Business Continuity Plan for KEE I.T. Services Ltd (KEE) 

Cloud-Based Infrastructure using Microsoft 365, Zoho CRM+, and Other Cloud Services

Introduction

This Business Continuity Plan (BCP) outlines the strategies and procedures that KEE I.T. Services Ltd (KEE) will follow to ensure continuity of operations in the event of a disaster or disruption. KEE are fully reliant on cloud-based services, including Microsoft 365 for productivity tools, Zoho CRM+ for customer relationship management, and other cloud services for business operations.

The primary goal is to ensure the organisation can maintain critical services, minimise downtime, protect client data, and recover from any incidents with minimal impact on business operations.

 

Objective

The main objectives of this BCP are:

- To maintain the availability of essential business operations.

- To minimise downtime and data loss across cloud services, including Microsoft 365 and Zoho CRM+.

- To protect client data and ensure compliance with regulatory requirements, including GDPR.

- To outline clear communication protocols during a disaster or disruption.

- To ensure a structured recovery process to restore full operations swiftly.

 

Scope

This BCP covers:

- Cloud-based infrastructure: Microsoft 365 (including Exchange Online, OneDrive, SharePoint, Teams), Zoho CRM+, and any other relevant cloud applications.

- Business-critical processes: Client service management, communication, data storage, collaboration, and CRM functionalities.

- Employee roles: Staff access to Microsoft 365 and Zoho CRM+ for remote work and daily operations.

 Excluded from this plan are any on-premise infrastructure or legacy systems not reliant on the cloud.

 

Risk Assessment

 The following risks could significantly impact business operations and are addressed in this BCP:

 - Service Outages: Microsoft 365, Zoho CRM+, or other cloud services experiencing downtime.

- Data Loss or Corruption: Accidental data deletion, malicious attacks, or data corruption in Microsoft 365 or Zoho CRM+.

- Cybersecurity Threats: Ransomware, phishing, or unauthorised access leading to a breach or disruption in service.

- Internet or Power Failure: Interruptions in internet access or power supply affecting the ability to work remotely or access cloud-based services.

- Human Factors: Unavailability of critical staff due to illness, resignation, or emergency situations.

Business Continuity Strategy

 

Cloud Service Redundancy and Availability

 - Service-level Agreements (SLAs):

  - Microsoft 365 and Zoho CRM+ both offer service-level guarantees (99.9% uptime) that will be monitored and managed.

  - Understand Microsoft’s and Zoho’s planned maintenance schedules and align operations to minimise disruption.

 - Multi-Region Availability:

  - Microsoft 365 services are hosted in multiple regions, offering high availability with automatic failover.

  - Ensure that the Zoho CRM+ instance is located in a region with sufficient redundancy and geographical replication if applicable.

 - Critical Service Monitoring:

  - Implement monitoring for the availability of both Microsoft 365 and Zoho CRM+ through third-party services or native tools (Microsoft 365 Service Health Dashboard).

  - Set up notifications for service disruptions and outages.

 

Data Backup and Recovery

 - Microsoft 365 Data Backup:

  - Implement a third-party cloud backup solution (N-Able COVE) to back up Exchange Online (email), OneDrive, SharePoint, and Teams data regularly.

  - Retain backups for at least 90 days to enable recovery from accidental deletion or corruption.

 - Zoho CRM+ Data Backup:

  - Ensure regular backups of Zoho CRM+ data, which can be configured using Zoho’s native backup tools or third-party integration.

  - Set up periodic manual or automated exports of CRM data (leads, contacts, opportunities, etc.) to mitigate the risk of data loss.

 - Backup Testing:

  - Regularly test backup restoration procedures for both Microsoft 365 and Zoho CRM+ data to ensure recovery times and processes are effective and efficient.

 

Incident Response Plan

 - Incident Detection and Reporting:

  - Implement monitoring and alert systems for all critical cloud services (Microsoft 365, Zoho CRM+).

  - Use Microsoft Defender for Office 365 and Zoho’s built-in security features (MFA, IP restrictions, audit logs) to detect and report on suspicious activity.

