Business Continuity Plan (BCP)

This page was last updated on 1st Feb 2024

Introduction to HashMove BCP

The Business Continuity Plan (BCP) for HashMove Inc. (hereafter referred to as HashMove) aims to guarantee the seamless continuation of business operations during and after any critical incident that disrupts normal operational capacity. In the event of a disaster affecting HashMove’s SaaS services, this document serves as a guide for responsible individuals to coordinate the system recovery. It is designed to include or reference all necessary information required for recovery, ensuring the uninterrupted provision of HashMove's SaaS services.

Business Continuity Management at HashMove

HashMove is dedicated to ensuring the uninterrupted continuity of its essential business processes and those of its valued clients. HashMove's ability to maintain high availability of its services during and after business disruptions is of utmost importance. To verify the effectiveness and preparedness of its business continuity management, HashMove conducts BCP/DR drills with auditable execution and integrates lessons learned. The customized BCP framework adheres to ISO 22301:2012 standards (previously BS25999) to enhance its adequacy and effectiveness.

This BCP, aligned with HashMove’s corporate BCMS policy, aims to prevent and mitigate potential service disruptions affecting its operations and impacting customers and associates. It outlines the necessary communication, escalation, and actions required during incidents or business disruptions. The plan provides a thoroughly researched approach and procedures for resuming services at acceptable levels within defined timeframes, minimizing business losses, and offering cost-effective alternative services.

Business Continuity Strategy

This section of the HashMove Business Continuity Plan outlines the strategy designed to sustain business operations in the face of any technical disruption to HashMove's SaaS services. Since HashMove's offerings are technology-driven, they are equipped to automatically recover from disasters.

Preventive Measures

This subsection outlines all measures implemented to ensure the high availability of HashMove's SaaS services.

Data Centre/Cloud Infrastructure

HashMove applications are hosted on AWS/Azure cloud platforms, utilizing multiple availability zones for enhanced reliability.

Application Load Balancer

The application load balancer serves as a single point of contact for clients, distributing incoming traffic across multiple application nodes. It is configured in high-availability mode to ensure uninterrupted services.

Application

Application nodes are set up in a clustering mode to ensure high availability and minimize reliance on any single node. Sufficient buffer resources are maintained across all application modes to prevent performance issues during peak times.

Database

The database is also configured in a clustering mode to ensure high availability. Adequate buffer resources are maintained to ensure it functions effectively, even during high load peak times.

Recovery Priority

This strategy emphasizes the recovery of HashMove's critical services. The recovery strategy is to be implemented by the DevOps/Technology teams. A list of key services and key customers should be maintained by the respective Technology Operation team. Priority should be given to services critical to HashMove and those that may impact the majority of clients.

Scope - Critical Process

This document covers the following areas:

  • HashMove Application System
  • Database System
  • Network Infrastructure
  • Server Infrastructure
  • Data Storage and Backup System
  • Integration Platform
  • Cloud Infrastructure

Note: This document does not cover HashMove's operations team and internal functions. Please refer to the process specific BCP plan for those details.

BCP/DR Drill

To evaluate the effectiveness of the Business Continuity Plan (BCP) and Disaster Recovery (DR) scenarios, HashMove has established a structured BCP/DR drill plan.

Drill Cycle

Drills are conducted on a semi-annual basis. These exercises are performed against the scenarios outlined in this document to assess the readiness and efficacy of the BCP/DR plan.

Soft BCP/DR Drill

Every six months, HashMove conducts soft drills for its application, during which the most recent backup of the database and file systems is restored and tested.

BCP/DR Reports

Reports from these drills are available to customers upon request.

Recovery Procedure for Critical Processes

This section covers procedures for recovering from complete failures and other disruptions affecting various business functions of the HashMove application.

Complete Application Crash

Although a complete application crash is highly unlikely due to the database running in a clustered mode across multiple availability zones, HashMove has robust Business Continuity Planning and Disaster Recovery processes to ensure uninterrupted services to clients and to support their own Business Continuity Planning.

In the event of a complete database crash, the maximum Recovery Time Objective (RTO) is 4 hours, and the Recovery Point Objective (RPO) is 24 hours. Recovery will utilize the latest transactional log backup from one or more locations following any unforeseen event. During this period, turnaround times (TATs) and service levels will be temporarily suspended. The Emergency Management Team will declare this scenario.

Other Scenarios

This section lists other failure scenarios of application and database services.

