Connor Group Information Technology
Business Continuity / Disaster Recovery
Sept 2022
v.1.0
Introduction
Connor Group IT operates and maintains services, systems and information critical for business. While significant effort and planning are undertaken to ensure these services do not undergo outages or downtime, adverse events such as natural disasters or mass data loss necessitate the creation and testing of Disaster Recovery or Business Continuity plans.
This standard codifies expectations for business continuity and disaster recovery practices at Connor Group. This standard is one in a set of documents that together form Connor Group's Information Security Management System (ISMS).
Purpose
The purpose of this Standard is to establish base requirements for, and the security of, Business Continuity and Disaster Recovery for production systems.
Scope
All formal Business Continuity and Disaster Recovery plans for production systems are within scope for this Standard.
All staff and Third Parties responsible for the management of IT Systems must understand and follow the requirements herein.
In the event of uncertainty regarding the applicability of this Standard, contact the Information Technology team for clarification and/or guidance at helpdesk@ConnorGp.com.
Definitions
References for terminology or acronyms used within Information Security Standards can be accessed within the Glossary of Definitions (https://bookstack.soldenservices.com/books/policies-processes-procedures/page/glossary-of-definitions).
Standard
Adherence to requirements in this standard is mandatory.
1. Production BC/DR Requirements
| Ref | Requirement |
| --- | --- |
| 1.1 | All production systems shall have BC and DR plans maintained containing the following, at a minimum: |
| 1.2 | BC/DR plans shall exist in repositories capable of existing during any outage or BC/DR event. |
| 1.3 | High-criticality production Systems and their dependencies shall include high-availability configurations, and geographic redundancy, where possible. |
| 1.4 | BC/DR implementations shall have the same classification as their production equivalent. Confidential Data in production shall be protected as Confidential Data in the BC/DR environment. |
| 1.5 | BC/DR plans shall be updated annually or when the System experiences significant changes. |
| 1.6 | BC/DR equipment may be maintained, at worst, 1 revision behind production, but must still meet the RTO/RPO requirements. |
2. Business Continuity / Disaster Recovery Testing
| Ref | Requirement |
| --- | --- |
| 2.1 | BC/DR plans shall be tested annually at a minimum with pass/fail results reported to executive management. |
| 2.2 | When tested, BC/DR recovery plans shall include dependency recovery and network separation testing to confirm functionality. |
| 2.3 | On executive request, BC/DR testing shall include scenarios presented by Information Security to validate security controls as part of the BC/DR process. |
| 2.4 | System and application backups shall be tested and restored regularly to ensure data integrity and completeness. |
Compliance
The Information Security team shall verify compliance with this policy through various methods, including but not limited to, walk-throughs, environment sampling, process review, monitoring, business tool reports, internal and external audits, and through feedback to the policy owner.
Any exceptions to this Standard require a formally approved exemption documenting justification and approval against compliance with this Standard. Exemption approvals are required prior to the System entering live operation.
The following are required to adhere to this Standard, except where a formal exception has been granted as above:
- All Connor Group Systems and employees, independent contractors, and subcontractors. Any individual found to have violated this Standard may be subject to disciplinary actions including termination and legal recourse.
- Any Third-Party System that is used to support Connor Group data and/or Services. Any Third Party that violates this Standard will be considered to have breached their contract with the Connor Group.
Revision History
Revisions require approval by the Director of Information Security and dissemination to applicable business units prior to release.
| Version | Detail | Author | Date |
| --- | --- | --- | --- |
| 1.0 | Initial Version | Connor Group Information Technology | Sept 2022 |