Dr Template

7/25/2019 Dr Template

1/54

Disaster Recovery

PlanTemplate

Notice: Copyright Stay In Business.com - Stay In Business is the legal owner of the template. This may be used

only by the purchaser for business purposes only. The template may not be sold, shared, copied or transmitted to

any third party without the written epressed consent of Stay In Business.


2/54

Table of ContentsSection ! - "oals of a #isaster $eco%ery &lan.................................................................'

Section ( - &ersonnel........................................................................................................)Section ' - *pplication &rofile............................................................................................+

Section ) - In%entory &rofile..............................................................................................

Section + - Information Ser%ices Bacup &rocedures.......................................................

Section - #isaster $eco%ery &rocedures......................................................................./

#isaster *ction Checlist.............................................................................................../

Section 0- $eco%ery &lan-1obile Site.............................................................................!'

1obile site setup plan..................................................................................................!)

#isaster &lan for Communications...............................................................................!)

2lectrical ser%ice..........................................................................................................!)

Section - $eco%ery &lan - 3ot Site...............................................................................!+

3ot-site system configuration.......................................................................................!

3ot-site solutions..........................................................................................................!

Section / - $estoring the 2ntire System.........................................................................!0

Section !4 - $ebuilding &rocess.....................................................................................!

Section !! - Testing the #isaster $eco%ery &lan............................................................!/

Conducting a $eco%ery Test 5 Chec 6ist...................................................................!/

*reas to be Tested 5 Chec 6ist..................................................................................(4

Section !( - #isaster Site $ebuilding..............................................................................((

Section !' 5 Infectious7Communicable #iseases &lan...................................................()

Situational *nalysis......................................................................................................'4

BC#$ &lan #eacti%ation..............................................................................................'

Section !) 5 BC#$ &lan for #ata Security Breach.........................................................)4

&lan *cti%ation and Notification....................................................................................))

Situational *nalysis......................................................................................................)0

&ersonnel.....................................................................................................................+(

Section !+ - $ecord of &lan Changes.............................................................................+)

Page (


3/54

Section 1 - Goals of a Disaster

Recovery Plan

The ma8or goals of a disaster reco%ery plan are:

1inimi9e interruptions to normal operations.

6imit the etent of disruption and damage.

1inimi9e the economic impact of the interruption.

2stablish alternati%e means of operation in ad%ance.

Train employees, networ engineers and managers on emergency procedures.

Smooth and rapid restoration of ser%ice.

Constant re%iew of re;uently *sed


4/54

Section 2 - Personnel

The following is a list of all IT personnel who are in%ol%ed with information technology

aspects. This list should be updated fre;uently.

Data Processing Personnel

Name Position Email Address Telephone

Note:*ttach a copy of your organi9ation chart to this section of the plan.

Page )


5/54

Section 3 - Application Prole

This is a list of all application personnel who are in%ol%ed with payroll, accounts

payable7recie%able, orders etc.

Application profile

Application Name Critical?

Yes/No

Fixed

Asset?

Yes/No

Manfactrer Comments

Comment legend:

!.$uns daily.

(.$uns weely on @@@@@@@@.

'.$uns bi weely on @@@@@@ and @@@@@@

).$uns monthly on @@@@@@@@.

+.Ather @@@@@@@@@@@@@@@

Page +


6/54

Section 4 - nventory Prole

This is a list of physical in%entory that in%ol%es your 6*N ?*N and other importante;uipment. This list should be updated fre;uently and should include all components of

your networ and other business acti%ity.

This list should include the following:

!. &rocessing units

(. #is units

'. 1odels

). ?orstation controllers

+. &ersonal computers. Spare worstations

0. Telephones

. *ir conditioner or heater

/. System printer

!4. Tape and disette units

!!. Controllers

!(. I7A processors

!'. "eneral data communication

!). Spare displays

!+. $acs

!. 3umidifier or dehumidifier

!0. &ower "enerator

!. 1anufacturing e;uipment

!/. Affice e;uipment

(4. 1iscellaneous in%entory

Page


7/54

!n"entor# Profile

Manfactrer Description Model $erial

Nm%er

&'n or

(eased

Cost

Note:This list should be audited e%ery @@@@@@@@ months

Miscellaneos !n"entor#

Description )antit# Comments

Note:This list should include all e;uipment and miscellaneous items that are crucial to restarting

operations

Page 0


8/54

Section ! - nformation Services

"ac#$p Proce%$res

! Ser%er

#aily, 8ournal recei%ers are changed at @@@@@@@@@@@ and at @@@@@@@@@@@.

