Disaster recovery policy

To maintain business continuity, we have in place “high availability” systems on our Document Management system, on-premise file stores and a finance system which provides automatic failover to duplicate servers should hardware faults occur on our business-critical servers. This is supplemented by off-site Disaster Recovery facilities providing replacement hardware should our offices become unavailable. Our backup systems store data off site to provide full recovery in the event of a building disaster or accessibility issues.
 
Our email, intranet and off-premise file stores are Office365 based. Office365 has built-in redundancy and high availability. These are all backed up to an alternative off-premise backup system. 
 
We currently have offices in London, Newcastle, Manchester, Cardiff, Leeds, Thames Valley, Birmingham, Bristol and Edinburgh and staff are able to work from any one of these nine locations as well as from home.
 
We are Cyber Essentials certified.
 
All staff receive training on what to do in an emergency during induction and at intervals throughout the year. During their induction, all staff upload the emergency contact details onto their personal and work mobile phones.
 
All Surface Pros are enabled with remote access using the Cisco AnyConnect VPN with two-factor authentication. Our mobile devices are smartphones (iPhones) providing remote email functions. All staff are therefore able to work remotely from their home, another Lichfields office, or any other location.
 
We consider our IT security to be of best practice and sufficient to safeguard confidential data. Our backup systems store data offsite to provide full recovery in the event of a building disaster or accessibility issue.
 
We rely on four key elements: our IT policies, which all employees are aware of; our Quality Management Handbook; our iManage Document Management System (DMS); and Office365, which provides email and our intranet for internal communications.
 
Our DMS maintains security at both project and document level and provides a full audit trail on all usage including import and export.
 
Network access is strictly controlled via a secure password. Password restrictions follow best practice on minimum length, and we encourage passphrases for ease of memory and security.
 
All iPhones and iPads are secured with PIN numbers and can be wiped remotely on loss. Our policy on carrying data requires the use of encrypted USB memory sticks and encrypted mobile devices.
 
Third party consultant access is strictly controlled via login accounts which are disabled when no longer required.
 
Our operating system and all software applications are maintained and updated with security patches and fixes. We have up-to-date antivirus and anti-spam software, and all email and web traffic is filtered for complete protection from malware, security risks, and viruses.
 
We have physical restrictions on server access, and electronic backups are encrypted prior to being transmitted over the internet.
 
We have a limited number of network administrator accounts and these are within the IT department. We monitor server log files and have in place change procedures and a test environment to minimise negative impact on our production environment. We maintain a hardware and software inventory and have an update schedule for servers and desktop hardware. Obsolete hardware is recycled only once hard disks have been removed for secure destruction.
 
Our printer copiers are set to release prints on walk-up using ID cards or PIN numbers, so confidential data is never left accessible in shared areas.
 
Our WAN is monitored for cyber-attack by our ISO-accredited network consultants, and we employ independent penetration testing on a regular basis.