Disaster recovery & business continuity
Understanding and controlling risk
This information is an overview to demonstrate that we have considered the risks and planning for disaster recovery and business continuity. Specific detail has been left out for security reasons.
We consider disaster to be:
- Fire, flood or destruction of office workspace
- Wilful destruction or theft of IT hardware and/or hardcopy documents
- Unlawful interference – successful attempts to control digital files or business-critical systems
- Incapacity of key staff.
Rouge is a Government Cyber Essentials certified company. Education and training are provided to all employees, which is reviewed regularly. The certification covers the IT hardware and behaviours for the office and employees’ home setups.
Our cybersecurity approach includes the following (but isn’t limited to):
- regular review of employee admin access, and their access to all systems
- regular reviews of password strength
- all admin access has two-factor authentication
- anti-malware installed on all machines and devices
- admin accounts are not used for day-to-day production use
- cybersecurity insurance.
Rouge is an ISO9001 (quality management) accredited company. We have an approval process for new and existing suppliers, which is reviewed regularly. Our suppliers of business-critical software and systems are established, industry-leading vendors.
Rouge is in the process of gaining accreditation for ISO27001 (information security management).
Fire, Flood and Destruction
Assuming total destruction or loss of the studio and all IT equipment and hardcopy documents, the following has been considered.
- All employees have a home workstation setup that mirrors their office workstation setups
- All file storage is cloud-based. Production work (design, development and project management) can be carried out in the office or the employees’ home without the need to move files or data manually between locations
- There are no physical servers in our office. Our file management vendor provides backup and restoration functionality in the event of file deletion or intrusion
- All production software can be installed from the cloud. No physical installation media exists
- All business-critical management software (email, accounts, client management, project management etc.) are cloud-based. Our software/service vendors provide backup and restoration functionality in the event of file deletion or intrusion
- All website/web app hosting environments are cloud-based. There are no physical servers in our office
- All business-critical hardcopy documents are scanned and stored in the cloud. Archive hardcopy documents are stored offsite.
Our hosting and software vendors for all business-critical systems have been chosen for their approach to data security and proven backup and restoration processes.
Periodic backups of business-critical data and files are taken and stored on physical media offsite.
In the event of a successful intrusion attempt, we would work with our suppliers to restore our systems.
Our clients’ websites are built with the latest best practice development approach and maintained with the latest security patches and updates. Monitoring systems are in place to report suspicious activity. Our hosting accounts come with complete backup and restoration systems.
Our hosting vendors have their own proven backup systems in the event of a disaster.
We have a proven website hack resolution process that involves:
- Restoration – get the website live as a matter of priority
- Analysis – why did the hack occur?
- Fix – apply the necessary fix (technology/behaviour)
- Monitor – continue to monitor, maintain and update the website
Incapacity of Staff
The primary production team consists of:
- Design team – three designers
- Development team – three developers
- Project management team – One full-time project manager, with support from design and development directors
In the event of the incapacity of any one of the production team members, the design and development teams can cover the initial loss of a team member.
The two Directors can cover the incapacity of the full-time project manager in the short term.
If incapacity is medium or long-term, a freelancer (approved supplier) will be brought in to cover.