Business Continuity Policy
Purpose
This policy defines the requirements for developing, testing, and maintaining the Uncanny Software business continuity plan.
Scope
This policy applies to all Uncanny Software information assets and facilities, with a target audience of Uncanny Software management, Information Technology employees and partners.
Policy
Business Impact Analysis
Business Impact Analysis - The Information Security team or its designee must perform a business impact analysis (BIA) every two years, following the annual organization-wide risk assessment. At a minimum, this BIA must result in the specification of: the maximum period that Uncanny Software can go without critical information processing services, the time period in which management must decide whether to move to an alternative processing site, and the minimum acceptable production information systems recovery configuration.
Business Impact Analysis – Individual Production Systems - As part of the systems development cycle, all computer information systems must be evaluated by information security specialists to determine the minimum set of controls, the cost/benefit of such controls and the budget required to mitigate and maintain risk at a level acceptable to the business process(es) involved. This BIA will be performed in the preliminary design phase for any new system and before any significant changes to any production system.
Business Impact Analysis – Financial and Residual Risk Criteria - When performing a business impact analysis (BIA), the process must include not only a specification of the maximum period that Uncanny Software can go without the information processing services involved, but also an analysis of the financial losses potentially incurred during the outage, a qualitative residual risk assessment, and an asset criticality analysis.
Multi-User Application Criticality Rating - In conjunction with the Information Owners, Information Technology personnel must periodically prepare or revise an assessment of the degree of criticality of all production multi-user computer applications.
Development
Business And Computer Continuity Planning - A standard organization-wide process for developing and maintaining both business contingency plans and computer contingency plans must be documented and maintained by Information Technology personnel.
Reversion To Manual Procedures - If Uncanny Software critical business activities could reasonably be performed with manual procedures rather than computers, a manual computer contingency plan must be developed, tested, periodically updated, and integrated into computer and communication system contingency plans.
Occupant Emergency Plan (OEP) - An Occupant Emergency Plan will be included as part of overall business continuity planning within Uncanny Software. This plan will focus on personnel safety in the face of physical threats, which include, but are not limited to, exposure to hazardous materials (whether chemical or biological), sudden weather events (tornadoes, severe thunderstorms, etc.), bomb threats, violence at the workplace, and fires. These procedures will include directions for either evacuation or sheltering-in-place.
Testing
Contingency Plan Testing - To the extent practical and feasible, computer and communication system contingency plans must be tested on a biannual basis to ensure that they are still relevant and effective. Each such test must be followed by a brief report to top management detailing the results of the test and any remedial actions that need to be taken.
Telephone Number Testing – The Human Resources team must test and revise a call tree listing every available telephone number for every worker involved in information-systems-related contingency planning, as well as disaster and emergency response. In the event business offices are vacated during an emergency, cell phone numbers will be traced, but primary contact will be through an internal messaging platform that is available on far more platforms than just cell phones.
Slack - Slack is our primary means of communication and should be utilized when possible. In addition, individuals should be called via the Emergency Contact number stored in the ADP application.
Crisis Team Members
This team is responsible for contacting all employees during a short-term crisis to determine whether they are able to get to safety or to provide services.
People & Culture - The People and Culture team is composed of members from Human Resources such as an HR Generalist, the HR Director, or the Chief of Staff.
Department Heads - The heads of the Sales, Customer Support, Engineering, Quality Assurance, Site Reliability, SCRUM, Marketing, and Finance departments are responsible for coordinating with People and Culture to assist in contacting employees.
Executive Team - The CEO, CFO, CTO, CMO, Sr VP of Product, VP of Sales and VP of Customer Support are to be briefed on any Crisis Team actions on a daily basis during the crisis.
Recovery & Restoration
Work At Home Requirements For Staff Performing Critical Tasks - In the interests of providing staff with more flexibility in the performance of their jobs, and also to allow greater responsiveness to crises and business problems, all workers performing business-critical tasks must be equipped and trained to perform their assigned duties in a work-at-home arrangement.
Data Synchronization During System Restoration - In the event of multiple production system failure, the data inputs and outputs of interdependent systems must be carefully synchronized and verified before returning these systems to production status.
Return To Normal (Production) Status - Before returning any computer system which falls under the aegis of legal or regulatory requirements back to production, the system must be validated or certified according to those requirements. The proper management must sign off on the validation or certification as specified by the applicable requirements.
Key Events
The following events triggered reviews of this process.
No events listed
Violations
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Uncanny Software reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Uncanny Software does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Uncanny Software reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy. Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager, any other manager, or the Human Resources Department as soon as possible.
Definitions
Business Continuity Plan (BCP) - The documentation of a predetermined set of instructions or procedures that describe how an organization’s business functions will be sustained during and after a significant disruption.
Business Impact Analysis (BIA) - A management-level analysis which identifies the impacts of losing company resources. The BIA measures the effect of resource loss and escalating losses over time, in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning.
Information Asset - Any Uncanny Software data in any form, and the equipment used to manage, process, or store Uncanny Software data, that is used in the course of executing business. This includes, but is not limited to, corporate, customer, and partner data.
Partner - Any non-employee of Uncanny Software who is contractually bound to provide some form of service to Uncanny Software.
References
ISO/IEC 27002:2013 - 17. Security Continuity Management
Related Documents
No documents listed
Revision History
Last updated