I- Policy Statement
To meet the enterprise business objectives, respond to a major incident or disaster, and restore the organization’s critical business functions, App4Legal adopts and follows well-defined and time-tested plans and procedures. A disaster recovery policy is required to respond to a major incident or disaster by implementing a plan to restore App4Legal's critical business functions.
II- Purpose
The purpose of this policy is to ensure that IT resource investments made by App4Legal are protected against service interruptions, including large-scale disasters, by the development, implementation, and testing of disaster recovery/business continuity plans (DR/BCP).
III- Scope
IT Assets
This policy applies to all facilities of App4Legal that operate, manage, or use IT services or equipment to support critical business functions.
Documentation
The documentation consists of the Disaster Recovery Policy and related procedures and guidelines.
Document Control
The Disaster Recovery Policy document and all other referenced documents are controlled. Version control preserves the latest release and the previous version of any document. However, the previous version of each document is retained only for a period of two years, for legal and knowledge preservation purposes.
Records
Records generated as part of the Disaster Recovery Policy are retained for a period of two years. Records are in hard copy or electronic media. The records are owned by the respective system administrators and are audited once a year.
Distribution and Maintenance
The Disaster Recovery Policy document is made available to all the employees covered in the scope. All changes and new releases of this document are made available to the persons concerned. Responsibility for maintaining the document lies with the CISO and system administrators.
Privacy
The Disaster Recovery Policy document is considered “confidential” and is made available to the concerned persons with proper access control. Subsequent changes and versions of this document are controlled.
Policy
- Plans for disaster recovery/business resumption/business continuity are developed by organizational management.
- Disaster recovery/business resumption plans are updated at least annually and following any significant changes to App4Legal's computing.
- Employees of App4Legal are trained to execute the disaster recovery plan.
- Certification, updating and testing of the disaster recovery/business resumption plan are done annually.
- A competent auditor audits the disaster recovery/business resumption plan.
IV- Strategies
ALERT PHASE – A Crisis Is Discovered
- A crisis is defined as any unplanned event that significantly threatens the health and well-being of App4Legal employees or assets, causes operational disruption, physical or environmental damage, or harm to the company’s public image or reputation.
- For the purpose of this plan, crises can include, but are not limited to:
  - natural disasters;
  - fires or explosions with damage;
  - life-threatening injuries;
  - hazardous material release; or
  - major utility failure.
- When a crisis is discovered, the person discovering the crisis promptly notifies all members of the CMT (crisis management team). When reporting an incident to the CMT, the reporter is prepared to answer the following questions:
  - What appears to have happened?
  - Are there any injuries?
  - When was the incident detected? (day, time)
  - Who is involved? (Emergency Response Team, other associates, etc.)
  - What is being done, why, and by whom?
  - Who is aware of the crisis, and who else needs to be notified?
- After initially assessing damage to their areas, members of the CMT will assemble at the designated location.
- The DR Lead and Backup DR Lead will then determine, based on the initial damage assessment, whether or not to implement the Disaster Recovery Plan.
CRISIS PHASE – The Disaster Recovery Plan Is Implemented
- The primary alternate site from a DR perspective will be for all employees to work from home or from an alternate operating location of App4Legal.
- A secondary alternate site may be designated at some point during a crisis by the DR Lead or designee.
- During a crisis, all members of the CMT will:
  - Maintain an activity log to track events relating to their role during the crisis period.
  - Monitor responses from emergency service agencies and notify other personnel, as needed.
  - Revise damage assessment as the situation develops and assist the DR Lead and Backup DR Lead, as needed.
- The DR Lead and Backup DR Lead will:
  - Notify the Business DR Lead or Corporate Administration Team of the implementation of the DR Plan.
  - Revise the overall damage assessment, as new information develops, and determine the appropriate level and method of response.
  - Provide periodic communications reporting changes in the status of the crisis.
  - Work with the Business DR Lead to decide whether to close the normal operational facility temporarily or indefinitely, if justified.
  - Decide when to open the facility on a limited basis or a full-service basis once the effects of the crisis have been remedied.
  - If necessary, decide in consultation with the Business DR Lead whether to move operations to an alternate facility.
RECOVERY PHASE – Normal Operations Are Resumed
- During Recovery, all members of the CMT furnish an IT Crisis Management report to the Business DR Lead.
- The DR Lead and Backup DR Lead will:
  - Notify the Business DR Lead regarding all IT Crisis Management and Recovery efforts.
  - Address any questions employees have about what to expect in the future for IT.
  - Provide a consistent “core message” about what has occurred.
  - Capture lessons learned from the experience and changes to be made in policies and procedures.
IT Disaster Recovery Plan Activities
In the event of a disaster that prevents access to App4Legal and support data processing systems at its processing centers, App4Legal’s return time objective (RTO) is to return to a minimum level of processing capability within 12 hours of a major incident. The data recovery protection objective (RPO), or maximum data loss due to a major outage, is 24 hours. To protect itself from the possible loss of data in its electronic records, App4Legal performs the following:
- All backup media are to be stored offsite using secure transport.
- Application and database environments have the following backups:
- Offsite restoration of the most recent backup has been tested and verified, and could occur at any App4Legal location with network connectivity.
- Application services are restored to the new location.
- The CMT verifies the new environment.
- Traffic is directed to the new location.