Information Security Management System. Business Continuity and Disaster Recovery Plan Policy. The Smart Cube.




The Smart Cube

Document Release History

Version | Review Date | Effective Date | Description | Change of Chapter/Section/Page | Prepared By | Reviewed By | Approved By
1.0 | 30-Apr-2010 | 1-May-2010 | | | ISO | CISO | MD
1.1 | 19-Jul-2011 | 19-Jul-2011 | Document header changed | Page 1 | ISO | CISO | MD
1.2 | 08-May-2012 | 15-May-2012 | Annual Review | | ISO | CISO | MD
1.3 | 08-Aug-2013 | 18-Aug-2013 | Annual Review | | ISO | CISO | MD

Document Custodian

Version | Document Type (Printed/Electronic) | Custodian of Document
1.3 | Electronic and Printed | Maharishi Shandilya

Document Distribution

Name | Title | Department | Version | Document Type (Printed/Electronic) | Effective Date
Sameer Walia | MD | Management | 1.2 | Electronic and Printed | 15-May-2012
Maharishi Shandilya | ISO | Management | 1.2 | Electronic and Printed | 15-May-2012
Maharishi Shandilya | ISO | Management | 1.3 | Electronic and Printed | 18-Aug-2013

Prepared By: Information Security Officer. Approved By: Managing Director.

1.0 PURPOSE

The purpose of this policy is to formalize the Business Continuity program of TSC and to provide guidelines for developing, implementing, rehearsing, maintaining and exercising Business Continuity Plans (BCPs). This policy establishes the basic principles and framework necessary to ensure emergency response, resumption and recovery, restoration and permanent recovery of TSC's operations and business activities during a business interruption event, whether man-made or natural.

2.0 SCOPE

This policy is applicable to TSC staff and other personnel, facilities and IT systems at all its locations. TSC shall be prepared for scenarios including, but not limited to, natural disaster, power outage, hardware/telecommunications failures, data corruption, explosives and chemical, biological and nuclear hazards. These events may be local in nature, rendering only a single TSC facility inaccessible, or could have regional impact, with multiple TSC facilities in a geographic region becoming inaccessible.

This policy provides guidance for the resumption and recovery of time-sensitive business operations in accordance with pre-established timeframes, and ensures that adequate plans are in place for the less time-sensitive business operations.

3.0 POLICY

A business continuity management process is implemented to reduce the disruption caused by disasters and security failures to an acceptable level through a combination of preventive and recovery controls.

The following steps are involved in the Business Continuity Management procedure:

- Business Impact Analysis
- Develop strategy plan to determine the overall approach to business continuity
- Management endorsement of the plan
- Test, Maintain and Implement the Plan
- Testing, maintaining and re-assessing business continuity plans

Business Impact Analysis:

The various business services and their criticality levels are identified as Vital / Essential / Necessary / Desirable:

- Vital: Any disruption in service that would stop the business or function or services completely; with an SLA of 4-6 hrs, and needs update of the recovery process on an hourly basis.
- Essential: Any disruption in service that would stop the business or function or services, but bare minimum activities can be carried out; with an SLA of 2 days, and needs update of the recovery process on a half-day or stage-wise basis.
- Necessary: Any disruption in service that would cause inconvenience to function or service; with an SLA of a few days, and needs update of the recovery process on a daily basis.
- Desirable: This would not cause downtime to service or services; with an SLA of a few weeks, and needs update of the recovery process on a daily or stage-wise basis.

The analysis proceeds as follows:

- The various business services are identified and their criticality levels are given as Vital / Essential / Necessary / Desirable.
- The threats associated with the service are identified; threats specific to BCP/DR are listed in Appendix I.
- The likelihood of occurrence is given in terms of High, Medium and Low as per the definition provided in Appendix II.

- The impact, in terms of Highly Critical, Major, Moderate, Minor and Low, is obtained from the impact-probability matrix defined in Appendix III.
- The existing controls and the required additional controls are identified.