#aily, a sa%e of changed ob8ects in the following libraries and directories is

done at @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

!. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

(. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

'. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

). @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

+. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

0. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

This procedure also sa%es the 8ournals and 8ournal recei%ers.

! An @@@@@@@@ =day> at @@@@@@@@ =time> a complete sa%e of the system isdone

( *ll sa%ed media is stored off-site in a %ault at @@@@@@@@ =location>

' &ersonal Computer

) It is recommended that all personal computers be baced up. Copies of the

personal computer files should be uploaded to the ser%er on @@@@@@@@ =date>

at @@@@@@@@ =time>, 8ust before a complete sa%e of the system is done. It is

then sa%ed with the normal system sa%e procedure. This pro%ides for a more

secure bacup of personal computer-related systems where a local area

disaster could wipeout important personal computer systems.

Page


9/54

Section & - Disaster Recovery

Proce%$res

or any disaster reco%ery plan, the following three elements should be addressed:

Emergenc# *esponse Procedres:To document the appropriate emergency

response to a fire, natural disaster, or any other calamity in order to protect li%es

and limit damage.

+ac,p &perations Procedres:To ensure that essential data processing

operational tass can be conducted after the disruption.

*eco"er# Actions Procedres:To facilitate the rapid restoration of a data

processing system following a disaster.

Disaster Action C'ec#list

A- Plan !nitiation

Notify Senior 1anagement

Contact and setup the disaster reco%ery team

#etermine degree of disaster

Implement proper application reco%ery plan dependent on etent

of disaster =see Section 0. $eco%ery plan--mobile site>

1onitor progress

Contact bacup site and establish schedules

Contact all other necessary personnel

Contact %endors 5 all %endors that are critical to resuming operations

should be contacted

Notify employees of the disruption of ser%ice

Page /


10/54

$enior Management

Name Position Address Telephone

Page !4


11/54

+- Follo'.p Chec,list

6ist teams and tass of each team and indi%idual

Abtain emergency cash and setup transportation to and from the bacup

site, if necessary

Setup li%ing ;uarters, if necessary

Setup eating establishments, as re;uired

6ist all personnel and their telephone numbers

2stablish user participation plan

Setup the deli%ery and the receipt of mail

2stablish emergency office supplies

$ent or purchase e;uipment, as needed

#etermine applications to be run and in what se;uence

Identify number of worstations needed

Chec out any off-line e;uipment needs for each application

Chec on forms needed for each application

Chec all data being taen to the bacup site before lea%ing and lea%e anin%entory profile at a home location

Setup primary %endors for assistance with problems incurred during

emergency

&lan for transportation of any additional items needed at the bacup site

Tae directions to bacup site

Chec for additional magnetic tapes, if re;uired

Tae copies of system and operational documentation and procedural

manuals.

2nsure that all personnel in%ol%ed now their tass

Notify insurance companies

Page !!


12/54

*eco"er# $tart.p Procedres for se After a Disaster

!. Notify =name of company and indi%idual> of #isaster $eco%ery Ser%ices of the

need to utili9e ser%ice and of reco%ery plan selection.

Note:"uaranteed deli%ery time countdown begins at the time =name of company

and indi%idual> is notified of reco%ery plan selection.

#isaster notification numbers =phone number of #$ site> or =alternate

number>. These telephone numbers are in ser%ice from @@@@@@@@ am7pm

until @@@@@@@@ am7pm 1onday through riday.

(. #isaster notification number =after hours number>

This telephone number is in ser%ice for disaster notification after business hours,

on weeends, and during holidays. &lease use this number only for the

notification of the actual disaster.

'. &ro%ide =name> with an e;uipment deli%ery site address =when applicable>, a

contact, and an alternate contact for coordinating ser%ice and telephone numbers

at which contacts can be reached () hours a day.

). Contact power and telephone ser%ice suppliers and schedule any necessary

ser%ice connections.

+. Notify =name of #$ Coordinator> immediately if any related plans should change

.

Page !(


13/54

Section (- Recovery Plan-)obile Site

!. Notify =name> of the nature of the disaster and the need to select the mobile site

plan.

(. Confirm in writing the substance of the telephone notification to =name> within )

hours of the telephone notification.

'. Confirm all needed bacup media are a%ailable to load the bacup machine.

