Business Continuity Plan and Disaster Recovery Policy

Purpose:

To establish procedures for maintaining business operations and recovering critical services and data in the event of disruptions, ensuring the Pitaka platform's resilience and continuity in compliance with applicable laws and regulations in the Philippines.

Scope:

This policy applies to all systems, applications, employees, contractors, and third-party vendors involved in the operations and management of the Pitaka platform.

Policy

1. Business Continuity Planning (BCP):

Pitaka will develop, maintain, and periodically test a Business Continuity Plan (BCP) to ensure essential business functions remain operational during emergencies or disruptions. The BCP will identify critical services, systems, and resources necessary to sustain operations and will be reviewed and updated annually or after significant changes to the platform or organizational structure.

2. Risk Assessment and Impact Analysis:

A comprehensive risk assessment and business impact analysis (BIA) will be conducted to identify potential threats (e.g., natural disasters, cyberattacks, system failures) and evaluate their potential impact on the platform. Based on the assessment, risk mitigation strategies will be implemented to minimize disruptions.

3. Disaster Recovery Plan (DRP):

The Disaster Recovery Plan (DRP) outlines the steps to restore critical systems, data, and services in the event of a disaster or significant system outage. The DRP includes backup procedures, recovery time objectives (RTOs), and recovery point objectives (RPOs) to ensure timely restoration.

4. Backup and Data Restoration:

Regular backups of critical data will be performed, including customer data, transaction records, and operational data. Backups will be securely stored both on-site and off-site, ensuring they are protected from unauthorized access, tampering, or loss. Periodic restoration tests will be conducted to verify the integrity and availability of backup data.

5. Communication Plan:

A clear communication plan will be established to notify stakeholders, employees, and users in the event of a business disruption or disaster. Designated communication channels (e.g., email, SMS, internal notifications) will be used to provide timely updates on recovery efforts and service availability.

6. Roles and Responsibilities:

A Business Continuity and Disaster Recovery Team (BCDR) will be designated, with clear roles and responsibilities for handling incidents, managing recovery efforts, and ensuring compliance with the BCP and DRP. Each team member will be trained and must participate in periodic drills to familiarize themselves with their responsibilities during an emergency.

7. Testing and Maintenance:

The BCP and DRP will be tested at least once a year to ensure their effectiveness. The tests will simulate potential disruptions and assess the team’s ability to execute recovery procedures within the designated recovery time and recovery point objectives. The plans will be updated as necessary based on test outcomes, changes in the organization, or newly identified risks.

The Business Continuity and Disaster Recovery Plans will comply with all applicable Philippine laws and regulations, including the Data Privacy Act of 2012 and other relevant guidelines from regulatory authorities such as the Bangko Sentral ng Pilipinas (BSP).

9. Policy Enforcement:

Failure to adhere to this policy may result in disciplinary actions, including but not limited to revocation of access privileges, employment termination, or legal action. Compliance audits will be conducted regularly to ensure adherence to the policy and assess the effectiveness of business continuity and disaster recovery measures.