
Business Continuity & Disaster Recovery Policy

Business Continuity & Disaster Recovery Plan

Version 1.0

Effective Date: 01/11/2021

Alqadesia Square, Tripoli, Libya
+218 (21) 4448116 / +218 (21) 4447622
MPQ@obour.com / info@obour.com

TABLE OF CONTENTS

1. OVERVIEW
2. SCOPE
3. BUSINESS CONTINUITY STRATEGY
4. SERVICES AVAILABILITY
5. LOSS OF INFORMATION
6. CYBERATTACKS
7. MALWARE AND VIRUSES
8. LOSS OF PREMISES
9. SUDDEN LOSS OF CRITICAL WORKFORCE
10. RESTORATION PLANS
11. IT DISASTER RECOVERY KIT
12. ROLES AND RESPONSIBILITIES
13. RISKS CLASSIFICATION AND MITIGATION
14. RECOVERY STRATEGY
15. POLICY SIGN OFF


1. Overview

Obour Payments is primarily focused on processing payments and Platform as a Service (PaaS) for issuing, acquiring, and
e-payments. This necessitates an elaborate business continuity plan to commit to high service levels and
continuity of critical functions.
The Obour Business Continuity Plan also includes an elaborate IT Disaster Recovery Plan that covers the biggest risk posed
by the business.
The Disaster Recovery Plan is a guiding document containing the necessary instruction, guidelines, organization,
responsibilities, and information required for a department to be prepared for an emergency that would affect computer and
network services. The content of the document covers disaster procedures, responsibilities, and identification of essential
software applications and hardware, general procedures for potential interruptions, policies for reducing risk, contingency
planning parameters, disaster response, and testing & maintenance of the disaster recovery plan that are necessary to
guarantee the ongoing viability of the plan.
2. Scope

2.1 Purpose
The purpose of the Disaster Recovery Plan is to provide guidelines and procedures for an orderly and timely recovery from
an interruption of data processing and/or network services. Procedures to recover from a disaster are predicated on the
most serious occurrence possible.
The Business Continuity Plan is limited in scope to recovery and business continuance from a serious disruption in
activities due to non-availability of Obour’s facilities.
The Business Continuity Plan includes procedures for all phases of recovery as defined in the Business Continuity Strategy
of this document.
Unless otherwise modified, this plan does not address temporary interruptions of duration less than the time frame
determined to be critical to business operations.
The purpose of the Business Continuity Plan is to coordinate recovery of critical business functions in the event of a
facilities disruption or disaster. This can include short or long-term disasters or other disruptions, such as:
• Service Availability
o Data Centre Facility
o High Availability configuration to address:
− Hardware/software failure
− Network & internet disruptions
• Loss of Information
o Storage and Backups
o Cyberattacks
o Malware and viruses
• Loss of Premises (Data Centre and Processing Centre)
o Fire
o Natural disasters
o Severe weather
o Flooding (including pipe bursts)
o Terrorist attacks
o Office vandalism/destruction
o Sudden loss of critical workforce
o Workforce stoppages due to pandemics or political instability
o Single resource dependency

2.2 Objectives
The primary objectives of the Disaster Recovery Plan are to make sufficient agreed-upon preparations, and to design and
implement a sufficient set of agreed-upon procedures for responding to a disaster of any size in the departmental area of
responsibility.
The purpose of these procedures is to minimize the effect of a disaster upon the operations of the department. The
emphasis is on safeguarding the vital assets of the Obour Data Centre and ensuring the continued availability of critical IT
services. Other objectives of the plan are as follows:
• Ensure the safety of employees and visitors in datacentre/office buildings.

• Risk reduction and prevention to help avert any interruption in computing system, application, network
systems and services.

• Reduce confusion during any chaotic period by having a clearly defined course of action that will
re-establish services as soon as possible. Having documented plans and procedures is essential for
ensuring the quick & effective execution of recovery strategies for critical business functions.

• Identify critical functions with consideration of priority scheduling.

• Conclude formal backup arrangements with such sites as identified. Specify steps necessary to relocate
to the alternate site.

• Identify key personnel for each application, database or service so that they can be summoned without
delay when needed.

• Identify users of departmental services to be notified of delays and to be involved in the recovery
process. Establish the personnel responsible for all phases of Disaster Recovery.

2.3 Plan and Goals


The following organizational goals can be pursued:
• Assignment of Internal Staff for Planning and Training.

• Obtaining the Interest and support of all Administrators.

• Getting Cooperation from the User Departments.

• Involving all Related Departments both internal and external.

• Setting Priorities for the Planning Effort.

• Reviewing the Plan during Its Development.

