Professional Documents
Culture Documents
19-Business Continuity & Disaster Recovery Plan
19-Business Continuity & Disaster Recovery Plan
Version 1.0
TABLE OF CONTENTS
1. OVERVIEW 2
2. SCOPE 2
4. SERVICES AVAILABILITY 4
5. LOSS OF INFORMATION 5
6. CYBERATTACKS 6
8. LOSS OF PREMISES 6
1. Overview
Obour Payments is primarily focused on processing payments and Platform as a Service (PaaS) for issuing, acquiring, and
e-payments. This necessitates an elaborate business continuity plan to commit to a high level of service levels and
continuity of critical functions.
OBOUR Business continuity plan also includes an elaborate IT Disaster recovery Plan, that covers the biggest risk posed
by the business.
The Disaster Recovery Plan is a guiding document containing the necessary instruction, guidelines, organization,
responsibilities, and information required for a department to be prepared for an emergency that would affect computer and
network services. The content of the document covers disaster procedures, responsibilities, and identification of essential
software applications and hardware, general procedures for potential interruptions, policies for reducing risk, contingency
planning parameters, disaster response, and testing & maintenance of the disaster recovery plan that are necessary to
guarantee the ongoing viability of the plan.
2. Scope
2.1 Purpose
The purpose of the Disaster Recovery Plan is to provide guidelines and procedures for an orderly and timely recovery from
an interruption of data processing and/or network services. Procedures to recover from a disaster are predicated on the
most serious occurrence possible.
The Business Continuity Plan is limited in scope to recovery and business continuance from a serious disruption in
activities due to non-availability of Obour’s facilities.
The Business Continuity Plan includes procedures for all phases of recovery as defined in the Business Continuity Strategy
of this document.
Unless otherwise modified, this plan does not address temporary interruptions of duration less than the time frame
determined to be critical to business operations.
The purpose of the Business Continuity Plan is to coordinate recovery of critical business functions in the event of a
facilities disruption or disaster. This can include short or long-term disasters or other disruptions, such as:
• . Service Availability
− Hardware/software failure
o Terrorist attacks
o Office vandalism/destruction
o Sudden loss of critical workforce
o Workforce stoppages due to pandemics or political instability
o Single resource dependency
2.2 Objectives
The primary objectives of the Disaster Recovery Plan are to make sufficient agreed-upon preparations, and to design and
implement a sufficient set of agreed-upon procedures for responding to a disaster of any size in the departmental area of
responsibility.
The purpose of these procedures is to minimize the effect of a disaster upon the operations of the department. The
emphasis is on safeguarding the vital assets of the Obour Data Centre and ensuring the continued availability of critical IT
services. Other objectives of the plan are as follows:
• Ensure the safety of employees and visitors in datacentre/office buildings.
• Risk reduction and prevention to help avert any interruption in computing system, application, network
systems and services.
• Reduce confusion during any chaotic period by having a clearly defined course of action that will re-
establish services as soon as possible. Having documented plans and procedures are essential for
ensuring the quick & effective execution of recovery strategies for critical business functions.
• Conclude formal backup arrangements with such sites as identified. Specify steps necessary to relocate
to the alternate site.
• Identify key personnel for each application, database or service so that they can be summoned without
delay when needed.
• Identify users of departmental services to be notified of delays and to be involved in the recovery
process. Establish the personnel responsible for all phases of Disaster Recovery
• Believing Obour employees know what to do when they get an emergency alert
• Misjudging the disaster scale or large an impact it will have (example COVID and current resource constraints)
• Inclusion of "Work-From-Home" as a contingency plan for Disruptions such as pandemics and political instability.
• Defined Business Continuity Metrics and KPI’s that are monitored and tested as part of the BCP and DR simulation
• Mitigate threats or limit the damage that threats can cause through structured risk management.
• Have advanced tested preparations to ensure that critical business functions continue in case of exigencies.
• Have documented plans, procedures, and training for every department to ensure the quick, effective execution of recovery
strategies for critical business functions.
• Have a plan for testing the IT DR with the member banks being processed once a year and internal testing of DR including
above at-least twice a year.
4. Services availability
Service availability focuses on eliminating the limiting single points of failure at all levels (from network adapters to data
centres). The solution is fault-tolerant to different kind of failures that are possible in a typical IT data centre.