Scenario 1: Issue in Application

  • Recovery Procedure: Restoring a day-old HashMove application configuration from the backup server. BCP Activation Time: 15 minutes.
  • Recovery Time Objective (RTO): 4 Hours
  • Recovery Point Objective (RPO): 24 Hours
  • Recovery Location Office: HashMove, 7766 Yosef Al Bazaz St, 2750, Al Mathar Ash Shamali, Riyadh 12334, Saudi Arabia
  • Datacentre: AWS/Azure
  • Responsibilities: Respective Technology Leads, IT DevOps, Application Support.

Scenario 2: Issue in Application Database

This scenario covers business outages due to database issues (partial or complete damage).

  • Partial Damage: Partial damage (due to database corruption, deletion, etc.) impacting the database.
  • RTO for Partial Damage: 4 Hours
  • RPO for Partial Damage: 24 Hours
    Complete Damage: Scenarios covered in “Complete Failure Scenarios” impacting the database.
  • RTO for Complete Damage: 4 Hours
  • RPO for Complete Damage: 24 Hours
  • Recovery Location Office: HashMove, 7766 Yosef Al Bazaz St, 2750, Al Mathar Ash Shamali, Riyadh 12334, Saudi Arabia
  • Datacentre: AWS/Azure
  • Responsibilities: Respective Team Leaders, IT Cloud-Ops, DBA, Application Support.
Notification

EM (Event Management) Initiate call logging via Zendesk tool (support@hashmove.com) Support Team Support Team Manager Standard operating procedures and Vendor support directory DevOps, CISO TEAM, Other Impacted Function

  • CCP:
    • Notify vendors and internal SMEs Support Team Support Team Manager Process SME DevOps, CISO TEAM, Other Impacted Function
  • CCP
    • Notify vendors to activate supplier continuity plan for support provision and monitoring.
  • CoB
    • Conduct Technology Impact analysis for Support function and Service Delivery Unit Process Team, Information Security Team Process Lead DevOps lead- Service notification to all stakeholders.
  • CoB
    • Execute plan activation for Tech Infrastructure, DevOps, Service Delivery Unit, and supply chain providers Process Head, CISO DevOps Manager, Process Manager DevOps- SME, CISO TEAM, Business Head
  • EM
    • Communicate event details Support Team Process Lead DevOps- SME, CISO TEAM, Business Head
  • CoB
    • Conduct business impact assessment for Support units and initiate continuity/DR action plan activation Service Delivery Unit, Information Security Team Function Head Support Team Service Delivery Head, Stakeholders
  • EM
    • Establish Continuity event management ROTA for initial assessment of impacted business units Service Delivery Unit BCL, DevOps lead, CISO TEAM Service Delivery Head, DevOps Head, CISO TEAM SLA with vendors, RTO aligned to business needs and customer alignment Service Delivery Head, Function Head, Customer, Associates engaged in the event, Stakeholders.
  • PS
    • Ensure SMEs have access to transport and guest house facilities during extended outage periods Process Manager/Admin Manager Email Communication Process Head, Function Head, Admin Manager
  • AP
    • Conduct IT infrastructure damage assessment and handle Insurance Claims Location Finance/Admin Manager Location Finance/Admin Manager Process Lead, Admin, Finance Management
  • ES
    • Ensure HVAC at Premises is operational for operations recovery Location Admin Manager Location Admin Head Supply Chain Location PRACT Council, Business leaders, LC, MSACF
  • CoB
    • Monitor SLA adherence and recommend changes in post-event action plan DevOps, Service Delivery Unit Head, Information Security Team CISO TEAM BCL Team CISO and Service Delivery Head
  • CoB
    • Assess BIA, announce plan updates, and report weekly progress BCL, Function Heads, and Support Teams Function Heads Function Head and CISO TEAM Council, Admin, DevOps, CISO TEAM, Leadership Council
  • CoB
    • Execute Recovery and Restoration of operations Service Delivery Unit, Dev Ops Service Delivery Unit, Dev Ops BC Plans, customer priority if any, RTO and/or SLA Leadership Teams
  • CoB
    • Announce Return of business to normal Function Head Management Security and Continuity Forum Chair Service Delivery Unit Head MSACF Location Council
  • ATR
    • Conduct post-event meeting and track action items CISO TEAM Function Head Support and Business Teams Management
  • ATR
    • Track action items to closure CISO TEAM Function Head Support and Business Teams Management
  • ATR
    • Report risk exposures to Management Security Forum CISO TEAM Function Head Support and Service Delivery Unit Management
  • ATR
    • Track actions for Management Security Forum continuity improvement plan CISO TEAM Function Head Support and Service Delivery Team Management
Incident Reporting
  • The PM/BCL must promptly inform the ADMIN manager, CMT Leader, ERT of the location, and/or the IS team about any incident disruptions. Regular updates will be communicated to keep all stakeholders informed about the progress.
  • The PM/BCL will document the incident and share the report with relevant stakeholders, including the IS team. The incident management process will be followed to ensure timely alerts and handling of incidents. Incident escalations will adhere to the communication plan outlined in the BCP.
  • Incident Report for Emergency Template: Available at BMS/Web Qualify.
Incident Response Command Structure and Control Flow

