Financial Model Template Financial Model Template Financial Model Template
Dr Template
-
Upload
diana-munteanu -
Category
Documents
-
view
213 -
download
0
Transcript of Dr Template
-
7/25/2019 Dr Template
1/54
Disaster Recovery
PlanTemplate
Notice: Copyright Stay In Business.com - Stay In Business is the legal owner of the template. This may be used
only by the purchaser for business purposes only. The template may not be sold, shared, copied or transmitted to
any third party without the written epressed consent of Stay In Business.
-
7/25/2019 Dr Template
2/54
Table of ContentsSection ! - "oals of a #isaster $eco%ery &lan.................................................................'
Section ( - &ersonnel........................................................................................................)Section ' - *pplication &rofile............................................................................................+
Section ) - In%entory &rofile..............................................................................................
Section + - Information Ser%ices Bacup &rocedures.......................................................
Section - #isaster $eco%ery &rocedures......................................................................./
#isaster *ction Checlist.............................................................................................../
Section 0- $eco%ery &lan-1obile Site.............................................................................!'
1obile site setup plan..................................................................................................!)
#isaster &lan for Communications...............................................................................!)
2lectrical ser%ice..........................................................................................................!)
Section - $eco%ery &lan - 3ot Site...............................................................................!+
3ot-site system configuration.......................................................................................!
3ot-site solutions..........................................................................................................!
Section / - $estoring the 2ntire System.........................................................................!0
Section !4 - $ebuilding &rocess.....................................................................................!
Section !! - Testing the #isaster $eco%ery &lan............................................................!/
Conducting a $eco%ery Test 5 Chec 6ist...................................................................!/
*reas to be Tested 5 Chec 6ist..................................................................................(4
Section !( - #isaster Site $ebuilding..............................................................................((
Section !' 5 Infectious7Communicable #iseases &lan...................................................()
Situational *nalysis......................................................................................................'4
BC#$ &lan #eacti%ation..............................................................................................'
Section !) 5 BC#$ &lan for #ata Security Breach.........................................................)4
&lan *cti%ation and Notification....................................................................................))
Situational *nalysis......................................................................................................)0
&ersonnel.....................................................................................................................+(
Section !+ - $ecord of &lan Changes.............................................................................+)
Page (
-
7/25/2019 Dr Template
3/54
Section 1 - Goals of a Disaster
Recovery Plan
The ma8or goals of a disaster reco%ery plan are:
1inimi9e interruptions to normal operations.
6imit the etent of disruption and damage.
1inimi9e the economic impact of the interruption.
2stablish alternati%e means of operation in ad%ance.
Train employees, networ engineers and managers on emergency procedures.
Smooth and rapid restoration of ser%ice.
Constant re%iew of re;uently *sed
-
7/25/2019 Dr Template
4/54
Section 2 - Personnel
The following is a list of all IT personnel who are in%ol%ed with information technology
aspects. This list should be updated fre;uently.
Data Processing Personnel
Name Position Email Address Telephone
Note:*ttach a copy of your organi9ation chart to this section of the plan.
Page )
-
7/25/2019 Dr Template
5/54
Section 3 - Application Prole
This is a list of all application personnel who are in%ol%ed with payroll, accounts
payable7recie%able, orders etc.
Application profile
Application Name Critical?
Yes/No
Fixed
Asset?
Yes/No
Manfactrer Comments
Comment legend:
!.$uns daily.
(.$uns weely on @@@@@@@@.
'.$uns bi weely on @@@@@@ and @@@@@@
).$uns monthly on @@@@@@@@.
+.Ather @@@@@@@@@@@@@@@
Page +
-
7/25/2019 Dr Template
6/54
Section 4 - nventory Prole
This is a list of physical in%entory that in%ol%es your 6*N ?*N and other importante;uipment. This list should be updated fre;uently and should include all components of
your networ and other business acti%ity.
This list should include the following:
!. &rocessing units
(. #is units
'. 1odels
). ?orstation controllers
+. &ersonal computers. Spare worstations
0. Telephones
. *ir conditioner or heater
/. System printer
!4. Tape and disette units
!!. Controllers
!(. I7A processors
!'. "eneral data communication
!). Spare displays
!+. $acs
!. 3umidifier or dehumidifier
!0. &ower "enerator
!. 1anufacturing e;uipment
!/. Affice e;uipment
(4. 1iscellaneous in%entory
Page
-
7/25/2019 Dr Template
7/54
!n"entor# Profile
Manfactrer Description Model $erial
Nm%er
&'n or
(eased
Cost
Note:This list should be audited e%ery @@@@@@@@ months
Miscellaneos !n"entor#
Description )antit# Comments
Note:This list should include all e;uipment and miscellaneous items that are crucial to restarting
operations
Page 0
-
7/25/2019 Dr Template
8/54
Section ! - nformation Services
"ac#$p Proce%$res
! Ser%er
#aily, 8ournal recei%ers are changed at @@@@@@@@@@@ and at @@@@@@@@@@@.
#aily, a sa%e of changed ob8ects in the following libraries and directories is
done at @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
!. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
(. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
'. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
). @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
0. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
This procedure also sa%es the 8ournals and 8ournal recei%ers.
! An @@@@@@@@ =day> at @@@@@@@@ =time> a complete sa%e of the system isdone
( *ll sa%ed media is stored off-site in a %ault at @@@@@@@@ =location>
' &ersonal Computer
) It is recommended that all personal computers be baced up. Copies of the
personal computer files should be uploaded to the ser%er on @@@@@@@@ =date>
at @@@@@@@@ =time>, 8ust before a complete sa%e of the system is done. It is
then sa%ed with the normal system sa%e procedure. This pro%ides for a more
secure bacup of personal computer-related systems where a local area
disaster could wipeout important personal computer systems.
Page
-
7/25/2019 Dr Template
9/54
Section & - Disaster Recovery
Proce%$res
or any disaster reco%ery plan, the following three elements should be addressed:
Emergenc# *esponse Procedres:To document the appropriate emergency
response to a fire, natural disaster, or any other calamity in order to protect li%es
and limit damage.
+ac,p &perations Procedres:To ensure that essential data processing
operational tass can be conducted after the disruption.
*eco"er# Actions Procedres:To facilitate the rapid restoration of a data
processing system following a disaster.
Disaster Action C'ec#list
A- Plan !nitiation
Notify Senior 1anagement
Contact and setup the disaster reco%ery team
#etermine degree of disaster
Implement proper application reco%ery plan dependent on etent
of disaster =see Section 0. $eco%ery plan--mobile site>
1onitor progress
Contact bacup site and establish schedules
Contact all other necessary personnel
Contact %endors 5 all %endors that are critical to resuming operations
should be contacted
Notify employees of the disruption of ser%ice
Page /
-
7/25/2019 Dr Template
10/54
$enior Management
Name Position Address Telephone
Page !4
-
7/25/2019 Dr Template
11/54
+- Follo'.p Chec,list
6ist teams and tass of each team and indi%idual
Abtain emergency cash and setup transportation to and from the bacup
site, if necessary
Setup li%ing ;uarters, if necessary
Setup eating establishments, as re;uired
6ist all personnel and their telephone numbers
2stablish user participation plan
Setup the deli%ery and the receipt of mail
2stablish emergency office supplies
$ent or purchase e;uipment, as needed
#etermine applications to be run and in what se;uence
Identify number of worstations needed
Chec out any off-line e;uipment needs for each application
Chec on forms needed for each application
Chec all data being taen to the bacup site before lea%ing and lea%e anin%entory profile at a home location
Setup primary %endors for assistance with problems incurred during
emergency
&lan for transportation of any additional items needed at the bacup site
Tae directions to bacup site
Chec for additional magnetic tapes, if re;uired
Tae copies of system and operational documentation and procedural
manuals.
