BCPPlan.md

April 21, 2026 Β· View on GitHub

Hack23 Logo

πŸ“‹ Citizen Intelligence Agency β€” Business Continuity Plan

πŸ›‘οΈ Resilience Through Structured Recovery Planning
🎯 RTO/RPO Targets β€’ Failover Procedures β€’ Disaster Recovery β€’ Communication Plans

Owner Version Effective Date Review Cycle

πŸ“‹ Document Owner: CEO | πŸ“„ Version: 1.1 | πŸ“… Last Updated: 2026-04-20 (UTC)
πŸ”„ Review Cycle: Annual | ⏰ Next Review: 2027-04-20
🏷️ Classification: Public (Open Civic Transparency Platform)


🎯 Purpose & Scope

This Business Continuity Plan (BCP) establishes the framework for maintaining critical operations of the Citizen Intelligence Agency (CIA) democratic transparency platform during disruptive events. It defines recovery objectives, failover procedures, and communication protocols to ensure platform resilience aligned with the Hack23 ISMS Backup & Recovery Policy and Classification Framework.

πŸ“š Architecture Documentation Map

DocumentFocusDescriptionDocumentation Link
ArchitectureπŸ›οΈ ArchitectureC4 model showing current system structureView Source
Security ArchitectureπŸ›‘οΈ SecurityComplete security implementation overviewView Source
Threat ModelπŸ›‘οΈ SecuritySTRIDE/MITRE ATT&CK threat analysisView Source
Financial Security PlanπŸ’° SecurityAWS security implementation costs and ROIView Source
End-of-Life StrategyπŸ“… LifecycleTechnology maintenance and patching strategyView Source
ISMS Compliance MappingπŸ” ISMSComprehensive ISMS-PUBLIC policy mappingView Source
CRA AssessmentπŸ›‘οΈ ComplianceEU Cyber Resilience Act conformityView Source

πŸ”— ISMS Policy Alignment

ISMS PolicyRelevanceLink
Backup & Recovery PolicyPrimary recovery frameworkView
Incident Response PlanIncident escalation proceduresView
Classification FrameworkRTO/RPO classification targetsView
Network Security PolicyNetwork resilience requirementsView

πŸ“Š System Classification & Recovery Objectives

🏷️ Platform Classification

DimensionLevelRationale
πŸ” ConfidentialityPublicParliamentary, governmental, and open economic data sources
πŸ”’ IntegrityHighAnalytical credibility and ranking accuracy are critical
⚑ AvailabilityModeratePublic civic transparency; tolerates brief maintenance windows

🎯 Recovery Time Objectives (RTO)

ComponentRTORPOPriorityJustification
Web Application (Vaadin 8.14.4/Spring 5.3.39/Jetty 12.1.8)4 hours1 hourP1Primary public-facing interface for civic transparency
PostgreSQL 18 Database2 hours15 minutesP1Core data store with analytical views; point-in-time recovery
Data Import Services8 hours24 hoursP2Batch processing; data is re-importable from external APIs
Authentication & Session (Spring Security 5.8.16 + MFA)4 hours1 hourP1Required for registered user and admin access; includes optional MFA enrollment
AWS Infrastructure (WAF/ALB)1 hourN/AP0CloudFormation automated re-provisioning
Monitoring (GuardDuty/Security Hub)4 hoursN/AP2Security monitoring can tolerate brief gaps
CI/CD Pipeline (GitHub Actions)24 hoursN/AP3Development workflow; not user-facing

πŸ“ˆ Recovery Priority Matrix

graph TD
    subgraph "P0 β€” Immediate (< 1 hour)"
        A[AWS Infrastructure<br/>WAF / ALB / VPC]
    end
    
    subgraph "P1 β€” Critical (< 4 hours)"
        B[PostgreSQL 18 Database<br/>RDS Multi-AZ Failover]
        C[Web Application<br/>Jetty 12.1.8 / Spring 5.3.39]
        D[Authentication<br/>Spring Security 5.8.16 / MFA]
    end
    
    subgraph "P2 β€” Important (< 8 hours)"
        E[Data Import Services<br/>Riksdag / Election APIs]
        F[Security Monitoring<br/>GuardDuty / Security Hub]
    end
    
    subgraph "P3 β€” Normal (< 24 hours)"
        G[CI/CD Pipeline<br/>GitHub Actions]
        H[Documentation<br/>Static Content]
    end
    
