Contingency plans

Version: 3.0

Valid until: 2025-04-16

Last reviewed: 2024-10-30

Classification: Low

Version Management


Version | Author(s) | Change(s) | Date approved
1.0 | Stefan van Aalst, Edward Robinson | Initiation document | 2022-12-23
2.0 | Edward Robinson | Additions/changes as part of the annual review. Fixed a link. | 2023-06-01
3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated the blocking of a specific user section. Replaced CTO with CEO. | 2024-04-16

Purpose & background


anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events, and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2017, the international standard for information security.


The purpose of this document is to describe contingency plans.


This document will be updated at least annually and whenever a significant change occurs.

Objective


The objective of this control is:


  • To establish clear procedures as contingency plans.

Scope

The scope of this document is as defined in Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Contingency plans

Blocking of a specific user


  • Request via a ticket with the minimum requirements of:

    • Requested by a Workspace Accountable or mandated requestor of the organisation (e.g. Security Officers, department heads).

    • Name of user and username that needs to be blocked.

    • Workspace name(s) in dws-xxx-YYY format.

    • Reason and evidence.

  • The CEO or Security Officer will block the user in Entra ID, and the action must be registered in the ticket.

  • Set a follow-up date 5 working days later.

  • All actions must be registered in the ticket.

  • anDREa does not provide reasons for blocking to other organisations to which the user might belong. anDREa will facilitate a meeting between the organisations.


Shutting down a Workspace


  • Request via a ticket with the minimum requirements of:

    • Requested by a Workspace Accountable or mandated requestor of the organisation (e.g. Security Officers, department heads).

    • Workspace name(s).

    • Reason and evidence.

  • The CEO or Security Officer will assess the above, and the approval must be registered in the ticket.

  • Based on the reason and evidence, anDREa will investigate further.

    • For example, the storage account containing the data must be preserved.

  • All actions must be registered in the ticket.


Shutting down a subscription


  • Request via a ticket with the minimum requirements of:

    • Requested by a mandated requestor of the organisation (e.g. Security Officers, C-level).

    • Subscription name(s).

    • Reason and evidence.

  • The CEO and/or Security Officer will assess the above, and the approval must be registered in the ticket.

  • Based on the reason and evidence, anDREa will investigate further.

    • For example, all storage accounts containing the data must be preserved.

    • Another example: giving the control plane of the subscription back to the tenant.

  • All actions must be registered in the ticket.


Shutting down myDRE


