a. The purpose of this policy is to define the organization’s procedures to recover Information Technology (IT) infrastructure and IT services within set deadlines in the case of a disaster or other disruptive incident. The objective of this plan is to complete the recovery of IT infrastructure and IT services within a set Recovery Time Objective (RTO).
b. This policy includes all resources and processes necessary for service and data recovery, and covers all information security aspects of business continuity management.
c. This policy applies to all management, employees and suppliers that are involved in the recovery of IT infrastructure and services within the organization. This policy must be made readily available to all whom it applies to.
Background
a. This policy defines the overall disaster recovery strategy for the organization. The strategy describes the organization’s Recovery Time Objective (RTO), which is defined as the duration of time and service level for critical business processes to be restored after a disaster or other disruptive event, as well as the procedures, responsibility and technical guidance required to meet the RTO. This policy also lists the contact information for personnel and service providers that may be needed during a disaster recovery event (Included in internal policy document)
b. The following conditions must be met for this plan to be viable:
i. All equipment, software and data (or their backups/failovers) are available in some manner.
ii. If an incident takes place at the organization’s physical location, all resources involved in recovery efforts are able to be transferred to an alternate work site (such as their home office) to complete their duties.
iii. The Information Security Officer is responsible for coordinating and conducting a bi-annual (at least) rehearsal of this continuity plan.
c. This plan does not cover the following types of incidents:
i. Incidents that affect customers or partners but have no effect on the organization’s systems; in this case, the customer must employ their own continuity processes to make sure that they can continue to interact with the organization and its systems.
ii. Incidents that affect cloud infrastructure suppliers at the core infrastructure level, including but not limited to Google, Heroku, and Amazon Web Services. The organization depends on such suppliers to employ their own continuity processes.
Policy
a. Critical Services, Key Tasks and, Service Level Agreements (SLAs)
i. The following services and technologies are considered to be critical for business operations, and must immediately be restored (in priority order):
1. Primary database for API (Cassandra)
2. Backend prediction API
3. Backend API service
4. SSL certificates for API service
5. Application frontend
ii. The following key tasks and SLAs must be considered during a disaster recovery event, in accordance with the organization’s objectives, agreements, and legal, contractual or regulatory obligations:
1. Nanonets will use commercially reasonable efforts to make each Service available with an uptime of 99.5% of each calendar month
b. The organization’s Recovery Time Objective (RTO) is 8 hours. Relocation and restoration of critical services and technologies must be completed within this time period.
c. Notification of Plan Initiation
i. The following personnel must be notified when this plan is initiated:
1. (Included in internal policy document)
ii. Manager for the business system for which this plan is initiated is responsible for notifying the personnel listed above.
d. Plan Deactivation
i. This plan must only be deactivated by the Manager for the business system for which this plan is initiated.
ii. In order for this plan to be deactivated, all relocation activities and critical service / technology tasks as detailed above must be fully completed and/or restored. If the organization is still operating in an impaired scenario, the plan may still be kept active at the discretion of Mr. Prathamesh Juvatkar (CTO).
iii. The following personnel must be notified when this plan is deactivated:
1. (Included in internal policy document)
e. The organization must endeavor to restore its normal level of business operations as soon as possible.
f. A list of relevant points of contact both internal and external to the organization is enclosed in Appendix A (Included in internal policy document).
g. During a crisis, it is vital for certain recovery tasks to be performed right away. The following actions are pre-authorized in the event of a disaster recovery event:
i. Software Engineer must take all steps specified in this disaster recovery plan in order to recover the organization’s information technology infrastructure and services.
ii. Software Engineer is authorized to make urgent purchases of equipment and services up to (Included in internal policy document).
iii. Software Engineer is authorized to communicate with clients.
iv. Software Engineer is authorized to communicate with the public.
v. Software Engineer is authorized to communicate with public authorities such as state and local governments and law enforcement.
h. Specific recovery steps for information systems infrastructure and services are provided in Appendix B (Included in internal policy document).
