Backup & Recovery Policy and Procedure

 

Scope

The Backup & Recovery Policy and Procedure shall be applied to all critical information systems and services that fall within the scope of Evercam ISMS.

1. Policy statement

Evercam is committed to ensuring the availability, integrity, and security of our ICT systems and data. As such, regular and reliable backups are essential to mitigate information security risks and threats. Evercam ensures that all essential business information and software are backed up to allow recovery from:

  • Disasters;
  • Data loss;
  • Hardware, media, and system failures;
  • Cyber attacks;
  • User errors.

This policy outlines the procedures and responsibilities for implementing and maintaining a comprehensive backup and recovery strategy in line with our business, legal, regulatory, and contractual requirements.

Key points

  • Backups are regular;
  • The backup is securely stored;
  • Backup data is retained for a minimum of [1] years;
  • The backup process should not adversely affect the other network users;
  • All essential (electronic) business information and software is stored on the secure servers;
  • Where possible, all paper-based essential business information is scanned and stored on the file servers;
  • Only data stored on the networked servers qualify for backup;
  • Data recoveries are regular and can range from a server restore to an individual file;
  • Retain the ability to recover historic data using obsolete/old backup software.

Responsibilities

All users have an individual responsibility to ensure that:

  • Essential Company information and software are stored correctly for backup and in line with its data classification.
  • Temporary, unnecessary, and duplicate data stored on the network is managed and deleted in a timely manner.
  • Data should only be saved to GDrive or Zoho Work Drive.
  • All owners of essential Company information and software are required to ensure that backup arrangements and procedures are in place to safeguard the data.
  • The Ops and Devs Departments are responsible for the execution of the backup & recovery procedures and for identifying and reporting any faults, failures, or errors. This includes selecting appropriate backup methods, monitoring backups, and testing recovery processes regularly. The Ops and Devs Departments together with the ISMS team are also responsible for documenting, testing, and maintaining the backup and recovery process in line with the business needs.
  • The ISMS team and system administrators are responsible for configuring and scheduling backups according to the defined procedures. They must ensure that backups are completed successfully and regularly review the backup logs for any issues.
  • Data owners are responsible for identifying critical data and applications that require regular backups. They should communicate changes in data retention requirements to the ISMS team and/or Ops/Devs department.

Paper-Based Data

All Essential Company data whose master copy is in paper format is stored in the following locations:

  • Master Copy – securely stored as per its data classification, preferably in a fire safe/cabinet.
  • Paper Copy – if required, should be stored as per its data classification within the relevant department for general reference.
  • Electronic Copy – scanned and stored on the file servers in suitable locations depending on data classification.

Electronic-Based Data

It is the responsibility of each user to ensure that electronic-based data is properly stored to ensure backup and recovery. The appropriate manager is responsible for ensuring that suitable backup & recovery procedures are in place. For a summary of Evercam's key electronic system backups, refer to the table below.

 

Evercam core systems backups 

| System | Type of data | Location | Frequency of backup | Person in charge |
| --- | --- | --- | --- | --- |
| Zoho People | Employee data | Cloud and Zoho data centres | every 7 days | Director of Support |
| Zoho Email | Employee and customer data | Cloud and Zoho data centres | Evercam has an e-discovery policy enabled for email, which means that all emails, even if they have been deleted, are retained. A default retention policy is enabled which states that all emails (including spam/deleted) will be retained for 365 days. | Director of Support |
| Zoho CRM | Customer data | Cloud and Zoho data centres | 2 times a month | Director of Support |
| Zoho Analytics | Customer and employee data | Cloud and Zoho data centres | every 7 days | Director of Support |
| Google Drive | Customer and employee data | Cloud and Google data centres | real-time | Director of Support |
| GitHub | Evercam source code | Cloud and data centres in USA (Seattle and Northern Virginia) | real-time | CTO |
| Hetzner Servers | Customer data (recordings) | Hetzner: Am Datacenter-Park 1, 08223 Falkenstein/Vogtland, Germany | ZFS file system is in place. Additional backup in edge Evercam kits storage (NVR). | CTO |
| Heroku Servers | Customer data | Amazon AWS cloud datacenter in Ireland | every 7 days | CTO |
| AWS Servers | Customer data (users’ passwords and credentials, projects, links between cameras and users, and events managed by the Evercam platform) | AWS: Burlington Rd, Dublin 4, D04 HH21, Ireland | Database servers on AWS are managed by Heroku, and automatic backups are included in the AWS Plan (SLA). | CTO |

 

2. Backup and Recovery Procedure 

In line with our ISMS, Evercam follows the Business Continuity Policy and Incident Response Procedure in the event of disasters, data loss, cyber-attacks, hardware, media, and/or system failures, etc. To recover from such a situation, one must escalate through a series of procedures until a satisfactory restoration is achieved. As Evercam is a remote-first company, this procedure covers the backup and restoration of electronic data held on external servers. Paper-based data is NOT covered by this procedure.

Responsibility

It is the responsibility of the Technology Lead and the Director of Support to manage, monitor, and audit the backup and recovery procedures for data held on designated servers.

Scope 

The backup and restore procedures are essential to our business. Their primary purpose is to aid in disaster recovery, minimizing the amount of data lost after a disaster has occurred, e.g. equipment failure, data corruption, loss of power, etc. Their secondary purpose is to allow the recovery of specific files requested by individuals. This document outlines the step-by-step procedures for conducting backups and performing data recovery in Evercam. These procedures are designed to ensure the availability, integrity, and security of critical data and systems.

Backup procedure 

1. Data Classification and Selection

Identify and classify data based on its criticality and importance. Prioritise critical systems, databases, source code, and user data for regular backups.