). &repare a purchase order to co%er the use of bacup e;uipment.

+. Notify =name> of plans for a trailer and its placement =6ocation 5 address and

eact site>. =See the 1obile site setup plan in this section>.

. #epending on communication needs, notify telephone company =name and

number of Telephone Company or representati%e> of possible emergency line

changes.

0. Begin setting up power and communications at =bac up site address>.

&ower and communications are prearranged to hoo into when trailer

arri%es.

*t the point where telephone lines come into the building =mar entry point>,

brea the current linage to the administration controllers =mar point>.

These lines are rerouted to lines going to the mobile site. They are lined to

modems at the mobile site. The lines currently going from =begin point to

end point would then be lined to the mobile unit %ia modems.

This could concei%ably re;uire =company name> to redirect lines at

=address> comple to a more secure area in case of disaster.

. ?hen the trailer arri%es, plug into power and do necessary checs.

/. &lug into the communications lines and do necessary checs.

!4.Begin loading system from bacups =see Section /. $estoring the 2ntire

System>.

!!. Begin normal operations as soon as possible

#aily 8obs

#aily sa%es

?eely sa%es

Page !'


14/54

!(.&lan a schedule to bacup the system in order to restore on a home-base

computer when a site is a%ailable. =Dse regular system bacup procedures>.

!'.Secure mobile site and distribute eys as re;uired.

!).Eeep a maintenance log on mobile e;uipment.

!+.Eeep log on people, eys, e;uipment etc at #$ site

)obile site set$p plan

*ttach the mobile site setup plan here.

Disaster Plan for Comm$nications

*ttach the communication disaster plan, including the wiring diagrams.

*lectrical service

*ttach the electrical ser%ice diagram here.

Page !)


15/54

Section + - Recovery Plan - ,ot Site

The disaster reco%ery ser%ice pro%ides an alternate hot site. The site has a bacup

system for temporary use while the home site is being reestablished.

Notify =name of contact and name of company> of the nature of the disaster and

of its desire for a hot site.

$e;uest air shipment of modems to =address> for communications. =See =name

and contact of person in charge> for communications for the hot site.>.

Confirm in writing the telephone notification to =name of company and contact>

within ) hours of the telephone notification.

Begin maing necessary tra%el arrangements to the site for the operations team.

Confirm that all needed tapes are a%ailable and paced for shipment to restoreon the bacup system.

&repare a purchase order to co%er the use of the bacup system.

$e%iew the checlist for all necessary materials before departing to the hot site.

1ae sure that the disaster reco%ery team at the disaster site has the necessary

information to begin restoring the site. =See Section !( - #isaster Site

$ebuilding>.

&ro%ide for tra%el epenses =cash ad%ance>.

*fter arri%ing at the hot site, contact home base to establish communications

procedures.

$e%iew materials brought to the hot site for completeness.

Begin loading the system from the sa%e tapes.

Begin normal operations as soon as possible

a. #aily 8obs

b. #aily sa%es

c. ?eely sa%es

!. &lan the schedule to bacup the hot-site system in order to restore on the home-

base computer.

Page !+


16/54

,ot-site system con$ration

*ttach the hot-site system configuration here.

,ot-site sol$tions

at&ipe Networs has de%eloped a host of products that ensure the highest le%el of?*N reliability, redundancy, and maimum bandwidth for disaster reco%ery planning,

including data mirroring and remote storage. *s the in%entor and multiple patents holder

of $outer Clustering technology -- which aggregates multiple data lines from the same

or separate IS&s -- at&ipe pro%ides dynamic, intelligent and automatic failo%er of

downed ?*N connections.

at&ipe Networs also maes a%ailable se%eral other solutions for corporations that are

implementing or wanting to enhance their current disaster reco%er7continuity plans.

at&ipe offers dual power supply units for power bacup and auto-failo%er units. The

failo%er unit can be placed at the customer premise or at a remote location, such as a

remote storage site or disaster reco%ery site.

In addition, at&ipe pro%ides site load balancing capabilities, where traffic can be

shared between one or more remote site units utili9ing all lines a%ailable at each

location. This is used when inbound connecti%ity to Internet accessible ser%ers is

critical. This technology utili9es at&ipeFs Site 6oad Balancing feature. The ser%ers

located in geographically separate locations can ha%e identical or similar information in

two or more locations. or more information www.fatpipeinc.com

Page !


