{"id":1443,"date":"2021-12-10T19:09:39","date_gmt":"2021-12-10T19:09:39","guid":{"rendered":"http:\/\/box5442.temp.domains\/~arpioio\/soc-2-for-saas-the-information-security-policy-2\/"},"modified":"2021-12-10T19:09:39","modified_gmt":"2021-12-10T19:09:39","slug":"business-continuity-and-disaster-recovery","status":"publish","type":"post","link":"https:\/\/arpio.io\/staging\/8013\/business-continuity-and-disaster-recovery\/","title":{"rendered":"Business Continuity and Disaster Recovery: The Arpio SOC-2 Certification Journey"},"content":{"rendered":"<body>\n<p>This post is the second installment in our series on achieving SOC-2, where we peel back the covers on what it took for us to get compliant.\u00a0 We\u2019re walking through the 10 policies that our company adopted for SOC-2, and dedicating a blog post to what each entailed.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/arpio.io\/staging\/8013\/soc-2-for-saas-the-information-security-policy-2\/\">first installment of the series<\/a> focused on our information security policy.\u00a0 This post covers the business continuity and disaster recovery plan.<\/p>\n\n\n\n<p>SOC-2 requires that you\u2019ve thought through how to protect your business from any kind of disaster \u2014 everything from natural disasters to cyber events to the loss of a critical employee \u2014 and that you\u2019re periodically testing that capability.\u00a0<\/p>\n\n\n\n<p>The good news for us was that our product is a disaster recovery solution for AWS. We manage disaster recovery for our own business continuity plan with a best-in-class solution that understands what it looks like to protect the full environment at the platform layer. 
This is what our business is about.<\/p>\n\n\n\n<p>That said, any DR plan has to account for two categories of disaster scenario:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>The failure of infrastructure, and the ability to recover your service on alternate infrastructure.\u00a0 That alternate infrastructure usually needs to be geographically distant, so that a large-scale event (like a natural disaster) can\u2019t take out both the primary and the recovery site.<\/li><li>A cyber compromise of your production environment, such as a ransomware attack or a disgruntled employee doing something unfathomable.\u00a0 To survive these, it\u2019s critical to keep backups immutable and out of reach, so that whoever controls production can\u2019t also destroy the copies you need to recover.<\/li><\/ol>\n\n\n\n<p>We account for the first category by running Arpio as a \u201cmulti-region-active\u201d workload across 3 AWS regions, with roughly 2500 miles between them.\u00a0 Because we\u2019re spread across regions (not just availability zones within one region), we\u2019re resilient to the failure of regional services, like the 7-hour us-east-1 outage the other day.<\/p>\n\n\n\n<p>The second category is handled by moving data backups out of our production AWS account.\u00a0 The best practice is to keep a second AWS account that production identities have no access to, and store your backups there.\u00a0 Concretely, production gets at most a one-way path to copy backups in, never the ability to delete or alter what is already there, and the backup account\u2019s own credentials are held apart from anything reachable from production.\u00a0 A bad actor who compromises production can\u2019t also compromise this environment.\u00a0<\/p>\n\n\n\n<p>The next hurdle was DR testing, but we were in pretty good shape there as well.\u00a0 We\u2019ve run quarterly disaster recovery drills from day one, and they have never been \u2018tabletop.\u2019 We bring up the entire system, validate that it\u2019s all working, and then tear it down. 
The drills are quick and low-effort because our solution automates the bring-up and teardown end to end.<\/p>\n\n\n\n<p>On the people side, we already had good redundancy thanks to our process for cross-training colleagues.\u00a0 But we needed to formalize how we, as a group, would communicate with each other in the event of a disaster.\u00a0 Our team normally communicates in Slack, but as the Facebook outage on October 4th, 2021 showed, an outage can take down your communication tools as well.\u00a0 That lesson was fresh as we were planning here.<\/p>\n\n\n\n<p>We went old school to solve this. We created a formal contact list including real-life phone numbers (yes! phone numbers!) so that we can reach every person on the team in the event of a disaster. We then posted and shared that list and communicated where, when, and how to access it (a list like this has to live somewhere that doesn\u2019t depend on the tools that might be down).<\/p>\n\n\n\n<p>The documented policy itself came primarily from Laika.\u00a0 We tweaked about 20% of it; the rest is standard boilerplate and didn\u2019t require much work.<\/p>\n<\/body>","protected":false},"excerpt":{"rendered":"<p>This post is the second installment in our series on achieving SOC-2, where we peel back the covers on what it took for us to get compliant.\u00a0 We\u2019re walking through&#8230;<\/p>\n","protected":false},"author":4,"featured_media":1125,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","content-type":"","inline_featured_image":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1443","post","type-post","status-publish","format-standard","has-post-thumbnail","category-blog"],"yoast_head_json":{"title":"Business Continuity and Disaster Recovery","description":"This post is the second installment in our series on achieving SOC-2, where we peel back the covers on what it took for us to get compliant.\u00a0","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/","og_locale":"en_US","og_type":"article","og_title":"Business Continuity and Disaster Recovery","og_description":"This post is the second installment in our series on achieving SOC-2, where we peel back the covers on what it took for us to get compliant.\u00a0","og_url":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/","og_site_name":"Arpio Disaster Recovery Made 
Easy","article_published_time":"2021-12-10T19:09:39+00:00","og_image":[{"width":2520,"height":1520,"url":"https:\/\/arpio.io\/wp-content\/uploads\/2021\/12\/SOC-2-policies.jpg","type":"image\/jpeg"}],"author":"Doug","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Doug","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/#article","isPartOf":{"@id":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/"},"author":{"name":"Doug","@id":"https:\/\/arpio.io\/staging\/8013\/#\/schema\/person\/5c7dd11a2bcc5b1eb202c473873a8c42"},"headline":"Business Continuity and Disaster Recovery: The Arpio SOC-2 Certification Journey","datePublished":"2021-12-10T19:09:39+00:00","mainEntityOfPage":{"@id":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/"},"wordCount":607,"commentCount":0,"image":{"@id":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/#primaryimage"},"thumbnailUrl":"https:\/\/arpio.io\/staging\/8013\/wp-content\/uploads\/2021\/12\/SOC-2-policies-e1659733445515.jpg","articleSection":["Blog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/","url":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/","name":"Business Continuity and Disaster Recovery","isPartOf":{"@id":"https:\/\/arpio.io\/staging\/8013\/#website"},"primaryImageOfPage":{"@id":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/#primaryimage"},"image":{"@id":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/#primaryimage"},"thumbnailUrl":"https:\/\/arpio.io\/staging\/8013\/wp-content\/uploads\/2021\/12\/SOC-2-policies-e1659733445515.jpg","datePublished":"2021-12-10T19:09:39+00:00","author":{"@id":"https:\/\/arpio.io\/staging\/8013\/#\/schema\/person\/5c7dd11a2bcc5b1eb202c473873a8c42"},"description":"This post is the second 
installment in our series on achieving SOC-2, where we peel back the covers on what it took for us to get compliant.\u00a0","breadcrumb":{"@id":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/#primaryimage","url":"https:\/\/arpio.io\/staging\/8013\/wp-content\/uploads\/2021\/12\/SOC-2-policies-e1659733445515.jpg","contentUrl":"https:\/\/arpio.io\/staging\/8013\/wp-content\/uploads\/2021\/12\/SOC-2-policies-e1659733445515.jpg","width":960,"height":579},{"@type":"BreadcrumbList","@id":"https:\/\/arpio.io\/business-continuity-and-disaster-recovery\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/arpio.io\/staging\/8013\/"},{"@type":"ListItem","position":2,"name":"Business Continuity and Disaster Recovery: The Arpio SOC-2 Certification Journey"}]},{"@type":"WebSite","@id":"https:\/\/arpio.io\/staging\/8013\/#website","url":"https:\/\/arpio.io\/staging\/8013\/","name":"Arpio Disaster Recovery Made Easy","description":"AWS Disaster 
Recovery","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/arpio.io\/staging\/8013\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/arpio.io\/staging\/8013\/#\/schema\/person\/5c7dd11a2bcc5b1eb202c473873a8c42","name":"Doug","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/arpio.io\/staging\/8013\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/98d763d738bde480338f289de28be30208ce6fbcdb2e370e4e94dd5e5ec5ffb5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/98d763d738bde480338f289de28be30208ce6fbcdb2e370e4e94dd5e5ec5ffb5?s=96&d=mm&r=g","caption":"Doug"},"url":"https:\/\/arpio.io\/staging\/8013\/author\/doug\/"}]}},"_links":{"self":[{"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/posts\/1443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/comments?post=1443"}],"version-history":[{"count":0,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/posts\/1443\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/media\/1125"}],"wp:attachment":[{"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/media?parent=1443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/categories?post=1443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/tags?post=1443"}],"curies":[{"name":"wp","href":
"https:\/\/api.w.org\/{rel}","templated":true}]}}
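The post's second disaster category relies on a backup AWS account that production is not granted access to. In practice production still needs a one-way path to copy backups in, so the thing worth checking is the vault's access policy: production may copy in, and nobody may delete recovery points, shorten their retention, or rewrite the policy. What follows is an added example, not Arpio's code and not AWS tooling: a small Python lint that checks a saved AWS Backup vault access policy against that rule. The account IDs, the vault ARN and both policy documents are constructed for illustration, and only a subset of IAM semantics is modelled (see the docstring).

```python
"""
Added example, not Arpio's code: a simplified lint for the access policy of an
AWS Backup vault that lives in the isolated backup account. It encodes the
rule from the post: the production account may copy recovery points in, and
nobody (production included) may delete recovery points, shorten their
retention, or rewrite the vault policy. Account IDs, the vault ARN and both
policy documents are constructed for illustration. Only a subset of IAM is
modelled (Effect, Principal as "*" or {"AWS": ...}, Action/Resource with "*"
globbing); statements using Condition, NotAction, NotPrincipal or NotResource
are flagged for manual review instead of being evaluated.
"""
import fnmatch

PROD_ACCOUNT = "111111111111"    # assumed production account id
BACKUP_ACCOUNT = "222222222222"  # assumed isolated backup account id
VAULT_ARN = f"arn:aws:backup:us-west-2:{BACKUP_ACCOUNT}:backup-vault:immutable-vault"

# Actions that would let whoever holds them destroy or age out recovery
# points, or rewrite the policy to grant themselves that ability.
DESTRUCTIVE_ACTIONS = (
    "backup:DeleteRecoveryPoint",
    "backup:UpdateRecoveryPointLifecycle",
    "backup:DeleteBackupVault",
    "backup:PutBackupVaultAccessPolicy",
    "backup:DeleteBackupVaultAccessPolicy",
)
UNSUPPORTED_KEYS = ("Condition", "NotAction", "NotPrincipal", "NotResource")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_covers(stmt, account):
    """True if the statement's Principal names `account` (or anyone, "*").
    Pass account="*" to ask whether the statement applies to anyone at all."""
    principal = stmt.get("Principal", {})
    names = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return any(n == "*" or n == account or f":{account}:" in n for n in names)


def _glob_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def allowed(policy, account, action, resource):
    """Resource-policy evaluation for one request, simplified: an explicit Deny
    wins, any matching Allow grants, otherwise the request is implicitly denied.
    Returns (granted, needs_manual_review)."""
    statements = policy["Statement"]
    review = any(any(k in s for k in UNSUPPORTED_KEYS) for s in statements)
    granted = False
    for stmt in statements:
        if any(k in stmt for k in UNSUPPORTED_KEYS):
            continue  # semantics not modelled here; a human must read it
        if not (_principal_covers(stmt, account)
                and _glob_any(stmt.get("Action", []), action)
                and _glob_any(stmt.get("Resource", "*"), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False, review
        if stmt["Effect"] == "Allow":
            granted = True
    return granted, review


def lint_vault_policy(policy, prod_account=PROD_ACCOUNT, vault_arn=VAULT_ARN):
    """Return a list of findings; an empty list means the policy follows the rule."""
    findings = []
    for action in DESTRUCTIVE_ACTIONS:
        for who in (prod_account, "*"):
            granted, _ = allowed(policy, who, action, vault_arn)
            if granted:
                label = "anyone" if who == "*" else f"account {who}"
                findings.append(f"{label} may {action} on {vault_arn}")
    granted, review = allowed(policy, prod_account, "backup:CopyIntoBackupVault", vault_arn)
    if not granted:
        findings.append(f"account {prod_account} cannot CopyIntoBackupVault; backups would never arrive")
    if review:
        findings.append("policy has Condition/Not* statements this lint does not evaluate; review by hand")
    return findings


# Constructed policy that follows the rule: one-way copy in, deny-all on destruction.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProdMayCopyIn", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{PROD_ACCOUNT}:root"},
         "Action": "backup:CopyIntoBackupVault", "Resource": VAULT_ARN},
        {"Sid": "NobodyDestroys", "Effect": "Deny", "Principal": "*",
         "Action": list(DESTRUCTIVE_ACTIONS), "Resource": VAULT_ARN},
    ],
}

# Constructed policy that looks convenient and is wrong: production can do anything
# to the vault, so a compromised production account can wipe the backups.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProdFullAccess", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{PROD_ACCOUNT}:root"},
         "Action": "backup:*", "Resource": VAULT_ARN},
    ],
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        findings = lint_vault_policy(policy)
        print(f"{name}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

To run it against a real vault, feed it `json.loads` of the `Policy` field returned by `aws backup get-backup-vault-access-policy --backup-vault-name <name>` in the backup account. Two caveats. First, a policy check is only the IAM half of immutability: AWS Backup Vault Lock in compliance mode is the layer enforced by AWS rather than by IAM, and it is what stops recovery points being deleted before their retention ends even by the backup account's own root user. Second, nothing here says anything about the backup account's own root and admin credentials; if those are reachable from a compromised production environment, the isolation the post describes collapses regardless of what the vault policy says.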