Skip to content
Shorebird Handbook

Business Continuity and Disaster Recovery Policy

Purpose and Scope

Section titled “Purpose and Scope”

The Business Continuity and Disaster Recovery (BCDR) Policy establishes procedures that will enable Code Town to restore business operations expediently following disruptions such as cyber incidents, system failures, or other unforeseen challenges

This policy applies to all employees, contractors, and third-party providers involved in business continuity and disaster recovery activities.

Policy Statements: Our Commitments

Section titled “Policy Statements: Our Commitments”

This policy outlines our approach to safeguarding critical functions and systems through effective business continuity and disaster recovery planning.

Business Impact Analysis (BIA)

Section titled “Business Impact Analysis (BIA)”

A Business Impact Analysis (BIA) is conducted regularly to:

  • Identify critical business functions, systems, and processes.
  • Assess potential financial, operational, and reputational impacts of disruptions.
  • Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical system and function, ensuring that downtime and data loss are minimized.

Business Continuity Planning

Section titled “Business Continuity Planning”

Business continuity plans (BCPs) are developed for all critical functions and processes identified in the BIA. These plans include:

  • Roles and Responsibilities: Clear assignment of personnel responsible for executing the plan.
  • Communication Protocols: Procedures for internal and external communication during an incident, including contact lists and communication templates.
  • Workaround Solutions: Temporary solutions to keep critical services running if normal operations are disrupted.
  • Resource Requirements: Details of resources (staff, equipment, facilities) required to execute the plan.

Disaster Recovery Planning

Section titled “Disaster Recovery Planning”

Disaster recovery plans (DRPs) are developed for all critical IT systems and data, and include:

  • Recovery Procedures: Step-by-step processes for restoring systems and data after an outage.
  • Backup Strategies: Details of backup schedules and storage locations, ensuring that all critical data is regularly backed up and securely stored.
  • RTO and RPO Alignment: Recovery procedures aligned with the defined RTO and RPO to restore critical systems within acceptable timeframes.
  • Testing of Recovery Procedures: At least annual testing to confirm that recovery processes work as expected in real-world scenarios.

Plan Maintenance and Review

Section titled “Plan Maintenance and Review”

Business Continuity & Disaster Recovery plans must be reviewed and updated annually or after any significant organizational or operational change. Additionally, after any major disruption the plan’s effectiveness has to be evaluated and any improvements have to be identified.

All updates must be documented and version-controlled for auditing purposes.

Incident Response and Escalation

Section titled “Incident Response and Escalation”

Business Continuity & Disaster Recovery plans are fully integrated with the Incident Response Plan to include elements such as incident escalation, coordination, and post-incident review.

Training and Awareness

Section titled “Training and Awareness”

All employees involved in Business Continuity & Disaster Recovery activities must undergo annual training to familiarize themselves with their roles and responsibilities.

Compliance and Enforcement

Section titled “Compliance and Enforcement”

Compliance with this policy is mandatory for all employees, contractors, and third parties with access to Code Town’s data.

In rare cases, business needs, local laws, or regulations may require exceptions. Management will approve any exceptions and define alternative solutions.

Non-compliance may lead to disciplinary action, including termination, as per Code Town’s policies.

Policy Review and Maintenance

Section titled “Policy Review and Maintenance”

This policy will be reviewed annually or when significant changes occur to maintain its continuing suitability, adequacy, and effectiveness.

Reviews must consider changes in the regulatory landscape.

Appendix

Section titled “Appendix”

Phase Definition

Section titled “Phase Definition”

  1. Notification/Activation Phase

    a. Incident Detection: Implement comprehensive monitoring systems to detect anomalies in real-time, including network activity, system performance, and application behavior.

    b. Assessment:

    • Once an incident is detected, immediately convene a response team to assess the severity, potential impact, and categorize the incident type (e.g., hardware failure, cyber-attack, natural disaster).
    • Communicate the incident assessment to all relevant stakeholders.

    c. Plan Activation:

    • Based on the assessment, activate the appropriate business continuity or disaster recovery procedure, specifying roles and responsibilities, and initiate the response protocol.
    • Notify customers, if necessary, based on the incident’s impact, adhering to any legal or regulatory requirements regarding breach notification.

  2. Recovery Phase

    a. Establish Temporary IT Operations:

    • Redirect network traffic to backup systems or utilize cloud-based services to maintain business operations.
    • Retrieve data from off-site backups or cloud storage to facilitate temporary operations.
    • Establish a temporary communication channel for users experiencing issues.

    b. Damage Recovery:

    • Initiate damage control measures to prevent further loss, such as isolating affected systems, applying emergency patches, or shutting down specific services.
    • Start system restoration processes using backups, ensuring data integrity and security.
    • Continuously communicate progress updates to stakeholders and customers as appropriate.
    • Prioritize system restoration based on the predefined RTO and RPO, focusing on critical systems, functions and processes first.
    • Continuously monitor the recovery progress against the RTO and RPO, and adjust the recovery strategy if necessary to meet the objectives.

  3. Reconstitution Phase

    a. System Restoration:

    • Once the ongoing disruption is mitigated, begin the process of restoring full services from the temporary operations to the primary systems.
    • Conduct a thorough system audit and verification to ensure all systems are secure and fully operational.
    • Confirm the integrity and confidentiality of data, ensuring no unauthorized alterations were made.

    b. Return to Normal Operations:

    • Formally document the return to normal operations and communicate this to all stakeholders.
    • Gradually phase out temporary measures and ensure users experience a smooth transition back to regular operations.

    c. Post-Incident Review:

    • Conduct a post-mortem analysis to understand the root cause of the incident, the effectiveness of the Business Continuity & Disaster Recovery plan, and areas that require improvement.
    • Update the Business Continuity & Disaster Recovery plan based on lessons learned and improve training, resources, and protocols as necessary.
    • Share relevant incident details and lessons learned with stakeholders and, where appropriate, the broader community to help prevent future incidents.