WSB Policy: IT Continuity Backup & Recovery

Purpose

The World Scout Bureau (WSB) business operations rely on stable and constantly available Information Technology (“IT”) systems & resources. Effective recovery plans are in place to ensure that IT services can be resumed within required recovery times in the event of a system disruption or disaster.

A disruption, loss, damage or compromise of the IT systems and data may negatively impact the WSB’s reputation and operations, resulting in significant tangible and intangible costs. A formal and comprehensive IT continuity, backup and recovery policy and controls are therefore necessary to mitigate such risks.

The objective of this policy is to define formal requirements for IT continuity, backup and recovery, in order to prevent or mitigate the risk of IT system disruption or disaster and allow for an efficient recovery of IT services and data in a timely manner.

 

Scope

This policy represents the WSB’s official position and takes precedence over all other relevant policies which may be developed at a local level. This policy applies to:

    1. All WSB Offices globally.
    2. All staff, contractors, consultants, interns, volunteers and third-party commercial service providers authorised to use the WSB’s IT services & resources.
    3. All IT systems or applications managed by WSB that store, process or transmit information, including network and computer hardware, software and applications.

This policy does not apply to information that is stored locally by users on desktops, laptops, tablets and mobile phones. Device owners are responsible for appropriate backup of the data stored locally on their mobile devices, with the exception of data synchronised with the device and stored on Cloud services subscribed by the WSB (e.g. Dropbox).

 

Definitions

The terms used throughout this policy are defined in Appendix A.

 

Policy

Guiding Principles

  1. IT systems that are critical to the WSB’s activities must be clearly identified along with any potential service disruption risks associated with the IT system.
  2. IT continuity, recovery and backup must be maintained in accordance with the locally developed IT Disaster Recovery Plan.
  3. Recovery Time Objectives (RTOs) of critical systems must be formally defined as per the business needs.
  4. IT Disaster Recovery Plans and Procedures must be in place and tested regularly to ensure:
    • Prevention against IT system disruption.
    • Regular and comprehensive backup of critical systems, applications and data.
    • Timely recovery of critical systems, in line with the business expectation or RTO.

 

IT Disaster Recovery Plan

  1. All WSB personnel including staff and interns are recommended to maximise the use of Dropbox as the primary source of document storage. WSB personnel are not encouraged to store work-related documents outside of the Dropbox folder. This prevents any data losses should your notebook’s hard disk become faulty.
  2. WSB engaged personnel issued with a notebook are RECOMMENDED to take their notebook with them after each working day and not to store the notebook overnight in the office premises. Notebooks may be left behind in the office provided they are secured and locked away. Taking the notebook along allows WSB personnel to work from any location that has an internet connection should a WSB office become inaccessible.

 

Preventive Requirements

  1. Protection from power failures or other electrical anomalies must be in place, including where possible:
    • Multiple power feeds or power supplies.
    • Uninterruptible Power Supplies (UPS) with sufficient running time for:
      • Switching to an alternative source of power.
      • Backing-up IT systems or transferring data.
      • Clean shut down of all IT systems. If equipment supporting critical business operations is not capable of auto-shutdown, then the equipment shall be powered down in accordance with an emergency shutdown procedure.
    • It is recommended that all power to critical IT infrastructure be filtered to provide a source of “clean” power using a surge protector or a UPS.
    • All power supply equipment must be maintained, regularly checked and tested in accordance with the manufacturer’s recommended instructions or procedures.
  2. Protection from environmental hazards must be in place, including where possible:
    • Hazardous or combustible materials shall not be stored within network rooms or data rooms.
    • Appropriate equipment must be installed in network rooms or data-rooms to monitor and react to fire, flood, high temperature, vibration, air quality and dust hazards.
  3. Systems redundancy and high-availability equipment must be in place where appropriate.

 

Backup Procedures

  1. Generic backup requirements
    • Contingency IT equipment must be in place where appropriate (e.g. UPS, secondary internet line etc).
    • Backups of critical systems must cover system files, software files and data files, for both the running systems and the default system-built image.
    • All users must ensure their working documents / files / folders are stored on Dropbox.
    • Completed files / folders / documents are to be archived to Dropbox (please contact the Knowledge management team).
    • Where applicable, automated Cloud backup options must be implemented for critical systems.
    • The WSB Relevant IT support staff is tasked with the responsibility of managing, operating, and troubleshooting backup solutions, as well as answering any requests related to backups and recoveries.
  2. Backup Frequency & Retention
    • The following approach, based on a Grandfather-Father-Son (GFS) schedule, provides the minimum requirements for the backup of critical IT systems:
      • Daily backups: Differentials or incremental backups
      • Weekly backups
    • Daily backups are performed each day (if applicable).
    • Weekly backups are performed each weekend, during non-working hours (if applicable).
    • Monthly backups are performed each month.
    • Yearly backups are optional; if performed, they are performed at the end of the calendar year.

Recovery - Standard Restoration Process

  1. All restore requests must be formally submitted to the WSB Relevant IT personnel, who will sequence and address the request.
  2. Requests must detail the following:
    • Specific file(s) and / or folder(s) that are required to be restored.
    • From which location.
    • From which specific date.
    • To what restore location.
    • Whether the restored data should overwrite the current data in the original location or not.
  3. A detailed procedure for data restoration must be documented, including the restoration of data stored in both on-site and off-site backups.

 

Recovery - Emergency Restoration

  1. Emergency restoration must be formally approved by the WSB Responsible IT personnel.
  2. Due care must be followed to prevent any loss of data or damage to backup media in an emergency.
  3. Details of the backup restoration must be formally documented by the WSB Relevant IT personnel, after the emergency.

 

The Digital Services listed below are backed up to ensure business continuity in the event of a disaster.