• Considering the Use of Consulting Support.

• Ensuring Continuing Commitment once the Plan is in Place.

• Periodic Testing of the Plan.

• Integration of the Plan in the Normal Business Process.

3. Business Continuity strategy

3.1 RISKS RELATED TO BCP & DR


Obour BC and DR planning take into consideration the following critical risks that may cause the plan to fail:
• Assuming team members know their roles, and everyone will help during a crisis

• Thinking Obour has an effective communication strategy

• Believing Obour employees know what to do when they get an emergency alert

• Hoping our plans will work exactly as expected and documented

• Believing we have addressed all critical infrastructure issues

• Misjudging the disaster scale or how large an impact it will have (for example, COVID and current resource constraints)

3.2 RISKS BASED BCP & DR DESIGN


Risks listed above are addressed by OBOUR BCP strategy through:
• Mandatory Annual training and refresh courses for all staff.

• An effective Emergency Response Communication process.

• Effective Incident Management checklists and dedicated teams.

• Inclusion of "Work-From-Home" as a contingency plan for Disruptions such as pandemics and political instability.

• Defined Business Continuity Metrics and KPIs that are monitored and tested as part of the BCP and DR simulation.

3.3 BCP & DR POLICY AND PRIORITIES


The OBOUR BCP strategy addresses the following policy and priorities:
• Ensure the safety of employees and visitors in the office buildings.

• Mitigate threats or limit the damage that threats can cause through structured risk management.

• Have advanced tested preparations to ensure that critical business functions continue in case of exigencies.

• Have documented plans, procedures, and training for every department to ensure the quick, effective execution of recovery
strategies for critical business functions.

• Have a plan for testing the IT DR with the member banks being processed once a year, and internal testing of DR, including
the above, at least twice a year.

4. Services availability

Service availability focuses on eliminating single points of failure at all levels (from network adapters to data
centres). The solution is fault-tolerant to the different kinds of failures that are possible in a typical IT data centre.
4.1 DATA CENTRE FACILITY
This section provides details of the OBOUR data center facility and touches briefly on the high availability setup that
provides a fault-tolerant processing environment. Detailed coverage of the IT DR setup is available in a separate Disaster
recovery Plan document.
Obour IT infrastructure is hosted in tier 4 certified primary data centers in Libya. The facility is characterized by 24/7
continuous monitoring and multiple redundancies, comprising:
• Dedicated Primary and DR Datacentres Locations in Libya

• Zero single points of failure, multiple redundancies for all resources such that no single outage or error can shut down the
system.

• 99.995% uptime per year in the primary site (Tier 4 uptime)

• 96-hour power outage protection

• No more than 26.3 minutes of data center downtime per annum

• Multiple communication service providers

4.2 HIGH AVAILABILITY ARCHITECTURE


Obour uses high availability architecture to host the processing platform that effectively uses server clustering to build
redundancy into a cluster to eliminate single points of failure, including multiple network connections and data storage
which is multiply connected via Storage Area Networks (SAN). This has been implemented across all layers of
infrastructure including the network, application servers, and database.
In addition to the high availability architecture on the primary site, an equivalent setup of the same database capability has
been configured in the DR setup with active database replication between the two sites.
Obour has a dedicated DR site with online data replication. The DR site has been sized with the same capacity and power
as the DC site, so it can accommodate all transaction loads from both sites and handle the immediate load. The DR site
is scalable with no limitations on adding additional resources to support a long-term outage.
Each site has its connections to open-loop schemes, hosts, terminals, and other accompanying and satellite systems. Both
systems can run separately and concurrently and represent two different entities for MC, VISA, and other hosts/terminals,
etc.
In summary, the core setup supports running multiple instances of every module in the same environment which provides
fault-tolerant and resilient setup; being implemented as a truly multithreaded application it allows for growth and
redundancy running both in vertical and horizontal scaled environments. Disaster and Recovery servers work in a standby
configuration.
5. Loss of Information

5.1 STORAGE & BACKUP


The application ecosystem has been set up such that it interacts with SAN devices to share system storage (disk arrays)
between servers, to increase storage capacity utilization, to simplify storage administration, and to add flexibility and
availability to the whole system. Each system component that is in charge of extensive data exchange has its own physical
interface to improve stability and performance. No downtime is needed for the incorporation of modifications.
The Obour Data Centre architecture is designed to provide resilience without any single point of failure. However,
adequate backups are taken so that data and systems configuration can be restored in the event of a catastrophic failure.
The procedures that are used by Obour for backup are:
• Full database and binaries backup is performed weekly to the physical or virtual tape library.

• Incremental database backup is performed daily.

