4Thought Marketing Logo

4Thought Marketing Disaster Recovery Plan

Table of Contents

image_pdfimage_print

Security Policy Home

Last Update:

Statement of Intent

This document outlines our policies and procedures for disaster recovery, both technical and physical, as well as our process-level plans for recovering critical systems and processes. This document summarizes our recommended guidelines. In an emergency, the security officer may modify this document to ensure the physical safety of our team members, systems, and data.

Our mission is to ensure information system uptime, data integrity and availability, and business continuity.

Policy Statement

Corporate management has approved the following policy statement:

  • The company shall develop a comprehensive IT disaster recovery plan.
  • The security team will perform a formal risk assessment to determine the requirements for the disaster recovery plan.
  • The disaster recovery plan should cover all essential and critical infrastructure elements, systems, and networks to maintain crucial business activities.
  • The security officer should conduct periodic tests of the disaster recovery plan in a simulated environment to ensure plan execution is possible in an emergency and that the management and staff understand how the program will work.
  • All team members must know the disaster recovery plan and their respective roles in the disaster recovery process.
  • The security team will regularly review the disaster recovery plan to consider potential updates for new requirements.

Objectives

The principal objective of the disaster recovery plan is to develop, test, and document a well-structured and easily understood process, which will help the company recover as quickly and effectively as possible from an unforeseen disaster or emergency that interrupts information systems and business operations. Additional objectives include the following:

  • The need to ensure that all team members fully understand their duties in implementing such a plan
  • The need to ensure that operational policies are adhered to within all planned activities
  • The need to ensure that proposed contingency arrangements are cost-effective
  • The need to consider implications on other company sites
  • Disaster recovery capabilities as applicable to critical customers, vendors, and others

Remote Work Model

Since going fully remote in March 2020 following COVID-19 and the closure of our facilities in Costa Rica and India, 4Thought Marketing moved to fully cloud-based systems and multi-channel communication across our global team.

Key Personnel and Vendor Contact Information

4Thought Marketing maintains a roster of critical internal and vendor contacts, including primary and alternative email addresses, work and mobile phone, and other contact methods, and a calling tree in Appendix A – Key Contact . The disaster recovery team members receive copies both electronically and in hard copy.

Plan Overview

Plan Updating

The process for updating the Disaster Recovery Plan (DRP) must be appropriately organized and regulated. Whenever changes are required, the plan and training materials must be thoroughly tested and modified under the supervision of the Security Officer to ensure that they are accurate and up-to-date.

Plan Documentation Storage

The plan is stored electronically and managed on our cloud-based Egnyte server. Senior management members receive a digital copy of the plan on their computers. A physical copy of the plan is also distributed to the Disaster Recovery Team (DRT) after it is revised. The copies distributed to DRT members will include unredacted appendices not included in this document for security reasons.

Backup Strategy

Critical business processes and the agreed backup strategy for each are listed below. The approach prioritizes cloud-based systems where the service provider provides redundancy, emergency access, and failover solutions.

KEY BUSINESS PROCESSBACKUP STRATEGY
Tech Support – SoftwareCloud-based hosting with remote backup
Phone, Email, and CollaborationCloud-based hosting with remote backup
FinanceCloud-based hosting with remote backup
Contracts AdminCloud-based hosting with remote backup
Sales & Marketing SystemsCloud-based hosting with remote backup
Human ResourcesOff-site data storage facility
Web SitesCloud-based hosting with remote backup

Risk Management

In our risk assessment, we’ve evaluated a range of potential disruptions across the diverse geographic locations of our remote workforce. The data indicates that the distributed nature of our team substantially lowers the risk of widespread business impact from a single disruptive event. Our primary vulnerability lies in potential communication gaps with key individual employees during localized incidents. However, our core systems are cloud-based and engineered for high availability, reducing the risk of system-wide failures. These factors suggest our operational setup is resilient, mitigating key risks and supporting business continuity.

Our cloud-based applications run in data centers engineered to safeguard our business data from hardware issues and environmental hazards. Servers operate in a rigorously controlled environment for peak performance and security. Each is built to endure events like fires and earthquakes up to a magnitude of 8.0. Our servers have backup electrical systems for continuous data access to guard against unexpected power failures and surges. Many of these can pull power from dual grids and have extra UPS modules and a generator to handle broader outages.

We’ve instituted a multi-person redundancy strategy to ensure uninterrupted access to our cloud-based. Specifically, at least two team members receive training to operate each of our critical cloud-based platforms and systems. This approach mitigates the risk associated with a team member unable to participate in recovery efforts in an affected region. By cross-training personnel across different geographic locations, we can quickly activate alternate access, maintaining operational integrity and continuing business functions with minimal disruption.

Emergency Response

Alert, escalation, and plan invocation

Plan Triggering Events

Key trigger issues that would lead to activation of the DRP are:

  • Regional Disaster or Health Crisis
  • Key system outage

Activation of Emergency Response Team

The Emergency Response Team (ERT) must be activated when an incident occurs. The ERT will then decide how much the DRP is required. All employees must be issued a Quick Reference card containing ERT contact details for use in the event of a disaster. Responsibilities of the ERT are to:

  • Respond immediately to a potential catastrophe and call emergency services;
  • Assess the extent of the disaster and its impact on the business data center;
  • Decide which elements of the DR Plan should be activated;
  • Establish and manage a disaster recovery team to maintain vital services and return to regular operation;
  • Ensure employees are notified and allocate responsibilities and activities as required.