17/54

Section . - Restorin t'e *ntire

System

To get your system bac to the way it was before the disaster, use the procedures onreco%ering after a complete system loss in the Bacup and $eco%ery section .

Before You Begin:ind the following tapes, e;uipment, and information from the on-

site tape %ault or the off-site storage location:

!. If you install from the alternate installation de%ice, you need both your tape media

and the C#-$A1 media containing the 6icensed Internal Code.

(. *ll tapes from the most recent complete sa%e operation

a. The most recent tapes from sa%ing security data =S*GS2C#T* or

S*GSHS>

'. The most recent tapes from sa%ing your configuration, if necessary

b. *ll tapes containing 8ournals and 8ournal recei%ers sa%ed since the most

recent daily sa%e operation

). *ll tapes from the most recent daily sa%e operation

c. &T list =stored with the most recent complete sa%e tapes, weely sa%e

tapes, or both>

+. Tape list from most recent complete sa%e operation

. Tape list from most recent weely sa%e operation0. Tape list from daily sa%es

. 3istory log from the most recent complete sa%e operation

/. 3istory log from the most recent weely sa%e operation

!4.3istory log from the daily sa%e operations

!!. The Software Installationboo

!(.The Backup and Recoveryboo

!'.1odem manual

!).Tool it

Page !0


18/54

Section 1/ - Reb$il%in Process

The management team must assess the damage and begin the reconstruction of a new

data center. If the original site must be restored or replaced, the following are some of

the factors to consider:

!. ?hat is the pro8ected a%ailability of all needed computer e;uipment

(. ?ill it be more effecti%e and efficient to upgrade the computer systems with

newer e;uipment

'. ?hat is the estimated time needed for repairs or construction of the data site

). Is there an alternati%e site that more readily could be upgraded for computer

purposes

Ance the decision to rebuild the data center has been made, go to Section !( - #isaster

Site $ebuilding.

Page !


19/54

Section 11 - Testin t'e Disaster

Recovery Plan

In successful contingency planning, it is important to test and e%aluate the planregularly. #ata processing operations are %olatile in nature, resulting in fre;uent

changes to e;uipment, programs, and documentation. These actions mae it critical to

consider the plan as a changing document. Dse this checlist as you conduct your test

and decide what areas should be tested:

Con%$ctin a Recovery Test 0 C'ec# ist

!tem Yes No Applica%leNot

Applica%leComments

Select the purpose of the test. ?hat aspects

of the plan are being e%aluated

#escribe the ob8ecti%es of the test. 3ow will

you measure successful achie%ement of the

ob8ecti%es

1eet with management and eplain the test

and ob8ecti%es. "ain their agreement and

support.

3a%e management announce the test and

the epected completion time.

Collect test results at the end of the testperiod.

2%aluate results. ?as reco%ery successful

?hy or why not

#etermine the implications of the test

results. #oes successful reco%ery in a

simple case imply successful reco%ery for all

critical 8obs in the tolerable outage period

1ae recommendations for changes. Call

for responses by a gi%en date.Notify other areas of results. Include users

and auditors.

Change the disaster reco%ery plan manual

as necessary.

Page !/


20/54

Areas to be Teste% 0 C'ec# ist

!tem Yes No Applica%le

Not

Applica%le Comments

$eco%ery of indi%idual application systems

by using files and documentation stored off-site.

$eloading of system tapes and performing

an I&6 by using files and documentation

stored off-site.

*bility to process on a different computer.

*bility of management to determine priority

of systems with limited processing.

*bility to reco%er and process successfully

without ey people.*bility of the plan to clarify areas of

responsibility and the chain of command.

2ffecti%eness of security measures and

security bypass procedures during the

reco%ery period.

*bility to accomplish emergency e%acuation

and basic first-aid responses.

*bility of users of real-time systems to cope

with a temporary loss of on-line information.

*bility of users to continue day-to-day

operations without applications or 8obs that

are considered not critical.

*bility to contact ey people or their

designated alternates ;uicly.

*bility of data entry personnel to pro%ide the

input to critical systems by using alternate

sites and different input media.

*%ailability of peripheral e;uipment and

processing, such as printers and scanners.*%ailability of support e;uipment, such as air

conditioners and dehumidifiers.

*%ailability of support: supplies,

transportation, and communication.

Page (4


21/54

#istribution of output produced at the

reco%ery site.

*%ailability of important forms and paper

stoc.

*bility to adapt plan to lessen disasters.

Page (!