Effective response management during disruptions requires a structured command hierarchy to carry out planned actions, make timely decisions, and implement contingency measures. The authority and division of accountability within the project or business unit's scope are outlined below to ensure efficient governance and execution of planned strategies.

Reporting incidents, recording them, and assessing their scope in terms of cybersecurity are vital steps in incident response. The severity of incidents, particularly those related to cybersecurity, is evaluated by teams responsible for IT infrastructure, DevOps, and service delivery. Following this, a review of severity assessments is conducted by the Cybersecurity (CISO) Team. Assessment calls, led by the CISO Team, involve discussions on the impact on various environments, including infrastructure, applications, databases, and business operations. Decisions regarding the activation of business continuity plans are made based on these discussions. Stakeholders are notified accordingly, and business units communicate impact and readiness with partners, customers, and internal teams. The Cybersecurity Team oversees the monitoring of cybersecurity events until resolution, while ensuring proper documentation and governance through the Incident Management System (IMS).

Communication to Client and Stakeholder

The Communication team will be responsible for informing clients about the disaster and its impact. The best and/or most practical means of contacting all clients will be used with preference for the following methods (in order):

  • E-mail (via corporate email where that system still functions).
  • E-mail (via non-corporate or personal email).
  • Telephone to employee home phone number.
  • Telephone to employee mobile phone number.

Clients will need to be informed of the following:

  • Anticipated impact on service offerings.
  • Anticipated impact on delivery schedules.
  • Anticipated impact on the security of client information.
  • Anticipated timeline.
Communicating to Partners

Once all clients have been notified about the disaster, the Communication team will proceed to inform partners about the event and its consequences. Priority will be given to crucial partners, who will receive initial email notifications followed by phone calls to confirm receipt of the message. Essential assistance from partners will be sought to facilitate the restoration of regular operations during the crisis. Subsequently, other partners will be contacted once all crucial partners have been reached.

Communicating to Other Stakeholders

The task of informing the remaining stakeholders about the disaster and its effects will fall under the purview of the Communication team.

Post-Disaster Activities

After the disaster has been managed and business operations return to their usual state, the subsequent tasks should be executed as part of Post-Disaster Activities:

  • Return to normalcy after restoration services.
  • Lessons Learned/Key learnings to be updated in BCP, if required.
  • The PM/BCL shall create an incident report stating details of the disaster and its impact.
  • Identify impacted business functionality and recovery mechanisms, if any.
  • Identify impact on SLA adherence, if any.
  • Conduct root cause analysis for the disaster and action items for the team, if any.

    Mandatory Documents Needed
  • RA & RTP of the Project/Business Unit
  • Project-specific Installation & Configuration Procedures
  • BIA Assessment
  • Write-up/SOP on each of the Critical Processes declared.
  • BCP/DR Drill Evidence
  • Incident Response Procedures for Identified Threats
  • Incident Report Document
  • Critical Resource Contact List

    Acronyms and Their Expanded Forms
  • BCM: Business Continuity Management
  • DR: Disaster Recovery
  • RTO: Recovery Time Objective
  • MBCO: Minimum Business Continuity Objective
  • ERT: Emergency Response Team
  • CMT: Crisis Management Team
  • IT: Information Technology
  • IS: Information Security
  • BIA: Business Impact Analysis
  • BCP: Business Continuity Plan
  • MAO: Maximum Acceptable Outage
  • PM: Project Manager
  • DBA: Database Administrator

This document outlines a comprehensive framework aimed at enabling HashMove Inc. to sustain critical business operations amidst disruptions, thereby safeguarding client services and facilitating prompt recovery from any potential disaster scenarios.

Version History
Annual Review Vision Reviewed In Change Required (Y/N) Remarks
Version 1.0 01-02-2021 N OK
Version 1.0 01-02-2022 N OK
Version 2.0 01-02-2023 N OK
Version 3.0 01-02-2024 Y OK

Note: This plan does not address business continuity for HashMove's operations team.