Page 1 of 11 DATA BACKUP & DISASTER RECOVERY PROCEDURE MANUAL & POLICY


Post on 11-Jun-2020


Page 1: DATA BACKUP & DISASTER RECOVERY PROCEDURE MANUAL & POLICYuacnlinks.org/gcl/wp-content/uploads/2015/08/DATA-BACKUP-N-DR-… · DATA BACK UP & DISASTER RECOVERY PROCEDURE MANUAL & POLICY


DATA BACKUP & DISASTER RECOVERY

PROCEDURE MANUAL & POLICY


OVERVIEW

A Disaster Recovery Plan (DRP) is a documented process or set of procedures to recover and protect our IT infrastructure in the event of a disaster. This plan specifies procedures to follow in the event of a disaster. It is a comprehensive statement of consistent actions to be taken before, during and after a disaster.

DRP refers to interim measures to recover IT services following an emergency or system disruption. Interim measures may include:

The relocation of IT systems and operations to an alternate site;
The recovery of IT functions using alternate equipment;
The performance of IT functions using manual methods.

IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire hazard), and arising from a variety of sources, from natural disasters to terrorist acts. Organizations cannot always avoid disasters, but with careful planning the effects of a disaster can be minimized.

INTRODUCTION

Businesses and organizations of all sizes increasingly depend on computerized data systems for their operations. Business continuance is the process of ensuring that critical data and systems remain available even if hardware, software, or environmental problems interrupt the primary servers' normal operation.

OBJECTIVES

The purpose of this plan is to provide guidance in recovering from any disaster that might befall the IT infrastructure, to minimize downtime and loss of information, and to assist users in accomplishing their individual processing requirements.

Consequently, it is imperative to develop a disaster recovery plan to mitigate the risk of business disruption to an acceptable level in the event of failure of any component of the system. However, the most successful Disaster Recovery Strategy is one that will never be implemented; therefore, risk avoidance is a critical element in the disaster recovery process.

The scope of this disaster recovery plan is to ensure continuous operation of SAP, Exchange and Payroll Application processing so that GCL can resume normal business operations after a disruptive event. The objective of DRP is to minimize downtime and data loss. The primary objective is to protect the company in the event that all or parts of its operations and/or computer services are rendered unusable. The plan minimizes the disruption of operations and ensures that some level of stability and an orderly recovery after a disaster will prevail.

In many cases, critical resources may reside outside our company’s control (such as electric power or telecommunications), and the company may be unable to ensure their availability. Thus effective disaster recovery planning, execution, and testing are essential to mitigate the risk of system and service unavailability and should:

Provide information and procedures necessary to respond to an occurrence, notify relevant personnel, assemble recovery teams, recover data and resume processing/business operations.
Limit the magnitude of any loss within the risk limit by minimizing the duration of a critical application service interruption.
Identify and protect information systems resources required to maintain an acceptable level of business.
Provide a documented plan of predetermined actions to assist decision-making during recovery operations.
Create a disaster recovery structure strong and adequate to provide guidance to all interrelated yet flexible enough to allow ease of response.
Ensure that critical services that SAP, Exchange and Payroll Application use resume quickly.
Enable resumption of normal service at the earliest possible time in the most cost-effective manner.

POLICY STATEMENTS

In order for disaster recovery planning to be successful, the business must implement the following comprehensive Disaster Recovery Program:

Critical Application Assessment
Back-Up Procedures
Recovery Procedures
Implementation Procedures
Acceptance
Plan Maintenance

The plan also documents the responsibilities and procedures that will be used to manage and control the situation following an emergency or crisis occurrence. The intent is to minimize the decision-making process when a business disruptive event occurs. In each quarter of the year, the Disaster Recovery Team will be convened to review the Plan and all the simulation tests carried out during that period. Updates or revisions will be made and documented at this time.

PROCEDURE

The implementation of this disaster recovery procedure is the responsibility of the ITM, GCL. The Disaster Recovery Team will convene within 24 hours after a disaster has occurred to assess damages and make recommendations to the Financial Controller. The ITM is also responsible for the review of this manual.

Risk Indicator

A disaster is an event that significantly reduces the ability of the company to provide normal services. Any event that results in the loss of application processing for more than 24 hours is considered a disaster.

Recovery Time Requirements:

Maximum Tolerable Outage (MTO): This is the amount of time the company’s critical business functions may be unavailable before business operations are severely impacted.

Recovery Time Objective (RTO): This is the time within which a business process must be restored, after a major incident (MI) has occurred, in order to avoid unacceptable consequences associated with a break in business continuity. This shall be a maximum of 24 hours.

Recovery Point Objective (RPO): This is the age of files that must be recovered from backup storage for normal operations to resume if a computer, system, or network goes down as a result of an MI. The RPO is expressed backward in time. It is the age of the files or data in backup storage required to resume normal operations after the MI. This shall be a maximum of 12 hours.

A backup of daily transactions of all relevant employees will be taken on tapes by the application and network support personnel. A copy will be maintained within the IT Department, and monthly period-end and weekly transaction copies will be maintained at a location away from the facility known as the "off-site backup location".

The Monthly and Weekly Backups are kept in the Offsite Storage office.
When a weekly backup is completed, the register is signed to indicate the completion of one stage of the process.
The backup is taken to the Offsite Storage office.
Designated IT staff sign the offsite storage register, which is countersigned by the representative of the offsite host.
The backup is therefore delivered offsite or taken as the case may be.

A record of all backups done, detailing date and content, shall be maintained by an assigned officer. This record MUST be reviewed and confirmed by the ITM monthly.

