Business Continuity and Disaster Recovery (BC/DR) Policy
Purpose
This policy ensures [OMNI GAME LABS PTE. LTD.] can:
Continue critical business operations during and after disruptions (e.g., cyber incidents, cloud outages, power failures, pandemics, natural events in Singapore like flooding/haze).
Recover data and systems quickly with minimal loss.
Protect personal data integrity and availability per PDPA obligations (avoiding breaches due to unavailability or loss).
Minimize financial/reputational damage and support contractual commitments (e.g., limited TikTok USDS support).
It focuses on practical, low-cost measures suitable for a small, cloud-based operation.
Scope
Covers:
All employees, contractors, and remote workers.
Critical IT systems/tools (e.g., Google Workspace/Microsoft 365, AWS/GCP if used, email, core apps/files).
Business processes (e.g., client support, development, admin).
Any personal data handled (including limited U.S. User Data under contracts).
Excludes non-critical activities (e.g., non-urgent marketing).
Management / CEO — Approves policy, allocates budget/resources, reviews tests.
BC/DR Coordinator (often the DPO) — [Name / Position, e.g., Operations Lead]Email: [admin@igrush.com]Leads planning, testing, activation, and post-event review.
All Staff — Report disruptions immediately, follow recovery steps, participate in tests/awareness.
IT/Technical Lead (or outsourced support) — Handles technical recovery (backups, restores).
4.Business Impact Analysis (BIA)
Critical functions and targets:
Core service delivery (e.g., client consulting/support): RTO < 4–24 hours; RPO < 1–24 hours.
Email & communication (Google Workspace/Slack): RTO < 4 hours; RPO < 1 hour.
Data/files storage (cloud drives): RTO < 24 hours; RPO < 24 hours.
Key risks: Ransomware/cloud provider outage, phishing/data loss, staff illness/quarantine, Singapore-specific (power grid issues, internet disruption).
Use reputable cloud providers with built-in redundancy (e.g., multi-region backups if available).
Enable automatic backups (daily for critical data; retained 30–90 days).
Implement MFA, antivirus/endpoint protection, secure access (no shared passwords).
Regular password changes, staff awareness training (annual basics).
Review vendor SLAs (e.g., uptime guarantees) annually.
Data Recovery: Restore from cloud backups. Test restores quarterly.
System/Access Recovery: Use secondary accounts, alternate devices (personal laptops as backup), or manual processes (phone/email for urgent client comms).
Alternate Operations: Remote work continuation; shift to WhatsApp/Slack for critical coordination if primary tools fail.
Communication: Use predefined group chat/email template to update staff/clients.
Detection/Activation — Any disruption causing >4-hour critical outage triggers activation by Coordinator/Management.
Immediate Response — Assess impact (1–2 hours), notify team, activate backups/comms.
Recovery — Restore data/systems, verify functionality, resume operations step-by-step.
Return to Normal — Monitor for 24–48 hours, document event.
Post-Event — Root cause review, update policy/controls, log lessons.
Annual tabletop exercise.
Quarterly backup restore test (verify sample data/files recoverable).
Basic staff awareness — Include in annual PDPA/training session.
Policy review — Annually or after tests/incidents/changes.
Documentation
Maintain a simple BC/DR Checklist & Log (Google Sheet/Excel),Retain records for at least 12 months.
This policy is designed to be realistic for a small team — no dedicated DR site or expensive tools required. It supports PDPA compliance by ensuring data availability and quick recovery to prevent secondary breaches.