Business continuity management and operational resilience

This section describes Itron's policy for establishing a contingency planning standard for the Itron Azure environment and the outcomes it hosts, and for documenting and implementing best practices for Itron Azure environment business continuity and a disaster recovery plan (DRP). Contingency planning aims to protect Itron’s capability to do business and mitigate the risk of the Itron Azure environment ecosystem becoming unavailable. This policy applies to all staff, contractors, or third-party personnel responsible for the Itron Azure environment and the outcomes it hosts, including all software, applications, services, data, and infrastructure. This policy applies to all business-critical assets, operations, and functionality of the Itron Azure environment and the outcomes it hosts. This policy applies to all facilities of Itron, Inc. and all its direct and indirect subsidiaries.

The infrastructure team and all developer teams utilizing the Itron Azure environment are responsible for ensuring they comply with this policy and adhere to procedures and controls that demonstrate compliance with this policy. Teams are responsible for assigning resources necessary to achieve compliance. Itron management commits to actively supporting the teams in complying with this policy by ensuring the policy is reviewed and approved, responsibilities are defined, and resources and budget are available. Any in-scope Itron employee found to have violated this policy may be subject to disciplinary action. The severity of the incident shall govern the severity of the action taken (from a verbal warning up to termination).

Policy

Itron adheres to formal, documented contingency planning procedures for the Itron Azure environment that facilitate the implementation of the contingency planning policy and associated contingency planning controls. The contingency planning procedures document addresses scope, roles and responsibilities and the contingency planning processes and procedures necessary to ensure business continuity and disaster recovery capabilities for the Itron Azure environment, its assets, and the outcomes it supports.

Contingency plan

Itron adopts Itron Azure environment contingency plans that:

  • Identify business essential operations and functionality and associated contingency requirements.

  • Provide recovery objectives, restoration priorities, and metrics.

  • Define contingency roles and responsibilities and assign individuals (and their contact details).

  • Define how business-essential operations and functionality are maintained regardless of disruption caused by asset failure or disaster.

  • Define how complete restoration of the Itron Azure environment and the outcomes it hosts is achieved without deterioration of any security safeguards originally planned and implemented.

  • Are reviewed and approved by the infrastructure team manager.

Contingency plans are distributed to all individuals who have roles and responsibilities defined in the contingency plans. Contingency plans are coordinated with Incident Handling activities. Contingency plans are reviewed at least annually. Contingency plans are updated when necessary to reflect changes to the organization, the Itron Azure environment infrastructure, platform, or outcomes hosted, or to correct problems found during contingency plan implementation or testing. Changes to contingency plans are communicated to relevant stakeholders. Contingency plans are protected from unauthorized disclosure and modification.

Contingency training

All staff with contingency plan roles and responsibilities receive training consistent with their role and responsibilities. Staff receive refresher training at least annually or when required by changes to the contingency plans.

Contingency plan testing

All contingency plans are tested/exercised at least annually to determine their effectiveness and the team’s readiness to execute the plan. Results of contingency plan tests/exercises are reviewed, and any required contingency plan corrective actions are initiated. Methods for testing/exercising contingency plans, to determine the effectiveness and potential weaknesses, include walk-through and tabletop exercises, checklists, simulations, and comprehensive disaster simulation testing.

Alternative storage and processing site

An appropriate alternative storage site for the backup and recovery of business-critical information within the Itron Azure environment is established. An appropriate alternative processing site for a resumption of business-critical operations and functionality running in the Itron Azure environment is established, for when primary processing capabilities are unavailable. The alternative storage and processing sites provide security protection equivalent to the primary site. The alternative storage and processing sites are geographically distinct from the primary sites (for example, in a different Azure region).

Information backup

Business-critical Itron Azure environment information, configuration, and state are regularly backed up. This could include application data, system data, application state, application configuration, system configuration, infrastructure configuration, keys, and licenses. Itron Azure environment documentation is regularly backed up. The confidentiality, integrity, and availability of backed-up information at the storage location is maintained.