Disaster Recovery Team

The team will be contacted and assembled by the ERT. The team’s responsibilities include:

  • Establish communication with key DRP team members within 2.0 business hours;
  • Restore affected critical services within 4.0 business hours of the incident;
  • Recover to business as usual within 8.0 to 24.0 hours after the incident;
  • Coordinate activities with disaster recovery team, first responders.
  • Report to the emergency response team.

Emergency Alert, Escalation, and DRP Activation

This policy and procedure ensure that personnel clearly understand whom to contact during a disaster or crisis. Guidelines outline how to establish communication quickly when activating disaster recovery.

The DR plan will rely principally on key members of management and staff who will provide the technical and leadership skills necessary to achieve a smooth technology and business recovery. Suppliers of critical goods and services will continue to support the recovery of business operations as the company returns to normal operating mode.

Emergency Alert

The person discovering the incident calls a member of the Emergency Response Team in the order listed in Appendix A – Key Contact :

The Emergency Response Team (ERT) is responsible for activating the DRP for disasters identified in this plan and any other occurrence affecting the company’s ability to perform normally.

During the early stages of the emergency, one of the tasks is to notify the Disaster Recovery Team (DRT) that an emergency has occurred. The notification will request DRT members assemble at the problem’s site and will involve sufficient information to communicate this request effectively. The Business Recovery Team (BRT) will comprise senior representatives from the central business departments. The BRT Leader will be a senior member of the company’s management team responsible for taking overall charge of the process and ensuring that the company returns to normal working operations as early as possible.

DR Procedures for Management

Management team members will keep a hard copy of each employee’s name and contact numbers on their company-provided computers. In addition, management team members will have a hard copy of the company’s disaster recovery and business continuity plans in their homes.

Contact with Employees

Managers will serve as the focal points for their departments, while designated employees will call other employees to discuss the crisis/disaster and the company’s immediate plans. Employees who cannot reach staff on their call list should call the staff member’s emergency contact to relay information on the disaster.

Backup Staff

If a manager or staff member designated to contact other staff members is unavailable or incapacitated, the designated backup staff member will perform notification duties.

Recorded Messages / Updates

For the latest information on the disaster and the organization’s response, staff members can call a toll-free hotline listed on the DRP wallet card. Messages will include data on the nature of the disaster, assembly sites, and updates on work resumption.

Personnel and Family Notification

If the incident has resulted in a situation that would cause concern to an employee’s immediate family, such as hospitalization of injured persons, it will be necessary to notify their immediate family members quickly.

Media

Media Contact

Assigned staff will coordinate with the media, working according to guidelines that have been previously approved and issued for dealing with post-disaster communications.

Media Strategies

  1. Avoiding adverse publicity
  2. Take advantage of opportunities for helpful publicity
  3. Have answers to the following fundamental questions:
    • What happened?
    • How did it happen?
    • What are you going to do about it?

Media Team

  • Refer to Appendix A – Key Contact

Rules for Dealing with Media

Only the media team is permitted direct contact with the media; anyone else contacted should refer callers or in-person media representatives to the media team.

Insurance

We have issued several insurance policies for the company’s disaster recovery and business continuity strategies. These include errors and omissions, directors’ and officers’ liability, general liability, and business interruption insurance.

For insurance-related assistance following an emergency out of regular business hours, please get in touch with the security officer:

Refer to Appendix B – Insurance Information for details.

Financial Assessment

The emergency response team shall prepare an initial assessment of the impact of the incident on the company’s financial affairs. The evaluation should include:

  • Loss of revenue

Financial Requirements

The controller and CEO must address the financial needs of the company. These can include:

  • Cash flow position
  • Temporary borrowing capability
  • Upcoming payments for taxes, payroll taxes, and Social Security.
  • Availability of company credit cards to pay for supplies and services required post-disaster

The company’s legal representation and ERT will jointly review the aftermath of the incident and decide whether there may be legal actions resulting from the event, particularly the possibility of claims by or against the company for regulatory violations.

DRP Exercises

Disaster recovery plan exercises are an essential part of the plan development process. In a DRP exercise, no one passes or fails; everyone who participates learns from exercises – what needs to be improved and how to implement improvements. Plan exercising ensures that emergency teams are familiar with their assignments and, more importantly, are confident in their capabilities.

Successful DRP plans launch into action smoothly. But it only happens if everyone with a role in the plan rehearses their part multiple times, simulating the potential issues and confirming that the team takes proper steps to resolve them.

Appendix A – Key Contact Information

The list includes but is not limited to the following:

  • CEO/President
  • CTO
  • Security Officer
  • IT Manager
  • Operations Director
  • Marketing Operations Manager
  • Telco/Conferencing vendor
  • Insurance provider
  • Other key vendors

Redacted in the public version

Appendix B – Insurance Information

Details policy names, coverage types, period, amount of coverage, the person responsible for coverage, and subsequent renewal date

Redacted in the public version

Appendix C – Technology Disaster Recovery Plan Templates

Templates include the following:

System Name

Vendor(s)

Key Contacts

Administrators

Backup strategy and restore instructions

Redacted for the public version

Appendix D – Forms and Documents

All forms and documents are kept and updated on our Engyte remote system. In the case of an emergency, all records are accessible by responsible staff members through this external storage system as long as a network connection is available.