Help & Support

Business Continuity Plan 

1. Introduction: This Business Continuity Plan (BCP) outlines strategies and procedures to mitigate risks and maintain essential functions during emergencies or unforeseen events.

Business continuity efforts are supervised by senior management for each key functional area within Timetabling Solutions and are supported by executive management.

2.  Scope:

This BCP applies to all operations for restoring critical business processes in the event that various resources are unavailable, including the loss of buildings, technology, human resources, third-party vendors, and vital records.

Our Data Breach Response Plan will deal with incidents regarding actual or potential data breaches, which have specific legal requirements.

3. Risk Assessment:

Potential risks to information assets and business processes may include:

• Natural disasters (earthquakes, floods, fire)
• Health-related (Covid19)
• Cyberattacks
• Equipment failures
• Human errors or malicious activities
  

4. Backup Strategies:

a) critical data and systems 
To ensure the availability and integrity of critical data and systems, we have the following backup strategies in place:

Timetabling Solutions Cloud Applications: 7 Days point-in-time restore, 12 hours differential backup and 4 Weeks Long-Term retention

CRM: once every 24 hours starting at 5:00 PM Central Time (GMT - 5)

Timetabling Solutions Desktop Data files:  To minimize downtime due to equipment failures, human error, or malicious activities, work completed in local data files are saved in OneDrive folders that are synced with a Sharepoint Document Library. 

b)  Professional Services
To ensure the continuation of professional services, we have the following backup strategies in place:

Timetabling Solutions In-person Training Courses:  to minimize the risk of a health-related incident impacting our ability to deliver in-person events, no trainer will be scheduled to deliver in-person courses week to week.

Timetabling Solutions will only contract with external venues that have clearly defined health & hygiene policies and the capability to convert an event into an online event within 24 hours.

Timetabling Consultations:  to minimize the risk of a health-related incident impacting our ability to deliver timetabling consultations, one senior timetabling consultant will remain on outsourced work and available to step in if one of our timetabling consultants becomes ill during a consultation.

The terms and conditions set forth by Timetabling Solutions for participation in a professional service event permit Timetabling Solutions to cancel an event and refund the client in full. Except where mandated by applicable law, we will not assume liability for any airfare, hotel expenses, or other direct or indirect costs or losses incurred by participants under any circumstances.

Work Anywhere Capability
All Timetabling Solutions staff will be equipped to work anywhere to minimize potential disruptions due to natural disasters, power outages and other unforeseen events.  All critical business applications are cloud-based (including the phone system), and client-facing staff have laptops with SIM cards to access the internet securely. 

5. Restoration Strategies

In a disruption, systems and data recovery are based on their criticality to business operations.

Recovery Plan: The person or automated monitoring service will post all potential high & medium priority issues on our 'Server Status team channel'; this alerts senior management and the incident response team 24/7 to urgently begin incident classification, which triggers our required responses

Priority: HIGH

• Timetabling Solutions Cloud Applications.
  
  Recovery Plan: the incident response team allocates resources and personnel to expedite the restoration process.
  
  Implement redundant systems or failover mechanisms to minimize downtime and ensure continuous availability.
  
  Communication teams will communicate with stakeholders regarding the status of restoration efforts and expected timelines for recovery on https://timetabling.freshstatus.io/ first, then other communication tools such as social media, voicemail messages and replies to emails.
  
  Engage internal end-users and stakeholders in validation activities to confirm that business processes can resume as intended.
  
  After the restoration, testing and validation will be conducted to ensure their functionality and integrity.
  
  Document lessons learned and areas for improvement to enhance future recovery efforts.  

Priority: MEDIUM

• Timetabling Solutions CRM, Ticketing software, Accounting software.
  
  Recovery plan:  The incident response team first confirms high-priority systems and data are operational, then begins focusing on restoring essential systems and data in a timely manner.
  
  Allocate resources based on the severity and impact of the disruption.
  
  Communication teams will communicate with stakeholders regarding the status of restoration efforts and expected timelines for recovery on https://timetabling.freshstatus.io/ first, then consider other communication tools such as social media, voicemail messages and email replies.
  
  

Priority: LOW

• Non-essential systems and data are not directly related to core business functions. These may include archived data, historical reports, and legacy applications.
  
  Recovery plan: The incident response team first confirms high and medium-priority systems and data are operational, then begins focusing on restoring non-essential systems and data in a timely manner.
  
  We will prioritise recovery efforts based on available resources and business priorities. Consider alternative solutions, such as temporary workarounds or delaying non-critical tasks until normal operations are restored.
  
  The communication team will communicate internally regarding the status of restoration efforts, available workarounds and expected timelines through various means, most likely through Microsoft Teams, email or phone calls.

6. Preservation Strategies

To preserve information assets and maintain business continuity during and after a disruption, we have the following preservation strategies;

• All critical documents, licenses, and contracts are securely stored online with access controls, MFA and encryption to protect sensitive information from unauthorised access.  Weekly audit reports and change notifications are sent to the senior management.  
• Automated monitoring of IT infrastructure to detect and mitigate vulnerabilities.
• Provide training and awareness programs to educate employees so they understand their responsibilities for safeguarding assets and resources.

7. Incident Classification:

• Critical Incident - High Priority: An incident that severely impacts business operations, compromises sensitive data, or poses a significant security threat.
  
  Major Incident - Medium Priority: An incident that disrupts normal operations or compromises non-sensitive data.
  
  Minor Incident - Low Priority: An incident with minimal impact on operations or data security.

8. Incident Response Team:

• Incident Manager: The General Manager coordinates the incident response efforts and oversees the resolution process.
  
  Technical Team: The Director of Software is responsible for investigating and resolving technical issues associated with the incident.
  
  Communication Team: The Office Manager is responsible for internal and external communication regarding the incident, including notifying stakeholders and clients as necessary.  The office manager may delegate communications 

9. Documentation and Review:

• All actions taken during the incident response process will be documented for review and analysis in the 'Post Incident Review' list.
  
  
• Lessons learned will be used to improve incident response procedures and enhance overall security posture.

10. Communication Protocol:

• Clear and timely communication is essential during incident response.
• The communication team will manage external communication, including social media posts, status page posts, website notifications, emails, or direct client communication.

11. Training and Awareness:

• Regular training sessions will be conducted to ensure employees know their roles and responsibilities during an incident response.
  
  Employees will be educated on common security threats, incident detection techniques, and reporting procedures.

12. Escalation Procedures:

• In the event that the initial response efforts are unsuccessful, the Incident Manager may escalate the issue to external experts for assistance.

13. Testing and Maintenance:

• The BCP will be tested through tabletop exercises and simulated incidents.
• The BCP plan will be updated and revised based on lessons learned from testing and real-world incidents.

14. Plan Review and Revision:

• This BCP will be reviewed annually and updated as necessary to reflect changes in technology, business processes, or regulatory requirements.
  
  Last Review: April 2024