2nsure that all personnel in%ol%ed now their tass
Notify insurance companies
Page !!
-
7/25/2019 Dr Template
12/54
*eco"er# $tart.p Procedres for se After a Disaster
!. Notify =name of company and indi%idual> of #isaster $eco%ery Ser%ices of the
need to utili9e ser%ice and of reco%ery plan selection.
Note:"uaranteed deli%ery time countdown begins at the time =name of company
and indi%idual> is notified of reco%ery plan selection.
#isaster notification numbers =phone number of #$ site> or =alternate
number>. These telephone numbers are in ser%ice from @@@@@@@@ am7pm
until @@@@@@@@ am7pm 1onday through riday.
(. #isaster notification number =after hours number>
This telephone number is in ser%ice for disaster notification after business hours,
on weeends, and during holidays. &lease use this number only for the
notification of the actual disaster.
'. &ro%ide =name> with an e;uipment deli%ery site address =when applicable>, a
contact, and an alternate contact for coordinating ser%ice and telephone numbers
at which contacts can be reached () hours a day.
). Contact power and telephone ser%ice suppliers and schedule any necessary
ser%ice connections.
+. Notify =name of #$ Coordinator> immediately if any related plans should change
.
Page !(
-
7/25/2019 Dr Template
13/54
Section (- Recovery Plan-)obile Site
!. Notify =name> of the nature of the disaster and the need to select the mobile site
plan.
(. Confirm in writing the substance of the telephone notification to =name> within )
hours of the telephone notification.
'. Confirm all needed bacup media are a%ailable to load the bacup machine.
). &repare a purchase order to co%er the use of bacup e;uipment.
+. Notify =name> of plans for a trailer and its placement =6ocation 5 address and
eact site>. =See the 1obile site setup plan in this section>.
. #epending on communication needs, notify telephone company =name and
number of Telephone Company or representati%e> of possible emergency line
changes.
0. Begin setting up power and communications at =bac up site address>.
&ower and communications are prearranged to hoo into when trailer
arri%es.
*t the point where telephone lines come into the building =mar entry point>,
brea the current linage to the administration controllers =mar point>.
These lines are rerouted to lines going to the mobile site. They are lined to
modems at the mobile site. The lines currently going from =begin point to
end point would then be lined to the mobile unit %ia modems.
This could concei%ably re;uire =company name> to redirect lines at
=address> comple to a more secure area in case of disaster.
. ?hen the trailer arri%es, plug into power and do necessary checs.
/. &lug into the communications lines and do necessary checs.
!4.Begin loading system from bacups =see Section /. $estoring the 2ntire
System>.
!!. Begin normal operations as soon as possible
#aily 8obs
#aily sa%es
?eely sa%es
Page !'
-
7/25/2019 Dr Template
14/54
!(.&lan a schedule to bacup the system in order to restore on a home-base
computer when a site is a%ailable. =Dse regular system bacup procedures>.
!'.Secure mobile site and distribute eys as re;uired.
!).Eeep a maintenance log on mobile e;uipment.
!+.Eeep log on people, eys, e;uipment etc at #$ site
)obile site set$p plan
*ttach the mobile site setup plan here.
Disaster Plan for Comm$nications
*ttach the communication disaster plan, including the wiring diagrams.
*lectrical service
*ttach the electrical ser%ice diagram here.
Page !)
-
7/25/2019 Dr Template
15/54
Section + - Recovery Plan - ,ot Site
The disaster reco%ery ser%ice pro%ides an alternate hot site. The site has a bacup
system for temporary use while the home site is being reestablished.
Notify =name of contact and name of company> of the nature of the disaster and
of its desire for a hot site.
$e;uest air shipment of modems to =address> for communications. =See =name
and contact of person in charge> for communications for the hot site.>.
Confirm in writing the telephone notification to =name of company and contact>
within ) hours of the telephone notification.
Begin maing necessary tra%el arrangements to the site for the operations team.
Confirm that all needed tapes are a%ailable and paced for shipment to restoreon the bacup system.
&repare a purchase order to co%er the use of the bacup system.
$e%iew the checlist for all necessary materials before departing to the hot site.
1ae sure that the disaster reco%ery team at the disaster site has the necessary
information to begin restoring the site. =See Section !( - #isaster Site
$ebuilding>.
&ro%ide for tra%el epenses =cash ad%ance>.
*fter arri%ing at the hot site, contact home base to establish communications
procedures.
$e%iew materials brought to the hot site for completeness.
Begin loading the system from the sa%e tapes.
Begin normal operations as soon as possible
a. #aily 8obs
b. #aily sa%es
c. ?eely sa%es
!. &lan the schedule to bacup the hot-site system in order to restore on the home-
base computer.
Page !+
-
7/25/2019 Dr Template
16/54
,ot-site system con$ration
*ttach the hot-site system configuration here.
,ot-site sol$tions
at&ipe Networs has de%eloped a host of products that ensure the highest le%el of?*N reliability, redundancy, and maimum bandwidth for disaster reco%ery planning,
including data mirroring and remote storage. *s the in%entor and multiple patents holder
of $outer Clustering technology -- which aggregates multiple data lines from the same
or separate IS&s -- at&ipe pro%ides dynamic, intelligent and automatic failo%er of
downed ?*N connections.
at&ipe Networs also maes a%ailable se%eral other solutions for corporations that are
implementing or wanting to enhance their current disaster reco%er7continuity plans.
at&ipe offers dual power supply units for power bacup and auto-failo%er units. The
failo%er unit can be placed at the customer premise or at a remote location, such as a
remote storage site or disaster reco%ery site.
In addition, at&ipe pro%ides site load balancing capabilities, where traffic can be
shared between one or more remote site units utili9ing all lines a%ailable at each
location. This is used when inbound connecti%ity to Internet accessible ser%ers is
critical. This technology utili9es at&ipeFs Site 6oad Balancing feature. The ser%ers
located in geographically separate locations can ha%e identical or similar information in
two or more locations. or more information www.fatpipeinc.com
Page !
-
7/25/2019 Dr Template
17/54
Section . - Restorin t'e *ntire
System
To get your system bac to the way it was before the disaster, use the procedures onreco%ering after a complete system loss in the Bacup and $eco%ery section .
Before You Begin:ind the following tapes, e;uipment, and information from the on-
site tape %ault or the off-site storage location:
!. If you install from the alternate installation de%ice, you need both your tape media
and the C#-$A1 media containing the 6icensed Internal Code.
