Add Business Resiliency Policy and update navigation; refine email and remote access policies for clarity

Author: johnmckeever

src/data/nav-items.yaml

@@ -22,6 +22,8 @@
       path: /policies/acceptable_use_policy
     - title: Anti-virus Guidelines
       path: /policies/anti_virus_guidelines
+    - title: Business Resiliency Policy
+
     - title: Change Management and Control
       path: /policies/change_management_and_control
     - title: Cloud Computing Policy
@@ -34,10 +36,10 @@
       path: /policies/cybersecurity_executive_summary
     - title: Data Breach Response
       path: /policies/data_breach_response
-    - title: Database Credentials Policy
-      path: /policies/database_credentials_policy
     - title: Data Protection Policy
       path: /policies/data_protection_policy
+    - title: Database Credentials Policy
+      path: /policies/database_credentials_policy
     - title: Disaster Recovery plan Policy
       path: /policies/disaster_recovery_plan_policy
     - title: Email Policy
@@ -104,5 +106,7 @@
       path: /policies/technology_equipment_disposal_policy
     - title: Vendor Management Policy
       path: /policies/vendor_management_policy
+    - title: Vulnerability Management Policy
+      path: /policies/vulnerability_management_policy
     - title: Workstation Security for HIPPA Policy
       path: /policies/workstation_security_for_hipaa_policy

src/pages/policies/business_resilience_policy.md

@@ -27,17 +27,13 @@ The purpose of this policy is to ensure that Data Migrators can anticipate, prep
 
 **Scope:** This policy applies to all employees, contractors, and third-party vendors. It covers all physical operations and cloud-hosted environments (e.g., AWS, Azure, GCP).
 
----
-
 ## 2. Resilience Objectives
 Our goal is to protect our people, our reputation, and our customers' data. We aim to achieve the following metrics:
 
 * **Recovery Time Objective (RTO):** Critical customer-facing services must be restored within **4 business hours** of a declared disaster.
 * **Recovery Point Objective (RPO):** Maximum allowable data loss is **1 hour** of transactions.
 * **Availability:** Maintain a service level agreement (SLA) of **99.9%** uptime.
 
----
-
 ## 3. Governance and Roles
 
 | Role | Responsibility |
@@ -47,8 +43,6 @@ Our goal is to protect our people, our reputation, and our customers' data. We a
 | **Product/DevOps Lead** | Ensuring software architecture supports high availability and DR. |
 | **Customer Success** | Managing communication with clients during service disruptions. |
 
----
-
 ## 4. Critical Business Functions (CBF)
 The following functions are prioritized for recovery in the event of a disruption:
 
@@ -57,8 +51,6 @@ The following functions are prioritized for recovery in the event of a disruptio
 3.  **Software Development Pipeline:** CI/CD tools required for security patching.
 4.  **Financial Operations:** Payroll and accounts receivable/payable.
 
----
-
 ## 5. Resilience Strategy
 
 ### 5.1 Infrastructure & Data Resilience (DR)
@@ -75,17 +67,13 @@ The following functions are prioritized for recovery in the event of a disruptio
 * **Immutable Logs:** Maintain tamper-proof audit logs to detect and recover from ransomware.
 * **Security Patches:** Critical security vulnerabilities in the software must be patched within **[e.g., 24-48]** hours.
 
----
-
 ## 6. Testing and Maintenance
 A plan is only as good as its last test. Data Migrators commits to:
 
 * **Tabletop Exercises:** Annual walkthroughs of "What-if" scenarios (e.g., AWS Region outage, Ransomware).
 * **DR Drills:** Semi-annual technical failover tests to confirm RTO/RPO targets are met.
 * **Policy Review:** This policy is reviewed annually or after any major architectural change.
 
