Disaster Recovery and Business Continuity Plan
Last updated: October 6, 2021
This document has been scrubbed from confidential information, such as phone numbers and email addresses. To obtain the original version, please contact privacy@termlynx.com.
Print as PDFInformation Technology Statement of Intent
This Disaster Recovery and Business Continuity Plan (this “Plan”) delineates TermLynx Solutions Inc.’s (hereinafter referred to as “Company”, “our” or “we”) policies and procedures for recovering critical technology platforms and key business functions following the occurrence of a significant business disruption (the “BCP Program”). In the event of an actual emergency situation, modifications to this Plan and the BCP Program may be made to ensure the physical safety of our people, our systems, and our data.
A Disaster Recovery and Business Continuity Plan is the lynchpin of an overall business continuity strategy and is critical to maintaining a minimum level of service while restoring the organization to business as usual.
Simply stated, our mission is to ensure information system uptime, data integrity and availability, and business continuity.
Objectives
The principal objective of this Plan and the BCP Program is to develop, test and document a well-structured and easily understood plan which will help the company recover as quickly and effectively as possible from an unforeseen disaster or emergency which interrupts information systems and business operations. Additional objectives include the following:
The need to ensure that all employees fully understand their duties in implementing this Plan and the BCP Program.
The need to ensure that operational policies are adhered to within all planned activities.
The need to ensure that proposed contingency arrangements are implementable and cost-effective.
The need to quickly recover and resume business operations after the occurrence of an unforeseen disaster or emergency and respond by safeguarding our employees and property and allowing our customers to access and use the service(s) we provide.
Key Personnel
- Adam Sternthal, Chief Executive Officer
- Olivier Sasseville, Chief Technology Officer
- Alessandro Caruso, Business Development
External Principal Supplier Contacts
- Linode
- Microsoft Azure
1. Plan Overview
1.1. Plan Updating
This Plan is to be kept up to date to take into account changing circumstances. In this connection, this Plan and the BCP Program provided herein will be updated periodically and at least annually on January 1 of each year to reflect any material change to our operations, infrastructure, business or business location(s).
1.2. Plan Testing, Escalation and Implementation
This Policy and the BCP Program have been established to ensure that in the event of a disaster or emergency, personnel will have a clear understanding of who should be contacted. Procedures have been devised to ensure that communications can be quickly established to facilitate the activation of the BCP Program.
This Plan will rely principally on key members of senior management and staff who will provide the technical and management skills necessary to achieve a smooth technology and business recovery. In this connection, each member of senior management will be issued hard copy of this Plan to be filed at home and all personnel will be made aware of this Plan, the BCP Program and their own respective roles.
This Plan and the BCP Program are to be tested periodically and at least annually on January 1 of each year in a simulated environment to ensure that it can be implemented in disaster or emergency situations and that management and personnel understand how it is to be executed.
1.3. Backup Strategy
The Company’s physical books and records (collectively, its “Records”) are systematically stored on Microsoft OneDrive on servers located in Ontario, Canada. If the Company is unable to access physical copies of the Records in the event of a disaster or emergency, the Company will nonetheless be able to access such Records from its Microsoft OneDrive from an alternate location.
1.4. Risk Management
There are many potential disruptive events which can occur at any time and affect the continued normal course operation of our business. We have considered a wide range of potentially disruptive events and threats and the results of our deliberations are included in this section. The following table sets out the potential disruptive events and threats that could affect the continued normal course of operation of our business, the likelihood of their occurrence and the level of business disruption which could result therefrom.
Potential Disruptive Events | Probability of Occurrence | Impact Rating | Brief Description of Potential Consequences & Risk Mitigation |
---|---|---|---|
Flood, fire or electrical power failure at principal place of business or loss of communications network services | 3 | 2 | Consequences: In the event equipment is damaged or rendered inaccessible by the incident or network services are interrupted, our ability to provide client support or respond to inbound client requests may be temporarily suspended. Risk Mitigation: All hardware is systematically backed up to the cloud. We have secured secondary workspaces which can be available on short notice. |
Physical injury of key personnel | 3 | 3 | Consequences: Potential for knowledge gaps and brief interruption of services provided by impacted personnel. Risk Mitigation: Systematic gap analysis, cross functional training, and continuous succession planning. |
Act of sabotage/hacking | 5 | 1 | Consequences: Depending on the nature of the act of sabotage or hack, an interruption of our service(s) could result, which interruption may range from temporary to more prolonged in nature. Risk Mitigation: Strict adherence to, and oversight of, our Data Security Policy and the risk mitigation measures contained therein. |
Linode server outage or business interruption | 5 | 2 | Consequences: Potential hours interruption of our services. Risk Mitigation: Implementation of plan to become platform agnostic (Kubernertes & Docker). |
Probability: 1=Very High, 5=Very Low Impact: 1=Total destruction, 5=Minor annoyance
2. Alert, escalation and BCP Program invocation
2.1. Plan Triggering Events
The following is a list of disaster or emergencies that that will trigger the activation of this Plan and the BCP Program (each a “Triggering Event”):
- Flood or fire affecting the principal place of business.