• Copies and all vital records are maintained at an offsite location. (All vital records for Obour that would be affected by a
facilities disruption are maintained, controlled and stored by Obour.)

• Backups are tested quarterly.

The Obour setup effectively addresses the requirement to recover quickly from any outage or disaster, whether the situation
involves a simple component failure or the destruction of the HQ & Main site.

6. CYBERATTACKS

Obour is PCI compliant and has state-of-the-art security controls. An intrusion prevention system (IPS) prevents intrusion,
cyberattacks or malicious activity on the network and host layers. A 24/7 SOC team detects, analyses, and responds to
cybersecurity incidents using a combination of technology solutions and a strong set of processes. Data loss prevention (DLP)
covers personal information protection/compliance and intellectual property. File integrity monitoring (FIM) scans, analyses,
and reports on unexpected changes to important files in a business environment. A vulnerability scanner identifies any systems
that are subject to known vulnerabilities. Full disk encryption prevents unauthorized persons from opening and reading files
that are stored on the disk.
7. MALWARE AND VIRUSES

Obour has highly capable AV to detect, neutralize or eradicate malware (malicious software) and to fight off other kinds of
threats such as phishing attacks, worms, Trojan horses, rootkits.
8. LOSS OF PREMISES

8.1 DATA CENTER


In case of loss of the primary data centre, the IT disaster recovery procedures are invoked and the operation switches to
the DR facility.
The details of the DR Plan and its procedures are documented in the IT DR Plan, and the time of recovery for each service
component is detailed in terms of its priority and criticality.
8.2 PROCESSING CENTER
The processing centre comprises the following facilities:
• Monitoring and Command Centre

• Centralized Operations or Backroom Operations comprising of

▪ Fraud Management
▪ Reconciliation Services
▪ Call Centre
▪ Chargeback Processing
▪ Customer Support

In case of loss of the primary data center, the processing operations switch to multiple locations. The connectivity to the
primary / DR data center is available through the VPN:
• Obour office in DR Premises

• Work from home through VPN.

9. SUDDEN LOSS OF CRITICAL WORKFORCE

9.1 WORKFORCE STOPPAGES DUE TO PANDEMICS OR POLITICAL INSTABILITY


Given the recent COVID crisis, an elaborate checklist for scheduling a minimal workforce presence for critical functions at
the premises, and a facility to access work-related information and systems from home, have been put in place.
This is also complemented by the existing facility to work remotely from home to address critical production and operations (IT
and backroom) functions.

In the case of pandemics, a protocol has been put in place to limit exposure in the workplace, and only critical staff
whose presence is unavoidable are required to attend the office. Also, an elaborate checklist of dos and don’ts and physical
checks is in place.
10. RESTORATION PLANS

Disaster recovery/IT teams maintain, control, and periodically check on all the records that are vital to the continuation of
business operations and that would be affected by facility disruptions or disasters. The teams periodically back up and
store the most critical files at an offsite location.
In the event of a facility disruption, critical records located in the OBOURs may be destroyed or inaccessible. In this case,
the last backup of critical records would be restored. The number of critical records, which would have to be reconstructed,
will depend on when the last backup of critical records was done.
11. IT DISASTER RECOVERY KIT

An IT Disaster Recovery kit, including the following items, will be located at the CIO Office:
• Copy of IT Disaster Recovery Plan.

• Copy of the telephone numbers and email addresses for all members of the IT Disaster Recovery Team.

12. ROLES AND RESPONSIBILITIES

Obour establishes recovery teams and divides the participants into appropriate groups based on job roles and titles.
It assigns a specific role or duty to each remaining member of the team.
Maintenance of Obour’s Business Continuity Plan is the joint responsibility of senior management, the Department
heads, and the Business Continuity Coordinator.
Team Responsibilities

Obour Management
▪ Periodically reviewing the adequacy and appropriateness of its Business Continuity strategy.
▪ Assessing the impact on the Business Continuity Plan of additions or changes to existing business functions, procedures, equipment, and facilities requirements.
▪ Keeping recovery team personnel assignments current, considering promotions, transfers, and terminations.
▪ Managers will serve as the focal points for their departments, while designated employees will call other employees to discuss the crisis/disaster and OBOUR immediate plans. Employees who cannot reach staff on their call list are advised to call the staff member’s emergency contact to relay information on the disaster.

Emergency Response Team
▪ Consists of a representative from each of the following: Infrastructure, network & security, application support, InfoSec, HR, operations.
▪ Responsible for taking predefined actions to remedy the disaster occurring.
▪ Responsible for taking the risk committee decisions into actions.