----
-
 ## 7. Communication Plan
 In the event of a disruption affecting customers:
 

src/pages/policies/capacity_and_performance_management_policy.md

@@ -1,50 +1,75 @@
+---
+title: Capacity and Performance Management Policy
+description: Our Capacity and Performance Management Policy
+keywords: 'policy,capacity, performance management,security,markdown'
+---
+
+<PageDescription>
+
+This page describes Data Migrators' capacity and performance management policy
+
+</PageDescription>
+
+<AnchorLinks>
+    <AnchorLink>Purpose</AnchorLink>
+    <AnchorLink>Policy Statement</AnchorLink>
+    <AnchorLink>Capacity Monitoring Procedures</AnchorLink>
+    <AnchorLink>Resource Optimization</AnchorLink>
+    <AnchorLink>Roles and Responsibilities</AnchorLink>
+    <AnchorLink>Policy Compliance</AnchorLink>
+</AnchorLinks>
+
 # Capacity and Performance Management Policy
 
 ## 1. Purpose
+
 The purpose of this policy is to ensure that Data Migrators' systems are proactively monitored and managed to provide consistent performance, high availability, and scalability. This policy ensures that infrastructure capacity aligns with business growth and technical evolution.
 
 ## 2. Policy Statement
-**Our organization requires that system resources are monitored to ensure adequate capacity for new, upgraded, or enhanced systems.**
 
-To fulfill this requirement, Data Migrators shall:
+Our organization requires that system resources are monitored to ensure adequate capacity for new, upgraded, or enhanced systems.  To fulfill this requirement, Data Migrators shall:
+
 * Maintain a continuous baseline of resource utilization (CPU, memory, storage, and network).
 * Forecast future capacity requirements based on the product roadmap and sales projections.
 * Proactively identify and mitigate potential bottlenecks before they impact service delivery or customer experience.
 
----
-
 ## 3. Capacity Monitoring Procedures
 
 ### 3.1 Real-Time Monitoring and Alerting
-All production environments must be integrated with automated monitoring tools (e.g., AWS CloudWatch, Datadog). 
+
+All production environments must be integrated with automated monitoring tools (e.g., AWS CloudWatch). 
+
 * **Thresholds:** Automated alerts are configured to trigger when resource utilization exceeds **75%** of allocated capacity.
 * **Visibility:** Real-time dashboards must be maintained to provide the technical team with immediate visibility into system health.
 
 ### 3.2 Cloud Elasticity and Auto-Scaling
+
 As a cloud-native ISV, we utilize dynamic scaling to ensure "adequate capacity" is available on-demand:
+
 * **Auto-Scaling:** Critical application tiers must use Auto-Scaling Groups (ASGs) to handle traffic spikes.
 * **Quota Management:** AWS Service Quotas (limits) must be reviewed quarterly to ensure that account-level restrictions do not impede the ability to scale.
 
 ### 3.3 New and Upgraded Systems
+
 Before the deployment of any new software system or significant feature enhancement:
+
 * **Impact Assessment:** The engineering team must evaluate the expected resource consumption of the new code.
 * **Load Testing:** For major releases, load testing must be performed in a staging environment to validate that the production architecture can handle the anticipated increase in demand.
 
----
-
 ## 4. Resource Optimization
+
 To balance resilience with cost-efficiency, the following practices are mandated:
+
 * **Right-Sizing:** Monthly reviews of infrastructure utilization to downsize underutilized resources.
 * **Decommissioning:** Procedures must be in place to identify and remove "orphan" resources (e.g., unattached storage volumes) that no longer contribute to system capacity.
 
----
-
 ## 5. Roles and Responsibilities
+
 * **Infrastructure/DevOps Team:** Responsible for implementing monitoring tools, managing auto-scaling logic, and responding to capacity alerts.
 * **Product Management:** Responsible for communicating forecasted increases in user load or data processing requirements.
 * **CTO/Engineering Lead:** Responsible for the strategic oversight of infrastructure spend and capacity planning.
 
