Virtus Group BCDR Summary

v1.2 FINAL • Standardised 2025-09-04

Owner: Virtus Group Ltd • Audience: Clients, Reviewers & Operations • Classification: Public • Next Review: 2026-09-04

Executive Summary

This document describes Virtus Group’s standard for this area and how it is applied in practice. It is derived from our internal policies and standards and is intended for both reviewers and operations.

Scope & Assumptions

In scope: systems and processes directly managed by Virtus Group per contract.
Out of scope: client-owned or third‑party systems not onboarded to our managed service.
Dependencies: connectivity, power, and named client contacts for decision making.

Requirements (Key Controls)

In scope: Identity & Access, Core Networking, Secure Internet, Core Platforms (e.g., directory, DNS/DHCP, file services), Client Key Apps (per contract), Endpoint fleet management, Backup & Recovery.
Out of scope: Client‑owned third‑party SaaS and bespoke line‑of‑business systems unless explicitly onboarded. We document exceptions in the client runbook.
Dependencies: Client Internet access, power, and designated contacts for decisions during incidents.
Least‑privilege, MFA everywhere, break‑glass access sealed and tested.
Network segmentation; secure remote access; standardised baselines for endpoints and servers.
Config as code where supported; change control with peer review.
3‑2‑1‑1‑0 backup principle: at least one offline/immutable copy; routine restore tests.
Documented failover paths: identity first, then network, then apps/data.
Warm standby options for critical apps where SLAs require.
Assess: declare incident; classify Tier‑0..3 impact; start timeline.
Stabilise: contain and preserve evidence; isolate affected segments; maintain minimal access routes.
Recover: restore Tier‑0 identity boundary; re‑establish DNS/DHCP; bring up secure connectivity; restore critical apps per RTO/RPO.
Validate: service checks; user smoke tests; sign‑off.
Review: root cause, corrective actions, control improvements.
Virtus Incident Commander → Client Exec & IT Manager
Comms Lead → End‑user notifications (as approved)
Vendors/ISPs engaged via support contracts as needed
Schedules: daily incrementals; weekly synthetic fulls for Tier‑1/2; log‑level protection where supported.
Retention: minimum 30 days immutability; longer per regulatory or client requirement.
Restore testing: monthly sample restore (files/db); quarterly app recovery; annual full runbook test; evidence retained.

Procedures / Playbooks

Tier	Examples
Tier‑0	Identity platform, MFA, privileged access boundary
Tier‑1	Core Infra: AD DS, DNS/DHCP, firewall/SD‑WAN, site connectivity
Tier‑2	Key Applications (ERP/CRM), shared file services, collaboration
Tier‑3	Auxiliary services, low‑criticality workloads

Tier	RPO (max data loss)	RTO (max downtime)
Tier‑0	1 hour	4 hours
Tier‑1	4 hours	8 hours
Tier‑2	8 hours	24 hours
Tier‑3	24 hours	72 hours

Roles & RACI

Role	Responsibility
Incident Commander	Owns decisions, comms, and timeline
Core Infra Lead	Identity, directory, DNS/DHCP, virtualization
Network Lead	WAN/SD-WAN, firewalls, VPN
Apps/Data Lead	DB/app restores, file services, integrity
Comms/Privacy Officer	Stakeholder & regulatory notifications

Baseline Targets

Tier	RTO	RPO	Notes
Tier 1 (mission-critical)	4 hours	1 hour	HA where feasible; priority incident treatment
Tier 2	24 hours	4 hours	Standard business services
Tier 3	72 hours	24 hours	Back-office / low criticality

Restore testing: ≥ 1 verified restore per month per client; quarterly workload restore; annual end‑to‑end DR exercise + semiannual tabletop
Backups: 3‑2‑1‑1‑0 rule (3 copies, 2 media, 1 offsite, 1 immutable/air‑gapped, 0 errors in verification)
Retention: daily 30d, monthly 12m, yearly 7y (adjust per client/regulation)

KPIs & Reporting

Backup success ≥ 99% (30d)
Verified restore ≥ 1/month/client
RTO adherence ≥ 95%

Evidence & Records

Records are maintained per the VGL Document & Record Control guidelines, including logs, approvals, test outputs, meeting minutes, and reports.