To operate a successful business, and meet the requirements of our stakeholders, our organisation has to identify the services that are most critical, and put in place plans for managing possible disruptions to these services. We also need to manage information security risks that may arise with any disruptions to services and recovery efforts, and ensure our information security controls are not compromised during the disruption. Failure to meet our requirements for the confidentiality, integrity, and availability (CIA) of our services and associated information assets may put the information of our employees, customers, and third-parties, at risk, and breach our SLAs. This document details how our organisation responds to service disruptions.
This business continuity plan (BCP) shall be applied to our business critical information systems and services that fall within the scope of our ISMS.
All employees, contractors, and third-parties who have responsibility for planning and initiating business continuity activities shall adhere to this BCP. These include, but may not be limited to:
For the purposes of this document, the employees, contractors, and third-parties who carry out these roles shall be collectively referred to as “continuity managers”.
This BCP shall be communicated to all employees and agency staff as part of the relevant department training programme, and periodically following any changes to the procedure, or prior to any BCP training exercises. All contractors and third-parties providing BCP and continuity services, or outsourced incident monitoring and response, shall be provided with a copy of this procedure as part of the process for contracting services. Contractors and third-parties shall be re-issued with updated versions of this procedure periodically, and following any changes. Contractors and third-parties shall also be re-issued with the latest version of this procedure when engaging in BCP training exercises. Members of the BCP Team shall retain offline copies of this document for reference in the event that our information systems become unavailable during an incident.
This document is reviewed for improvement in several ways. They are:
Management also endeavours to plan business continuity activities so that our information and information systems are not misused, either intentionally or unintentionally. This is done by identifying and assigning separate duties and responsibilities to guard against misuses such as fraud, or malicious insider activities, etc. Where a continuity manager identifies potential conflicts or misuse of information systems due to improper planning and assignment of duties when carrying out business continuity activities, continuity managers should raise their concern immediately with their line manager, or the ISMS Manager.
The diagram below illustrates the overall procedure for our BCP. Incidents are typically raised and managed in line with our Incident Response Procedure, and where business operations are disrupted, the required business continuity and disaster recovery activities would take place during the mobilisation of the Incident Response Team (IRT) and recovery stage of the Incident Response Procedure (section 1.3 and section 1.5).
The procedure consists of the following steps:
BCP Diagram
The following are the key business areas we have identified that impact the continuity of our services and business operations, and that fall within the scope of this BCP. These areas have been identified through the development of our Critical Asset Register and associated risk assessment activities in line with our Risk Management Process.
2.1 Personnel
The ability to ensure the health and safety of our personnel, carry out core business activities, and initiate recovery activities is critical to our BCP. The following personnel are teams or individuals who play a key role in business continuity activities. A contact list of relevant continuity managers is maintained in the Business Continuity Plan Contact Sheet.
|
Department/Team |
No. of contacts |
Location |
|
IT & Devs |
3 |
Remote |
|
Incident Response Team |
5 |
2 in HQ and 3 remote |
|
HR |
2 |
1 in HQ and 1 remote |
|
COO |
1 |
In HQ |
|
Site Ops |
4 |
Warehouse locations in HQ, GE, UK, USA |
2.2 Physical Sites
Where a physical location is necessary to carry out crucial business operations and recovery activities the buildings become key business areas, and appropriate redundancy measures should be put in place where that location becomes unavailable. The following buildings are identified as facilitating key infrastructure and services.
|
Building address |
Critical Functions Supported |
Environmental Considerations |
|
Head Office Building: 6-7, Granby Row, Rotunda, Dublin 1, D01 FW20 |
Communications equipment, hard drives (back up media), ISP and connectivity to the cloud environment. Storage of customer harddrives. |
None |
|
Third Party Data Centre in Germany: Hetzner: Am Datacenter-Park 1, 08223 Falkenstein/Vogtland, Germany |
Data Server where the client data is stored/processed |
None |
|
Third Party Data Centre in Ireland: AWS: Burlington Rd, Dublin 4, D04 HH21, Ireland |
Data Server where the client data is stored/processed |
None |
|
Warehouse (EU): Paderborner Strasse 2 b 10709 Berlin Germany |
Warehouse for the storage and assembly of Evercam Hardware in Continental Europe. Storage of customer harddrives |
None |
|
Warehouse (UK): Unit 3c, Castle Close Industrial Estate, CROOK, DL15 8LU |
Warehouse for the storage and assembly of Evercam Hardware in the UK. Storage of customer hard drives. |
None |
|
Warehouse (US): 4600 Allegheny River Blvd, Verona PA 15147, USA |
Warehouse for the storage and assembly of Evercam Hardware in the USA. Storage of customer hard drives. |
None |
2.3 Customer & Third-Party Services
The services we provide to our customers are critical to the continuation of our business. Failure to meet our SLAs with our customers may result in reputational damage, penalties, and may cause our business to cease operating. Additionally, failure to meet our agreements with our service providers may result in critical services being terminated. The following is a list of the services we provide to our customers and third-parties.