    A --> B
    A --> C
    B --> D
    C --> E
    D --> F
    F --> G
    G --> H

    style A fill:#ff4444,color:#fff
    style B fill:#ff8800,color:#fff
    style C fill:#ff8800,color:#fff
    style D fill:#ff8800,color:#fff
    style E fill:#ffbb33,color:#000
    style F fill:#ffbb33,color:#000
    style G fill:#99cc00,color:#000
    style H fill:#99cc00,color:#000

πŸ—οΈ Infrastructure Architecture & Resilience

☁️ AWS Multi-AZ Deployment Architecture

graph TB
    subgraph "AWS Region: eu-north-1 (Stockholm)"
        subgraph "Availability Zone A"
            EC2_A[EC2 Instance<br/>CIA Application<br/>Jetty 12.1.8 / Java 26]
            RDS_P[RDS Primary<br/>PostgreSQL 18<br/>pgaudit/pgcrypto/pgvector]
        end
        
        subgraph "Availability Zone B"
            EC2_B[EC2 Instance<br/>CIA Application<br/>Jetty 12.1.8 / Java 26]
            RDS_S[RDS Standby<br/>PostgreSQL 18<br/>Synchronous Replica]
        end
        
        subgraph "Shared Services"
            ALB[Application Load Balancer]
            WAF[AWS WAF]
            S3[S3 Backup Bucket<br/>Versioned + Lifecycle]
            KMS[AWS KMS<br/>Encryption Keys]
        end
    end
    
    WAF --> ALB
    ALB --> EC2_A
    ALB --> EC2_B
    EC2_A --> RDS_P
    EC2_B --> RDS_P
    RDS_P -->|Synchronous Replication| RDS_S
    RDS_P -->|Automated Snapshots| S3
    KMS -.->|Encryption| RDS_P
    KMS -.->|Encryption| S3

    style RDS_P fill:#2196F3,color:#fff
    style RDS_S fill:#4CAF50,color:#fff
    style WAF fill:#FF5722,color:#fff
    style ALB fill:#FF9800,color:#fff

πŸ”„ Automated Failover Mechanisms

ComponentFailover TypeMechanismExpected Recovery
RDS PostgreSQL 18AutomaticMulti-AZ with synchronous standby60–120 seconds
EC2 InstancesAutomaticAuto Scaling Group health checks2–5 minutes
Load BalancerAutomaticALB health check routingImmediate (unhealthy target removal)
WAFAutomaticAWS-managed, regional serviceN/A (always available)
S3 StorageBuilt-in99.999999999% durabilityN/A
KMS KeysBuilt-inAWS-managed multi-AZ replicationN/A

🚨 Disruption Scenarios & Response Procedures

Scenario 1: Single Availability Zone Failure

PhaseActionOwnerDuration
DetectionCloudWatch alarms trigger on EC2/RDS healthAutomated< 1 minute
FailoverRDS promotes standby; ALB routes to healthy AZAutomated1–2 minutes
ValidationHealth check endpoints confirm service recoveryAutomated2–3 minutes
NotificationSNS alert to operations teamAutomated< 5 minutes
Post-IncidentReview CloudTrail logs; document in incident logOperations< 24 hours

Scenario 2: Database Corruption or Data Loss

PhaseActionOwnerDuration
DetectionApplication errors; data integrity check failuresMonitoring / Users< 15 minutes
AssessmentDetermine corruption scope via audit logs (Javers)DBA / Operations< 30 minutes
RecoveryPoint-in-time recovery from automated RDS snapshotsDBA1–2 hours
ValidationRun data integrity checks against source APIsOperations1–2 hours
Re-importRe-run affected data imports from Parliament/Election APIsAutomated2–8 hours