22/54

Section 12 - Disaster Site Reb$il%in

!. loor plan of data center 5 distribute to ey employees

(. #etermine current hardware needs and possible alternati%es. =See Section ) -In%entory profile>.

a. #ata center s;uare footage, power re;uirements and security

re;uirements.

b. *rea =s;uare feet>

c. &ower re;uirements =describe>

d. Security re;uirements: loced area, preferably with combination loc on

one door 5 establish procedures: ey employee responsible, access

restrictions, loced areas. *ccess to loced areas, CCTG, monitoring

e. loor-to-ceiling studding

f. #etectors for high temperature, water, smoe, fire and motion 5 ey

employee responsible and initial safety chec to determine if all safety

systems are woring and in place.

g. $aised floor

Page ((


23/54

Floor plan

Include a copy of the proposed floor plan here.

0endors

0endors . Include %endor information here.

Compan# Name Contact Address Telephone

Page ('


24/54

Section 13 0

nfectio$sComm$nicable Diseases

Plan$ecent e%ents such as the 2bola outbrea ha%e made it imperati%e for companies to

start thining about policies and procedures in case an employee is infected. or

companies that ha%e employees that tra%el - a well thought out plan is essential.

2ach business is different. The following gi%es a guideline of the elements of a BC#$

plan. 2ach business should modify this to suit needs.

Execti"e Management

6ist names and contact information of the following personnel here. *lso include their

area of responsibility

!. BC#$ plan coordinator

(. 1anager - 3uman $esources

'. 1anager - inancial

). 1anager 5 6egal

+. 1anager 5 Technical and #ata Security

. 1anager 5 Site and building security

0. 1anager 5 Industrial 3ealth and Safety

. Ather 5 list names, contact information and area of responsibility

*lso discuss plan goals, $eco%ery &oint and $eco%ery Time Ab8ecti%es. 1anagement

should also communicate to employees in general, their support of the plan and

introduce %arious ey personnel who will be tased with continuity and reco%ery

operations.

1- Plan &%2ecti"es

The aim of this plan is to allow =company name> to respond effecti%ely in a safe

manner and reco%ery from an Infectious7Communicable disease outbrea. The

main ob8ecti%es are:

$educe eposure and transmission among employees

2nsure essential ser%ices and operations are maintained

$educe economic impact

Ather 5 list any other ob8ecti%es rele%ant to your organi9ation

Page ()


25/54

(. $pporting Plans and *esorces

6ist any other plans that support your plans 5 for eample county or city plans.

'. &"er"ie'

6ist an o%er%iew of the Infectious7Communicable disease that you are writing the

plan for. The description should ideally include a history of the disease in

;uestion and include the following:

#escription of the Infectious7Communicable disease

Its pre%alence locally and globally

&rognosis of an infected person

Treatment options

Current go%ernment directi%es if any

&recautions to pre%ent infection

International considerations 5 where outbreas are and local intelligence

gathered. *lso, determine if any employees ha%e tra%elled to these areas

and ensure they are safe and are not the cause of an outbrea among

employees

Ather rele%ant information

3- Cit#4 Cont#4 $tate and National 5ealth Agenc# 6 *oles and Assistance

#etermine all public agencies that may play a part in case of an

Infectious7Communicable disease outbrea at your company

Contact agencies and determine who will be the point person at the

agency during outbreas 5 gather and record contact information

*ll local and state ordinances and laws should be understood. Hour

BC#$ plan should not %iolate these.

Sharing your plan with agencies and asing for their opinion is a good way

to fine tune plans 5 de%elop personal relationships #epending on 8urisdiction, one or more than one agency will be the

coordinating agency.

They can mae public recommendations regarding interactions with your

business

Page (+


26/54

They will ha%e the power to enforce %arious ordinances to ensure

outbreas are contained. These include protecti%e gear and isolation

orders

1edical 5 they can assist with all health and health safety issues.

+. Planning Assmptions

Se%eral assumptions ha%e to be made when de%eloping these plans. rom the

etent of the outbrea to its se%erity to personnel, reasonable assumptions ha%e

to be made. 3owe%er, assumptions made should be listed and rationale gi%en if

applicable. Some of the assumptions that should be considered are

#uration of outbrea

This assumption can be made depending on the disease. Since mostdisease life phases are nown, reasonable assumptions can be made.

&re%ention and Treatment

&ublic health agencies or departments can be %ery useful in determining

the best course of action.

