1.        Purpose

Company relies extensively on large and complex information systems for its daily operations and value creating processes. Disruption of these systems will have serious negative implications for our business. The purpose of this document is to outline the set of appropriate policies and procedures that is necessary for the management of system disruption scenarios that potentially affect our most critical information systems. This procedure allows us to minimize the impact of disruption to our most critical systems and to restore the systems to full functionality in an efficient and effective way.

2.        Scope

The Business Continuity – Information Systems is applicable to all major information system areas that affect business continuance. Specifically, this document covers the following three major areas that are critical for sustaining our overall business competitiveness:

  1. Critical Applications Sustainability
  2. Network Sustainability
  3. Security Sustainability

These core areas enlisted above will be highlighted in chapter 7. Procedurally, this document governs all business continuity/disaster recovery, network operation, and security procedures for all the areas mentioned above.

3.        Owner

Company, IT.

4.        Policy

  • For all critical systems (chapter 7.1), IT must have (at least) one procedure on disaster recovery.
  • For all critical systems (chapter 7.1), IT must have an executable disaster drill plan and schedule (both hard-copy) available.
  • For all critical systems (chapter 7.1), IT must have an executable disaster recovery plan (hard-copy) available.
  • For all critical systems (chapter 7.1), IT must have a list (hard-copy) of relevant contact persons, their (cell)phone numbers, and their distance (in minutes) from their home to factory.
  • For all critical systems (chapter 7.1), IT must have records and evidence (hard-copy) available of actual execution of the disaster drill plan.
  • All documents mentioned above must be integrated in the disaster recovery procedure for the individual system.
  • Regarding network sustainability, all (third-party) contracts and agreements must be available in both hard- and soft-copy.
  • Regarding security sustainability, all security scan and monitoring logs must be recorded and available in both hard- and soft-copy.
  • More specific policy guidelines can be found in the respective procedures (see chapter 8).

5.        Roles and Responsibilities

The information systems department of Company is responsible for adhering to the policies specified in this document and in the associated procedures (e.g. ERP Disaster Recovery Procedure). More specifically, the IT manager is responsible for defining the policies and also the periodical review and adjustment of this procedure, whether or not involving other IT staff.

6.        Definition and Abbreviations

6.1.     Definitions

N/A.

6.2.    Abbreviations

N/A.

7.        Procedure details

7.1.    Critical Application Sustainability

Company deploys two major information systems for operations: ERP and SFC. The following section briefly introduces both systems, their main functionality, and the procedures and policies IS has in place for ensuring their sustainability.

7.1.1.     ERP

ERP is currently the central manufacturing enterprise resource planning system in use by Company. ERP runs on the production server hosted in server room, whereas a testing server (with production server settings) is readily available in another site, second floor. The servers are located from each other at an approximate distance of 200 meters.

ERP’s contributing value to our business should not be underestimated. Therefore it is necessary to have the proper procedures and policies in place that will safeguard ERP’s continuancy. The disaster recovery procedure and plan are covered in the ERP Disaster Recovery Procedure. This disaster recovery plan provides solutions to several anticipated disaster scenarios.

The solutions to disaster cases involve setting up the ERP system on the testing server in case the production server fails. IT also has an agreement in place with the IT department of Company in Hong Kong. They have agreed to provide us a cold-standby in case of any system failures at the Shanghai plant.

The procedure also includes a disaster recovery drill plan in order these solutions to be executable in real-life cases. IT’ policy requires biannual execution of the disaster recovery drill in a testing environment in order for the IT department and other key stakeholders to prepare for potential real-life disasters.

The first drill run has been scheduled for execution in Date xxx.

7.1.2.     SFC

SFC is the main Lot tracking and traceability system deployed by Company. The system covers the whole process from Semi-finish, Finish, to Module Assembly. Currently, a cluster of two servers is dedicated to hosting the SFC system. This two-server cluster has a fail-over capability that allows the system to automatically switch to the backup server in case of system failure of the first server.

SFC’s sustainability is covered by the SFC Disaster Recovery Procedure, and similar to ERP, provides solutions and a recovery plan for responding to disaster scenarios. Responding to these disaster scenarios generally involves setting up a testing server at either Shanghai sites, and subsequently, recovering the system functionality on the respective server.

The disaster recovery drill plan for SFC is executed in a testing environment on a biannual basis.

The first drill run has been scheduled for execution following the ERP drill run in date xxx.

7.1.3.     Backup of data for all applications

On a daily basis, IT staff performs backups of system data. These backups cover all systems, including ERP and SFC. After running the backup process, these backups are stored in a fire-proof safe located at Shanghai site.

Specific backup tapes are removed from the cycle and send on a monthly basis to Shenzhen for storage in Hong Kong.

7.2.    Network Sustainability

SFC, ERP, and many other systems rely on the information network for their basic functionality. This is why network sustainability is an important topic for IT business continuity. Our current network consists of optical fiber connecting three sites.

Failure of routers and switches will affect the functionality of this network. In order to minimize the disruption when it occurs, IT requires that spare router and switch are readily available in the IT equipment storage (IT Computer Room, Shanghai, second floor). In case of emergency, IT staff will replace the defect router or switch with the corresponding backup part.

In addition, IT manager is currently negotiating a 24×7 network maintenance contract with its network equipment vendor. This will allow us to minimize the average network outage to less than four hours, in the event of a major outage. Network failure of the WAN, however, is not within the scope of our control.

More details on network sustainability can be found in the IT Backbone System Disaster Recovery Procedure.

7.3.    Security Sustainability

The development of Internet technology has originated a surge of new application solutions to improve business practices in corporations. This technology has allowed companies to be more competitive on a global scale and changed the way people do business.

However, as businesses worldwide place increasing reliance on interconnected systems and electronic data, the risks of fraud, inappropriate disclosure of sensitive data, and disruption of critical operations and services increase. The same factors that benefit business operations also make it possible for individuals and organizations to inexpensively interfere with or eavesdrop on these operations from remote locations for purposes of fraud or sabotage, or other mischievous or malicious purposes.

Evidently, security and privacy protection are key issues for companies nowadays. Maintaining security and privacy requires corporate planning, training, implementing controls properly, monitoring the effectiveness of controls and taking necessary corrective action. Company IT addresses this issue in its Security Vulnerability Scanning and Correction Procedure.

Basically, in order to sustain its IT security, IT has deployed two firewalls at Shanghai 1 & 2 sites to filter out all unauthorized access to the network. Also, IT staff runs security checks on a weekly basis, which cover the whole network and are based on the industry benchmark.

Any issues found are addressed immediately and with proper resources. In addition, the IS department holds weekly security review meetings on each Friday to discuss the security agenda and current critical security issues.

8.        References

N/A