2. Backup Schedule

Please refer to the "Evercam core systems backups" table above.

3. Backup Methods

Select an appropriate backup method:

  • Full Backups: Create complete copies of selected data and systems on a scheduled basis.
  • Incremental Backups: Capture changes made since the last full backup. Perform incremental backups daily.

4. Backup Execution

System administrators will initiate backups using the designated backup software or tools (contacting a dedicated support contact for third-party systems).

5. Ensure backups are stored in designated backup storage locations

Types of backup retention:

  • Daily Backups: Retain backups for 7 days.
  • Weekly Backups: Retain backups for 4 weeks.

Regularly monitor and manage backup storage to ensure sufficient space.

6. Offsite Storage

Store a copy of backups off-site in a secure and controlled environment. Maintain a documented inventory of off-site backup storage.

Email backup 

Evercam has enabled eDiscovery, Email Retention, and backup for our Zoho mail server. An email retention policy and eDiscovery help Evercam to stay compliant with retention laws, handle lawsuits and litigations, avoid witness tampering, and investigate theft of information or contractual disputes.

In summary, our email backup is:

  • By the default retention policy, all emails (including spam/deleted) will be retained for 365 days. 
  • Mails older than the above retention period are considered expired emails and are purged from storage once every 10 days.
  • Backups have no retention period – emails are stored forever.
  • Emails from suspended or removed accounts are also retained.
  • At any point in time Evercam can launch investigations and place holds on or export emails.
  • At any point in time Evercam can recover and expunge emails.
  • At any point in time Evercam can restore emails that have been accidentally or purposely deleted.
  • At any point in time Evercam can scan all mailboxes for a particular email (for example a phishing email that we know has been received) and delete it from employees’ inboxes.

Database (server) backup 

The Evercam database, covering users’ passwords and credentials, projects, links between cameras and users, and events managed by the Evercam platform, is backed up automatically on AWS servers, with Heroku as the main interface to manage backups. The availability and durability levels of the AWS backups are guaranteed through SLA.

Evercam follows a two-fold strategy:

  1. The database is backed up in regular intervals: weekly (managed by Heroku and stored in AWS).
  2. A real-time copy of each second of the last 4 days is generated every 4 days (managed by Heroku and stored in AWS).

The customer recordings from the site are stored on Hetzner servers. As a backup, full-frame recordings can be retrieved from the hard drives and NVR installed locally in the Evercam kit on site. These can be accessed remotely to retrieve the necessary data.

To monitor performance, Evercam relies on Grafana as a tool to query and visualize logs and metrics. It allows us to check our hard drives’ performance metrics remotely. Grafana is used daily by our Dev team. Evercam also relies on Prometheus as a system that alerts DevOps (via email) about issues and irregularities with our hard drives (when a metric is going above/beyond a threshold). Prometheus is used to collect metrics from servers (CPU, Memory, Network, and Storage).

Emergency response

In case of emergency (hardware issues such as loss of a hard drive), the procedure is to email Hetzner support at support@hetzner.com.

Code backup 

Evercam source code is stored on GitHub, with cloud servers located in the USA (Seattle and Northern Virginia). Regular automated backups of code repositories are performed in real-time. Backups must be encrypted during transmission and storage to protect sensitive code and data from unauthorized access. Periodic restoration tests should be conducted to ensure the viability of backups for recovery purposes.

Developers are responsible for committing their code to the designated repositories and ensuring that the code is up-to-date. Regular commits reduce the risk of code loss.

By adhering to this Code Backup Policy, we aim to maintain the integrity of our code repositories and enable swift recovery in the face of data loss or other unforeseen events. This policy underscores our commitment to data security, continuous availability, and the overall success of our development efforts.

Recovery Procedures

1. Data Restoration

In case of data loss or system failure, follow these steps for data recovery:

  • Identify the data or systems to be restored based on the nature of the incident.
  • Reach out to the dedicated support contact assigned to a given system. The contacts are listed in the Evercam Business Continuity Plan Contact Sheet.
    • The dedicated contact will access the most recent backup that contains the required data.
    • The dedicated contact will restore the data using the designated recovery procedures and tools.
  • Verify the restored data for accuracy and integrity.

2. Disaster Recovery

In the event of a larger-scale disruption, such as a system-wide failure or disaster, follow these steps:

  • Activate the company’s disaster recovery procedure.
  • Reach out to the dedicated support contact assigned to a given system. The contacts are listed in the Evercam Business Continuity Plan Contact Sheet. They will:
    • Retrieve the necessary off-site backups and hardware.
    • Restore critical systems and data according to the disaster recovery plan.
    • Perform testing to ensure the functionality and integrity of recovered systems.

To identify the best recovery methods to use, the following data is required:

  • When did the problem occur?
  • Is the data stored in a general area that is backed up?
  • When was the last backup?

Depending on the answers above, the best recovery method is applied. Time is important and the quicker the loss/corruption is found, the quicker the recovery will be.

Testing and Monitoring

Backup Testing

Regularly perform test restores from backups to ensure data recoverability. Document and address any issues identified during testing.

Backup Monitoring

Continuously monitor backup logs for any failures or errors. Investigate and resolve backup issues promptly.

Documentation and Reporting

Maintain comprehensive documentation of backup and recovery procedures, including schedules, methods, and test results. Provide regular reports to management on the status of backups, recoveries, and any incidents.

Training

Ensure that system administrators are trained on the proper execution of backup and recovery procedures. Conduct regular training sessions and refresher courses as needed.

Review and Update

Regularly review and update this procedure to reflect changes in technology, data needs, and company requirements.