----
 
 ## 6. Policy Compliance
+
 Failure to comply with this policy may result in service degradation or outages. Compliance is verified through annual internal audits and periodic reviews of monitoring logs and scaling performance.

src/pages/policies/change_management_and_control.md

@@ -15,6 +15,20 @@ This page describes Data Migrators’ policy on change management and control.
   <AnchorLink>Purpose</AnchorLink>
   <AnchorLink>Scope</AnchorLink>
   <AnchorLink>Policy</AnchorLink>
+  <AnchorLink>Operational Procedures</AnchorLink>
+  <AnchorLink>Documented Change</AnchorLink>
+  <AnchorLink>Risk Management</AnchorLink>
+  <AnchorLink>Change Classification</AnchorLink>
+  <AnchorLink>Testing</AnchorLink>
+  <AnchorLink>Changes Affecting SLA‘s</AnchorLink>
+  <AnchorLink>Version Control</AnchorLink>
+  <AnchorLink>Approval</AnchorLink>
+  <AnchorLink>Communicating Changes</AnchorLink>
+  <AnchorLink>Implementation</AnchorLink>
+  <AnchorLink>Fall Back</AnchorLink>
+  <AnchorLink>Documentation</AnchorLink>
+  <AnchorLink>Business Continuity Plans (BCP)</AnchorLink>
+  <AnchorLink>Change Monitoring</AnchorLink>
   <AnchorLink>Roles And Responsibilities</AnchorLink>
   <AnchorLink>Policy Compliance</AnchorLink>
   <AnchorLink>Exceptions</AnchorLink>
@@ -87,7 +101,7 @@ All change requests shall be prioritised in terms of benefits, urgency, effort r
 
 Changes shall be tested in an isolated, controlled, and representative environment (where such an environment is feasible) prior to implementation to minimise the effect on the relevant business process, to assess its impact on operations and security and to verify that only intended and approved changes were made. 
 
-### Changes Affecting Sla‘s
+### Changes Affecting SLA‘s
 
 The impact of change on existing SLA’s shall be considered. Where applicable, changes to the SLA shall be controlled through a formal change process which includes contractual amendments. 
 
@@ -116,7 +130,7 @@ Procedures for aborting and recovering from unsuccessful changes shall be docume
 Information resources documentation shall be updated on the completion of each change and old documentation shall be archived or disposed of as per the documentation and data retention policies.
 Information resources documentation is used for reference purposes in various scenarios i.e. further development of existing information resources as well as ensuring adequate knowledge transfer in the event of the original developer and/or development house being unavailable.  It is therefore imperative that information resources documentation is complete, accurate and kept up to date with the latest changes. Policies and procedures, affected by software changes, shall be updated on completion of each change. 
 
-### Business Continuity Plans (Bcp)
+### Business Continuity Plans (BCP)
 
 Business continuity plans shall be updated with relevant changes, managed through the change control process. Business continuity plans rely on the completeness, accuracy and availability of BCP documentation.  BCP documentation is the road map used to minimise disruption to critical business processes where possible, and to facilitate their rapid recovery in the event of disasters.  
 

src/pages/policies/communications_equipment_policy.md

@@ -12,15 +12,15 @@ equipment such as laptops and phones.
 </PageDescription>
 
 <AnchorLinks>
-<AnchorLink>Overview</AnchorLink>
-<AnchorLink>Purpose</AnchorLink>
-<AnchorLink>Scope</AnchorLink>
-<AnchorLink>Policy</AnchorLink>
-<AnchorLink>Policy Compliance</AnchorLink>
-<AnchorLink>Exceptions</AnchorLink>
-<AnchorLink>Non-compliance</AnchorLink>
-<AnchorLink>Related Documents</AnchorLink>
-<AnchorLink>Definitions and Terms</AnchorLink>
+    <AnchorLink>Overview</AnchorLink>
+    <AnchorLink>Purpose</AnchorLink>
+    <AnchorLink>Scope</AnchorLink>
+    <AnchorLink>Policy</AnchorLink>
+    <AnchorLink>Policy Compliance</AnchorLink>
+    <AnchorLink>Exceptions</AnchorLink>
+    <AnchorLink>Non-compliance</AnchorLink>
+    <AnchorLink>Related Documents</AnchorLink>
+    <AnchorLink>Definitions and Terms</AnchorLink>
 </AnchorLinks>
 
 ## Overview

src/pages/policies/email_policy.md

@@ -36,7 +36,7 @@ This policy covers appropriate use of any email sent from a Data Migrators email
 
 ## Policy
 
-1.  All use of email must be consistent with Data Migrators policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices. 
+1.  All use of email must be consistent with Data Migrators policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
 
 2.  Data Migrators email account should be used primarily for Data Migrators business-related purposes; personal communication is permitted on a limited basis, but non-Data Migrators related commercial uses are prohibited.
 
