Disaster recovery & business continuity

Understanding and controlling risk

This information is an overview to demonstrate that we have considered the risks and planning for disaster recovery and business continuity. Specific detail has been left out for security reasons.

We consider disaster to be:

Fire, flood or destruction of office workspace
Wilful destruction or theft of IT hardware and/or hardcopy documents
Unlawful interference – successful attempts to control digital files or business-critical systems
Incapacity of key staff.

Our Approach

Rouge is a Government Cyber Essentials certified company. Education and training are provided to all employees, which is reviewed regularly. The certification covers the IT hardware and behaviours for the office and employees’ home setups.

Our cybersecurity approach includes the following (but isn’t limited to):

regular review of employee admin access, and their access to all systems
regular reviews of password strength
all admin access has two-factor authentication
anti-malware installed on all machines and devices
admin accounts are not used for day-to-day production use
cybersecurity insurance.

Rouge is an ISO9001 (quality management) accredited company. We have an approval process for new and existing suppliers, which is reviewed regularly. Our suppliers of business-critical software and systems are established, industry-leading vendors.

Rouge is in the process of gaining accreditation for ISO27001 (information security management).

Fire, Flood and Destruction

Assuming total destruction or loss of the studio and all IT equipment and hardcopy documents, the following has been considered.

All employees have a home workstation setup that mirrors their office workstation setups
All file storage is cloud-based. Production work (design, development and project management) can be carried out in the office or the employees’ home without the need to move files or data manually between locations
There are no physical servers in our office. Our file management vendor provides backup and restoration functionality in the event of file deletion or intrusion
All production software can be installed from the cloud. No physical installation media exists
All business-critical management software (email, accounts, client management, project management etc.) are cloud-based. Our software/service vendors provide backup and restoration functionality in the event of file deletion or intrusion
All website/web app hosting environments are cloud-based. There are no physical servers in our office
All business-critical hardcopy documents are scanned and stored in the cloud. Archive hardcopy documents are stored offsite.

Unlawful interference

Business systems

Our hosting and software vendors for all business-critical systems have been chosen for their approach to data security and proven backup and restoration processes.

Periodic backups of business-critical data and files are taken and stored on physical media offsite.

In the event of a successful intrusion attempt, we would work with our suppliers to restore our systems.

Websites/webservers

Our clients’ websites are built with the latest best practice development approach and maintained with the latest security patches and updates. Monitoring systems are in place to report suspicious activity. Our hosting accounts come with complete backup and restoration systems.

Our hosting vendors have their own proven backup systems in the event of a disaster.

We have a proven website hack resolution process that involves:

Restoration – get the website live as a matter of priority
Analysis – why did the hack occur?
Fix – apply the necessary fix (technology/behaviour)
Monitor – continue to monitor, maintain and update the website

Incapacity of Staff

The primary production team consists of:

Design team – three designers
Development team – three developers
Project management team – One full-time project manager, with support from design and development directors

In the event of the incapacity of any one of the production team members, the design and development teams can cover the initial loss of a team member.

The two Directors can cover the incapacity of the full-time project manager in the short term.

If incapacity is medium or long-term, a freelancer (approved supplier) will be brought in to cover.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non-necessary".
cookielawinfo-checkbox-performance	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".

Cookie	Duration	Description
aka_debug	session	This cookie is set by the provider Vimeo.This cookie is essential for the website to play video functionality. The cookie collects statistical information like how many times the video is displayed and what settings are used for playback.
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_L7B3QLPPKX	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_1479209_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.