Information recovery and reconstitution

Itron is prepared to execute the contingency plans to recover its business-essential Itron Azure environment operations and functionality to a known state after the disruption caused by asset failure or disaster. Following recovery, Itron provides for the complete reconstitution of its operations and functionality to fully operational states. This could involve returning the operation to the primary site.

Procedure

All Itron Azure environment assets, infrastructure, outcomes, and services are subject to the Itron Azure environment contingency planning policy and procedures on all Itron Azure environment production instances.

Team processes

Teams implement contingency planning procedures for the Itron Azure environment assets they are responsible for.

  • The infrastructure team implements the contingency planning procedures described in this section for the Itron Azure environment Infrastructure and Operational Services (logging, monitoring, alerting, metrics), for each Itron Azure environment production instance.

  • Each developer team implements the contingency planning procedures described in this section for their platform services or outcomes, for each Itron Azure environment production instance on which they operate.

  1. Backup or replication of team business-critical information

    1. Conduct a Business Impact Analysis to identify the team’s critical business processes and Itron Azure environment assets and determine their recovery priorities. Determine the impact of a system disruption and the maximum amount of downtime for Recovery Time Objective (RTO) and data loss for Recovery Point Objective (RPO) that can be tolerated.

    2. Determine the confidentiality classification of the information.

    3. Ensure that all business-critical and essential information (data, configuration, state, certificates, keys, and licenses) necessary to re-create the team’s Itron Azure environment assets can be recovered, for example from backup or replication, in the alternative Azure region, if the primary Azure region and the information stored in it is lost.

      • The Azure region that is paired to the primary Itron Azure environment instance’s Azure region is used as the alternative region for recovering business-critical information.

      • As a minimum, infrastructure-specific and platform services-specific business-critical information is recoverable to points in time on a 24-hourly cadence, so that RPO in the event of a disaster is 24 hours, and so that the data remains approximately synchronized.

      • The frequency and cadence of outcome-specific recovery points are defined by the developer team, based on their specific customer requirements for RPO.

      • All backups, replications, and copies of data that are classified as confidential or private are encrypted.

      • All backups, replications, and copies of data stored at the alternative storage site are secured as defined in the Itron Azure environment Security Architecture.

      • Backups are not deleted without team manager approval.

  2. Development of team recovery and reconstitution processes

    To achieve an RTO of 3 days for the complete Itron Azure environment instance being recovered, each team’s recovery processes complete within a maximum one-day time frame. The team’s Itron Azure environment assets can be recovered and reconstituted in the primary processing site (the original Azure region), for the scenario that the original Azure region is recovered, but the Itron Azure environment instance in that region remains lost. The team’s Itron Azure environment assets can be recovered and reconstituted in the alternative processing site (the paired Azure region), for the scenario that the original Azure region remains offline. The same capabilities (for example, Azure services) are available at the alternative processing site (the paired Azure region).

    1. Recovery processes restore business-critical Itron Azure environment assets within the agreed RTO.

    2. Reconstitution processes restore non-business-critical Itron Azure environment assets. Reconstitution processes run as a second step after full recovery of business-critical functionality is achieved.

  3. Creation of team disaster recovery plan (DRP)

    1. The documentation and publication of a DRP for the recovery of the team’s business-critical Itron Azure environment assets that:

      • Defines how a disaster recovery situation is declared and how the execution of the team’s DRP is triggered

      • Identifies the team’s business-critical Itron Azure environment assets to be recovered

      • Provides team recovery objectives, restoration priorities, and metrics

      • Defines team roles and responsibilities, and assigns individuals and their contact details

      • Lists stakeholders who need to be informed in the case of the team’s DRP being triggered, and how to inform them