@@ -55,7 +55,7 @@ This policy covers appropriate use of any email sent from a Data Migrators email
 
 7.  Users are prohibited from automatically forwarding Data Migrators email to a third party email system (noted in 4.8 below). Individual messages which are forwarded by the user must not contain Data Migrators confidential or above information. 
 
-8.  Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct Data Migrators business, to create or memorialize any binding transactions, or to store or retain email on behalf of Data Migrators.  Such communications and transactions should be conducted through proper channels using Data Migrators-approved documentation. 
+8.  Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct Data Migrators business, to create or memorialize any binding transactions, or to store or retain email on behalf of Data Migrators. Such communications and transactions should be conducted through proper channels using Data Migrators-approved documentation.
 
 9.  Using a reasonable amount of Data Migrators resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a Data Migrators email account is prohibited. 
 

src/pages/policies/employee_confidentiality_policy.md

@@ -20,7 +20,7 @@ This page describes Data Migrators' employee confidentiality policy.
 
 ## Purpose
 
-We designed our company confidentiality policy to explain how we expect our employees to treat confidential information. Employees will unavoidably receive and handle personal and private information about clients, partners and our company. We want to make sure that this information is well-protected.
+We designed our company confidentiality policy to explain how we expect our employees to treat confidential information. Employees will unavoidably receive and handle personal and private information about clients, partners and our company. We want to make sure that this information is well protected.
 
 We must protect this information for two reasons. It may:
 -	Be legally binding (e.g. sensitive customer data.)

src/pages/policies/internet_usage_policy.md

@@ -55,7 +55,7 @@ The Internet usage Policy applies to all Internet users (individuals
 working for the company, including permanent full-time and part-time
 employees, contract workers, temporary agency workers, business
 partners, and vendors) who access the Internet through the computing or
-networking resources. The company\'s Internet users are expected to be
+networking resources. The company's Internet users are expected to be
 familiar with and to comply with this policy, and are also required to
 use their common sense and exercise their good judgment while using
 Internet services.
@@ -320,9 +320,9 @@ various systems across which it has been transmitted.
 
 When using company resources to access and use the Internet, users must
 realize they represent the company. Whenever employees state an
-affiliation to the company, they must also clearly indicate that \"the
+affiliation to the company, they must also clearly indicate that "the
 opinions expressed are my own and not necessarily those of the
-company\". Questions may be addressed to the IT Department.
+company". Questions may be addressed to the Directors.
 
 ### Company Materials
 
@@ -391,8 +391,7 @@ potential Internet user is required to read this Internet usage Policy
 and sign an acknowledgment form (located on the last page of this
 document). The signed acknowledgment form should be turned in and will
 be kept on file at the facility granting the access. For questions on
-the Internet usage Policy, contact the Information Technology (IT)
-Department.
+the Internet usage Policy, contact the Directors.
 
 ## Related Documents
 

src/pages/policies/remote_access_policy.md

@@ -75,10 +75,9 @@ information and definitions, see the *Acceptable Use Policy*.
 Authorized Users will not use Data Migrators networks to access the
 Internet for outside business interests.
 
-For additional information regarding Data Migrators\'s remote access
+For additional information regarding Data Migrators's remote access
 connection options, including how to obtain a remote access login, free
-anti-virus software, troubleshooting, etc., go to the Remote Access
-Services website (company url).
+anti-virus software, troubleshooting, etc., contact the Directors.
 
 ### Requirements
 

src/pages/policies/risk_assessment_policy.md

@@ -71,9 +71,7 @@ disciplinary action, up to and including termination of employment.
 
 ## Related Documents
 
--   Risk Assessment Process
-
--   Third Party Agreement
+- [Risk Management Policy](risk_management_policy)
 
 ## Definitions and Terms