Disaster recovery & business continuity
Understanding and controlling risk
This information is an overview to demonstrate that we have considered the risks and planning for disaster recovery and business continuity. Specific detail has been left out for security reasons.
We consider disaster to be:
- Fire, flood or destruction of office workspace
- Wilful destruction or theft of IT hardware and/or hardcopy documents
- Unlawful interference – successful attempts to control digital files or business-critical systems
- Incapacity of key staff.
Our Approach
Rouge is an ISO27001 (information security management) and Government Cyber Essentials certified company. Education and training are provided to all employees and reviewed regularly. The certification covers the IT hardware and behaviours for the office and employees’ home setups.
Our cybersecurity approach includes the following (but isn’t limited to):
- regular review of employee admin access, and their access to all systems
- regular reviews of password strength
- all admin access has two-factor authentication
- anti-malware installed on all machines and devices
- admin accounts are not used for day-to-day production use
- regular training for all staff
Rouge is an ISO9001 (quality management) accredited company. We have an approval process for new and existing suppliers, which is reviewed regularly. Our suppliers of business-critical software and systems are established, industry-leading vendors, with proven backup and restoration processes.
Fire, Flood and Destruction
Assuming total destruction or loss of the studio and all IT equipment and hardcopy documents, the following has been considered.
- All employees have a home workstation setup that mirrors their office workstation setups
- All file storage is cloud-based. Production work (design, development and project management) can be carried out in the office or the employees’ home without the need to move files or data manually between locations
- There are no physical servers in our office. Our file management vendor provides backup and restoration functionality in the event of file deletion or intrusion
- All production software can be installed from the cloud. No physical installation media exists
- All business-critical management software (email, accounts, client management, project management etc.) is cloud-based. Our software/service vendors provide backup and restoration functionality in the event of file deletion or intrusion
- All website/web app hosting environments are cloud-based. There are no physical servers in our office
- All business-critical hardcopy documents are scanned and stored in the cloud. Archive hardcopy documents are stored offsite.
Unlawful interference
Business systems
Our hosting and software vendors for all business-critical systems have been chosen for their approach to data security and proven backup and restoration processes.
Periodic backups of business-critical data and files are taken and stored on physical media offsite.
In the event of a successful intrusion attempt, we would work with our suppliers to restore our systems.
Websites/webservers
Our clients’ websites are built with the latest best-practice development approach and maintained with the latest security patches and updates. Monitoring systems are in place to report suspicious activity. Our hosting accounts come with complete backup and restoration systems.
Our hosting vendors have their own proven backup systems in the event of a disaster.
We have a proven website hack resolution process that involves:
- Restoration – get the website live as a matter of priority
- Analysis – why did the hack occur?
- Fix – apply the necessary fix (technology/behaviour)
- Monitor – continue to monitor, maintain and update the website.
Incapacity of Staff
The primary production team consists of:
- Design team – four designers
- Development team – five developers
- Project management team – three project managers.
Every website project and client account has a primary lead with a backup team member. All project documentation and communication is shared with the whole team.
No one person has exclusive admin access to business-critical systems.