Emergency Plan and Policy

Purpose

The purpose of this policy and associated plans is to determine the conditions, methods, and procedures for EticSoft Information Technologies Inc. to fulfill its obligations to customers, business partners, regulatory institutions, affiliated products and services, personnel, and third parties in unexpected and extraordinary situations.

Definition and Classification of Emergency and Unexpected Situations

Unexpected events, natural disasters, cyber attacks, energy and communication interruptions, security vulnerabilities, attacks on physical environment and infrastructure security that stop, restrict, or prevent EticSoft Information Technologies Inc.’s activities are defined as emergency and unexpected situations.

1. Extraordinary Situations for Working Environment

Situations where the working environment in EticSoft Information Technologies Inc.’s offices becomes inaccessible or unusable:

  • Natural disasters,
  • Natural events like fire, flood, explosion, storm,
  • Physical events like water flooding, power outages, damage to communication lines,
  • Social events like demonstrations, epidemics,
  • Security events like conflict, war, terrorist attack.

In situations where using office spaces is not possible or safe, business continuity will be maintained through remote working method where employees work from their location without using offices, and working conditions have been planned without dependency on office and inventory devices during the period of determining and resolving the relevant situation and any damage.

Methods and applications that will ensure communication between employees in the remote working model are determined annually and communicated to all personnel as an emergency plan.

Improvements have been made to increase efficiency in this working model, experiencing that all functions of our company can be minimally continued in the remote working model.

2. Situations Requiring Emergency Recovery for Products and Services

Situations where EticSoft Information Technologies Inc.’s electronic products and services become unusable appear possible under the following conditions:

  • Damage to communication or power lines in data centers as a result of natural disasters, fire, flood, explosion, storm, or any other reason.
  • Cyber attacks.
  • Extraordinary situations experienced by data centers.

EticSoft Information Technologies Inc. has arranged disaster recovery plans specific to each product to use the following measures and methods respectively in such situations.

A) Automatically Activated Backup Systems

If the relevant product supports it, it is built on multi-data center cloud structures to prevent interruption. In this structure, when there is an interruption in the data center, a system waiting in backup in another data center activates. In disaster situations, backup systems are arranged to activate without any broadcast loss, data loss, or any interruption. The relevant service/product continues to operate. Disaster scenario tests are applied before the product service environment goes live.

B) Disaster Recovery Backups

Backup of the relevant product is planned at the highest frequency possible and performs backup operations with an automation system. Backups are stored in two separate data centers at least 500km apart. Recovery Point Objective (RPO) and Recovery Time Objective (RTO) of these backups are used to measure emergency recovery and interruption time.

Disaster Recovery Plan Preparation Procedure

  • Parties that will be damaged in case of loss or damage to product or service assets, and resulting material and legal losses are determined.

  • Risks specific to the product or service are defined. If any, indirect risks arising from relationships with other products are determined. The legal, commercial, and administrative responsibilities and extent of losses these risks will create are determined.

  • Architectural drawings and access network topology of the product/service are re-examined to be added to the emergency plan, and additional risks are tried to be identified.

  • If possible, an instant backup system architecture that will automatically activate with a multi-data center structure is planned. This architecture is tested.

  • Independent of the automatically activated backup system, a disaster recovery plan is prepared. It is developed as a work plan consisting of recovery steps. It is put in writing.

  • Access plan is made for assigned personnel according to Emergency high-level access procedure.

  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are determined.

  • Methods for informing relevant customers during and at the end of RTO period are determined.

  • Pre-assignments are made according to relevant personnel’s work plan. Requirements (like access to recovery system) are determined and recorded with contact information.