Scenario 3: Full Region Outage

PhaseActionOwnerDuration
DetectionAWS Health Dashboard notification; external monitoringAutomated< 5 minutes
AssessmentEvaluate AWS estimated recovery vs manual failoverCEO / Operations< 30 minutes
DecisionIf AWS ETA > 4 hours, initiate cross-region recoveryCEO30 minutes
RecoveryRestore from S3 cross-region backup to secondary regionOperations2–4 hours
ValidationVerify data integrity and service functionalityOperations1–2 hours
CommunicationStatus page update; stakeholder notificationCEOOngoing

Scenario 4: Security Incident (Compromise)

PhaseActionOwnerDuration
DetectionGuardDuty alert; Security Hub finding; Drools BruteForceAttack rulesAutomated< 5 minutes
ContainmentIsolate affected resources; revoke compromised credentials; MFA enforcementSecurity / Operations< 1 hour
AssessmentForensic analysis via CloudTrail, VPC Flow LogsSecurity2–4 hours
RecoveryRe-provision from CloudFormation; restore clean dataOperations2–4 hours
CommunicationFollow Incident Response PlanCEOPer IRP

πŸ’Ύ Backup Strategy

πŸ“¦ Backup Architecture

Data TypeBackup MethodFrequencyRetentionStorage
PostgreSQL 18 DatabaseRDS Automated SnapshotsDaily + continuous WAL35 daysSame-region S3
Database (Point-in-Time)RDS PITRContinuous (5-min granularity)35 daysSame-region
Application ConfigurationCloudFormation templatesOn every change (Git)IndefiniteGitHub + S3
Encryption KeysAWS KMS automatic rotationAnnual rotationIndefiniteAWS KMS (multi-AZ)
Audit Logs (CloudTrail)S3 with lifecycle policyContinuous1 year active + GlacierS3 + Glacier
Application LogsCloudWatch LogsContinuous90 daysCloudWatch
Source CodeGit (GitHub)On every commitIndefiniteGitHub + local clones

🌍 Cross-Region Backup

AssetPrimary RegionBackup RegionReplicationEncryption
RDS Snapshotseu-north-1eu-west-1Daily cross-region copyKMS CMK
S3 Audit Logseu-north-1eu-west-1S3 Cross-Region ReplicationSSE-KMS
CloudFormationGitHubGitHubGit distributedN/A

πŸ§ͺ Backup Validation Schedule

Test TypeFrequencyLast TestedNext ScheduledSuccess Criteria
RDS Snapshot RestoreQuarterlyPer deploymentNext quarterFull data recovery within RTO
Point-in-Time RecoverySemi-annuallyPer deploymentNext cycleRecovery to specific timestamp
CloudFormation Stack DeployMonthly (CI/CD)Every releaseNext releaseComplete infrastructure provisioning
Cross-Region RestoreAnnuallyInitial setupNext annual reviewFull service in secondary region

πŸ“’ Communication & Escalation

πŸ”” Escalation Matrix

SeverityDescriptionInitial ResponseEscalation PathCommunication
P0 β€” CriticalComplete platform unavailability< 15 minutesOperations β†’ CEOStatus page + stakeholder email
P1 β€” HighMajor feature degradation< 30 minutesOperations β†’ CEOStatus page update
P2 β€” MediumMinor feature impact< 2 hoursOperationsInternal notification
P3 β€” LowNon-user-facing issue< 8 hoursOperationsInternal ticket

πŸ“ž Contact Information

RoleResponsibilityContact Method
CEO / Platform OwnerFinal decision authority; external communicationGitHub Issues / Email
OperationsTechnical response; infrastructure managementGitHub Issues / Monitoring alerts
SecurityIncident investigation; forensic analysisSecurity advisory process

