Business Resiliency Policy

First Oregon LLC is a data administrator of My Alts Data, a proprietary technology platform that helps accredited investors, financial advisors and private fund sponsors keep track of individual private fund account data and enhance compliant communications among these three key groups.

Continued service to our My Alts Data platform is the main tenet of First Oregon’s business continuity management program. Priority is given to critical activities that include, but are not limited to, account maintenance, communications and client service.

Business Continuity, Resiliency Planning & Testing are integrated to deliver client service with minimal disruption. First Oregon implements the measures described below as part of our overall continuity plan to ensure that critical services are maintained for our clients.

Resiliency Policy 
First Oregon uses a resiliency model that includes studying our business environment to gain the ability to absorb shocks in the technologies being used. 

Our primary goal is to mitigate all failure points internally that would require us to activate contingency plans. Due to the critical nature of our processing, First Oregon’s core systems, applications, and network infrastructure are designed with the objective of eliminating single points of failure. 

In addition, we have an oversight function, Enterprise Business Resiliency (EBR), as the second line of defense monitoring the Resiliency Policy at First Oregon. EBR includes Business Continuity and Technology Resiliency and Recovery teams providing Business Recovery and Resiliency standards and compliance tracking. We apply our resiliency compliance standards across the First Oregon ecosystem and, as required, with partners and vendors.

Our My Alts Data application in the Cloud utilizes multi-region zones provided by our Cloud provider. First Oregon’s online services rely on a distributed, redundant infrastructure and are architected to be available 24/7 apart from scheduled daily maintenance backup windows.

First Oregon executes multiple exercises throughout each calendar year. First Oregon’s business processes, critical infrastructure, application and data environments are exercised based on defined criticality and in accordance with our Resiliency standards. 

Business Continuity 
First Oregon’s business continuity management program focuses on maintaining and recovering critical business processes that enable uninterrupted service to clients. 
• A Business Impact Analysis (BIA) is conducted annually to determine the criticality of business processes. 
• Risk assessments are conducted to identify threats requiring mitigation, and recovery plans are adjusted accordingly. 
• Client-facing business processes operate in at least two geographically diverse locations that are fully equipped and staffed.
• Back-office operations operate in multiple locations and/or have the capability to work remotely and/or move work.
• Business recovery exercises are required at least annually. Annual Emergency Notification System tests are performed to assess the ability to contact key managers and associates. Recovery exercises consist of performing critical process activities and validating the operating status of working remotely, application accessibility, data accessibility, and business processing capability. 
• Third-party suppliers are subject to contract provisions requiring information security and business continuity capabilities consistent with service expectations. Critical suppliers are subjected to periodic risk-based assessments, with additional actions taken as needed to ensure the resiliency of our supply chains. 

First Oregon has developed the capabilities to recover both operations and systems. All continuity plans are designed to account for disruptions of various lengths and scopes, and to ensure that critical functions are recovered to meet their business objectives. Key components of our business continuity plan include: 
• Alternate physical locations and preparedness 
• Alternative means to communicate with our clients and employees 
• Strategies to address loss or impact to technology/applications 

First Oregon is focused on addressing the potential risks associated with a contagious illness outbreak, including the impact on our employees, our clients, and continuity of operations. 

• Telecommuting
• Geographic diversification of critical functions 
• Extended and flexible operating hours 
• Regional work sharing 

Because contagious illness scenarios can vary widely, our continuity teams work closely with management to implement any strategy and take necessary steps to maintain business operations based on consultation with our enterprise teams and external resources. 

First Oregon’s Enterprise Business Resiliency Policy is reviewed annually to demonstrate our rigorous review of our Resiliency Policy.

Systems Access and Authentication 
Access to all company systems and business applications is controlled and monitored to ensure secure use by authorized personnel only. 
• Initial Login: All users must authenticate via a secure login portal using unique credentials (username and password). 
• Two-Factor Authentication (2FA): Two-step verification is mandatory for all employees. 
• User Permissions: Role-based access is enforced; admin privileges are limited. 
• Remote Access: Secured through encrypted channels. 

Disruption Response and Recovery 

In the event of a system disruption, disaster, or failure, the following recovery procedures are in place: 

• Incident Detection & Response: 
o Monitoring tools on AWS and GitHub alert technical staff of potential disruptions (e.g., downtime, unauthorized access).
o The response team is activated immediately upon detection of any critical event.

• Data Restoration: 
o Encrypted backups are restored from the most recent stable snapshot using AWS recovery services. 
o GitHub repositories can be recovered using built-in version control and archived commits. 

• Communication Plan:
o Internal teams are notified via email and messaging platforms. 
o External stakeholders (e.g., Fund Sponsors) are notified within 24 hours if the disruption affects operations or data availability. 

• Post-Incident Review: 
o A formal review is conducted after each incident to identify root causes and improve future preparedness.

In support of the My Alts Data business continuity program, First Oregon reviews recovery of critical functions at least annually. This includes, but is not limited to, employee notification validation, event management education and training, functional recovery exercises, and tabletop exercises. 

 

Last updated: July 7, 2025