Contingency plans

Version: 3.0

Valid until: 2025-04-16

Classification: Low

Version Management


| Version | Author(s) | Change(s) | Date approved |
|---------|-----------|-----------|---------------|
| 1.0 | Stefan van Aalst, Edward Robinson | Initiation document | 2022-12-23 |
| 2.0 | Edward Robinson | Additions/changes as part of the annual review. Fixed a link. | 2023-06-01 |
| 3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated the blocking of a specific user section. Replaced CTO with CEO. | 2024-04-16 |

Purpose & background


anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC/27001:2017, the international standard for information security.


The purpose of this document is to describe contingency plans.


This document will be updated at least annually and when significant change happens.

Objective


The objective of this control is:


  • To establish clear procedures as contingency plans.

Scope

The scope of this document is according to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Contingency plans

Blocking of a specific user


  • Request via a ticket with the minimum requirements of:

    • Requested by a Workspace Accountable or mandated requestor of the organisation (e.g. Security Officers, department heads).

    • Name of user and username that needs to be blocked.

    • Workspace name(s) in dws-xxx-YYY format.

    • Reason and evidence.

  • The CEO or Security Officer will block the user in Entra ID, and the action has to be registered in the ticket.

  • Set a follow-up date 5 working days later.

  • All actions must be registered in the ticket.

  • anDREa does not provide reasons for blocking to other organisations to which the user might belong. anDREa will facilitate a meeting between the organisations.


Shutting down a Workspace


  • Request via a ticket with the minimum requirements of:

    • Requested by a Workspace Accountable or mandated requestor of the organisation (e.g. Security Officers, department heads).

    • Workspace name(s).

    • Reason and evidence.

  • The CEO or Security Officer will assess the above and approval has to be registered in the ticket.

  • Based on the reason and evidence, anDREa will investigate further.

    • For example, the storage account containing the data must be preserved.

  • All actions must be registered in the ticket.


Shutting down a subscription


  • Request via a ticket with the minimum requirements of:

    • Requested by a mandated requestor of the organisation (e.g. Security Officers, C-level).

    • Subscription name(s).

    • Reason and evidence.

  • The CEO and/or Security Officer will assess the above and approval has to be registered in the ticket.

  • Based on the reason and evidence, anDREa will investigate further.

    • For example, all storage accounts containing the data must be preserved.

    • Another example is giving the control plane of the subscription back to the tenant.

  • All actions must be registered in the ticket.


Shutting down myDRE


