Purpose and Scope

The purpose of this policy is to define requirements for proper controls to protect the availability of Shuffl's information systems. This policy applies to all users of information systems within Shuffl. This typically includes partners, employees, consultants and contractors, as well as external parties that come into contact with systems and information controlled by Shuffl (hereinafter referred to as “users”). This policy must be made readily available to all users.

Background

The intent of this policy is to minimize the amount of unexpected or unplanned downtime (also known as outages) of information systems under the Shuffl's control. This policy prescribes specific measures for Shuffl that will increase system redundancy, introduce fail-over mechanisms, and implement monitoring such that outages are prevented as much as possible. Where they cannot be prevented, outages will be quickly detected and remediated.

Within this policy, an availability is defined as a characteristic of information or information systems in which such information or systems can be accessed by authorized entities whenever needed.

References

  1. Risk Assessment Policy

Policy

Information systems must be consistently available to conduct and support business operations. Information systems must have a defined availability classification, with appropriate controls enabled and incorporated into development and production processes based on this classification. System and network failures must be reported promptly to Shuffl's technical leaders. Users must be notified of scheduled outages (e.g., system maintenance) that require periods of downtime. This notification must specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.

Prior to production use, each major application release must have a completed risk assessment that includes availability risks. Risk assessments must be completed in accordance with the Risk Assessment Policy (Reference 1). Capacity management and load balancing techniques must be used, as deemed necessary, to help minimize the risk and impact of system failures.

Information systems must have an appropriate data backup plan that ensures:

  • All sensitive data can be restored within a reasonable time period.

  • Full backups of critical resources are performed on at least a weekly basis.

  • Incremental backups for critical resources are performed on at least a daily basis.

  • Backups and associated media are maintained for a minimum of thirty (30) days and retained for at least one (1) year, or in accordance with legal and regulatory requirements.

  • Backups are stored off-site with multiple points of redundancy and protected using encryption and key management.

  • Tests of backup data must be conducted quarterly with shared results internally.

  • Tests of configurations must be conducted twice per year.

Information systems must have an appropriate redundancy and fail-over plan that meets the following criteria:

  • Network infrastructure that supports critical resources must have system-level redundancy (including but not limited to a secondary power supply, backup disk-array, and secondary computing system).

  • Critical core components (including but not limited to routers, switches, and other devices linked to Service Level Agreements (SLAs) must have an actively maintained spare.

  • Redundancies achievable through appropriate logical replacements available through cloud infrastructure resources and tooling.

Information systems must have an appropriate business continuity plan that meets the following criteria:

  • Recovery time and data loss limits are defined in below table.

  • Recovery time requirements and data loss limits must be adhered to with specific documentation in the plan.

  • Company and/or external critical resources, personnel, and necessary corrective actions must be specifically identified.

  • Specific responsibilities and tasks for responding to emergencies and resuming business operations must be included in the plan.

  • All applicable legal and regulatory requirements must be satisfied.

Availability Classification

Availability Requirements

Scheduled Outage

Recovery Time Requirements

Data Loss or Impact Loss

High

High to
Continuous

30 minutes

1 hour

Minimal

Medium

Standard
Availability

2 hours

4 hours

Some data
loss is
tolerated if it
results in
quicker
restoration

Low

Limited
Availability

4 hours

Next business
day

Some data
loss is
tolerated if it
results in
quicker
restoration

Standard Controls Satisfied

TSC A1.1, CC9.1


Did this answer your question?