- Physical injury of key personnel.
- Act of sabotage.
- Electrical power failure.
- Loss of communication network services.
- Linode outage or business interruption.
2.2. Activation of Emergency Response Team
The Emergency Response Team (“ERT”), lead by the Chief Technology Officer, is responsible for activating the BCP Program upon the occurrence of a Triggering Event or any other disaster, emergency or event that affects the company’s capability to perform normally (collectively, a “SBD”). The responsibilities of the ERT are to:
- Respond immediately to the SBD and call emergency services when necessary.
- Assess the extent of the SBD and its impact on the business.
- Decide which elements of the BCP Program should be activated.
- Establish and manage a disaster recovery team to maintain vital services and restore the business to normal operation.
- Ensure personnel is notified and allocate responsibilities and activities as required.
2.3. Disaster Recovery Team
A disaster recovery team (the “DRT”) will be assembled and contacted by the ERT. The DRT’s responsibilities include:
Establishing facilities for an emergency level of service within 2.0 business hours.
Restoring key services within 4.0 business hours of the SBD.
Returning to business as usual within 8.0 to 24.0 hours after the SBD.
Coordinating activities with the DRT, first responders, etc.
2.4. Reporting to the ERT.
The person that discovers the SBD must call a member of the ERT in the order listed below (based on availability):
- Olivier Sasseville, Chief Technology Officer
- Adam Sternthal, Chief Executive Officer
- Alessandro Caruso, Vice President Business Development
One of the tasks during the early stages of the SBD is to assemble the DRT and inform them that an SBD has occurred. The DRT will consist of senior representatives from the principal business departments. The DRT leader will be a member of the Company's management and will be responsible for taking overall charge of the process and ensuring that the Company returns to normal working operations as early as possible.
2.5. Disaster Recovery Procedures for Management
Members of the management team will keep a hard copy of the names and contact numbers of each employee in their departments. In addition, management team members will have a hard copy of this Plan on file in their homes in the event that the physical Records or Microsoft OneDrive are inaccessible, unusable, or destroyed (as applicable).
2.6. Contact with Employees
Members of the management team will serve as the focal points for their departments, while designated employees will call other employees to discuss the disaster or emergency and the immediate next steps. Employees who cannot reach staff on their call list are advised to call the staff member’s emergency contact to relay information on the SBD.
2.7. Backup Staff
If the member of the management team or staff member designated to contact other staff members is unavailable or incapacitated, the designated backup staff member will perform notification duties.
Personnel and Family Notification
If the SBD has resulted in a situation which would cause concern to an employee’s immediate family such as hospitalization of injured persons, it will be necessary to notify their immediate family members quickly.
3. Media
3.1. Media Contact
Assigned staff will coordinate with the media, working according to guidelines that have been previously approved and issued for dealing with post-disaster communications.
3.2. Media Strategies
- Avoiding adverse publicity.
- Take advantage of opportunities for useful publicity.
- Have answers to the following basic questions:
- What happened?
- How did it happen?
- What are you going to do about it?
3.3. Media Team
- Adam Sternthal, Chief Executive Officer
3.4. Rules for Dealing with Media
Only the media team is permitted direct contact with the media; anyone else contacted should refer callers or in-person media representatives to the media team.
4. Financial and Legal Issues
4.1. Financial Assessment
The ERT shall prepare an initial assessment of the impact of the SBD on the Company’s financial affairs. The assessment should include:
- Loss of Records.
- Loss of revenue.
- Loss of access to capital.
4.2. Financial Requirements
The immediate financial needs of the Company must be addressed. These can include:
- Cash flow position.
- Temporary borrowing capability.
- Upcoming payments for taxes, payroll taxes, suppliers etc.
- Availability of credit to pay for supplies and services required post-disaster.
4.3. Legal Actions
TermLynx’s appointed external counsel and the ERT will jointly review the aftermath of the SBD and decide whether there may be legal actions resulting therefrom.
5. BCP Program Exercises
Disaster recovery plan exercises are an essential part of the Plan development process. In a disaster recovery exercise no one passes or fails; everyone who participates learns from the exercise, namely, what needs to be improved and how the improvements can be implemented. Plan exercising ensures that emergency teams are familiar with their assignments and, more importantly, are confident in their capabilities.
Successful disaster recovery plans launch into action smoothly and effectively when they are needed. This will only happen if everyone with a role to play in the plan has rehearsed the role one or more times. The Plan should also be validated by simulating the circumstances within which it has to work and seeing what happens.