4Thought Marketing Disaster Recovery Plan
Table of Contents
Statement of Intent
This document outlines our policies and procedures for disaster recovery, both technical and physical, as well as our process-level plans for recovering critical systems and processes. This document summarizes our recommended guidelines. In an emergency, the security officer may modify this document to ensure the physical safety of our team members, systems, and data.
Our mission is to ensure information system uptime, data integrity and availability, and business continuity.
Policy Statement
Corporate management has approved the following policy statement:
- The company shall develop a comprehensive IT disaster recovery plan.
- The security team will perform a formal risk assessment to determine the requirements for the disaster recovery plan.
- The disaster recovery plan should cover all essential and critical infrastructure elements, systems, and networks to maintain crucial business activities.
- The security officer should conduct periodic tests of the disaster recovery plan in a simulated environment to ensure plan execution is possible in an emergency and that the management and staff understand how the program will work.
- All team members must know the disaster recovery plan and their respective roles in the disaster recovery process.
- The security team will regularly review the disaster recovery plan to consider potential updates for new requirements.
Objectives
The principal objective of the disaster recovery plan is to develop, test, and document a well-structured and easily understood process, which will help the company recover as quickly and effectively as possible from an unforeseen disaster or emergency that interrupts information systems and business operations. Additional objectives include the following:
- The need to ensure that all team members fully understand their duties in implementing such a plan
- The need to ensure that operational policies are adhered to within all planned activities
- The need to ensure that proposed contingency arrangements are cost-effective
- The need to consider implications on other company sites
- Disaster recovery capabilities as applicable to critical customers, vendors, and others
Remote Work Model
Since going fully remote in March 2020 following COVID-19 and the closure of our facilities in Costa Rica and India, 4Thought Marketing moved to fully cloud-based systems and multi-channel communication across our global team.
Key Personnel and Vendor Contact Information
4Thought Marketing maintains a roster of critical internal and vendor contacts, including primary and alternative email addresses, work and mobile phone, and other contact methods, and a calling tree in Appendix A – Key Contact . The disaster recovery team members receive copies both electronically and in hard copy.
Plan Overview
Plan Updating
The process for updating the Disaster Recovery Plan (DRP) must be appropriately organized and regulated. Whenever changes are required, the plan and training materials must be thoroughly tested and modified under the supervision of the Security Officer to ensure that they are accurate and up-to-date.
Plan Documentation Storage
The plan is stored electronically and managed on our cloud-based Egnyte server. Senior management members receive a digital copy of the plan on their computers. A physical copy of the plan is also distributed to the Disaster Recovery Team (DRT) after it is revised. The copies distributed to DRT members will include unredacted appendices not included in this document for security reasons.
Backup Strategy
Critical business processes and the agreed backup strategy for each are listed below. The approach prioritizes cloud-based systems where the service provider provides redundancy, emergency access, and failover solutions.
| KEY BUSINESS PROCESS | BACKUP STRATEGY |
| Tech Support – Software | Cloud-based hosting with remote backup |
| Phone, Email, and Collaboration | Cloud-based hosting with remote backup |
| Finance | Cloud-based hosting with remote backup |
| Contracts Admin | Cloud-based hosting with remote backup |
| Sales & Marketing Systems | Cloud-based hosting with remote backup |
| Human Resources | Off-site data storage facility |
| Web Sites | Cloud-based hosting with remote backup |
Risk Management
In our risk assessment, we’ve evaluated a range of potential disruptions across the diverse geographic locations of our remote workforce. The data indicates that the distributed nature of our team substantially lowers the risk of widespread business impact from a single disruptive event. Our primary vulnerability lies in potential communication gaps with key individual employees during localized incidents. However, our core systems are cloud-based and engineered for high availability, reducing the risk of system-wide failures. These factors suggest our operational setup is resilient, mitigating key risks and supporting business continuity.
Our cloud-based applications run in data centers engineered to safeguard our business data from hardware issues and environmental hazards. Servers operate in a rigorously controlled environment for peak performance and security. Each is built to endure events like fires and earthquakes up to a magnitude of 8.0. Our servers have backup electrical systems for continuous data access to guard against unexpected power failures and surges. Many of these can pull power from dual grids and have extra UPS modules and a generator to handle broader outages.
We’ve instituted a multi-person redundancy strategy to ensure uninterrupted access to our cloud-based. Specifically, at least two team members receive training to operate each of our critical cloud-based platforms and systems. This approach mitigates the risk associated with a team member unable to participate in recovery efforts in an affected region. By cross-training personnel across different geographic locations, we can quickly activate alternate access, maintaining operational integrity and continuing business functions with minimal disruption.
Emergency Response
Alert, escalation, and plan invocation
Plan Triggering Events
Key trigger issues that would lead to activation of the DRP are:
- Regional Disaster or Health Crisis
- Key system outage
Activation of Emergency Response Team
The Emergency Response Team (ERT) must be activated when an incident occurs. The ERT will then decide how much the DRP is required. All employees must be issued a Quick Reference card containing ERT contact details for use in the event of a disaster. Responsibilities of the ERT are to:
- Respond immediately to a potential catastrophe and call emergency services;
- Assess the extent of the disaster and its impact on the business data center;
- Decide which elements of the DR Plan should be activated;
- Establish and manage a disaster recovery team to maintain vital services and return to regular operation;
- Ensure employees are notified and allocate responsibilities and activities as required.