Tape Recycling Procedure for GCL

The tape recycling procedure is as follows:

For each tape drive device there are 5 individual tape cartridges to be used in a 5-day (1 week) rotation. Each tape is numbered 1-5 with the day of the week, i.e. #1 Monday, #2 Tuesday, etc. After tape #5 Friday is used, the rotation begins again from tape #1 Monday, overwriting the data previously backed up onto tape #1 Monday. All tape cartridges are thus overwritten every 5 days. The tape cartridges are stored next to the tape drives in a secure area.

Daily tapes are recycled weekly.
Weekly tapes are recycled annually.
Monthly and yearly tapes are never recycled.

Basic Recovery Plan Requirements

The basic requirements for the Recovery Plan are as follows:

Disaster recovery team.

Disaster recovery simulation Test Team

Disaster recovery documentation (DRP Plan).

Backup computer facilities & storage.

Proposed Disaster Recovery Process

Process owner communicates disaster event

Convenes the disaster recovery team and assesses damages

Contacts vendors and discusses options.

Restores programs and data


Tests integrity of programs and data.

Begins restoring communications and networking capabilities.

Restores partial operation to priority departments.

Determines priority of data processing.

Takes delivery and sets up new equipment.

Restores full communications and networking capabilities.

Works with departments to verify data and operations of applications.


Disaster Recovery Simulation Test

Testing Schedule

The Recovery plan should be tested periodically and coordinated by the Disaster Recovery Coordinator according to the schedule below to ensure its effectiveness:

| Type of Test | Test Objective | Responsibility | Frequency |
|---|---|---|---|
| Checklist test (Recovery Items Inventory) | This is to ensure that the preventive measures and backup resources exist as specified. | Disaster Recovery coordinator/Team members | Quarterly |
| Simulation | This is to ensure that the preventive measures and backup resources are functioning in the event of partial or full interruption of the information systems. | Disaster Recovery coordinator/Team members | Quarterly |

Testing Procedure

The ITM is responsible for ensuring that the test is carried out. The procedure below shall be followed in conducting the simulation test.

Action Procedure:

List the objectives for the test, establish the scope of the test exercise, and develop the test scenario(s). Develop monitoring criteria for evaluating the test results. Schedule test time at the backup site. Review hardware configuration at the backup site to ensure compatibility.

Select personnel to participate in the test. Identify and brief personnel with responsibilities for monitoring the test. Familiarize personnel with logistics at the backup site.

Obtain and transport (if offsite) backup files, supplies, forms, and documentation required for the test.

Conduct the test exercise.

Evaluate test results and correct deficiencies noted.

Retest if necessary.

Report to management on test results and recommendations.

RESPONSIBILITIES

Responsibilities of DRP Team Members: Team members shall perform tasks relating to their designations in the event of business disruption or carry out tasks as assigned by the DRP coordinator.

Disaster Recovery Coordinator’s Responsibilities

The ITM will serve as the coordinator of the DRP.

The Disaster Recovery Coordinator (DRC) is responsible for directing, coordinating, and reporting to management until full recovery has been accomplished. Also, she/he will oversee the development, maintenance and testing of recovery plans.

In the event of a "disaster", the DRC will manage the backup and recovery efforts and facilitate the support for key business functions and restoration of normal activities. Other responsibilities include:

Take a service representative from each of the appropriate vendors, and Information Systems personnel, into the site.
Contact maintenance solution providers regarding reconditioning of damaged equipment.

The Coordinator will also constitute a team whose responsibilities are:

o Assess damage to the facility and its components:
o Identify extent of damage to the facility
o Determine condition of equipment
o Identify software problems
o Define data problems
o Identify data communications problems
o Describe salvageability of supplies
o Assess operational capability
o Define restoration requirements
o Schedule salvage and restoration
o Monitor salvage and restoration operation
o Provide a detailed accounting of damages for insurance claims, if applicable.
o Contact maintenance solution providers regarding reconditioning of damaged equipment.

Recovering From a Disaster

This section describes stages in recovery from a disaster. In the event of a disaster, the Coordinator provides general and technical support until full recovery is achieved.

Disaster Response Steps

1. Detect and determine a disaster condition.

2. Notify persons responsible for recovery.

3. Initiate the Disaster Recovery Plan.

4. Activate the designated back-up resources.

5. Disseminate Stakeholder Information.

6. Provide support services to aid recovery.

| Response Level/Step | Responsibilities |
|---|---|
| Disaster detection & Determination | Systems Operators, IT Personnel or whoever first discovers or receives information about an emergency situation. |
| Disaster Notification | When a situation occurs that could result in a major information systems processing interruption, on the Local Area Network (LAN), the following people should be notified (via email if possible and telephone): The MD; The FC; HRM; Disaster Recovery Co-ordinator (ITM) |


SIGN-OFF PAGE: DATA BACKUP & DISASTER RECOVERY PROCEDURE MANUAL & POLICY

Michael Opaleke Information Technology Manager Signature & Date

Anil Kumar Chief Financial Officer Signature & Date

Layi Oyatoki Managing Director Signature & Date


Appendix 1

ADDITIONAL POLICY GUIDELINES FOR SAP ERP / SAGE / POWER ERP

The SAP database is replicated into a private cloud which is currently hosted offsite, from where it would be transferred to another location (co-location) by Go-Live day. The replicated database is readily available online in real time; should the corporate centre site go down, it will kick in with little human intervention.

Connection is provided by a 10Mb link; a backup link is available. A third redundant link is currently being proposed.

For backup, the strategy is a Virtual Tape Library (VTL) due to the large amount of data that would have to be backed up.

Tapes generated via this backup platform shall be deposited for safekeeping with one of our approved sites.

For Sage and Power ERP, the backup is done via tapes and databases are backed up on CDs. These are taken to the offsite location for safekeeping, and the offsite systems are updated using the CDs.