  1. Microsoft Office 365 (infrastructure only; the data sitting within the Microsoft Office 365 tenancy is not backed up). Mailbox data is backed up automatically using Datto Backupify.
  2. Dropbox
  3. Slack
  4. Financial Management Systems (FMS) & related sub-systems.
  5. Payroll
  6. Zoho People & Expense
  7. Scout.org
  8. Scout Donation Platform
  9. WOSM Service Platform
  10. World Scouting Directory
  11. NSO Data Portal

Roles & Responsibilities

Stakeholders and Responsibilities

Senior Management Team

  • Review, approve and formally support this policy.

Users

  • Complying with the terms of this policy and all other relevant WSB policies, procedures, regulations and applicable legislation.
  • Contact the WSB Relevant IT support for any question or concern related to the technology. When a question or concern cannot be addressed by the WSB Relevant IT support, please contact the Manager, IT & Digital Services.
  • Back up their personal files stored locally on computers and mobile devices.
  • Complying with instructions issued by the IT Coordinators on behalf of the WSB.
  • Reporting all misuse and breaches of this policy to their line manager.

IT Department (Senior Manager, Digital & IT Services, IT Coordinators)

  • Ensure tools used for backup and recovery are configured as per this Policy.
  • Ensure backups and recoveries are performed without issue and remediate any such issue.
  • Answer and address requests to back up or to restore backed-up data or systems.
  • Provide recommendations regarding the processes to back up and recover IT systems, applications and data, and participate in the development of the BCP and the IT DRP.
  • Provide recommendations to improve or update this Policy.
  • Identify the critical IT systems, applications and data necessary to support critical business operations.
  • Define the minimum availability requirements for their systems, including Recovery Time Objectives (RTOs).
  • Develop and maintain this Policy.
  • Review and approve any exceptions to the requirements of this Policy.
  • Take proactive steps to reinforce compliance of all stakeholders with this Policy.
  • Communicate with the WSB, directly or through representatives, in informal or formal instances, to understand the WSB’s needs and expectations, explain the capabilities of the existing technology in production, including backup and recovery capabilities.
  • Formally present the backup and recovery policy for approval by the SMT. Formally ensure the implementation of the IT DRP.
  • Report to the Senior Management Team any and all issues, changes, deviations, exceptions, breaches and general problems related to the IT DRP and BCP.

 

Policy Distribution & Awareness

This policy and its supporting policies, standards and guidelines will be published on the WSB Dropbox.

Soft copies of the policy and its supporting policies, standards and guidelines will be available on WSB Staff Support Center.

The IT Personnel and/or the Senior Manager, Digital & IT Services may make periodic policy announcements by email.

WSB line managers will ensure that all existing and new staff, contractors, consultants, interns, volunteers and third-party commercial service providers who report to them are made aware of and have access to the policy and its supporting policies, standards and guidelines.

Individuals requiring clarification on any aspect of the policy and its supporting policies, standards and guidelines and/or advice on general I.T. security matters may email their queries to the Senior Manager, Digital & IT Services or the local IT Personnel.

 

Exceptions to this Policy

Exceptions to the guiding principles in this policy must be documented and formally approved by the Global Director, Communications, with evidence of support from the appropriate Senior Management Team.

Policy exceptions must describe:

  • The nature of the exception.
  • A reasonable explanation for why the policy exception is required.
  • Any risks created by the policy exception.
  • Evidence of approval.

 

Policy Enforcement

The WSB reserves the right to take such action as it deems appropriate against individuals who breach the conditions of this policy. WSB staff, contractors, consultants, interns and volunteers who breach this policy may be subject to disciplinary action, including suspension and dismissal as provided for in the WSB disciplinary procedure.

Breaches of this policy by a third-party commercial service provider may lead to the withdrawal of WSB information technology resources to that third-party commercial service provider and/or the cancellation of any contract(s) between the WSB and the third-party commercial service provider.

The WSB reserves the right to refer any use of its IT resources for illegal activities to the relevant Authorities.

 

Review & Update

This policy will be reviewed and updated annually or more frequently if necessary, to ensure any changes to the WSB’s organisation structure and business practices are properly reflected in the policy.

 

 

Appendix A: Definitions

BCP “Business Continuity Plan”: A comprehensive plan describing the strategy and necessary activities to recover from a significant disruption of business operations, including by relocating part or all personnel and system resources, making urgent decisions, and conducting business operations with diminished or altered capabilities.

DRP “Disaster Recovery Plan”: A documented set of procedures describing the key activities that are necessary to recover minimum IT services, applications and data to continue critical business operations, and to fully recover such operations after a disaster affecting normal IT services.

Information: Any data in an electronic format that is capable of being processed or has already been processed.

Information Technology (I.T.) resources: Includes all computer facilities and devices, networks and data communications infrastructure, telecommunications systems and equipment, internet/intranet and email facilities, software, information systems and applications, account usernames and passwords, and information and data that are owned or leased by the WSB.

IT Personnel: These are the individuals responsible for the day-to-day management of a WSB network domain. Also includes WSB personnel who have been authorised to create and manage user accounts and passwords on a WSB network domain.

Line manager: The individual a user reports directly to.

Password: A string of characters that a user must supply in order to gain access to an IT resource.

Process / Processed / Processing: Performing any manual or automated operation or set of operations on information including:

  • Obtaining, recording or keeping the information.
  • Collecting, organising, storing, altering or adapting the information.
  • Retrieving, consulting or using the information.
  • Disclosing the information or data by transmitting, disseminating or otherwise making it available.
  • Aligning, combining, blocking, erasing or destroying the information.

RTO “Recovery Time Objective”: Maximum tolerable length of time that a computer, system, network, or application can be down after a failure or disaster occurs.

Users: Any authorised individual who uses the WSB’s IT resources.