(. *ll tapes from the most recent complete sa%e operation
a. The most recent tapes from sa%ing security data =S*GS2C#T* or
S*GSHS>
'. The most recent tapes from sa%ing your configuration, if necessary
b. *ll tapes containing 8ournals and 8ournal recei%ers sa%ed since the most
recent daily sa%e operation
). *ll tapes from the most recent daily sa%e operation
c. &T list =stored with the most recent complete sa%e tapes, weely sa%e
tapes, or both>
+. Tape list from most recent complete sa%e operation
. Tape list from most recent weely sa%e operation0. Tape list from daily sa%es
. 3istory log from the most recent complete sa%e operation
/. 3istory log from the most recent weely sa%e operation
!4.3istory log from the daily sa%e operations
!!. The Software Installationboo
!(.The Backup and Recoveryboo
!'.1odem manual
!).Tool it
Page !0
-
7/25/2019 Dr Template
18/54
Section 1/ - Reb$il%in Process
The management team must assess the damage and begin the reconstruction of a new
data center. If the original site must be restored or replaced, the following are some of
the factors to consider:
!. ?hat is the pro8ected a%ailability of all needed computer e;uipment
(. ?ill it be more effecti%e and efficient to upgrade the computer systems with
newer e;uipment
'. ?hat is the estimated time needed for repairs or construction of the data site
). Is there an alternati%e site that more readily could be upgraded for computer
purposes
Ance the decision to rebuild the data center has been made, go to Section !( - #isaster
Site $ebuilding.
Page !
-
7/25/2019 Dr Template
19/54
Section 11 - Testin t'e Disaster
Recovery Plan
In successful contingency planning, it is important to test and e%aluate the planregularly. #ata processing operations are %olatile in nature, resulting in fre;uent
changes to e;uipment, programs, and documentation. These actions mae it critical to
consider the plan as a changing document. Dse this checlist as you conduct your test
and decide what areas should be tested:
Con%$ctin a Recovery Test 0 C'ec# ist
!tem Yes No Applica%leNot
Applica%leComments
Select the purpose of the test. ?hat aspects
of the plan are being e%aluated
#escribe the ob8ecti%es of the test. 3ow will
you measure successful achie%ement of the
ob8ecti%es
1eet with management and eplain the test
and ob8ecti%es. "ain their agreement and
support.
3a%e management announce the test and
the epected completion time.
Collect test results at the end of the testperiod.
2%aluate results. ?as reco%ery successful
?hy or why not
#etermine the implications of the test
results. #oes successful reco%ery in a
simple case imply successful reco%ery for all
critical 8obs in the tolerable outage period
1ae recommendations for changes. Call
for responses by a gi%en date.Notify other areas of results. Include users
and auditors.
Change the disaster reco%ery plan manual
as necessary.
Page !/
-
7/25/2019 Dr Template
20/54
Areas to be Teste% 0 C'ec# ist
!tem Yes No Applica%le
Not
Applica%le Comments
$eco%ery of indi%idual application systems
by using files and documentation stored off-site.
$eloading of system tapes and performing
an I&6 by using files and documentation
stored off-site.
*bility to process on a different computer.
*bility of management to determine priority
of systems with limited processing.
*bility to reco%er and process successfully
without ey people.*bility of the plan to clarify areas of
responsibility and the chain of command.
2ffecti%eness of security measures and
security bypass procedures during the
reco%ery period.
*bility to accomplish emergency e%acuation
and basic first-aid responses.
*bility of users of real-time systems to cope
with a temporary loss of on-line information.
*bility of users to continue day-to-day
operations without applications or 8obs that
are considered not critical.
*bility to contact ey people or their
designated alternates ;uicly.
*bility of data entry personnel to pro%ide the
input to critical systems by using alternate
sites and different input media.
*%ailability of peripheral e;uipment and
processing, such as printers and scanners.*%ailability of support e;uipment, such as air
conditioners and dehumidifiers.
*%ailability of support: supplies,
transportation, and communication.
Page (4
-
7/25/2019 Dr Template
21/54
#istribution of output produced at the
reco%ery site.
*%ailability of important forms and paper
stoc.
*bility to adapt plan to lessen disasters.
Page (!
-
7/25/2019 Dr Template
22/54
Section 12 - Disaster Site Reb$il%in
!. loor plan of data center 5 distribute to ey employees
(. #etermine current hardware needs and possible alternati%es. =See Section ) -In%entory profile>.
a. #ata center s;uare footage, power re;uirements and security
re;uirements.
b. *rea =s;uare feet>
c. &ower re;uirements =describe>
d. Security re;uirements: loced area, preferably with combination loc on
one door 5 establish procedures: ey employee responsible, access
restrictions, loced areas. *ccess to loced areas, CCTG, monitoring
e. loor-to-ceiling studding
f. #etectors for high temperature, water, smoe, fire and motion 5 ey
employee responsible and initial safety chec to determine if all safety
systems are woring and in place.
g. $aised floor
Page ((
-
7/25/2019 Dr Template
23/54
Floor plan
Include a copy of the proposed floor plan here.
0endors
0endors . Include %endor information here.
Compan# Name Contact Address Telephone
Page ('
-
7/25/2019 Dr Template
24/54
Section 13 0
nfectio$sComm$nicable Diseases
Plan$ecent e%ents such as the 2bola outbrea ha%e made it imperati%e for companies to
start thining about policies and procedures in case an employee is infected. or
companies that ha%e employees that tra%el - a well thought out plan is essential.
2ach business is different. The following gi%es a guideline of the elements of a BC#$
plan. 2ach business should modify this to suit needs.
Execti"e Management
6ist names and contact information of the following personnel here. *lso include their
area of responsibility
!. BC#$ plan coordinator
(. 1anager - 3uman $esources
'. 1anager - inancial
). 1anager 5 6egal
+. 1anager 5 Technical and #ata Security
. 1anager 5 Site and building security
0. 1anager 5 Industrial 3ealth and Safety
. Ather 5 list names, contact information and area of responsibility
*lso discuss plan goals, $eco%ery &oint and $eco%ery Time Ab8ecti%es. 1anagement
should also communicate to employees in general, their support of the plan and
introduce %arious ey personnel who will be tased with continuity and reco%ery
operations.
1- Plan &%2ecti"es
The aim of this plan is to allow =company name> to respond effecti%ely in a safe
manner and reco%ery from an Infectious7Communicable disease outbrea. The
main ob8ecti%es are:
$educe eposure and transmission among employees
2nsure essential ser%ices and operations are maintained
$educe economic impact
Ather 5 list any other ob8ecti%es rele%ant to your organi9ation
Page ()
-
7/25/2019 Dr Template
25/54
(. $pporting Plans and *esorces
6ist any other plans that support your plans 5 for eample county or city plans.
'. &"er"ie'
6ist an o%er%iew of the Infectious7Communicable disease that you are writing the
plan for. The description should ideally include a history of the disease in
;uestion and include the following:
#escription of the Infectious7Communicable disease
Its pre%alence locally and globally
&rognosis of an infected person
Treatment options
Current go%ernment directi%es if any
&recautions to pre%ent infection
International considerations 5 where outbreas are and local intelligence
gathered. *lso, determine if any employees ha%e tra%elled to these areas
and ensure they are safe and are not the cause of an outbrea among
employees
Ather rele%ant information
3- Cit#4 Cont#4 $tate and National 5ealth Agenc# 6 *oles and Assistance
#etermine all public agencies that may play a part in case of an
Infectious7Communicable disease outbrea at your company
Contact agencies and determine who will be the point person at the
agency during outbreas 5 gather and record contact information
*ll local and state ordinances and laws should be understood. Hour
BC#$ plan should not %iolate these.
Sharing your plan with agencies and asing for their opinion is a good way
to fine tune plans 5 de%elop personal relationships #epending on 8urisdiction, one or more than one agency will be the
coordinating agency.
They can mae public recommendations regarding interactions with your
business
Page (+
-
7/25/2019 Dr Template
26/54
They will ha%e the power to enforce %arious ordinances to ensure
outbreas are contained. These include protecti%e gear and isolation
orders
1edical 5 they can assist with all health and health safety issues.
