Plan Development
BCM Plan and Procedure
CBF 6: Information Systems & Records Management
WHAT: Function Overview and Importance
CBF-6 encompasses all activities related to managing Bandtree’s information technology infrastructure and records management systems, ensuring the integrity, availability, and security of critical data and systems.
This function supports daily business operations by maintaining ICT infrastructure, property systems, data backup, cybersecurity, and compliance with IT governance standards. It is essential to prevent operational disruption, safeguard corporate information assets, and enable swift recovery during crises.
Pre-Crisis: Preparedness Phase
Objective:
To establish a robust foundation that minimises risks and ensures Bandtree’s Information Systems and Records Management functions are well-prepared to handle potential disruptions effectively. This phase focuses on proactive measures to prevent crises or reduce their impact and to enable rapid response and recovery.
HOW: Detailed Preparedness Steps
1. ICT Infrastructure Management (CBF-6.1)
- Asset Inventory Management:
Maintain a comprehensive, regularly updated inventory of all ICT hardware, software, and network components. This includes serial numbers, configurations, warranty status, and support contracts.
- Regular Maintenance and Updates:
Schedule and conduct preventive maintenance for servers, network devices, and end-user equipment to avoid unexpected failures. Apply software patches, firmware updates, and security fixes promptly to protect against vulnerabilities.
- Infrastructure Redundancy:
Design and implement redundancy in critical infrastructure components, such as power supplies (UPS and generators), network connections (dual Internet service providers), and storage systems (RAID configurations, SAN/NAS), to prevent single points of failure.
- Monitoring and Alerting:
Deploy monitoring tools to continuously track system performance, resource utilisation, and network health. Configure alert mechanisms to notify IT staff of anomalies or impending failures.
2. Property Systems Application Support (CBF-6.2)
- System Health Checks:
Perform scheduled health assessments of property management applications, databases, and interfaces to ensure optimal performance.
- Failover Testing:
Regularly test failover processes and backup application environments to validate system availability during outages.
- Vendor Engagement:
Maintain close communication with application vendors for timely updates, patches, and support services. Verify vendors’ business continuity capabilities and escalation paths.
3. Records Retention & Archiving (CBF-6.3)
- Retention Policy Enforcement:
Develop and enforce records retention schedules in line with legal, regulatory, and internal policies. Categorise records based on sensitivity and retention duration.
- Physical Records Storage:
Ensure physical records are stored in secure, climate-controlled environments to prevent damage from humidity, pests, or unauthorised access.
- Digital Archiving:
Promote the digitisation of physical documents for easier management and backup. Implement secure, indexed digital archives with controlled access.
4. Data Backup & Recovery (CBF-6.4)
- Backup Strategy:
Establish a multi-tier backup approach, including daily incremental backups and weekly full backups. Store backup copies onsite for quick recovery and offsite for disaster protection.
- Backup Verification:
Perform routine tests of backup data integrity and conduct periodic recovery drills to ensure data can be restored effectively.
- Backup Security:
Protect backup media with encryption and secure storage to prevent unauthorised access or data breaches.
5. Cybersecurity & Access Control (CBF-6.5)
- Access Management:
Implement strict role-based access control (RBAC), limiting user permissions to the minimum necessary for job functions.
- Authentication Controls:
Enforce multi-factor authentication (MFA) for critical systems and remote access.
- Security Awareness:
Conduct regular cybersecurity training, including phishing simulations and best practice guidelines, to build a security-conscious culture.
- Threat Monitoring:
Utilise Security Information and Event Management (SIEM) systems and intrusion detection/prevention tools to continuously monitor threats and suspicious activities.
6. System Development & Enhancement (CBF-6.6)
- Change Management:
Adopt formal procedures for requesting, reviewing, approving, and documenting system changes or enhancements to minimise risk.
- Testing Environments:
Maintain segregated development, testing, and production environments to ensure that new features or fixes do not disrupt operational systems.
- Rollback Plans:
Prepare contingency rollback plans for any system updates or patches so that changes can be reverted quickly in the event of issues.
7. ICT Vendor Management (CBF-6.7)
- Vendor Assessment:
Evaluate vendors’ business continuity and disaster recovery capabilities before engagement.
- Contracts & SLAs:
Include precise business continuity requirements and response times in vendor agreements.
- Contact Management:
Keep an up-to-date directory of vendor contacts for emergency escalation and support.
8. User Training & Support (CBF-6.8)
- Regular Training Programs:
Schedule ongoing training sessions to keep users informed of system updates, security protocols, and incident reporting procedures.
- Helpdesk Operations:
Maintain a responsive help desk with clear escalation paths for incident reporting and resolution.