 - Response Team:

  - Assign an incident response team responsible for managing disruptions or breaches. The team should include technical experts, management, and communication personnel.

 - Escalation Procedures:

  - Define clear escalation paths for different types of incidents (service outage, data breach, cyber attack).

  - Prepare communication templates for internal and external notifications during an incident (client alerts, downtime updates).

 

Remote Work and Access

 - Remote Access Security:

  - Use VPNs and Multi-Factor Authentication (MFA) for staff to access Microsoft 365 and Zoho CRM+ remotely.

  - Ensure that remote work tools (Teams, OneDrive, SharePoint) are fully accessible and that all staff can work from home or alternative locations in the event of a disruption.

 - Business Continuity Tools:

  - Ensure that Zoho CRM+ and Microsoft 365 apps (Teams, Outlook, etc.) are available on mobile devices and desktops, allowing staff to access essential tools regardless of their location.

 

Communication Protocols

- Internal Communication:

  - Use Microsoft Teams as the primary tool for internal communication. Ensure that key team members are trained in using Teams for real-time updates and task management during a disruption.

- External Communication:

  - Develop templates for client-facing communications, ensuring timely and transparent updates on service disruptions, estimated resolution times, and any required actions from clients.

  - Use Zoho CRM+ or email for critical client notifications and tracking of support requests during incidents.

 

Disaster Recovery Plan

Recovery Time Objective (RTO)

- Critical Services: The RTO for critical cloud services (email, file storage, CRM) is 4 hours. If a disruption occurs, these services must be restored or accessible within this time frame.

- Full Recovery: The full recovery, including all non-critical systems, should be completed within 24 hours.

Recovery Point Objective (RPO)

- Data Loss Tolerance: The RPO for critical data (email, CRM records, and file storage) is no more than 24 hours, based on daily backups.

- Backup Retention: Ensure backups of Microsoft 365 and Zoho CRM+ data are retained for at least 30 days.

Recovery Procedures

- Microsoft 365:

  - In case of an outage, use Microsoft’s recovery tools such as Exchange Online eDiscovery for restoring deleted emails, OneDrive’s recycle bin for file restoration, and SharePoint’s versioning feature for document recovery.

- Zoho CRM+:

  - If Zoho CRM+ experiences a disruption, utilise the system's built-in data restore options or revert to the most recent data export for restoring client records, leads, and sales opportunities.

- Manual Workarounds:

  - For critical services (email, CRM) that experience downtime for more than 4 hours, consider manual workarounds such as using temporary email forwarding systems or CRM spreadsheets to track leads and opportunities.

  

Staffing and Roles

Critical Roles

- BCP Coordinator: Oversees the execution of the BCP and serves as the point of contact in case of an emergency.

- IT Support Team: Responsible for managing the technical systems, monitoring cloud services, and executing recovery plans.

- Communications Lead: Ensures clear internal and external communications, including client notifications and updates.

- Management Team: Provides oversight, strategic decisions, and resource allocation during disruptions.

Cross-Training and Succession Planning

- Cross-train staff to ensure that critical roles can be temporarily filled in case of unavailability.

- Maintain a clear succession plan for key roles, including backup staff for IT support and management positions.

Testing and Review

Testing

- BCP Testing: Conduct an annual tabletop exercise simulating a service outage or data breach scenario. Test recovery times, backup procedures, and communication workflows.

- Backup and Restoration Drills: Perform semi-annual drills to ensure data backup and restoration procedures work effectively for both Microsoft 365 and Zoho CRM+.

Plan Review and Updates

- The BCP should be reviewed and updated annually or when significant changes occur (e.g., new software, cloud services, or staff roles).

- Ensure that changes to Microsoft 365 or Zoho CRM+ services are reflected in the recovery and incident management procedures.

Conclusion

This BCP ensures that KEE can continue to deliver services to clients, even in the event of a disaster or disruption. By leveraging the redundancy and resilience of cloud-based platforms like Microsoft 365 and Zoho CRM+, and having a comprehensive disaster recovery and communication strategy, the organisation can minimise downtime and recover swiftly from any incident, ensuring business continuity and client satisfaction.

Updated August 2024