+. Planning Assmptions
Se%eral assumptions ha%e to be made when de%eloping these plans. rom the
etent of the outbrea to its se%erity to personnel, reasonable assumptions ha%e
to be made. 3owe%er, assumptions made should be listed and rationale gi%en if
applicable. Some of the assumptions that should be considered are
#uration of outbrea
This assumption can be made depending on the disease. Since mostdisease life phases are nown, reasonable assumptions can be made.
&re%ention and Treatment
&ublic health agencies or departments can be %ery useful in determining
the best course of action.
Staff 1ae a reasonable assumption about the number of staff that could
be infected. This will determine staff a%ailability for %ital and critical
functions.
Gendors and Autside Ser%ice &ro%iders
* list of %endors and contact information should be de%eloped for %arious ser%ices and
products. $emember to determine lead times needed for each.
Plan Acti"ation and Notification
!. Plan Acti"ation
The acti%ation of the entire plan or only a part are dependent on a %ariety of
factors. I any or all of the following are met the plan should be acti%ated.
a. *ny public health agency issues an alert or warning in the same general
area as the business.
Page (
-
7/25/2019 Dr Template
27/54
b. Business functions are disrupted due to employee absence due to
sicness
c. #isruption of essential ser%ices
d. Concern among staff of possibility of getting infected. ?hile this may be
reduced with the correct information, these concerns ha%e to be taen
seriously.
e. *dd other criteria here
f. *uthority to *cti%ate BC#$
It is important that acti%ation of a BC#$ plan is only carried out on the
direct orders of a manager who has to authority to tae this step. Since a
manager with this authority may not be a%ailable when disaster stries, '
or ) senior managers should ha%e this authority. It is recommended that
at least one of the authori9ed managers be in a different geographic
location. "i%e names below:
a. Name and title of BC#$ acti%ation authority
b. Name and title of BC#$ acti%ation authority
c. Name and title of BC#$ acti%ation authority
d. Name and title of BC#$ acti%ation authority
(. Notification
#uring an emergency, there are %arious stae holders that ha%e to be informed
about the disaster. 3owe%er, messages ha%e to be tailored to the group that
recei%es it.
*ll employees message=Insert message here>
Sample message: The #isaster $eco%ery plan for =name disease> has been
acti%ated. The plan was acti%ated due to =reason>. ?e will eep you
informed by =name more of information 5 tet, email, %ideo, website
announcement etc> e%ery hour on the hour unless circumstance pre%ent us.
Hou are instructed to: =gi%e instructions here 5do not come to office, report at
Page (0
-
7/25/2019 Dr Template
28/54
a different site etc>.
BC#$ Team
=Insert message here>
Sample message: The BC#$ plan for =name disease> has been acti%ated.
$eport for your assignments per the BC#$ plan. In case you need to refer to
the BC#$ plan, copies of the plan can be obtained at =name source 5
website, cloud etc>. Hou should call our #$ number =gi%e emergency number
here> immediately to chec in.
Customers
=Insert message here>
Sample message: #ear =name> 5 this is to inform you that we ha%e acti%ated
our BC#$ plan due to =gi%e reason>. ?e will stri%e to ensure you will see little
or no disruption. &lease call the hot line we ha%e set up =gi%e number> for
further information. Ane of our specialists, assigned to ensure our %alued
customers are not incon%enienced will also be contacting you shortly to
discuss the situation and inform you of the actions we will tae to minimi9e
the effects of the disaster. ?e than you for your understanding and
coorporation.
Gendors
=Insert message here>
Sample message: #ear =name> 5 this is to inform you that we ha%e acti%ated
our BC#$ plan due to =gi%e reason>. ?e will stri%e to ensure you will see little
or no disruption. &lease call the hot line we ha%e set up =gi%e number> for
further information. Ane of our specialists, assigned to ensure our %alued
%endors are not incon%enienced will also be contacting you shortly to discuss
the situation and inform you of the actions we will tae to minimi9e the effects
of the disaster. ?e than you for your understanding and coorporation.
Ather
=Insert message here>
Athorit# and Command
!> BC#$ $esponse Argani9ation and Structure
Page (
-
7/25/2019 Dr Template
29/54
The following will be the organi9ation and structure of the response to the
Infectious7Communicable disease emergency. *ll or parts may be acti%ated and
modified as needed during the emergency
(. $esponse 1anagement
Ance the Infectious7Communicable diseases BC#$ plan has been acti%ated, the
Incident Commander will be =Name, Title and Contact information of Incident
Commander>. In case he or she cannot assume command, the following are
authori9ed to assume Incident Command
*lternate ! =name, title and contact information>
*lternate ( =name, title and contact information>
*lternate ' =name, title and contact information>
Ather 5 add name per re;uirement
If the first alternate is unable to tae command, the command mo%es to the net
person on the list. Dnable to tae command is defined as gi%en below. It is
ad%isable to carefully consider who is capable of leading during emergency -
especially non managerial employees. They should ha%e leadership ;ualities
and ha%e the respect of their colleagues.
Not able to carry out assignment due to physical limitations, death or
geographic location.
Dnable to contact within =hours>
*lternate has been assigned another duty
Ather 5 insert per re;uirement
Page (/
-
7/25/2019 Dr Template
30/54
Sit$ational Analysis
1- Mission $tatement
This BC#$ planFs mission is to disseminate information on acti%ation to all
staeholders gi%ing information about the nature of the disaster, the responseand actions each staeholder has to perform during the crisis.
7- +CD* Plan !mplementation
* BC#$ plan is only as good as its implementation. To this end to ensure that
the BC#$ plan meets the ob8ecti%e of business continuity and ;uic reco%ery,
input of %arious plan staeholders is important in the planning stage itself.
a. Status of Infectious7Communicable #isease
* %ital part of plan acti%ation and implementation is nowledge of the
current status of the Infectious7Communicable disease outside and within
the business. To this end, source of information the business will use in
such cases should be identified and listed. Source that will be used are:
6ocal7County 3ealth #epartment =gi%e D$6 and information
helpline numbers>
State 3ealth #epartment =gi%e D$6 and information helpline
numbers>
Centers for #iseases Control and &re%ention =gi%e D$6>
?orld 3ealth Argani9ation =gi%e D$6>
News organi9ation =gi%e list>
Ather sources =gi%e name and D$6 per re;uirement>
b. Infectious7Communicable #isease Control and Safety $ecommendations
$ecommendations issues by 6ocal7County7State health agencies should
be monitored and implemented. 6ist sources of information below:
6ocal7County 3ealth #epartment =gi%e D$6 and information
helpline numbers>
State 3ealth #epartment =gi%e D$6 and information helpline
Page '4
-
7/25/2019 Dr Template
31/54
numbers>
Centers for #iseases Control and &re%ention =gi%e D$6>
?orld 3ealth Argani9ation =gi%e D$6>
News organi9ation =gi%e list>
Ather sources =gi%e name and D$6 per re;uirement>
c. Community
2%ery business eists in a community and goodwill and respect is an
important part of business operations. ?hen confronted with these
diseases in the community, a business should gather all possible
information to ensure proper action can be taen. 6ocal health ser%ices
will pro%ide information. In case the outbrea is within a business, it is
important to inform local agencies. Information flow through these
agencies to the public is important in maintaining public relations
d. Customer $elationships
If a business has acti%ated its BC#$ plan, customer and it is important for
the business to understand why customer beha%ior has changed. The
BC#$ of plan should ha%e steps in place to handle the change in beha%ior
and re%enue flows. This is important to ensure financial %iability of the
business during this crisis.
e. Gendor $elationships
Gendor relationships mean change during the crisis. If the %endor ser%ice
being pro%ided is on-site it may be e%en affected to a greater etent than
normal. If the %endor is pro%iding ser%ices that do not re;uire a physical
presence, then the relationship might not be affected to a great etent.