Staff 1ae a reasonable assumption about the number of staff that could

be infected. This will determine staff a%ailability for %ital and critical

functions.

Gendors and Autside Ser%ice &ro%iders

* list of %endors and contact information should be de%eloped for %arious ser%ices and

products. $emember to determine lead times needed for each.

Plan Acti"ation and Notification

!. Plan Acti"ation

The acti%ation of the entire plan or only a part are dependent on a %ariety of

factors. I any or all of the following are met the plan should be acti%ated.

a. *ny public health agency issues an alert or warning in the same general

area as the business.

Page (


27/54

b. Business functions are disrupted due to employee absence due to

sicness

c. #isruption of essential ser%ices

d. Concern among staff of possibility of getting infected. ?hile this may be

reduced with the correct information, these concerns ha%e to be taen

seriously.

e. *dd other criteria here

f. *uthority to *cti%ate BC#$

It is important that acti%ation of a BC#$ plan is only carried out on the

direct orders of a manager who has to authority to tae this step. Since a

manager with this authority may not be a%ailable when disaster stries, '

or ) senior managers should ha%e this authority. It is recommended that

at least one of the authori9ed managers be in a different geographic

location. "i%e names below:

a. Name and title of BC#$ acti%ation authority

b. Name and title of BC#$ acti%ation authority

c. Name and title of BC#$ acti%ation authority

d. Name and title of BC#$ acti%ation authority

(. Notification

#uring an emergency, there are %arious stae holders that ha%e to be informed

about the disaster. 3owe%er, messages ha%e to be tailored to the group that

recei%es it.

*ll employees message=Insert message here>

Sample message: The #isaster $eco%ery plan for =name disease> has been

acti%ated. The plan was acti%ated due to =reason>. ?e will eep you

informed by =name more of information 5 tet, email, %ideo, website

announcement etc> e%ery hour on the hour unless circumstance pre%ent us.

Hou are instructed to: =gi%e instructions here 5do not come to office, report at

Page (0


28/54

a different site etc>.

BC#$ Team

=Insert message here>

Sample message: The BC#$ plan for =name disease> has been acti%ated.

$eport for your assignments per the BC#$ plan. In case you need to refer to

the BC#$ plan, copies of the plan can be obtained at =name source 5

website, cloud etc>. Hou should call our #$ number =gi%e emergency number

here> immediately to chec in.

Customers


Sample message: #ear =name> 5 this is to inform you that we ha%e acti%ated

our BC#$ plan due to =gi%e reason>. ?e will stri%e to ensure you will see little

or no disruption. &lease call the hot line we ha%e set up =gi%e number> for

further information. Ane of our specialists, assigned to ensure our %alued

customers are not incon%enienced will also be contacting you shortly to

discuss the situation and inform you of the actions we will tae to minimi9e

the effects of the disaster. ?e than you for your understanding and

coorporation.

Gendors


Sample message: #ear =name> 5 this is to inform you that we ha%e acti%ated

our BC#$ plan due to =gi%e reason>. ?e will stri%e to ensure you will see little

or no disruption. &lease call the hot line we ha%e set up =gi%e number> for

further information. Ane of our specialists, assigned to ensure our %alued

%endors are not incon%enienced will also be contacting you shortly to discuss

the situation and inform you of the actions we will tae to minimi9e the effects

of the disaster. ?e than you for your understanding and coorporation.

Ather


Athorit# and Command

!> BC#$ $esponse Argani9ation and Structure

Page (


29/54

The following will be the organi9ation and structure of the response to the

Infectious7Communicable disease emergency. *ll or parts may be acti%ated and

modified as needed during the emergency

(. $esponse 1anagement

Ance the Infectious7Communicable diseases BC#$ plan has been acti%ated, the

Incident Commander will be =Name, Title and Contact information of Incident

Commander>. In case he or she cannot assume command, the following are

authori9ed to assume Incident Command

*lternate ! =name, title and contact information>

*lternate ( =name, title and contact information>

*lternate ' =name, title and contact information>

Ather 5 add name per re;uirement

If the first alternate is unable to tae command, the command mo%es to the net

person on the list. Dnable to tae command is defined as gi%en below. It is

ad%isable to carefully consider who is capable of leading during emergency -

especially non managerial employees. They should ha%e leadership ;ualities

and ha%e the respect of their colleagues.

Not able to carry out assignment due to physical limitations, death or

geographic location.

