Cloud Security Continuity and Disaster Recovery Plan
Trust and Security Overview
- Commitment to Security
Professional Advantage is dedicated to safeguarding the confidentiality, integrity, and availability of our cloud products, services, and customer data. Security requirements are integrated from the design phase and continually reviewed, tested, and updated to mitigate evolving threats and vulnerabilities.
- Security Framework and Best Practices
We apply a multi-layered approach to security, employing overlapping controls to protect customer data throughout each stage. Our security measures are supported by our partnership with Microsoft Azure and a dedicated team of security specialists who monitor and strengthen our security posture proactively.
- Application Security Measures
- Code Reviews: Compliance with Open Web Application Security Project (OWASP) standards.
- Configuration Management: Formal configuration and change management practices.
- Vulnerability Testing: Ongoing testing throughout the product lifecycle.
- Network Security Protocols
Microsoft Azure provides robust networking infrastructure and security features, including network access control, Azure Firewall, secure remote access, DDoS protection, and threat monitoring, ensuring only authorised traffic flows across our network.
- Physical Security
Microsoft’s Azure datacentres implement a multi-layered physical security approach to prevent unauthorised access. Security controls include access approvals at various perimeters and extensive surveillance.
High Availability and Distributed Architecture
- Service Uptime and Availability
Our high-availability system leverages Microsoft Azure’s capabilities, achieving an average service uptime of 98.999%, excluding scheduled maintenance. This enables reliable access to your applications and data.
- Distributed Application Architecture
We utilise Azure Availability Zones to ensure service continuity even in the event of localised disruptions within a region, effectively eliminating single points of failure.
- Continuous Monitoring and Proactive Alerts
Azure Monitoring provides continuous oversight of our systems, triggering proactive alerts for any deviations, allowing us to maintain uninterrupted availability.
Incident Response Plan
- Incident Identification and Classification
In the event of a security or service disruption, incidents are promptly identified and classified based on severity, allowing for an effective and prioritised response.
- Response Steps
- Detection: Identify and validate the incident.
- Containment: Limit the spread and impact.
- Eradication: Remove the root cause and affected components.
- Recovery: Restore and verify system integrity.
- Client Communication During Incidents
Affected clients will be informed promptly, with regular updates provided until resolution. After resolution, a post-incident summary will be shared, detailing incident causes and corrective actions taken.
- Post-Incident Review and Improvement
After each incident, a thorough review is conducted to identify lessons learned, enabling improvements to our processes and response capabilities.
Data Security, Privacy, and Compliance
- Regulatory Compliance Requirements
Professional Advantage is committed to compliance with applicable data protection regulations, including GDPR, CCPA, and other relevant standards, to protect customer data privacy.
- Data Protection and Privacy Policies
We adhere to stringent data privacy policies, ensuring data confidentiality and integrity through secure handling and storage practices.
- Encryption Standards
Data at rest and in transit are encrypted following industry best practices to prevent unauthorised access.
Access Management and Identity Controls
- Role-Based Access Control (RBAC)
Access is granted based on job roles, with least-privilege principles ensuring that users only access the data and resources necessary for their role.
- Privileged Access Management (PAM)
Critical systems are secured through PAM practices, restricting privileged access and adding extra layers of control.
- Multi-Factor Authentication (MFA)
MFA is enforced for all access to critical systems, reducing the risk of unauthorised access due to compromised credentials.
Vendor and Third-Party Risk Management
- Vendor Assessment and Security Requirements
We conduct rigorous evaluations of all third-party vendors to ensure they meet our security standards, with periodic assessments to address new risks.
- Continuous Monitoring of Third-Party Risk
We actively monitor our vendors for any changes to their security posture and ensure they adhere to best practices aligned with our standards.
- Contingency Plans for Vendor Disruptions
Contingency protocols are established for essential vendors to minimize impact in case of vendor-related service disruptions.
Backup and Disaster Recovery
- Daily, Weekly, and Monthly Backups
Application and database servers are backed up daily, weekly, and monthly, stored in geographically dispersed zones within Azure to provide high resilience.
- Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
- RPO: Up to 1 hour within a business day.
- RTO: Application servers are restored within one business day, ensuring minimal disruption.
- Backup Verification and Integrity Testing
Regular verification and testing of backup integrity ensure that recovery can proceed smoothly when needed.
Communication Protocols
- Scheduled and Unscheduled Maintenance Notifications
Clients receive at least 72 hours’ notice for scheduled maintenance windows, typically lasting up to 4 hours. In cases of unscheduled critical maintenance, we strive to provide advance notice.
- Client Communication During Disruptions
During any disruption, clients will be informed promptly, with regular updates until service restoration. Communication includes details on the nature of the incident, expected resolution times, and any steps clients may need to take.
- Post-Incident Summary Reports
Following an incident, a detailed report will be shared with clients to inform them of the root cause and improvements made to prevent recurrence.
Testing and Continuous Improvement
- Regular Plan Testing and Simulation Drills
Simulated disaster recovery drills, penetration tests, and other security audits are conducted routinely to validate the effectiveness of our continuity plan.
- Penetration Testing and Security Audits
External penetration tests and internal security audits ensure our systems remain resilient against emerging threats.
- Documented Review and Update Schedule
Our continuity plan is reviewed and updated at regular intervals to address any new risks or improvements identified through testing and operational feedback.
Employee Training and Awareness
- Ongoing Security Training Programmes
Employees receive ongoing training on security best practices, data protection, and incident response protocols.
- Incident Response Training and Awareness
Regular training prepares staff to respond efficiently to incidents, minimizing the potential impact on service continuity.
- Staff Compliance with Security Best Practices
Employees are required to comply with defined security policies and best practices, reinforcing a culture of security and accountability.
Conclusion
Professional Advantage is committed to maintaining a secure, resilient, and high-availability environment for our clients. By leveraging Microsoft Azure’s robust infrastructure and implementing industry-leading continuity practices, we ensure our clients can rely on uninterrupted service access. This Cloud Security Continuity Plan will be regularly reviewed and enhanced to meet evolving security standards and client expectations.