- Documentation:
Provide accessible user manuals, FAQs, and quick reference guides.
9. Compliance & IT Governance (CBF-6.9)
- Policy Review:
Regularly review and update IT policies, procedures, and standards to ensure compliance with relevant laws, regulations, and industry best practices.
- Audits:
Conduct internal and external IT audits to identify gaps and areas for improvement.
- Risk Assessments:
Periodically assess risks related to ICT systems and data handling, incorporating findings into business continuity planning.
10. Physical Records Handling (CBF-6.10)
- Secure Handling Procedures:
Train staff on protocols for safely handling, transporting, and accessing physical records.
- Access Controls:
Use locked cabinets, secure rooms, and access logs to protect sensitive physical records.
- Disaster Prevention:
Implement fire suppression systems, flood barriers, and environmental monitoring in storage areas.
Within T+24 Hours (RESUMPTION Phase)
Objective:
To initiate immediate response and recovery actions that restore critical Information Systems and Records Management functions, enabling Bandtree to resume essential business operations as quickly and safely as possible within the first 24 hours following a disruption.
HOW: Immediate Recovery and Resumption Steps
1. Incident Activation & Coordination
- Activate Incident Response Team (IRT):
- Immediately notify and mobilise the designated ICT Incident Response Team comprising ICT managers, system administrators, records management officers, and cybersecurity personnel.
- Assign clear roles and responsibilities within the team to ensure coordinated recovery efforts.
- Initial Incident Assessment:
- Conduct a rapid assessment to identify the nature, scope, and impact of the disruption on ICT infrastructure, applications, and the availability of records.
- Determine affected systems, data integrity, and user access constraints.
- Incident Communication:
- Notify Bandtree’s senior management, affected departments, and key stakeholders with an initial incident status report.
- Provide timely updates through established communication channels (email, SMS alerts, intranet).
2. ICT Infrastructure Containment & Recovery
- System Isolation & Containment:
- Isolate affected servers, network segments, or devices to prevent further spread of damage, especially in cases of cyberattack or malware infection.
- Disconnect compromised systems from the network if necessary.
- Failover to Redundant Systems:
- Initiate switch-over to redundant or backup systems, including alternate data centres, cloud platforms, or backup servers, to restore critical ICT infrastructure functionality.
- Power and Network Checks:
- Confirm availability of power supply (including UPS and generators) and network connectivity to recovery sites or backup locations.
3. Application and Systems Recovery
- Priority Application Restoration:
- Restore access to high-priority property systems and management applications critical to business continuity (e.g., property management databases, tenant portals).
- Coordinate with software vendors for urgent support, patches, or hotfixes if the disruption involves application faults.
- Data Restoration from Backups:
- Retrieve and restore data from the latest verified backups in accordance with backup recovery protocols.
- Prioritise the restoration of essential databases, records, and files to minimise operational downtime.
- Verification of Restored Data:
- Perform quick integrity checks on restored data to ensure completeness and accuracy.
- Document any data loss or inconsistencies detected during restoration.
4. Cybersecurity Incident Response
- Threat Removal & System Cleaning:
- Run malware and virus scans on all restored systems.
- Remove malicious code or unauthorised access points identified during the incident.
- Credential Resets & Access Controls:
- Immediately reset passwords and access credentials for all potentially compromised accounts.
- Reinforce access restrictions and review permissions for sensitive systems.
- Security Monitoring:
- Enhance monitoring of network traffic and system logs for indications of ongoing threats or anomalies.
5. Physical Records Handling & Accessibility
- Securing Physical Records:
- Inspect and secure the physical records storage areas affected by the incident.
- Implement temporary protective measures (e.g., relocating records to safe areas) if necessary.
- Access Provision:
- Provide interim access solutions for physical or digitised records essential to critical business processes.
6. User Support & Communication
- User Guidance:
- Inform users of system status, available functionalities, and temporary workarounds.
- Provide instructions on how to report ongoing issues or access support services.
- Helpdesk Activation:
- Ensure helpdesk staff are fully operational and equipped to handle increased incident-related queries.
- Log all reported issues and recovery actions in an incident management system.
7. Documentation and Reporting
- Incident Log Maintenance:
- Keep detailed records of all recovery activities, decisions made, and communications issued during the resumption phase.
- Initial Post-Incident Report:
- Prepare a preliminary incident report summarising the disruption, actions taken, and current status.
- Submit the report to senior management and relevant stakeholders.
After T+24 Hours (RECOVERY Phase)
Objective:
To fully restore Information Systems and Records Management capabilities to pre-incident conditions, validate recovery effectiveness, address any residual issues, and implement improvements to enhance future resilience and continuity.
