Disaster Recovery Plan and Disaster Recovery

Management
Title of SOP Disaster Recovery Plan and Disaster Recovery
Management
Version 1.0
Prepared by Bhagwan Singh
Reviewed by
Approved by

SOP Review Yearly

FINOVA CAPITAL PRIVATE

LIMITED
Version Control Table

Versio Date Author Description

n

1.0 April-2024 Bhagwan Singh Initial Creation

1.0

1.0

1.0

1.0

1.0

1
Date of Next Revision April-2025

INDEX:
Section Section Title Page
No. No.

1 Purpose 3

2 Scope 3

3 Roles and Responsibilities 3

4 Backup Personnel 4

5 Strategy 4

6 Business Continuity and Disaster Recovery Needs 6

7 General Business Continuity Prerequisites 6

8 Disaster Recovery Activities 6

9 Scenarios 7

10 Recovery Point Objective (RPO) & Recovery Time 7

Objective (RTO)

11 Communication Channels 8

12 Change, Review, and Update 9

13 DR Drill Outcomes and Reports 9

14 DC-DR Site Infrastructure and Application Version 10

2
1. Purpose

This document provides a framework to counteract interruptions to critical

business activities and protect essential processes of business from the
adverse effects of business disruptions.

2. Scope

The scope of this document includes all users who have access to company-
owned or company-provided computers or require access to the corporate
network and systems. This plan applies to employees, contractors, business
partners and anyone needing access to the corporate systems.

3. Roles and responsibilities

In case of a disaster, the Business Continuity Committee is gathered to

discuss the future actions needed for the system recovery. All key
stakeholders of Finova Capital Private Limited will be informed about the
systems’ current state during the recovery from a disaster.

The Business Continuity Committee includes key members from

departments across the organization.

Role Contact Responsibility

3
4. Backup personnel

In this section is kept a list of backup personnel to cope with the

responsibilities of the Business Continuity Committee if for any reason the
key member is not able to represent the BC Committee interests:

Role Contact Responsibility

5. Strategy

The strategy of Finova Capital Private Limited business continuity plan to

develop, implement, and manage a robust and effective Business Continuity
Plan (BCP) to protect Finova Capital Private Limited operations, including its
employees, contractors, sub-contractors, and interested third parties.

There are three primary aspects that Finova Capital Private Limited
considers for its business continuity plan concerning key applications and
processes:

 High availability: Providing the capability and processes so that a

business has access to applications regardless of local failures. These
failures might be in the business processes, physical facilities, or IT
hardware or software.

4
  Continuous operations: Safeguard the ability to keep things running
during a disruption, as well as during planned outages such as
scheduled backups or planned maintenance.

 Disaster recovery: Establishing a way to recover a data center at a

different site if a disaster destroys the primary site.

Plan Objectives

 Serves as a guide for Finova Capital Private Limited and its recovery
teams.
 Reference any relevant data that resides outside this document.
 Provide procedures and resources needed to assist in recovery.
 Identify notification procedures in the event of a disaster.
 Identify, assess, and minimize risks.
 Assist in avoiding confusion experienced during a disaster by
documenting, testing, and reviewing recovery procedures.
 Document storage, safeguarding, and retrieval procedures for vital
information and data.

The IT Security team has created a Business Continuity Plan in conjunction

with the Disaster Recovery Committee. The Disaster Recovery Committee is
responsible for maintaining the BCP.

The BCP will be implemented to maintain or restore critical operations within

agreed timescales.

The BCP will include a reference to:

 Critical Finova Capital Private Limited systems.

 Business continuity roles and responsibilities.
 Performed risk assessments.
 Compliance with customers’ security requirements and contractual
agreements.

5
  Compliance with Finova Capital Private Limited information security
management system (ISMS).
 Operational procedures that will ensure recovery and restoration of
business operations and availability of information within agreed
timescales.
 Education of relevant staff on pre-defined procedures.
 Testing and updating of plans and procedures.

Identification and management of risks

The IT Security team will perform an annual business impact analysis to

identify issues that will affect the ability to provide services to its customers.