      • Provides detailed step-by-step instructions on how the team’s business-critical Itron Azure environment assets can be recovered to a known state after disruption, in line with the RTO and RPO. Recovery processes are written at a level such that an appropriately skilled engineer can perform the recovery without intimate system knowledge

      • Describes how the recovery of the team’s Itron Azure environment assets is achieved without deterioration of any security safeguards

      • Details what disaster recovery actions need to be documented, or which auditable artifacts need to be retained, during the process, for post-incident review purposes

      • Provides tests that are to be used to confirm the team’s Itron Azure environment assets are restored effectively and are operating correctly

      • Defines who is responsible for declaring that recovery of the team’s Itron Azure environment assets is successful, and the team is ready to go live

    2. The team’s DRP is updated as required to reflect changes to implementation and personnel.

    3. The team’s DRP is re-reviewed after being updated, and at least annually, by Itron Security, the responsible developer team manager, subject matter experts that they nominate, and other key stakeholders identified by the team.

    4. The developer team manager accountable for the team is responsible for approving the team’s DRP.

    5. On approval, the team’s DRP is published in the approved storage location, in a read-only format and made accessible to all with roles and responsibilities in the plan, and all other stakeholders.

    6. All individuals who have roles and responsibilities in the team’s DRP are informed of the team’s DRP publication by email, and a copy of the email is saved in a folder inside the approved storage location.

  4. Team disaster recovery training

    1. Each team is responsible for training all staff who have disaster recovery roles and responsibilities on their team’s DRPs.

    2. Staff receive refresher training at least annually, or when required due to role or personnel changes or disaster recovery process changes.

    3. Traceable evidence that the DRP training has been done is retained in a folder inside the approved storage location. For example, meeting invites and meeting minutes.

  5. Team disaster recovery testing

    1. Each team is responsible for the testing or exercising of their team’s DRPs at least annually to determine their effectiveness and the team’s readiness to execute the plan.

    2. Methods for testing/exercising contingency plans to determine the effectiveness and potential weaknesses include walk-through and tabletop exercises, checklists, simulations, and comprehensive disaster simulation testing.

    3. Traceable evidence that the DRP testing has been done, results have been reviewed, and any required corrective actions made, is retained in a folder inside the approved storage location. For example, meeting invites, meeting minutes, test plans, test results, lessons learned, work items created for any corrective actions.

Global processes

The infrastructure team implements the global DRP that coordinates the execution of the team-specific DRPs to recover the full Itron Azure environment instance, for each Itron Azure environment production instance.

  1. The documentation and publication of a global DRP to coordinate the execution of the team-specific DRPs required to recover an Itron Azure environment instance that:

    • Defines who is responsible for declaring a disaster recovery situation, how it is declared, and how the execution of the global DRP for an Itron Azure environment instance is triggered

    • Provides global instance-specific recovery objectives, restoration priorities, and metrics

    • Defines roles and responsibilities, and assigns individuals and their contact details

    • Lists stakeholders who need to be informed in the case of the DRP being triggered, and how to inform them

    • Orchestrates the execution of the team-specific DRPs, including roles and responsibilities, handoffs, and communication requirements and mechanisms

    • Describes how the recovery of the Itron Azure environment instance is achieved without deterioration of any security safeguards

    • Defines who is responsible for declaring that recovery of the Itron Azure environment instance is successful and that it is ready to “go live”

  2. The global DRP is updated as required to reflect changes to implementation and personnel.

  3. The global DRP is re-reviewed after being updated, and at least annually, by Itron Security, subject matter experts that they nominate, the infrastructure team leaders, and other key stakeholders identified.

  4. The infrastructure team manager is responsible for approving the global DRP.

  5. On approval, the global DRP is published and made accessible to all with roles and responsibilities in the plan, and all other stakeholders.

  6. All individuals who have roles and responsibilities in the global DRP are informed of the global DRP publication by email, and a copy of the email is saved in a folder inside the approved storage location.