Disaster Recovery Plan
Breakout Learning Inc.
Purpose
This policy establishes procedures to recover Breakout Learning Inc following a disruption resulting from a disaster. The Disaster Recovery Plan is maintained by the Breakout Learning Inc Chief Information Security Officer (CISO).
Background
The following objectives have been established for this plan:
- Maximize the effectiveness of contingency operations through an established plan consisting of three phases:
  - Notification/Activation Phase: Detect and assess damage and activate the plan.
  - Recovery Phase: Restore temporary operations and recover damage to systems.
  - Reconstitution Phase: Restore system processing capabilities to normal operations.
- Identify the activities, resources, and procedures needed to carry out Breakout Learning Inc's processing requirements during prolonged interruptions.
- Assign responsibilities to designated personnel and provide guidance for recovering systems during extended downtime.
- Ensure coordination with other Breakout Learning Inc staff and external points of contact and vendors for recovery.
Policy
Breakout Learning Inc. defines two categories of systems from a disaster recovery perspective:
- Critical Systems:
Systems hosting application and database servers required for core functionality. These must be restored immediately upon becoming unavailable.
- Non-Critical Systems:
Systems that do not prevent critical operations but should be restored once critical systems are functional.
Types of Disasters:
Examples of disasters that initiate this plan include natural disasters, political disturbances, man-made disasters, external human threats, and internal malicious activities.
Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Breakout Learning Inc. defines the following for each system:
- Critical Systems:
  - RTO: 4 hours
  - RPO: 15 minutes
  These systems must be restored within 4 hours, with no more than 15 minutes of data loss.
- Non-Critical Systems:
  - RTO: 24 hours
  - RPO: 1 hour
  These systems can be restored within 24 hours, with up to 1 hour of data loss acceptable.
Threat and Risk Assessment
Potential threats that can disrupt normal business processes are continuously assessed and documented in the Breakout Learning Inc IT Risk Assessment. This includes natural disasters, human threats, and infrastructure failures.
Testing and Maintenance
The CISO is responsible for validating and testing the Disaster Recovery Plan at least annually. Testing includes:
- Tabletop Testing:
Ensures personnel are trained to respond to crises according to the plan.
- Technical Testing:
Validates that communication, data storage, and recovery can function at alternate sites.
Disaster Recovery Procedures
Notification and Activation Phase
This phase addresses the initial actions to detect and assess damage caused by a disruption. Based on the assessment, the Disaster Recovery Plan may be activated by the CISO.
Notification Sequence:
- The first responder notifies the CISO.
- The CISO informs the team and begins the assessment.
- Damage is assessed, and the recovery plan is activated if necessary.
Step-by-Step Failover Procedures
- Activate Failover Environment:
Initiate failover to backup servers in a secondary cloud environment.
- Validate Backup Integrity:
Verify the integrity of backups using automated verification scripts.
- Reconfigure Network:
Update DNS to point to the backup environment.
- Test Connectivity:
Ensure all systems are connected and functioning as expected.
- Notify Stakeholders:
Inform internal teams and clients of the failover.
- Monitor Systems:
Actively monitor performance and security in the backup environment.
Recovery Phase
The goal is to rebuild Breakout Learning Inc infrastructure at an alternate site:
- Contact affected partners and customers.
- Begin replication using automated scripts.
- Test the new environment and ensure logging, security, and alerting functionality are working.
- Deploy to production and update DNS records.
Reconstitution Phase
Once operations are restored, Breakout Learning Inc will transition back from the alternate site:
- Replicate the environment to the original or new site.
- Test the environment and ensure full functionality.
- Update DNS to the original environment.
- If transitioning back, hardware at the alternate site must be disposed of according to policy.
Natural Disaster Management
For natural disasters (e.g., earthquakes, floods, hurricanes), Breakout Learning Inc will implement the following:
- Pre-Disaster Preparation:
  - Daily offsite backups to prevent data loss from physical damage.
  - Regular disaster recovery drills for readiness.
- Emergency Response:
  - Evacuate personnel and remotely initiate recovery procedures.
  - Assess system accessibility and initiate recovery steps.
- Post-Disaster Recovery:
  - Restore critical operations from offsite locations within 24 hours.
  - Evaluate physical damage and initiate repairs.
Revision History
| Version | Date | Editor | Approver | Description of Changes |
|---|---|---|---|---|
| 1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations |
| 1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version |