Disaster Recovery Team
The team will be contacted and assembled by the ERT. The team’s responsibilities include:
- Establish communication with key DRP team members within 2.0 business hours;
- Restore affected critical services within 4.0 business hours of the incident;
- Recover to business as usual within 8.0 to 24.0 hours after the incident;
- Coordinate activities with disaster recovery team, first responders.
- Report to the emergency response team.
Emergency Alert, Escalation, and DRP Activation
This policy and procedure ensure that personnel clearly understand whom to contact during a disaster or crisis. Guidelines outline how to establish communication quickly when activating disaster recovery.
The DR plan will rely principally on key members of management and staff who will provide the technical and leadership skills necessary to achieve a smooth technology and business recovery. Suppliers of critical goods and services will continue to support the recovery of business operations as the company returns to normal operating mode.
Emergency Alert
The person discovering the incident calls a member of the Emergency Response Team in the order listed in Appendix A – Key Contact :
The Emergency Response Team (ERT) is responsible for activating the DRP for disasters identified in this plan and any other occurrence affecting the company’s ability to perform normally.
During the early stages of the emergency, one of the tasks is to notify the Disaster Recovery Team (DRT) that an emergency has occurred. The notification will request DRT members assemble at the problem’s site and will involve sufficient information to communicate this request effectively. The Business Recovery Team (BRT) will comprise senior representatives from the central business departments. The BRT Leader will be a senior member of the company’s management team responsible for taking overall charge of the process and ensuring that the company returns to normal working operations as early as possible.
DR Procedures for Management
Management team members will keep a hard copy of each employee’s name and contact numbers on their company-provided computers. In addition, management team members will have a hard copy of the company’s disaster recovery and business continuity plans in their homes.
Contact with Employees
Managers will serve as the focal points for their departments, while designated employees will call other employees to discuss the crisis/disaster and the company’s immediate plans. Employees who cannot reach staff on their call list should call the staff member’s emergency contact to relay information on the disaster.
Backup Staff
If a manager or staff member designated to contact other staff members is unavailable or incapacitated, the designated backup staff member will perform notification duties.
Recorded Messages / Updates
For the latest information on the disaster and the organization’s response, staff members can call a toll-free hotline listed on the DRP wallet card. Messages will include data on the nature of the disaster, assembly sites, and updates on work resumption.
Personnel and Family Notification
If the incident has resulted in a situation that would cause concern to an employee’s immediate family, such as hospitalization of injured persons, it will be necessary to notify their immediate family members quickly.
Media
Media Contact
Assigned staff will coordinate with the media, working according to guidelines that have been previously approved and issued for dealing with post-disaster communications.
Media Strategies
- Avoiding adverse publicity
- Take advantage of opportunities for helpful publicity
- Have answers to the following fundamental questions:
- What happened?
- How did it happen?
- What are you going to do about it?
Media Team
- Refer to Appendix A – Key Contact
Rules for Dealing with Media
Only the media team is permitted direct contact with the media; anyone else contacted should refer callers or in-person media representatives to the media team.
Insurance
We have issued several insurance policies for the company’s disaster recovery and business continuity strategies. These include errors and omissions, directors’ and officers’ liability, general liability, and business interruption insurance.
For insurance-related assistance following an emergency out of regular business hours, please get in touch with the security officer:
Refer to Appendix B – Insurance Information for details.
Financial and Legal Issues
Financial Assessment
The emergency response team shall prepare an initial assessment of the impact of the incident on the company’s financial affairs. The evaluation should include:
- Loss of revenue
Financial Requirements
The controller and CEO must address the financial needs of the company. These can include:
- Cash flow position
- Temporary borrowing capability
- Upcoming payments for taxes, payroll taxes, and Social Security.
- Availability of company credit cards to pay for supplies and services required post-disaster
Legal Actions
The company’s legal representation and ERT will jointly review the aftermath of the incident and decide whether there may be legal actions resulting from the event, particularly the possibility of claims by or against the company for regulatory violations.
DRP Exercises
Disaster recovery plan exercises are an essential part of the plan development process. In a DRP exercise, no one passes or fails; everyone who participates learns from exercises – what needs to be improved and how to implement improvements. Plan exercising ensures that emergency teams are familiar with their assignments and, more importantly, are confident in their capabilities.
Successful DRP plans launch into action smoothly. But it only happens if everyone with a role in the plan rehearses their part multiple times, simulating the potential issues and confirming that the team takes proper steps to resolve them.
Appendix A – Key Contact Information
The list includes but is not limited to the following:
- CEO/President
- CTO
- Security Officer
- IT Manager
- Operations Director
- Marketing Operations Manager
- Telco/Conferencing vendor
- Insurance provider
- Other key vendors
Redacted in the public version
Appendix B – Insurance Information
Details policy names, coverage types, period, amount of coverage, the person responsible for coverage, and subsequent renewal date
Redacted in the public version
Appendix C – Technology Disaster Recovery Plan Templates
Templates include the following:
System Name
Vendor(s)
Key Contacts
Administrators
Backup strategy and restore instructions
Redacted for the public version
Appendix D – Forms and Documents
All forms and documents are kept and updated on our Engyte remote system. In the case of an emergency, all records are accessible by responsible staff members through this external storage system as long as a network connection is available.