Dnable to contact within =hours>

*lternate has been assigned another duty

Ather 5 insert per re;uirement

Page (/


30/54

Sit$ational Analysis

1- Mission $tatement

This BC#$ planFs mission is to disseminate information on acti%ation to all

staeholders gi%ing information about the nature of the disaster, the responseand actions each staeholder has to perform during the crisis.

7- +CD* Plan !mplementation

* BC#$ plan is only as good as its implementation. To this end to ensure that

the BC#$ plan meets the ob8ecti%e of business continuity and ;uic reco%ery,

input of %arious plan staeholders is important in the planning stage itself.

a. Status of Infectious7Communicable #isease

* %ital part of plan acti%ation and implementation is nowledge of the

current status of the Infectious7Communicable disease outside and within

the business. To this end, source of information the business will use in

such cases should be identified and listed. Source that will be used are:

6ocal7County 3ealth #epartment =gi%e D$6 and information

helpline numbers>

State 3ealth #epartment =gi%e D$6 and information helpline

numbers>

Centers for #iseases Control and &re%ention =gi%e D$6>

?orld 3ealth Argani9ation =gi%e D$6>

News organi9ation =gi%e list>

Ather sources =gi%e name and D$6 per re;uirement>

b. Infectious7Communicable #isease Control and Safety $ecommendations

$ecommendations issues by 6ocal7County7State health agencies should

be monitored and implemented. 6ist sources of information below:

6ocal7County 3ealth #epartment =gi%e D$6 and information

helpline numbers>

State 3ealth #epartment =gi%e D$6 and information helpline

Page '4


31/54

numbers>

Centers for #iseases Control and &re%ention =gi%e D$6>

?orld 3ealth Argani9ation =gi%e D$6>

News organi9ation =gi%e list>

Ather sources =gi%e name and D$6 per re;uirement>

c. Community

2%ery business eists in a community and goodwill and respect is an

important part of business operations. ?hen confronted with these

diseases in the community, a business should gather all possible

information to ensure proper action can be taen. 6ocal health ser%ices

will pro%ide information. In case the outbrea is within a business, it is

important to inform local agencies. Information flow through these

agencies to the public is important in maintaining public relations

d. Customer $elationships

If a business has acti%ated its BC#$ plan, customer and it is important for

the business to understand why customer beha%ior has changed. The

BC#$ of plan should ha%e steps in place to handle the change in beha%ior

and re%enue flows. This is important to ensure financial %iability of the

business during this crisis.

e. Gendor $elationships

Gendor relationships mean change during the crisis. If the %endor ser%ice

being pro%ided is on-site it may be e%en affected to a greater etent than

normal. If the %endor is pro%iding ser%ices that do not re;uire a physical

presence, then the relationship might not be affected to a great etent.

3owe%er there should be a clear understanding between the business and

the %endor what can be epected by each party. *s soon as the BC#$

plan is acti%ated, %endors especially the critical ones, should be contactedand a clear understanding of epectations should be established. The

following a list of %endor, contact information and ser%ices pro%ided

Gendor Name, Contact Information, Ser%ices pro%ided.


Page '!


32/54


f. Business Aperations

Aperations will be affected mainly due to staff strength. Businessesshould pre-determine what critical business functions are and how to

handle them. Staff functions may ha%e to be reassigned to fill gaps.

Critical Aperation ! 5 name, department, minimum staff needed

=names of staff should be included if nown, howe%er it mut be ept

updated.

Critical Aperation ( - name, department, minimum staff needed

=names of staff should be included if nown, howe%er it mut be ept

updated..

Critical Aperation ' - name, department, minimum staff needed

=names of staff should be included if nown, howe%er it must be

ept updated.

The following operations can be suspended or curtailed

Non Critical Aperation ! =gi%e details>

Non Critical Aperation (

Non Critical Aperation '

g. Staffing

The BC#$ plan should ha%e a staffing plan. To do this, reasonable

assumptions must be made. 6ist functions, staff strength and

assumptions in this section.

Commnications

a. Staeholders

#uring disasters, communications are critical in ensuring smooth handling

of the disaster. Communications to %arious staeholders will be different

and the manner and mode of communications %ary. It is important to

ensure, the entire business speas with one %oice and therefore it is

prudent to assign an empowered committee to channel communications

through. The staeholders are:

Page '(


33/54

2mployees

Customers

Gendors

"o%ernment *gencies

Community

Ather 5 specify per local re;uirement

a. 2mpowered Communications Committee

The following employees are assigned to the committee through whom all

communication will be routed.