These activities are documented in Appendix IV: Attached Template Impact Analysis Report.XLS

Develop strategy plan to determine the overall approach to Business Continuity:

- A solution plan (Business Continuity Plan - BCP) is prepared for each of the threats associated with the services, depending on the identified Minimum Service Level and Maximum Permissible Recovery Time, and documented in Impact Analysis Report.XLS.
- The responsibilities for the implementation of the plans are allotted to the Recovery Team (BCDRT).

Test, Maintain and Implement the Plan:

- The proposed solution is tested for implementation.
- Based on the testing performed, the plans are updated as required.
- The test activities are performed as per the steps in Appendix V, which aid in carrying out testing of BCM plans.
- The effectiveness of the plan is reviewed every six months as part of the Management Review Meeting.

4.0 POINT OF CONTACT

For clarification or further information on this policy, contact Designated Authority/CISO.

Appendix I

BCP/DR Related Threat List. This is a live list and will be updated on a regular basis from the various sources and BCP/DR test results. The list is organized under three headings: Man Made Disasters, Failures, and Natural Disasters.

Bomb threats; AC Failure; Earthquake; Fire; DG Failure; Floods; Nuclear accident; Power Failure; Lightning; Civil disturbance; UPS Failure; Food poisoning; Firewall failure; Building structural failure; Network equipment failure; Theft of equipment; Server failure; Data Piracy; Unauthorized access of data; External Sabotage by terrorist; Unauthorized access to secured area; Sabotage by disgruntled employees; Unauthorized handling of backup data; Human error; Security breach; Misuse by end users; Software malfunction; Procedural errors; Software virus; Programming bugs; Widespread erroneous data input.

Appendix II

Likelihood of Occurrence of a Threat can be defined based on the following parameters:

- High: Likely to happen once in a week
- Medium: Likely to happen once in a month
- Low: Likely to happen once in a quarter

Appendix III

Impact Probability Matrix: defines, and aids the team in determining, the value of Threat Impact and Probability during the BIA activity:

Probability of Likelihood | Desirable | Necessary | Essential | Vital
High | Mo | Mj | Hc | Hc
Medium | Mi | Mo | Mj | Hc
Low | L | Mi | Mo | Mj

Severity: Hc: Highly Critical; Mj: Major; Mo: Moderate; Mi: Minor; L: Low

Appendix IV

The Impact Assessment Report Template aids the team in carrying out Impact Assessment on all the critical services and provides the necessary inputs for development of a robust BCP/DR plan: Impact Analysis Report Template.xls

Appendix V

Business continuity plans could fail on being tested, often because of incorrect assumptions, oversights, or changes in equipment or personnel. At TSC they are tested regularly (as documented in TSC-ISMS-POL-019-Business Continuity Plan) to ensure that they are up to date and effective. Such tests also ensure that all members of the recovery team and other relevant staff are aware of the plans. The document TSC-ISMS-POL-019-Business Continuity Plan provides detailed step-by-step activities to be carried out by the TSC team.

The test schedule for business continuity plans is part of the impact analysis report and indicates when each element of the plan is tested. The test cases are carried out as per schedule and the results are documented as part of the testing report.

Snapshot of the Impact Analysis Report highlighting the test results. Report columns: Service, Test ID, Date, Time, Process, Status (Open/Closed), Expected Result, Actual Result.

Service entries: Internet Service; Power Supply; Communication Devices; Generic Software; Servers; Email

Test ID | Process | Expected Result | Actual Result
Sr/1/BCP/1 | with ISP down | To ensure ISP problem is resolved within 5 mins | Alternate dialup line was provided in 4 mins.
Sr/1/BCP/2 | with breakdown of local loop. | To ensure restoration within 5 mins. | Alternate dialup line was provided in 4 mins.
Sr/1/BCP/3 | with damaged network equipment. | To ensure restoration within 24 hrs. | The damaged equipment was restored within 10 hrs.
Sr/1/BCP/4 | with UPS down | Power will be restored within 5 min. | Power was restored within 2 mins
Sr/1/BCP/5 | with failure of power | 5 min. backup | More than 10 min. backup