4.1 DATA CENTRE FACILITY
This section provides details of the OBOUR data center facility and touches briefly on the high availability setup that
provides a fault-tolerant processing environment. Detailed coverage of the IT DR setup is available in a separate Disaster
recovery Plan document.
Obour IT infrastructure is hosted in tier 4 certified primary data centers in Libya. The facility is characterized by 24/7
continuous monitoring, and multiple redundancies comprising of:
• Dedicated Primary and DR Datacentres Locations in Libya
• Zero single points of failure, multiple redundancies for all resources such that no single outage or error can shut down the
system.
• Copies and all vital records are maintained at an offsite location. (All vital records for Obour’s that would be affected by a
facilities disruption are maintained, controlled stored by Obour’s)
Obour setup effectively addressed the requirement to recover quickly from any Outage or Disaster, whether the situation
involves a simple component failure or the destruction of the HQ & Main site.
6. CYBERATTACKS
Obour is a PCI compliant, it has state of the art security controls. IPS to prevent intrusion or cyberattacks or malicious
activity on the network and host layers, 24/7 SOC team to detect, analyse, and respond to cybersecurity incidents using a
combination of technology solutions and a strong set of processes. DLP for personal information protection/compliance,
intellectual property. FIM will scan, analyse, and report on unexpected changes to important files in a business
environment. Vulnerability scanner to identify any systems that are subject to known vulnerabilities. Full disk encryption to
prevent unauthorized persons from opening and reading files that are stored on the disk.
7. MALWARE AND VIRUSES
Obour has highly capable AV to detect, neutralize or eradicate malware (malicious software) and to fight off other kinds of
threats such as phishing attacks, worms, Trojan horses, rootkits.
8. LOSS OF PREMISES
▪ Fraud Management
▪ Reconciliation Services
▪ Call Centre
▪ Chargeback Processing
▪ Customer Support
In case of loss of the primary data center, the processing operations switch to multiple locations. The connectivity to the
primary / DR data center is available through the VPN:
• Obour office in DR Premisses
In the case of pandemics, a protocol has been put in place to limit the exposure on the workplace, and only critical staff
whose presence is unavoidable is required to attend the office. Also, an elaborate checklist of do and don’ts and physical
checks are in place.
10. RESTORATION PLANS
Disaster recovery/IT teams maintain, control, and periodically check on all the records that are vital to the continuation of
business operations and that would be affected by facility disruptions or disasters. The teams periodically back up and
store the most critical files at an offsite location.
In the event of a facility disruption, critical records located in the OBOURs may be destroyed or inaccessible. In this case,
the last backup of critical records would be restored. The number of critical records, which would have to be reconstructed,
will depend on when the last backup of critical records was done.
11. IT DISASTER RECOVERY KIT
An IT Disaster Recovery kit, including the following items, will be located at the CIO Office:
• Copy of IT Disaster Recovery Plan.
• Copy of the telephone numbers and email addresses for all members of the IT Disaster Recovery Team.
Obour establishes recovery teams and divides the participants into appropriate groups based on job roles and titles.
It assigns a specific role or duty to each remaining member of the team.
Maintenance of the Obour’s Business Continuity Plan is the joint responsibility of the senior management, the Departments
head, and the Business Continuity Coordinator.
Team Responsibilities
Emergency Response ▪ Consists of a represented from each of the following Infrastructure, network & security,
Team application support, InfoSec, HR, operations.
Team Responsibilities
Business Recovery ▪ Consists of BCP coordinator and a representative from every Department.
Team
▪ Officially declare the disaster and start the disaster recovery plan/BCP
▪ Identifying business-critical functions and the disaster impact on them and how to make them
operable again.
BCP Coordinators In the event of a disaster, the BCP Coordinator is responsible for ensuring that the following activities are
completed:
▪ Works to officially declare a disaster and start the Disaster Recovery/Business Continuation
process to recover OBOUR business functions.
▪ Present Business Continuity Plan recovery status reports to Senior Management daily.
▪ Interface with appropriate work management personnel throughout the recovery process.
▪ Communicate directions received from OBOUR Senior Management to the Departmental
Business Continuity Teams.
▪ Provide on-going support and guidance to the Business Continuity teams and personnel.