3owe%er there should be a clear understanding between the business and
the %endor what can be epected by each party. *s soon as the BC#$
plan is acti%ated, %endors especially the critical ones, should be contactedand a clear understanding of epectations should be established. The
following a list of %endor, contact information and ser%ices pro%ided
Gendor Name, Contact Information, Ser%ices pro%ided.
Gendor Name, Contact Information, Ser%ices pro%ided.
Page '!
-
7/25/2019 Dr Template
32/54
Gendor Name, Contact Information, Ser%ices pro%ided.
f. Business Aperations
Aperations will be affected mainly due to staff strength. Businessesshould pre-determine what critical business functions are and how to
handle them. Staff functions may ha%e to be reassigned to fill gaps.
Critical Aperation ! 5 name, department, minimum staff needed
=names of staff should be included if nown, howe%er it mut be ept
updated.
Critical Aperation ( - name, department, minimum staff needed
=names of staff should be included if nown, howe%er it mut be ept
updated..
Critical Aperation ' - name, department, minimum staff needed
=names of staff should be included if nown, howe%er it must be
ept updated.
The following operations can be suspended or curtailed
Non Critical Aperation ! =gi%e details>
Non Critical Aperation (
Non Critical Aperation '
g. Staffing
The BC#$ plan should ha%e a staffing plan. To do this, reasonable
assumptions must be made. 6ist functions, staff strength and
assumptions in this section.
Commnications
a. Staeholders
#uring disasters, communications are critical in ensuring smooth handling
of the disaster. Communications to %arious staeholders will be different
and the manner and mode of communications %ary. It is important to
ensure, the entire business speas with one %oice and therefore it is
prudent to assign an empowered committee to channel communications
through. The staeholders are:
Page '(
-
7/25/2019 Dr Template
33/54
2mployees
Customers
Gendors
"o%ernment *gencies
Community
Ather 5 specify per local re;uirement
a. 2mpowered Communications Committee
The following employees are assigned to the committee through whom all
communication will be routed.
#irector of Communications =Chair of committee>
1ember ! =name title>
1ember ( =name title>
1ember ( =name title>
Ather per local business re;uirements
b. 1essaging
The content of message to each group of staeholders can be
predetermined because it is a initial message informing that the BC#$
plan has been acti%ated. *fter the initial message goes out, the net batch
of messages can be crafted to meet needs.
i. 2mployees
Sample message =edit to suit business needs>
The company has acti%ated the BC#$ plan for
Infectious7communicable diseases with effect from =date and time>.
This message is to inform you of the acti%ation of the plan. The
company places a %ery high %alue on eeping employees informed
as time progresses. * follow-up message will be sent shortly
informing you of the actions the company will be taing and the role
Page ''
-
7/25/2019 Dr Template
34/54
and actions we epect you to tae. ?e will be establishing a
hotline before the close of business today.
ii.Customers
Sample message =edit to suit business needs>
The company =company name> has acti%ated its BC#$ plan for
Infectious7communicable diseases with effect from =date and time>.
This message is to inform you of the acti%ation of the plan. The
company places a %ery high %alue on eeping our %alued
customers informed as time progresses. * follow-up message will
be sent shortly informing you of the actions the company will be
taing to ensure the effect on our customers is ept to a minimum.
* company representati%e assigned to assist you will be contacting
you shortly. ?e appreciate your understanding and patience as we
resol%e the situation
iii.Gendors
The company =company name> has acti%ated its BC#$ plan for
Infectious7communicable diseases with effect from =date and time>.
This message is to inform you of the acti%ation of the plan. The
company places a %ery high %alue on eeping our %alued %endors
informed as time progresses. * follow-up message will be sentshortly informing you of the actions the company will be taing to
ensure the effect on our %endors is ept to a minimum. * company
representati%e assigned to assist you will be contacting you shortly.
?e appreciate your understanding and patience as we resol%e the
situation
i%."o%ernment 3ealth *gencies
The company =company name> has acti%ated its BC#$ plan for
Infectious7communicable diseases with effect from =date and time>.
This message is to inform you of the acti%ation of the plan.
* representati%e designated to establish statutory and regular
communications will be contacting you shortly. ?e appreciate your
Page ')
-
7/25/2019 Dr Template
35/54
patience and your guidance in resol%ing this crisis at the earliest.
%.Community
The company =company name> has acti%ated its BC#$ plan for
Infectious7communicable diseases with effect from =date and time>.
This message is to inform you of the acti%ation of the plan.
?e deeply %alue the relationship we ha%e with the community. ?e
belie%e open and honest communications are essential to ensure
that the crisis is resol%ed speedily while ensuring the safety and
welfare of the public.
?e will shortly issue a communi;u with more details. Till such
time we as for your patience. ?e ha%e been good neighbors and
we will stri%e to ensure our actions comply or eceed local
re;uirement for such a crisis. ?e than you for yor goodwill and
patience.
%i.Ather
*dd message per local business re;uirement
c. #issemination of Information
Information will be disseminated per the following modes
&hones 5 hot line =internal and eternal 5 gi%e numbers here>, tet,
%oice mail, recorded messages, call tree, call centers.
2lectronic 5 email, website messaging =gi%e D$6>, online chat
&ersonal 5 meetings, town halls meetings, etc
1edia 5 TG, $adio, Newspaper, &ress $eleases and Conferences
Ather 5 insert per local business re;uirement
d. Drgent Communi;u
#etermine what modes will be used to communicate urgent messages to
Page '+
-
7/25/2019 Dr Template
36/54
each group of stae holders
2ample - 2mployees 5 by phone tree
e. $egular Dpdates
2ample 5 2mployees 5 website updates
Personnel
The effect of Infectious7Communicable diseases on employees is hard to predict. &ast
eperience has shown that during se%ere outbreas, (4 to '4J staff can be absent.
Naturally, this will ha%e a direct bearing on business operations. Both the paces of
operations are slowed down to match a%ailable man-power or pace ept constant and
only critical operations are carried out. &lanning is essential. Communications are ey
to ensuring that employees that are sic stay home and those that are called to wor inunfamiliar areas now the reason why. * mission statement such as the one below is
useful =modify to meet local business re;uirement>
=Name of business> is committed to ensuring a safe en%ironment for all employees.
#uring an infectious7communicable disease emergency that re;uires acti%ation of the
companyFs BC#$ plan, the company will mae e%ery effort to carry our normal business
operations. In the e%ent there is a shortage of staff, the company will restrict operations
to those essential for business continuity. Staff that fall ill will be re;uired to stay home.
Non puniti%e absentee policies will be in effect and the company will stand by
employees that fall sic. Ather employees may be temporarily reassigned to otherduties with ade;uate training. The entire focus will be on reco%ery with minimal
employee disruption.
a. 2mployee 6ea%e &olicy #uring 2mergency
#uring the crisis, epect absentee rates to be (4 to '4J abo%e normal.
Some employees may not ha%e lea%e left and may report for wor when
they are sic. This prolongs the crisis. Some may not ha%e lea%e but
ha%e to stay home to care for sic family. ?hate%er the cause, a policy
has to be in place during the acti%ation of the BC#$ plan. This policy
should clearly spell how the company will handle sicness and lea%e. It
should be communicated to all employees.