HOW: Complete Recovery and Restoration Steps
1. Comprehensive System Validation and Testing
- Complete System Integrity Checks:
- Conduct thorough testing of all ICT infrastructure components, including servers, networks, storage, and endpoints, to confirm operational stability.
- Perform application functionality tests on all property systems to ensure that business-critical processes operate as intended.
- Data Consistency Verification:
- Reconcile restored data against source records and transaction logs to identify any discrepancies, omissions, or corruption.
- Validate that all critical datasets, including backup archives and physical record indexes, are complete and accurate.
- Performance Monitoring:
- Monitor system performance metrics over an extended period to detect latent issues such as slowdowns or intermittent failures.
2. Incident Review and Root Cause Analysis
- Post-Incident Investigation:
- Conduct a formal root cause analysis (RCA) to determine the origin and factors that led to the disruption.
- Involve cross-functional teams, including ICT, records management, cybersecurity, and vendors as needed.
- Documentation of Findings:
- Prepare a detailed incident report outlining the cause, impact, response actions, recovery timeline, and lessons learned.
- Management Review:
- Present findings to senior management and the Business Continuity Planning Committee for evaluation and strategic decisions.
3. Remediation and Preventive Measures
- Infrastructure Improvements:
- Address vulnerabilities or weaknesses revealed by the incident, such as hardware upgrades, network segmentation, or system hardening.
- Update software patches, firmware, and configurations based on the latest security advisories.
- Policy and Procedure Updates:
- Revise business continuity, disaster recovery, cybersecurity, and records management policies, incorporating insights from the incident.
- Enhance incident response playbooks and escalation protocols.
- Backup Strategy Enhancements:
- Optimise backup schedules, diversify backup locations, and implement improved verification techniques to ensure backup reliability.
4. Vendor and Third-Party Coordination
- Performance Review:
- Evaluate vendor and service provider responsiveness and effectiveness during incident recovery.
- Document any shortcomings or contractual gaps.
- Contractual Updates:
- Negotiate revisions to service level agreements (SLAs) to better align vendor support with Bandtree’s continuity requirements.
- Ongoing Collaboration:
- Schedule follow-up meetings with vendors to discuss improvement plans and ensure readiness for future incidents.
5. User Training and Awareness Reinforcement
- Refresher Training:
- Conduct targeted training sessions addressing any new procedures, systems, or security practices introduced post-incident.
- Emphasise lessons learned and best practices to mitigate human error risks.
- Communication of Changes:
- Inform all users of changes in system access, workflows, or security protocols.
- Distribute updated user manuals, FAQs, and quick reference guides.
6. Compliance and Regulatory Reporting
- Regulatory Notification:
- Submit required reports to regulatory bodies or government agencies within stipulated timeframes, if applicable.
- Audit Preparation:
- Prepare evidence of incident handling and recovery actions for internal or external IT audits.
- Governance Review:
- Review IT governance frameworks to ensure ongoing compliance with relevant standards and legal obligations.
7. Physical Records Restoration and Security
- Return of Physical Records:
- Restore physical records to their designated secure storage locations once it is safe and practical to do so.
- Condition Assessment:
- Inspect physical records for damage, deterioration, or loss and initiate restoration or replacement processes as needed.
- Security Reinforcement:
- Upgrade physical security controls such as locks, access logs, and environmental protections to prevent future incidents.
8. Continuous Improvement and Monitoring
- Incident Follow-up:
- Schedule periodic reviews to assess the effectiveness of implemented improvements.
- Ongoing Risk Assessment:
- Incorporate new risks or vulnerabilities identified during recovery into the organisational risk register and update business continuity plans accordingly.
- Feedback Loop:
- Encourage user and stakeholder feedback on recovery processes and usability of systems post-incident.
Summing Up ...
The Business Continuity Recovery Procedure detailed in this chapter establishes a comprehensive and actionable roadmap for managing disruptions to Bandtree’s Information Systems and Records Management functions.
By adhering to the outlined phases — from pre-crisis preparedness through to full recovery — the organisation can effectively mitigate risks, restore essential services promptly, and enhance its overall resilience against future incidents.
This procedure not only protects critical infrastructure and data integrity but also reinforces Bandtree’s operational stability and stakeholder confidence.
Continuous review and improvement of these recovery processes will ensure that the company remains agile and prepared in an evolving threat landscape, thereby upholding its mandate as a reliable and forward-looking government-linked company.
Implementing Business Continuity Management for Bandtree: A Practical Guide
eBook 3: Starting Your BCM Implementation