any modifications to EcoXplore’s BCP plans, any risk developments that would affect the ability to offer client service, and any updated test results.
Action plans to address problems and retest procedures are documented with DR exercises (i.e., testing plans and outcomes). The Clients are informed of the outcomes of the BCP and DR exercises.
To make it easier to track IT resources, a current master list of the software and hardware components utilised in the production and disaster recovery environments supporting Clients is kept. The master list contained all pertinent supporting agreements and warranties for the hardware and software products.
The aim is to achieve almost zero system downtime for the most important systems. In order to minimise commercial and operational disruption caused by a serious incident, contingency procedures are tested and practised.
| Term | Definition |
|---|---|
| RTO | Recovery Time Objective. It indicates the time within which the system must be available again. |
| RPO | Recovery Point Objective. It indicates how much data is allowed to be lost. |
| DR | Disaster Recovery (“DR”) refers to disaster recovery capabilities as a whole for client services and not specific to information technology (“IT”) disaster recovery only. |
| Azure | Azure Site Recovery, which protects the critical applications running in clients’ datacenters with flexible recovery plans and low RPOs/RTOs. |
| BCM | Business Continuity Management |
| BCP | Business Continuity Plan |
In order to improve the clients’ ability to recover, recovery techniques and real-time data replication technologies were investigated.
In order to be ready for security threats brought on by terrorism, reliable emergency response protocols were put in place.
A security incident response plan offers enough assurance that the right essential persons will be contacted and prompt action will be taken.
Plans for contingencies take into account events like widespread disruptions in the central business district, problems with the public transport system and the inability to use mobile phones for communication. EcoXplore is able to quickly mobilise teams to respond to emergency recovery activities, contact personnel, and account for them.
Define Key Measures and Procedures:
- Recovery point objective (RPO) stands for the allowed percentage of data loss for an IT system in the event of a catastrophe. RPOs should be rigorous and in line with the client’s business requirements, defined as follows:
  - If the RPO is low, data loss is at its lowest.
- Recovery time objective (RTO) stands for the amount of time needed to restore an IT system after a disruption. An RTO of four hours or fewer should be established and maintained for key systems.
  - If the RTO is low, the recovery site is considered highly available.
An internal email and SMS alert and monitoring capability was built to give early notification of warnings and outages in its storage systems, as well as in its data replication processes.
In order to fulfil recovery time objectives (RTOs) and recovery point objectives (RPOs), the architecture of the duplicate system allows transfer from the primary production site to a backup site in the case of a significant site outage.
Failover and fallback capabilities were routinely examined in order to increase the recoverability of important services.
Although data replication technology offers high availability, logical data corruption caused by human error or malicious intent could have an impact on both the primary and the replicated data sets. For that reason, point-in-time copies or snapshots of the data were kept so that it could be restored.
The information and communication component of internal control includes the following:
The information systems document the starting of, granting of access to, and recording of client transactions for suitable accountability.
Communication outlined the roles and responsibilities of EcoXplore, significant issues pertaining to the services offered to the clients, as well as communication within its organisation, with the clients, and with regulatory agencies. Clients were informed of any concerns affecting the performance of the main site.