Insert company sicness and lea%e policy here.
b. ?or rom 3ome and leible ?oring 3ours
Page '
-
7/25/2019 Dr Template
37/54
In order to minimi9e contact with fellow employees, a wor from home or
fleible wor policy can be acti%ated during the emergency. Ance again
this has to be clearly articulated and communicated.
Insert the ?or from 3ome and leible ?oring 3ours policy here
c. Business Tra%el
* clear policy that details the business tra%el policy during the emergency
should be de%eloped.
Insert business tra%el policy here
d. Illness &rotocol
* protocol for employees calling in sic or those that become sic during
wor should be in place. This protocol must include the following at a
minimum
i. 2mployee calling in sic 5 company medical personnel or
super%isor should spea with person by phone.
ii.Compare employee symptoms with those that are issued by health
agencies. If the employee has symptoms, they should be ad%ised
to stay home and see medical ad%ice. If they do not ha%e the
symptoms of the infectious or communicable diseases, then they
should be ad%ised to call later. It is better to err on the side of
caution. They should be reassured that no puniti%e action will be
taen.
iii.If the employee falls sic during wor, they should be isolated and
gi%en medical attention. If re;uired to go home, they should be
ad%ised to a%oid public transportation. Tra%el assistance if possible
should be offered =de%elop policy according to your company
business needs>. #isinfecting wor station should be a part of the
policy.
i%.*d%ice all sic employees to follow guidelines issued by local
health agency.
Page '0
-
7/25/2019 Dr Template
38/54
%.Communicate with employee who is at home to reassure them.
%i.*s them to return to wor once they are cleared by medical
personnel.
b. &ersonnel Committee
*n empowered committee to de%elop emergency personnel policies and
their implementation should be constituted.
i. #irector &ersonnel
ii.1ember ! 5 policy matters
iii.1ember ( - training and reassignment
i%.1ember ' - tracing
%.1ember ) 5 temporary wor assignment
%i.1ember + 5 inter department coordination and liaison
%ii.1ember - other
"CDR Plan Deactivation
*n orderly deacti%ation of the plan is 8ust as important as acti%ation. The policies that
will be followed when transitioning bac to normal should be detailed in this section.
a. &lan #eacti%ation *nnouncement
1anagement should announce the end of the crisis. This is %ery
important as it will gi%e employees, customers, %endors and other
staeholders confidence that the company is bac on trac and the worst
is o%er.
b. Transition to Normal Aperations
The following should be considered and policies de%eloped
i. ?or assignments for staff =specially if some staff are yet to report
to wor>
ii.Transition from temporary assignments to regular assignments
Page '
-
7/25/2019 Dr Template
39/54
iii.SA& modifications if any
i%.$amp up schedule for hours of operation
%.$esponse documentation for fine tuning BC#$ plan
%i.Community outreach and appreciation
%ii.Ather
c. ormal end of emergency notification
d. *ssessment of BC#$ &lan &erformance
*s a part of the continuous impro%ement cur%e, an internal assessment
that re%iews plan performance is essential. * panned %ersus actual
analysis should be conducted and this will enable current plans to be
modified for the better.
Page '/
-
7/25/2019 Dr Template
40/54
Section 14 0 "CDR Plan for Data
Sec$rity "reac'
Cyber crime is on the rise. 3acers are continuously checing companyFs networsecurity to gain entry. Ance they ha%e secured entry, they either maliciously destroy or
steal data to be used fraudulently. ?hile many small companies do not ha%e in house
resources to ensure they are secure from attacs, e%en large companies are %ulnerable
=Target Corp Sonly Corp>. Theft of data is a real possibility and companies should be
prepared with a BC#$ plan to handle such a crisis.
There a few ey points to remember when it comes to security planning
! *wareness 5 now the system you ha%e and what data you are gathering and
why
( 1inimi9e 5 collect and retain only data that is needed 5 the less you collect theless you ha%e to protect
' &rotect it 5 ensure only authori9ed people ha%e access. 3ard copies should e
under loc and ey
) #isposal 5 establishment of proper data disposal procedures
+ &lanning 5 good planning impro%es security eponentially
Execti"e Management
This is the team that is in o%erall charge of efforts to de%elop, implement and eecute a
BC#$ plan. It is comprised mainly of senior managers.
6ist names and contact information of the following personnel here. *lso include their
area of responsibility
!. BC#$ plan coordinator
(. 1anager - 3uman $esources
'. 1anager - inancial
). 1anager 5 Technical and #ata Security
+. 1anager 5 Site and building security
. Ather 5 list names, contact information and area of responsibility
*lso discuss plan goals, $eco%ery &oint and $eco%ery Time Ab8ecti%es. 1anagement
should also communicate to employees in general, their support of the plan and
introduce %arious ey personnel who will be tased with continuity and reco%ery
operations.
Page )4
-
7/25/2019 Dr Template
41/54
+CD* Prpose and &%2ecti"es
The purpose of this plan is to de%elop sound data security procedures to pre%ent
breaches. In the e%ent breaches occur the BC#$ is a plan to minimi9e damage.
Technical Committee
The management committee should first form a technical committee. This committee
should be tased to re%iew all aspects of the networ 5 ?*N, 6*N, Security
&rocedures, #ata Security, #ata Bacup, &ersonnel, and Infrastructure. Ance this has
been completed, the recommendation for impro%ement should be con%eyed to the
management team. *ppro%ed changes should be implemented *S*&.
!. Technical Committee 6ead =name and contact information>
(. Team 1ember ! =name and contact information>
'. Team 1ember ( =name and contact information>
). Ather =input per local re;uirement>
Typically, committee members should be technical personnel who are nowledgeable in
IT security issues. If in house epertise is not a%ailable, the committee should be
authori9ed to secure assistance from consultants. The re%iew should include at a
minimum
! In%entory 5 all destops, laptops, mobiles, home systems, digital copies and
scanners should be in%entoried to determine what types of data are stored. If
data is stored on these de%ices, what is the le%el of protection in case of loss or
theft Is the data password protected or encrypted
( 3ard copies of information 5 what is the system in place for sensiti%e data stored
on hard copies. Is it ept under loc and ey at all times. #o authori9ed people
only ha%e access to this #etermine security of disposal procedures.
' Ather sensiti%e data 5 data gathered from your website, call centers, through
employees, 3$ department can all be potentially sensiti%e and should be
secured. ?hat are the procedures in place for that
) Sources of #ata 5 it is important to now the sources of data coming into a
business. The le%el of security re;uired for each type and source of data is also
re;uired.
+ #ata collection points 5 where in the business process is each type of data
collected. ?hat are the security measures in place at each point.
Page )!
-
7/25/2019 Dr Template
42/54
Ance data is gathered 5 how is it stored If it is first gathered in hard copies 5
how is it transferred
0 2stablish who has access to data at each collection point.