Risk Committee
▪ Consists of all the company Cs and department heads.
▪ Take timely and tactical decisions in the middle of a disaster in case of undetermined events.

Business Recovery Team
▪ Consists of BCP coordinator and a representative from every Department.
▪ Officially declare the disaster and start the disaster recovery plan/BCP.
▪ Identifying business-critical functions and the disaster impact on them and how to make them operable again.

BCP Coordinators
In the event of a disaster, the BCP Coordinator is responsible for ensuring that the following activities are completed:
▪ Works to officially declare a disaster and start the Disaster Recovery/Business Continuation process to recover OBOUR business functions.
▪ Alert OBOUR Senior Management that a disaster has been declared.
▪ Assist in the development of an official public statement concerning the disaster.
▪ Monitor the progress of all Business Continuity and Disaster Recovery teams details.
▪ Present Business Continuity Plan recovery status reports to Senior Management daily.
▪ Interface with appropriate work management personnel throughout the recovery process.
▪ Communicate directions received from OBOUR Senior Management to the Departmental Business Continuity Teams.
▪ Provide on-going support and guidance to the Business Continuity teams and personnel.
▪ Review staff availability and recommend alternate assignments, if necessary.
▪ Work with Senior Management to authorize the use of the alternate recovery site selected for re-deploying critical resources.
▪ Review and report critical processing schedules and backlog work progress, daily.
▪ Ensure that a record of all Business Continuity and Disaster Recovery activity and expenses incurred by OBOUR is being maintained.

EOC Human Resources
▪ Providing information regarding the disaster and recovery efforts to employees and families.
▪ Assisting in arranging cash advances if out of area travel is required.
▪ Notifying employee’s emergency contact of employee injury or fatality.
▪ Ensuring the processing of all life, health, and accident insurance claims as required.
▪ Coordinates temporary organization employee requests.

EOC Administration
▪ Ensuring the recovery/restoration personnel has assistance with clerical tasks, errands, and other administrative activities.
▪ Arranging for the availability of necessary office support services and equipment.
▪ Providing a channel for authorization of expenditures for all recovery personnel.
▪ Arranging travel for employees.
▪ Tracking all costs related to the recovery and restoration effort.
▪ Identifying and documenting when repairs can begin and obtaining cost estimates.
▪ Determining where forms and supplies should be delivered, based on damage to the normal storage areas for the materials.
▪ Contacting vendors to schedule specific start dates for the repairs.
▪ Taking appropriate actions to safeguard equipment from further damage or deterioration.
▪ Coordinating the removal, shipment, and safe storage of all furniture, documentation, supplies, and other materials as necessary.
▪ Supervise all salvage and cleanup activities.
▪ Coordinating required departmental relocations to the recovery Sites.
▪ Assuring that arrangements are made for meals and temporary housing facilities, when required, for all recovery personnel.
▪ Assuring order placement for consumable materials (forms, supplies, etc.) for processing based upon input from the other teams.

Technology Recovery Team
▪ Consists of a nominee from each of infrastructure, network & security and Application Support departments.
▪ Mobilizing and managing IT resources.
▪ Coordinating all communications-related activities, as required, with telephone & data communications, PC, LAN support personnel, and other IT-related vendors.
▪ Assisting, as required, in the acquisition and installation of equipment at the recovery site.
▪ Participating in testing equipment and facilities.
▪ Participating in the transfer of operations from the primary data site to the DR site.
▪ Coordinating and performing restoration or replacement of all desktop PCs, LANs, telephones, and telecommunications access at the damaged site.
▪ Coordinating Disaster Recovery/IT efforts between different departments in the same or remote locations.
▪ Training Disaster Recovery/IT Team Members.
▪ Keeping Senior Management and the EOC Business Continuity Coordinator apprised of recovery status.

13. RISKS CLASSIFICATION AND MITIGATION

Risk: Communication interruption or ISP outage.
Impact: Communication to external parties is down.
Mitigation: Implement a secondary internet service provider as a backup.
Response Time: 10 Min

Risk: Web interface rendered inaccessible.
Impact: The web application is inaccessible or down due to a particular issue.
Mitigation: HA platform, load balancing switches to the secondary server.
Response Time: No downtime

Risk: Primary Database failure.
Impact: Database malfunction due to hardware or application issue.
Mitigation: HA platform switches to the secondary server, high-speed replication to DR site.
Response Time: No downtime

Risk: Compass plus Service Outage
Impact: Primary cluster malfunctions.
Mitigation: The passive cluster will become online automatically.
Response Time: No downtime

Risk: Main DC Site Failure.
Impact: Datacentre down due to human error, a cooling failure, cabling problem, Etc.
Mitigation: Secondary DR site, will be available, error, a cooling failure, cabling problem, Etc.
Response Time: 8 HOURS