6. Business Continuity and Disaster Recovery Needs

 The technical environment should be recovered within the specified

timelines.

 The business process should be fully recovered within specified

timelines.

 All the information processed during the failure should be reconciled

with the information in the system after the Recovery.

7. General Business Continuity Prerequisites

1. Internet access should be provided by two separate providers, with a

main and a backup Internet connection.

2. Data backups should be stored on-site and off-site.

3. Power Supply should be provided by two different UPS systems, to

avoid a single power source failure.

4. Employees should have corporate laptops configured adequately with

a sufficient level of security.

6
 5. All business point of view critical employees should be able to work
outside of the company office in case of a Critical Situation.

8. Disaster Recovery Activities

1. Finova Capital Private Limited employees and clients should be notified

as soon as possible.

2. Finova Capital Private Limited employees and clients should be

provided with periodic updates during the Critical Situation and its
Recovery.

3. Notification should be done via an e-mail message and a phone call.

4. The Recovery efforts should be coordinated with the key stakeholders.

5. The most recent usable backup should be used to restore data and
files.

6. The document Recovery efforts should be appropriate to the value of

the losses.

7. The integrity of restoring systems and data should be verified by

respective SOP owners before re-releasing into production.

8. All the other necessary Recovery activities should be taken according

to the circumstances.

9. Scenarios

Any declared Disaster:

 Power failure at primary Site.

 Connectivity failure at primary site.

7
  Critical infrastructures components failure.

 Fire

 Natural calamities.

 Cyber Attack.

10. Recovery Point Objective (RPO)

RPO: Recovery point objective. The maximum age of a backup before it

ceases to be helpful.

RTO: Recovery time objective. The maximum amount of time should be

allowed to elapse before the backup is implemented and normal services are
resumed.

RTO and RPO are defined as the most critical assets.

Application RPO RTO

LOS 15 Min 8 Hours

LMS & Collection 15 Min 8 Hours

MS Dynamics -- --

Testing of the Business Continuity Plan

 The reason for testing Business Continuity Plan is to simulate situations

to find out the gaps during real problems.
 The Business Continuity Plan is tested every six months but can occur
more frequently in the case of significant changes.

8
  Once the exercising and testing are performed, the person who
coordinates business continuity reviews the result, compares them
with the objectives set, and reports them to top management.
 DR testing shall involve switching over to the DR / alternate site and
thus using it as the primary site for sufficiently long period where usual
business operations of at least a full working day.

11. Communication Channels

The primary communication channel is mobile phones.

The secondary way of communication is by Google Meet/WhatsApp.

For any crisis event, as described throughout this continuity plan, the
following order of communication should be applied:

 Use Google Meet common channels to inform all team members of the
situation and advise on actions (@all to trigger notifications).

 Use email to duplicate communication messages.

 IT Manager/VP-IT/CTO/CISO is assigned the role of Incident Commander

and coordinates point-to-point communication across the team.

 The “I’m-ok” procedure is established in case of significant disaster

situations, such as natural disasters. Each team member informs the
HR Generalist regarding their whereabouts and well-being.

 The company’s Team List is used to mark off safe team members.

12. Change, Review, and Update

This plan shall be reviewed once every year unless the owner considers an
earlier review necessary to ensure that the plan remains current. Changes to

9
this plan shall be exclusively performed by the ISMS Manager and approved
by the board level ITSC Committee.

13. DR Drill Outcomes and Reports

 Resolving major issues observed during DR drill and testing it again.

 Having documented methodology for reconciliation of data for non-zero

Recovery Point Objective.

 Reports should include learning from DR drill and improvement plan if

any.

 It will be presented to the Board Level ITSC committee.

 Reports should detail about achieved RTO/RPO, if desired RPO/RTO not

achieved Reason with improvement plan.

14. DC-DR Site Infrastructure and Application Version:

Datacenter Operations and Application team ensure that the configurations

of information systems and deployed security patches at the Data Centre
(DC) and Disaster Recovery (DR) are identical.

10
11