EOC Human Resources ▪ Providing information regarding the disaster and recovery efforts to employees and families.
▪ Assisting in arranging cash advances if out of area travel is required.
▪ Notifying employee’s emergency contact of employee injury or fatality.
▪ Ensuring the processing of all life, health, and accident insurance claims as required.
▪ Coordinates temporary organization employee requests.
EOC Administration ▪ Ensuring the recovery/restoration personnel has assistance with clerical tasks, errands, and
other administrative activities.
▪ Arranging for the availability of necessary office support services and equipment.
Team Responsibilities
▪ Coordinating the removal, shipment, and safe storage of all furniture, documentation, supplies,
and other materials as necessary.
Technology Recovery ▪ Consists of a nominee from each of infrastructure, network& security and Application Support
Team departments.
▪ Mobilizing and managing IT resources.
▪ Coordinating all communications-related activities, as required, with telephone & data
communications, PC, LAN support.
▪ personnel, and other IT-related vendors.
▪ Assisting, as required, in the acquisition and installation of equipment at the recovery site.
▪ Participating in testing equipment and facilities.
▪ Participating in the transfer of operations from the primary data site to the DR site.
▪ Coordinating and performing restoration or replacement of all desktop PCs, LANs, telephones,
and telecommunications access at the damaged site.
▪ Coordinating Disaster Recovery/IT efforts between different departments in the same or remote
locations.
▪ Training Disaster Recovery/IT Team Members.
▪ Keeping Senior Management and the EOC Business Continuity
▪ Coordinator appraised of recovery status.
Communication interruption or Communication to external parties Implement a secondary internet service provider 10 Min
ISP outage. is down as a backup
Web interface rendered The web application is inaccessible HA platform, load balancing switches to the No Down
Inaccessible. or down due to a particular issue. secondar time
server.
Primary Database failure. Database malfunction due to HA platform switches to the secondary server, No Down
hardware or application issue High-speed replication to DR site. time
Compass plus Service Outage Primary cluster malfunctions The passive cluster will become online No Down
automatically time
Main DC Site Failure. Datacentre down due to human Secondary DR site, will be available, error, a 8 HOURS
error, a cooling cooling failure, cabling problem, Etc.
Power, Electrical power failure Power outage or electricity cut Redundant UPS array together with the auto 10 Min
down
standby generator
Data loss Data loss due to hardware failure ALL critical data are fully mirrored to a remote No Down
or cyber attack site. time
offsite backups are maintained
Authorization failure Payment Hardware Security HSM active-active model applied No down
time
Module (HSM) malfunction or
system down.
This plan has been established to ensure that in the event of a disaster or crisis, personnel will have a clear understanding
of who should be contacted. Procedures have been defined to ensure that clear communications and responsibility can be
established while activating disaster recovery.
The IT DR plan will rely principally on key members of management and designated staff who will provide the technical and
management skills necessary to achieve a smooth technology and business recovery. Suppliers ofcritical systems and
services will continue to support the recovery of business operations as Obour returns to normal operating mode.
The recovery strategy follows a logical sequence of events as detailed below:
14.1 DISASTER OCCURRENCE
This phase begins with the occurrence of the disaster event and continues until a decision is made to activate the recovery
plans. The major activities that take place in this phase include:
• Emergency Response Measures,
• Notification of Management,
• Assess the extent of the disaster and its impact on the business, data center, etc.
• Manage disaster recovery team to maintain vital services and return to normal operation.
• Ensure employees are notified and allocate responsibilities and activities as required.
• If not available, contact the next alternate provided in the emergency contact list
• The Emergency Response Team (ERT) will activate the appropriate plan corresponding to the nature of the exigency
identified in this plan, as well as in the event of any other occurrence that affects Obour capability to perform normally.
• One of the most critical tasks during the early stages of the emergency is to notify the Disaster Recovery Team (DRT) that
an emergency has occurred.
• The notification will request DRT members to assemble at the site of the problem and will involve enough information to
have this request effectively communicated. The Business Recovery Team (BRT) will consist of senior representatives
from the main business departments.
• The BRT Leader will be a senior member of the MDP management team and will be responsible for taking overall charge
of the process and ensuring that MDP returns to normal working operations as early as possible.
• Recover to business as usual status based on the plan and the type of the incident.
Name Description
Language English