Please note confidential information has been removed. If further detail is need please contact us.
Purpose
The purpose of this document is to explain how Expansive Solutions manages major incidents or extended services outages caused by factors beyond our control (e.g: accidents, natural disasters, man-made events).
For the detail of how we restore services are available in the annexed documents
Risks associated with this policy are documented in our Risk Register [confidential]
Scope
This policy covers all services provided to and by Expansive Solutions.
Principles
The principles of the policy are to:
-
Preserve life
-
Prevent conditions from deteriorating
-
Promote recovery
-
Ensure safety of casualties & self
-
Preserve reputation
Objectives
The objectives of the policy are to:
-
Ensure Expansive Solutions staff know their priorities during an incident
-
Ensure staff know the correct steps to take during an incident
-
Provide procedures and resources needed to assist in recovery
-
Identifies key partners that must be notified in the event of a disaster
Assumptions
It is assumed:
-
Key people will be available following a disaster
-
This document and all vital related documents are stored in a secure location and survive the disaster to remain accessible immediately following or during a major incident
-
Each support organization will have its own plan consisting of unique recovery procedures, critical resource information and procedures
Communication
When staff are unable to attend work due to a major incident they are required to contact a line manager or business leadership team within a reasonable time period. Manager will attempt to contact the staff we’ve not heard from within 2 working hours of the incident.
Communication can be made by business communication tools and personal mobile.
Commination to stakeholders will take place as set out in the management process below.
Disaster Definition
Expansive Solutions draws clear distinction between Incident Management & Business Continuity:
-
Incident Management: occurs from the time that incident happens until critical business operations begin to be restored
-
Business Continuity Management: starts when plans are invoked and ends when business operations are restored.
Staff should also be aware of the following terms:
-
Maximum Tolerable Period of Disruption: duration after which the company’s viability will be irrevocably threatened if services cannot be resumed.
-
Recovery Time Objective:
-
Resumption of service after incident; or
-
Resumption of performance of activity after an incident; or
-
Recovery of an IT system or application after an incident
-
-
Incident Response: occurs within minutes or hours of an incident occurring
-
Business Continuity: occurs within hours or days after an incident occurring
-
Back to Normal: occurs days or weeks after an incident.
Responsibilities
A dedicated disaster response team (“DR team“) is responsible for carrying out the procedures set out in this policy. The team are:
-
CTO - leads implementation of the procedures and invocation of policies
-
COO - leads on client communication and staff welfare
-
Lead Engineer - supports restoration of technical services
Each team member will designate an alternative
All staff should keep an updated call list of their staffs’ contact details
All DR team members must keep this plan available home for reference in the event of a disaster occurring
During a disaster all staff should assume the resolution and mitigation of the incident is their top priority and seek written permission from the DR team lead to continue with BAU or other activities.
Declaring a Disaster
The leadership are responsible for declaring a disaster and for activating the DR team outlined above
Expansive recognizes two distinct incident types: Crisis & Disaster. The below table indicates the basic criteria for assessing where on this scale an incident should be positioned.
|
Incident Category |
Crisis |
Disaster |
|
Characteristics |
|
|
Reporting an Incident
Person receiving notification shall try to gather the following information as applicable:
-
Establish the nature of the incident (fire collapse, data loss, media interest, etc)
-
Ascertain whether any injuries have been sustain (how many and how serious)
-
Is there any damage to property (e.g. data centre)
-
Is the incident ongoing – or does this report refer to an event that has completed
-
The address of the incident (with postcode) if applicable
-
Obtain contact numbers to respond to the person and which ones.
-
Are emergency services already on the scene and which ones.
-
If the person reporting the incident is not a Staff member – request information as to who they are & how they have come to be reporting an incident.
-
Record the time the incident was reported
-
Report the Incident to the Local Emergency Services if this has not already been done.
-
Document all information collected above and send to the emergency team leader
Manage an Incident
The lead of the DR team should follow the steps defined in Managing DR Incidents [confidential]. This includes details of:
-
Actions to take
-
Stakeholders to notify
-
Expectations on updates, communications etc
-
Procedures for capital expenditure related to management of an incident
-
Closing an incident
Managing a Pandemic
In the event of a pandemic related incident supplemental steps are defined in Managing Pandemics [confidential]
Managing IT Service Disruption
In the event of significant, extended loss of IT service provision supplemental steps are defined in Managing IT Service Interruption [confidential]
Using the Business Continuity Plan
This plan becomes effective when the DR incident (i.e. crisis or disaster) occurs and will remain in effect until operations are resumed at the original location or replacement location and control is returned to appropriate staff.
Full steps can be found in the Business Continuity Plan [confidential]