Risk: Power, Electrical power failure
Impact: Power outage or electricity cut down.
Mitigation: Redundant UPS array together with the auto standby generator.
Response Time: 10 Min

Risk: Data loss
Impact: Data loss due to hardware failure or cyber attack.
Mitigation: ALL critical data are fully mirrored to a remote site. Offsite backups are maintained.
Response Time: No downtime

Risk: Authorization failure
Impact: Payment Hardware Security Module (HSM) malfunction or system down.
Mitigation: HSM active-active model applied.
Response Time: No downtime

14. RECOVERY STRATEGY

This plan has been established to ensure that in the event of a disaster or crisis, personnel will have a clear understanding
of who should be contacted. Procedures have been defined to ensure that clear communications and responsibility can be
established while activating disaster recovery.
The IT DR plan will rely principally on key members of management and designated staff who will provide the technical and
management skills necessary to achieve a smooth technology and business recovery. Suppliers of critical systems and
services will continue to support the recovery of business operations as Obour returns to normal operating mode.
The recovery strategy follows a logical sequence of events as detailed below:
14.1 DISASTER OCCURRENCE
This phase begins with the occurrence of the disaster event and continues until a decision is made to activate the recovery
plans. The major activities that take place in this phase include:
• Emergency Response Measures,

• Notification of Management,

• Assembly of The Risk Committee,

• Damage Assessment Activities,

• Declaration of The Disaster.

14.2 NOTIFICATION OF MANAGEMENT


Members of the management team will keep a hard copy of the names and contact numbers of each employee in their
departments. In addition, management team members will have a hard copy of the Obour disaster recovery and business
continuity plans on file in their homes in case the headquarters building is inaccessible, unusable, or destroyed. A copy of
the BCP is available in every facility of Obour.
14.3 PRELIMINARY DAMAGE ASSESSMENT
If a (qualified) incident occurs, the Emergency Response Team (ERT) must be activated. The ERT will then
decide the extent to which the IT DRP must be invoked. Responsibilities of the ERT are to:
• Respond immediately to a potential disaster and call emergency services;

• Assess the extent of the disaster and its impact on the business, data center, etc.

• Decide which elements of the IT DR Plan should be activated;

• Manage disaster recovery team to maintain vital services and return to normal operation.

• Ensure employees are notified and allocate responsibilities and activities as required.

14.4 DECLARATION OF DISASTER


The person discovering the incident calls a member of the Emergency Response Team in the order listed:
• Emergency Response Team

• If not available, contact the next alternate provided in the emergency contact list

• The Emergency Response Team (ERT) will activate the appropriate plan corresponding to the nature of the exigency
identified in this plan, as well as in the event of any other occurrence that affects Obour capability to perform normally.

• One of the most critical tasks during the early stages of the emergency is to notify the Disaster Recovery Team (DRT) that
an emergency has occurred.
• The notification will request DRT members to assemble at the site of the problem and will involve enough information to
have this request effectively communicated. The Business Recovery Team (BRT) will consist of senior representatives
from the main business departments.

• The BRT Leader will be a senior member of the MDP management team and will be responsible for taking overall charge
of the process and ensuring that MDP returns to normal working operations as early as possible.

14.5 BCP ACTIVATION


The ERT teams will assess the damage status and the affected parties, initiate the disaster recovery procedures, and take
the risk committee decisions into action.
14.6 IMPLEMENTATION OF RISK PROCEDURES BASED ON INVOLVED RISK TYPE
The concerned team will be contacted by the ERT. The team's responsibilities include:
• Restore key services (based on the issue type) within 2 hours of the incident.

• Recover to business as usual status based on the plan and the type of the incident.

• Coordinate activities with other members of disaster recovery teams.

• Report to the emergency response team

14.7 ESTABLISHMENT OF THE RISK COMMITTEE


Respective unit heads will serve as the focal points for their departments, while designated employees will call other
employees to discuss the crisis/disaster and MDP immediate plans. Employees who cannot reach staff on their call list are
advised to call the staff member’s emergency contact to relay information on the disaster.

15. Policy Sign Off

Document Title: Business Continuity & Disaster Recovery Policy
Original Published Date: 01/11/2021
Document Author: Abd Elsalam Ramadan
Document Board Approver(s): Audit and Risk Committee
Document Contact(s): Abd Elsalam Ramadan
Function Applicability: Obour Company
Last Review Date: N/A
Next Review Date: 01/11/2022
Language: English
Approved Date: 01/11/2021
Effective Date: 01/02/2022