|
Service |
Hosted Location / Dependency |
Customers / Third-Parties Impacted |
Service SLA / Compliance Requirement |
|
Github (code) |
Cloud in USA (Seattle and Northern Virginia) |
Customer |
Team Plan (Github Team) Github Customer Terms (link) |
|
Evercam software services |
Cloud, Hetzner and AWS Data Centres |
Customers |
SLA |
|
Footage from the client site |
Cloud, Hetzner and AWS Data Centres, Hard Drives |
Customers |
Data Protection Act 2018 and GDPR |
|
Invoice payment |
Cloud-based third-party expenses service, banking provider |
Service providers |
Services contract and payment agreement |
2.4 Business Services
Along with our services to customers, we may also need to ensure continuity for critical internal services. The following is a list of the internal services we provide to our employees and other departments which are critical to meeting compliance requirements and any internal service agreements.
|
Service |
Hosted Location / Dependency |
Departments Impacted |
Internal SLA / Compliance Requirement |
|
Payroll |
Zoho Suite, Cloud-based payroll service, banking services, finance team logins/accounts |
All employees |
Legally required to meet requirements in employee contracts |
|
Access to critical software systems |
Zoho Suite and Google Suite |
All employees |
Internal communications availability agreement |
The roles and responsibilities for carrying out our BCP are defined below. Depending on the type of disruption and services impacted, different continuity managers may be required to step into these roles. The below roles and their descriptions should not be considered exhaustive:
|
Role |
Description & Responsibilities |
|
Incident Response Team (IRT) |
When a potential incident is identified, the IRT shall initiate our Incident Response Procedure. The IRT shall be responsible for:
|
|
BCP Team |
Where an incident has resulted in the unavailability or disruption of services, the BCP Team forms to execute the relevant continuity activities. The BCP Team shall consist of continuity managers that are relevant to the services impacted, and not all members of the BCP Team may be required to participate. For example, where services in a third-party data centre are impacted, it would not be necessary for the HR Lead to carry out any evacuation or health and safety activities. In some situations, members of the BCP Team may also be members of the IRT. In these cases, the Incident Response Lead shall ensure that the team member’s duties are appropriately prioritised and supported to reduce potential conflict. The BCP Team is responsible for:
|
|
Technology Lead |
The Technology Lead is familiar with disaster recovery procedures for all technology services provided to customers, third-parties, and internally as documented in section 2 of this document. The Technology Lead should be a person with suitable authority and expertise in the operations team, and should also be able to facilitate emergency access to systems and technology resources, should this become necessary during the incident. The Technology Lead is responsible for:
|
|
Information Security Lead |
The Information Security Lead provides guidance and information regarding our business’ requirements for information security, and assists with identifying potential risks, during BCP activities. |
|
Data Protection Lead |
The Data Protection Lead provides guidance and information where disruption of services may impact our ability to meet regulatory requirements such as making personal data available. For example, in an emergency situation where paper records need to be moved from a site, the Data Protection Lead would provide advice and assistance with moving the personal records to ensure their safety, security, and accessibility. Another example may be where recovery of cloud-based services require infrastructure and data to be moved to a different region. In this situation, the Data Protection Lead would provide guidance on the legal requirements of moving the data to the new region. |
|
HR Lead |
The HR Lead is responsible for carrying out business continuity activities that involve the health and safety of personnel and visitors during emergency events. The HR Lead should be a person with suitable authority in the HR department, and should have expert knowledge of health and safety requirements, and emergency contact procedures. |
|
Facilities Lead |
The Facilities Lead manages the physical security of our physical sites and is responsible for providing access to our recovery sites and/or alternative working areas where our primary offices may become unavailable. The Facilities Lead may also need to advise on physical security and access requirements to ensure physical security requirements are maintained in the alternative sites, where available. The Facilities Lead should be a person with the appropriate levels of authority in their area so that emergency access is facilitated and managed, where required. |
In line with the procedure documented in section 1, the following BCP activities should be carried out prior to initiating any disaster recovery procedures. The activities carried out during an incident will vary depending on the criticality of the incident, and the key areas affected. The activities listed below are not in order of priority; the BCP Team shall determine the priority of the activities as part of the incident assessment.
Once all relevant personnel, third-parties, and resources have been organised, disaster recovery procedures for the affected services should be initiated as required.
|
Activity |
Continuity Manager/s Responsible |
|
Identify the key business areas impacted (section 2 above) |
Technology Lead HR Lead Information Security Lead |
|
Identify required Disaster Recovery procedures |
Technology Lead HR Lead Information Security Lead |
|
Contact emergency services |
HR Lead |
|
Contact technology managed services providers (third party providers: GitHub, GitLab, data centres) |
Technology Lead |
|
Contact key personnel involved in health and safety procedures |
HR Lead |
|
Contact access key holders at affected sites (warehouses in EU, UK, USA and HQ) to facilitate access and/or evacuation |
Facilities Lead, Site Ops leaders |
|
Contact key personnel involved in disaster recovery procedures |
Technology Lead Information Security Lead |
|
Organise emergency remote access to sites and services |
Technology Lead Information Security Lead |
|
Organise emergency equipment for key personnel (laptop, mobile phone, access cards, security tokens, etc.) |
Technology Lead Information Security Lead |
Where our BCP is untested, our organisation may fail to carry out the plan as expected, resulting in unacceptable disruption to the key systems and services identified in section 2 of this document, possible risk to personnel, and/or loss of information. To ensure our BCP, and relevant disaster recovery procedures, are accurate and work as expected, the following is required:
