This document summarizes the business continuity program maintained by Coupa Software for its production Software as a Service products via the Coupa Spend platform. This program is supervised by the Chief Information Security Officer and supported by executive leadership at the highest level.
The Business Continuity Management (BCM) within Coupa covers the key personnel, resources, services and actions required to maintain critical business processes and operations. This plan is intended to address extended business disruptions and is based on information contained in the following policies and processes:
- Business Continuity Policy
- Business Impact Assessment
- Business Continuity Plan
- Data Center Recovery - Spend Platform
- Incident Response Plan
- Activity Recovery Plans
- Contingency Testing - Spend Platform
- Business Continuity - Activity Recovery Testing
- Incident Response Testing and Tabletop Exercise
- Annual Business Continuity and Incident Response Training
The objective of the BCM is to present a clear course of action to accomplish the following:
- Protect human life, provide for the safety and well-being of Coupa employees, contractors and visitors.
- Limit the magnitude of unnecessary loss of physical assets by protecting company property, assets, records, and information, including financial and commercial assets, as well as intangible assets such as Coupa’s competitive edge, reputation, and goodwill.
- Reduce any conflict, confusion, and indecision as a result of a crisis, through continuous preparation and education on how Coupa should respond to an event that causes serious business interruption. Response to a crisis must be organized, effective, and professional, with the goal of reducing the effect of the interruption on Coupa’s people and business operations.
- Establish priorities with regard to critical business processes and components.
- Maintain the confidence of shareholders, employees, and customers.
- Maintain productive relations with law enforcement, regulatory, and other governmental agencies, by complying with applicable laws and regulations.
- Return to normal business operations as soon as possible.
Business Continuity Planning
Coupa maintains a business continuity plan which includes activity recovery plans for all critical business activities. The Business Continuity Strategy is reviewed annually to determine critical processes and strategies for recovery. The Business Continuity Plan was last updated/reviewed October 13th, 2021. As part of the annual review and planning, each activity completes a Business Impact Assessment to determine if any changes or modifications are required. These impact assessments will then be incorporated into the annual platform risk assessment. The Coupa Enterprise Risk Management (ERM) Team was established to identify, evaluate, and remediate risk. This team is a cross-section of the organization and has representation across all departments. Each month ERM leadership monitors and prioritizes resolution of any unacceptable changes in the risk environment.
To support business continuity planning and disaster recovery activities, a BCM Team has been created to support recovery strategies and shall also function as the crisis management team. This team will manage the overall coordination of Coupa’s response to a crisis or disaster, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization’s profitability, reputation, and ability to operate.
No less than once annually the components of the BCM are reviewed and updated by the identified team members. Additionally, Coupa requires annual training and testing of the business continuity and incident response plans. Any identified findings are then documented and tracked until the risk is mitigated to an acceptable level.
Data Center Recovery
Coupa selects Infrastructure providers (IaaS) with world-class data centers, allowing Coupa to provide a high level of uninterrupted service to its clients. Most Coupa customers are hosted with the Amazon Web Services (AWS) Global Infrastructure. AWS provides a highly reliable, scalable, and secure environment. Coupa inherits several processes and scalability safeguards from running within the AWS Global Infrastructure. Coupa works with AWS architects on a regular basis to validate alignment with AWS best practices for security, availability, and integrity. As described in the figure below, the Coupa production backup configuration runs in a source, replica, and tertiary replica architecture, across three separate data centers in two geographic regions. The data center recovery planning process is managed by our Infrastructure providers and Sub-Processors. Each provider supporting the production environment undergoes a risk assessment to review their security and recovery strategies.
As part of the internal annual review, Recovery Time Objectives (RTO) and Maximum Tolerable Downtimes (MTD) are calculated and updated. The expectation is that the downtime is infrequent due to our data center recovery planning, but if a disaster does strike, the RTO is 60 minutes.
|Activity|RTO|MTD|
|---|---|---|
|Availability of the Coupa application to customers|1 hour|24 hours|
|Availability of support to Coupa customers (Call center and portal)|4 hours|24 hours|
|Availability of Operations personnel (Site Reliability Engineering)|1 hour|24 hours|
|Availability of Development personnel|2 hours|24 hours|
|Access and availability to key documentation and procedures|1 hour|24 hours|
Testing, Exercises, Training
Contingency Planning and Testing - Spend Platform
The Cloud Operations team is responsible for the initiation, management, and implementation of the Contingency Plan. The Cloud Operations team also has responsibility for the day-to-day operations, including incident response and proactive maintenance. Since Coupa is hosted on Amazon Web Services (AWS) and AWS has a significant scale of capacity and redundancy in multiple data centers and geographies across the world, these elements are a low risk for Coupa and customers. Coupa currently uses a Disaster Recovery site strategy known as Hot Sites.