πŸ“ Communication Templates

Initial Incident Notification:

Subject: [CIA Platform] Service Disruption - [Severity]
Status: Investigating
Impact: [Description of user impact]
ETA: [Estimated recovery time]
Updates: [Frequency of updates]

Resolution Notification:

Subject: [CIA Platform] Service Restored - [Severity]
Status: Resolved
Duration: [Total outage duration]
Root Cause: [Brief description]
Follow-up: [Post-incident review date]


πŸ”„ BCP Maintenance & Testing

πŸ“… Review Schedule

ActivityFrequencyOwnerDeliverable
BCP Document ReviewAnnualCEOUpdated BCPPlan.md
Tabletop ExerciseAnnualOperations + CEOExercise report
Failover Testing (RDS)QuarterlyOperationsTest results documentation
Backup Restoration TestQuarterlyOperationsRecovery validation report
Contact Information UpdateSemi-annuallyCEOUpdated contact matrix
Compliance Alignment CheckAnnualCEOISMS compliance evidence

πŸ“Š BCP Effectiveness Metrics

MetricTargetMeasurementFrequency
Actual RTO vs TargetWithin defined RTORecovery time during incidents/testsPer incident/test
Backup Success Rate> 99.9%Successful backups / total scheduledMonthly
Failover Success Rate100%Successful failovers / total attemptsPer test
Data Loss (RPO adherence)Zero data loss beyond RPOData gap during recoveryPer incident
Communication TimelinessWithin severity SLATime to first notificationPer incident

πŸ“œ Compliance Framework Alignment

πŸ›οΈ Standards Mapping

FrameworkControlBCP RequirementImplementation
ISO 27001:2022A.5.29, A.5.30Business continuity planningThis document + tested procedures
ISO 27001:2022A.8.13, A.8.14Information backup and redundancyRDS Multi-AZ + S3 cross-region
NIST CSF 2.0RC.RPRecovery planningDocumented procedures per scenario
NIST CSF 2.0RC.CORecovery communicationsEscalation matrix + templates
CIS Controls v8.111Data recoveryAutomated backups + tested restoration
AWS Well-ArchitectedREL-9Backup strategyMulti-AZ + cross-region replication
AWS Well-ArchitectedREL-13Disaster recovery planDocumented failover procedures

πŸ“ Appendix: Recovery Runbooks

Runbook A: RDS Point-in-Time Recovery

  1. Identify target recovery timestamp from CloudTrail/application logs
  2. Initiate RDS point-in-time recovery via AWS Console or CLI
  3. Verify recovered instance data integrity
  4. Update application configuration to point to recovered instance
  5. Validate application functionality via health check endpoints
  6. Update DNS/ALB target group if necessary
  7. Document recovery in incident log

Runbook B: CloudFormation Stack Re-Provisioning

  1. Verify CloudFormation template is current in repository
  2. Deploy stack to target region/AZ
  3. Restore database from latest snapshot or cross-region copy
  4. Configure application environment variables (Secrets Manager)
  5. Validate security group rules and WAF configuration
  6. Run smoke tests against deployed environment
  7. Switch traffic via ALB/Route 53

Runbook C: Data Re-Import from External Sources

  1. Verify external API availability (Riksdag, Election Authority, World Bank)
  2. Initiate full data import sequence via admin interface
  3. Monitor import progress via application logs
  4. Validate imported data against known checksums/counts
  5. Rebuild analytical views and materialized data
  6. Verify dashboard accuracy against source data

πŸ“‹ Document Control:
βœ… Approved by: James Pether SΓΆrling, CEO - Hack23 AB
πŸ“€ Distribution: Public
🏷️ Classification: Confidentiality: Public Integrity: High Availability: Moderate
πŸ“… Effective Date: 2026-04-20
⏰ Next Review: 2027-04-20
🎯 Framework Compliance: ISO 27001 NIST CSF 2.0 CIS Controls AWS Well-Architected