&hysical security of data 5 in%entory all physical data and the security procedures
established
/ 2lectronic security of data
o Thorough re%iew of networ infrastructure and points of %ulnerability
o #etermine security procedures
o Identify connecti%ity to de%ices that store sensiti%e information. #etermine
security procedures and assess %ulnerabilities
o #etermine if sensiti%e data is encrypted 5 what encryption protocols are
used
o ?hat anti-%irus measures are in place *re they updated regularly
o *n employee downloading unauthori9ed software is a ma8or security
threat. ?hat measures are in place to manage this
o ?hat Aperating Systems are being used *re they updated regularly and
security patches up to date
o Thoroughly re%iew all web applications and determine their security. 3eyare commonly the targets of hacing.
o 1anagement of passwords 5 this is a particularly difficult tas because
employees can be %ery la. Constant training, re;uirement of a le%el of
pass word difficulty and regular changing will impro%e security.
o &assword acti%ated screen sa%ers after a period of inacti%ity is a %ery
basic security feature that should be implemented company wide.
o Conduct regular employee training to warn them about security riss
o #etermine who is using laptops and their need to do so. *lso determine if
each of these laptops are password secured or data encrypted. 6oss ortheft of laptops is a %ery common security breach.
o ?ireless and remote access these are fre;uent security wea points.
6imiting the number of de%ices that can connect to them is a good idea.
Ance the technical committee has done a end to end re%iew of all security aspects of
the business, a report to management with recommendations should be prepared.
Page )(
-
7/25/2019 Dr Template
43/54
Ance management appro%es, recommendations should be incorporated epeditiously.
Small and medium si9e business oftentimes does not ha%e in house epertise to
thoroughly analy9e potential %ulnerabilities. Securing the assistance of an epert
consultant should be considered. This upfront epense is far cheaper than dealing with
a security breach.
Plan Assmptions
2%ery disaster will be different and no amount of planning can epect to co%er all
e%entualities. 3owe%er, plans tailored to specific situations =e%en without all details
nown> can be de%eloped. Some assumptions will ha%e to be made. These should be
listed as a part of the o%erall plan.
Some assumptions of a generic nature are gi%en below. Businesses should re%ise
these and add per their own set of circumstances
!. #ata security breach will not re;uire mo%ing personnel to a different site
(. Since in house epertise is a%ailable no outside %endor will be used. If in house
epertise is not a%ailable then the ser%ices of the following consultants will be
used
a. Consultant !7consulting company ! =name and contact information>
b. Consultant (7consulting company ( =name and contact information>
c. *dd per business re;uirement
'. *ll members of the IT department will be a part of the plan eecution
). *ll product and software re;uirements during the eecution of the BC#$ plan will
be fulfilled by one of the following:
d. Gendor ! =name and contact information>
e. Gendor ( =name and contact information>
f. *dd per business re;uirement
+. Ather 5 add to this list per business re;uirements
Page )'
-
7/25/2019 Dr Template
44/54
Plan Activation an% otication
!. Plan Acti"ation
The acti%ation of the entire plan or a part of te plan depends on a %ariety of
factors. 2ach business should e%aluate their situation and act accordingly. orthe plan to be acti%ated the any one of the following should be met:
a. Business website has been haced
b. Sensiti%e data has been compromised
c. Sensiti%e storage infrastructure has been compromised or stolen
d. 6aptop or other de%ice with sensiti%e data has been stolen or lost
e. Ather 5 per business re;uirement
(. Plan Acti"ation Athorit#
The following people has the authority to acti%ate the plan. The authority will be
in descending order and if unable to acti%ate, authority passes down the list
f. Name and title of BC#$ acti%ation authority
g. Name and title of alternate !
h. Name and title of alternate (
i. Ather per business re;uirement
'. Notification
Breach of data security is serious and affects se%eral people 5 employees,
management, customers. Therefore a plan to notify each group is essential.
?hile a general message notifying all staeholders may be enough initially, tailor
made messages for each group will be more effecti%e
8. *ll employees message
=Insert message per business re;uirement>
Page ))
-
7/25/2019 Dr Template
45/54
Sample message =edit per your business situation>: The BC#$ plan for a
breach of data security has been acti%ated. The plan was acti%ated due to
=gi%e reason>. ?e will eep you informed by =name mode of information 5
tet, email, %ideo, website announcement, etc> e%ery hour on the hour
unless circumstances pre%ent us. Hou are instructed to =gi%e instructions
here 5 do not use company laptop till it is checed by an epert etc>. Callthe following number that has been established for more information and
instructions.
. BC#$ Team
=Insert message per business re;uirement>
Sample message =edit per your business situation>: The BC#$ plan for a
breach of data security has been acti%ated. $eport for your assignments
per the BC#$ plan. In case you need to refer to the plan, it can be
obtained securely at =name source 5 cloud, website etc>. Hou should call
the falling number =gi%e number> immediately and chec in. *ll lea%e and
%acations ha%e been cancelled.
l. Customers
=Insert message per your business re;uirement>
Sample message =edit per your business situation>: #ear =name> 5 this isto inform you we ha%e acti%ated our BC#$ plan for a breach of data
security. ?e are woring urgently to secure our data and systems to
minimi9e further issues. &lease be assured we tae this situation %ery
seriously and will eep you updated periodically by =tet, email, %ideo,
public announcements, press conferences etc>. ?e ha%e set up a hotline
=number> to answer any ;uestions you may ha%e. ?e re;uest your
patience and we wor to resol%e this situation.
m. Gendors
=Insert message per your business re;uirement>
Sample message =edit per your business situation>: #ear =name> 5 this is
to inform you we ha%e acti%ated our BC#$ plan for a breach of data
security. ?e are woring urgently to secure our data and systems to
minimi9e further issues. &lease be assured we tae this situation %ery
Page )+
-
7/25/2019 Dr Template
46/54
seriously and will eep you updated periodically by =tet, email, %ideo,
public announcements, press conferences etc>. ?e ha%e set up a hotline
=number> to answer any ;uestions you may ha%e. ?e re;uest your
patience and we wor to resol%e this situation. Ane of our specialists will
contact you shortly.
n. Ather
=Insert message her per your re;uirements>
Athorit# and Command
The following will be *uthority and command structure during a data security breach
!> BC#$ $esponse Argani9ation and Command Structure
The following is the organi9ation and command structure for the response to a
breach of data security. *ll or parts may be acti%ated or mdified during this
emergency.
(. $esponse 1anagement
Ance the BC#$ plan for a data security breach has been acti%ated, the incident
commander will be =Name, Title, Contact Information of Commander>. In case he
or she cannot assume command, the following are authori9ed to assume
command in descending order
a. *lternate ! =name, title and contact number>
b. *lternate ( =name, title and contact number>
c. *lternate ' =name, title and contact number>
d. Ather 5 add name per re;uirement
If the first alternate is unable to tae command, the command mo%es to the net
person on the list. Dnable to tae command is defined below. It is ad%isable to
carefully consider who is capable of leading during emergency 5 especially non
managerial employees. They should ha%e leadership ;ualities and ha%e the
Page )
-
7/25/2019 Dr Template
47/54
respect of their colleagues.
a. Not able to command due to physical limitations, death or geographic
location
b. Dnable to contact within =hours>c. *lternate has been assigned other duties
d. Ather =insert per business re;uirement>
Sit$ational Analysis
!. Mission $tatement
This BC#$ pans mission is to systematically handle a data security breach while
disseminating information to all staeholders.