Coupa data center contingency testing is conducted at least annually to ensure the recovery processes and procedures are successful. The most recent test was completed on September 30th, 2021 with the following objectives:
- Assess effectiveness of system activation
- Assess effectiveness of automated system recovery
- Assess effectiveness of recovery team escalation and coordination
- Assess effectiveness of notification procedures
- Identify runbook and process improvement opportunities within recovery documentation
The most current contingency plan test was completed successfully and documentation was updated. There were no major findings or deficiencies; the services recovered within the expected RTO parameters. In addition, there was no impact (loss) to our data in any test case scenario that required data recovery, thus our RPO was achieved.
Business Continuity and Activity Recovery Testing
In order to validate the Coupa capability to execute effective Business Continuity plans and procedures, a checklist and review exercise will be conducted to analyze the processes and procedures associated with the Coupa Business Continuity Plan, Activity Recovery Plans, and Incident Response plans.
Each activity will be presented with a checklist for completion and review of the business continuity objectives. The checklist test will involve the activity and Compliance Manager's review, audit, validation and verification of techniques for recovery. These checklists are then used to facilitate internal discussions and team training to aid in maturing the Coupa Business Continuity by:
- ensuring the identified procedures meet the objectives of the BCP,
- ensuring the BCP meets the needs of the organization,
- identifying any training required for Coupa personnel, and
- identifying any shortcomings in the BCP and procedures.
Checklists include tasks to:
- check whether plans are accurate and resources are provided to implement recovery plans for each activity,
- check whether employees responsible for recovery are familiar with plan details,
- check the implementation of all steps specified by the plans,
- complete all obligations within predefined deadlines,
- start alternative procedures (if needed),
- ensure all necessary resources (including recovery data),
- enable communication and warning procedures between individual team members and towards other recovery teams, the Crisis Management Team and other interested parties,
- achieve harmonization with the recovery plans of other activities, and
- create comments or suggestions in order to improve the plans.
Incident Response Exercise and Testing
A checklist exercise was used for the incident response team using the same methods described above. In addition to this checklist method, a tabletop exercise was also conducted. A tabletop exercise is a discussion-based event in which participants meet in a “classroom” setting to address the actions they would take in response to an incident. Tabletops are an effective initial step for personnel to discuss the full range of issues related to a crisis scenario. These exercises provide an excellent forum to examine roles and responsibilities, unearth interdependencies, and evaluate plans.
Participants in this exercise will be presented with scenarios affecting the Incident Response Plan. The facilitator will help guide the discussion by asking questions designed to address the exercise’s objectives. The facilitator may choose to inject modifications to the scenario to further stimulate discussion. Participants will also be encouraged to ask one another questions.
The following are the objectives of this exercise:
- Validate the team’s ability to identify an incident.
- Validate the team’s ability to respond to a confirmed incident.
- Identify any additional training that needs to take place to ensure all personnel with incident response duties are proficient in their assigned roles.
- Identify any shortcomings in the Incident Response Plan.
The objectives will be met through the discussion of the incident response handling stages (preparation; identification; containment; eradication; recovery; follow-up) in the presented scenarios. Incident Response team members answer questions posed to the group by the facilitator with regard to their role in the incident response process. The Incident Response Plan has been provided to all team members as a reference for testing. Keep in mind this is not a test but a tool that Coupa will use to gauge our current capacity for responding to an incident. This is as much a learning mechanism for the incident response team members as it is for the exercise facilitators. The data from these exercises will help Coupa to formulate lessons learned and incorporate those findings into the policies and procedures that govern our incident response capability. These exercises will also help team members to understand ALL of the roles outside of their realm of responsibilities within the IR process so that a complete understanding of the processes and procedures will help facilitate a smooth response to future incidents.
Business Continuity, Activity Recovery, and Incident Response Testing Results
Results from the Business Continuity and Incident Response testing/exercises are reviewed and combined into one enterprise report. This report will be submitted to leadership and the ERM Team for review and action. Any nonconformities or findings will be documented in the ERM ticketing queue for remediation and closure. The Compliance Manager is responsible for completion of the report and tracking of nonconformities. During the most current testing and exercise period, there were no major findings. All minor findings have been documented and will be tracked until they are resolved.
Coupa has a disaster recovery communication plan for customers. Processes have been established to communicate with customers in the event of a disaster via various outlets. Customers and stakeholders can review the status of the Coupa Spend Platform via the Coupa Support Portal or the Coupa Website.