(. +CD* Plan !mplementation
*ny BC#$ plan is only as good as its implementation. In order to achie%e this,
the plan must meet the ob8ecti%es of business continuity and reco%ery. Input of
%arious parts of a business is important to ensure that the plan is well rounded
and acceptable to all employees. &lans de%eloped with employee input generally
are the best. * top down plan, where upper management de%elops the plan and
foists it on employees usually fails during eecution.
a. Status of #ata &rotection
Enowledge of the current trends in data protection is %ital to ensuring that
data will be secure and not %ulnerable to hacing. To do this, it is prudent
to ha%e multiple sources of information that describe and detail %arious
ad%ances in data protection. Sources that will be used are
i. Information Source !
ii.Information Source (iii.Ather
b. Customers
If a business has acti%ated a BC#$ plan due to a security breach, it is
natural for customers to be concerned if their personal data has been
Page )0
-
7/25/2019 Dr Template
48/54
compromised. This may cause a change in customer beha%ior and may
substantially affect re%enue flow. Therefore any plan should ha%e steps in
place to handle these reactions. or eample, business that ha%e
suffered data security breaches ha%e offered their customers free data
monitoring for a year. In addition they ha%e offered monetary
compensation. 2ach business is different and each is urged to thinthrough steps that are needed to ensure customers remain loyal
c. Gendors
Gendor data is 8ust as important as customer data. If %endor data is
compromised, it may affect %endor operations and oftentimes may spill
o%er to their operations. It is important to retain %endor confidence to
ensure they will continue supplying you. Company personnel should e
assigned to the tas of contacting all ma8or %endors as soon as possible
once the BC#$ plan is acti%ated. &roacti%e communication indicates the
business taes protection of %endor information seriously and will mae
them more liely to continue the relationship. The following is a list of the
%endors in descending order of importance:
i. Gendor Name, Contact Information, Ser%ice &ro%ided
ii.Gendor Name, Contact Information, Ser%ice &ro%ided
iii.Gendor Name, Contact Information, Ser%ice &ro%ided
d. Business Aperations
6oss of data or the possibility data may be contaminated may lead to
curtailing of business operations. *ll businesses should pre-determine
what critical business functions are and de%elop steps to handle them.
i. Critical Business Aperation ! 5 name, department, minimum staff
needed
ii.Critical Business Aperation ( 5 name, department, minimum staff
needed
iii.Critical Business Aperation ' 5 name, department, minimum staff
needed
i%.Ather 5 add per business re;uirement
%.Non critical business operations that can be curtailed during plan
Page )
-
7/25/2019 Dr Template
49/54
acti%ation are
! Non Critical Aperation ! - Name, department
( Non Critical Aperation ( - Name, department
' Ather 5 add per business re;uirement
e. Staffing &lan
The BC#$ should ha%e a staffing plan when acti%ated. Staff duties may
ha%e to be rearranged during this period. 6ist functions, staff strength and
assumptions in this section.
Commnications
a. Staeholders
#uring disasters, communications are critical in ensuring smooth handling
of the disaster. Communications to %arious staeholders will be different
and the manner and mode of communications %ary. It is important to
ensure, the entire business speas with one %oice and therefore it is
prudent to assign an empowered committee to channel communications
through. The staeholders are:
i. 2mployees
ii.Customers
iii.Gendors
i%.Ather 5 specify per local re;uirement
b. 2mpowered Communications Committee
The following employees are assigned to the committee through whom all
communication will be routed.
i. #irector of Communications =Chair of committee>
ii.1ember ! =name title>
iii.1ember ( =name title>
i%.1ember ( =name title>
Page )/
-
7/25/2019 Dr Template
50/54
%.Ather per local business re;uirements
b. 1essaging
The content of message to each group of staeholders can be
predetermined because it is a initial message informing that the BC#$
plan has been acti%ated. *fter the initial message goes out, the net batch
of messages can be crafted to meet needs.
i. 2mployees
Sample message =edit to suit business needs>
The company has acti%ated the BC#$ plan for data security breach
with effect from =date and time>. This message is to inform you of
the acti%ation of the plan. The company places a %ery high %alueon eeping employees informed as time progresses. * follow-up
message will be sent shortly informing you of the actions the
company will be taing and the role and actions we epect you to
tae. ?e will be establishing a hotline before the close of business
today.
ii.Customers
Sample message =edit to suit business needs>
The company has acti%ated the BC#$ plan for data security breachwith effect from =date and time>. This message is to inform you of
the acti%ation of the plan. The company places a %ery high %alue
on eeping our %alued customers informed as time progresses. *
follow-up message will be sent shortly informing you of the actions
the company will be taing to ensure the effect on our customers is
ept to a minimum. * company representati%e will be made
a%ailable to assist you. ?e appreciate your understanding and
patience as we resol%e the situation
iii.GendorsThe company has acti%ated the BC#$ plan for data security breach
with effect from =date and time>. This message is to inform you of
the acti%ation of the plan. The company places a %ery high %alue
on eeping our %alued %endors informed as time progresses. *
follow-up message will be sent shortly informing you of the actions
the company will be taing to ensure the effect on our %endors is
Page +4
-
7/25/2019 Dr Template
51/54
ept to a minimum. * company representati%e assigned to assist
you will be contacting you shortly. ?e appreciate your
understanding and patience as we resol%e the situation.
i%.Ather
*dd message per business re;uirements
f. #issemination of Information
Information will be disseminated per the following modes
i. &hones 5 hot line =internal and eternal 5 gi%e numbers here>, tet,
%oice mail, recorded messages, call tree, call centers.
ii.2lectronic 5 email, website messaging =gi%e D$6>, online chat
iii.&ersonal 5 press conference, meetings, town halls meetings, etc
i%.1edia 5 TG, $adio, Newspaper, &ress $eleases and Conferences
%.Ather 5 insert per local business re;uirement
g. Drgent Communi;u#etermine what modes will be used to communicate urgent messages to
each group of stae holders
2ample - 2mployees 5 by phone tree
c. $egular Dpdates
2ample 5 2mployees 5 website updates
Page +!
-
7/25/2019 Dr Template
52/54
Personnel
#uring crisis, employees may be re;uired to carry out duties in new areas and support
other departments. In this section add all personnel policies that will be in effect.
$emember, e%en during emergencies, all policies should adhere to pre%ailing federal,
state and local laws. * committee that o%ersees issues regarding personnel should beconstituted. Tae 3$7legal ad%ice to ensure compliance.
a. &ersonnel Committee
i. #irector &ersonnel
ii.1ember ! 5 policy matters
iii.1ember ( 5 training and reassignment
i%.1ember ' 5 tracing
%.1ember ) 5 temporary wor assignment%i.1ember + inter departmental coordination and liaison
%ii.Ather 5 add per business re;uirement
+CD* Plan Deacti"ation
*n orderly deacti%ation of the plan is 8ust as important as acti%ation. The policies that
will be followed when transitioning bac to normal should be detailed in this section.
a. &lan #eacti%ation *nnouncement
1anagement should announce the end of the crisis. This is %ery
important as it will gi%e employees, customers, %endors and other
staeholders confidence that the company is bac on trac and the worst
is o%er.
b. Transition to Normal Aperations
The following should be considered and policies de%eloped
i. ?or assignments for staff =specially if some staff are yet to report
to wor>
ii.Transition from temporary assignments to regular assignments
iii.SA& modifications if any
Page +(
-
7/25/2019 Dr Template
53/54
i%.$amp up schedule for hours of operation
%.$esponse documentation for fine tuning BC#$ plan
%i.Ather
c. ormal end of emergency notification
d. *ssessment of BC#$ &lan &erformance
*s a part of the continuous impro%ement cur%e, an internal assessment
that re%iews plan performance is essential. * panned %ersus actual
analysis should be conducted and this will enable current plans to be
modified for the better.
Page +'
-
7/25/2019 Dr Template
54/54
Section 1! - Recor% of Plan C'anes
Eeep your plan current. Eeep records of changes to your configuration, your applications, and
your bacup schedules and procedures.