#irector of Communications =Chair of committee>

1ember ! =name title>

1ember ( =name title>

1ember ( =name title>

Ather per local business re;uirements

b. 1essaging

The content of message to each group of staeholders can be

predetermined because it is a initial message informing that the BC#$

plan has been acti%ated. *fter the initial message goes out, the net batch

of messages can be crafted to meet needs.

i. 2mployees

Sample message =edit to suit business needs>

The company has acti%ated the BC#$ plan for

Infectious7communicable diseases with effect from =date and time>.

This message is to inform you of the acti%ation of the plan. The

company places a %ery high %alue on eeping employees informed

as time progresses. * follow-up message will be sent shortly

informing you of the actions the company will be taing and the role

Page ''


34/54

and actions we epect you to tae. ?e will be establishing a

hotline before the close of business today.

ii.Customers


The company =company name> has acti%ated its BC#$ plan for



company places a %ery high %alue on eeping our %alued

customers informed as time progresses. * follow-up message will

be sent shortly informing you of the actions the company will be

taing to ensure the effect on our customers is ept to a minimum.

* company representati%e assigned to assist you will be contacting

you shortly. ?e appreciate your understanding and patience as we

resol%e the situation

iii.Gendors




company places a %ery high %alue on eeping our %alued %endors

informed as time progresses. * follow-up message will be sentshortly informing you of the actions the company will be taing to

ensure the effect on our %endors is ept to a minimum. * company

representati%e assigned to assist you will be contacting you shortly.

?e appreciate your understanding and patience as we resol%e the

situation

i%."o%ernment 3ealth *gencies



This message is to inform you of the acti%ation of the plan.

* representati%e designated to establish statutory and regular

communications will be contacting you shortly. ?e appreciate your

Page ')


35/54

patience and your guidance in resol%ing this crisis at the earliest.

%.Community



This message is to inform you of the acti%ation of the plan.

?e deeply %alue the relationship we ha%e with the community. ?e

belie%e open and honest communications are essential to ensure

that the crisis is resol%ed speedily while ensuring the safety and

welfare of the public.

?e will shortly issue a communi;u with more details. Till such

time we as for your patience. ?e ha%e been good neighbors and

we will stri%e to ensure our actions comply or eceed local

re;uirement for such a crisis. ?e than you for yor goodwill and

patience.

%i.Ather

*dd message per local business re;uirement

c. #issemination of Information

Information will be disseminated per the following modes

&hones 5 hot line =internal and eternal 5 gi%e numbers here>, tet,

%oice mail, recorded messages, call tree, call centers.

2lectronic 5 email, website messaging =gi%e D$6>, online chat

&ersonal 5 meetings, town halls meetings, etc

1edia 5 TG, $adio, Newspaper, &ress $eleases and Conferences

Ather 5 insert per local business re;uirement

d. Drgent Communi;u

#etermine what modes will be used to communicate urgent messages to

Page '+


36/54

each group of stae holders

2ample - 2mployees 5 by phone tree

e. $egular Dpdates

2ample 5 2mployees 5 website updates

Personnel

The effect of Infectious7Communicable diseases on employees is hard to predict. &ast

eperience has shown that during se%ere outbreas, (4 to '4J staff can be absent.

Naturally, this will ha%e a direct bearing on business operations. Both the paces of

operations are slowed down to match a%ailable man-power or pace ept constant and

only critical operations are carried out. &lanning is essential. Communications are ey

to ensuring that employees that are sic stay home and those that are called to wor inunfamiliar areas now the reason why. * mission statement such as the one below is

useful =modify to meet local business re;uirement>

=Name of business> is committed to ensuring a safe en%ironment for all employees.

#uring an infectious7communicable disease emergency that re;uires acti%ation of the

companyFs BC#$ plan, the company will mae e%ery effort to carry our normal business

operations. In the e%ent there is a shortage of staff, the company will restrict operations

to those essential for business continuity. Staff that fall ill will be re;uired to stay home.

Non puniti%e absentee policies will be in effect and the company will stand by

employees that fall sic. Ather employees may be temporarily reassigned to otherduties with ade;uate training. The entire focus will be on reco%ery with minimal

employee disruption.

a. 2mployee 6ea%e &olicy #uring 2mergency

#uring the crisis, epect absentee rates to be (4 to '4J abo%e normal.

Some employees may not ha%e lea%e left and may report for wor when

they are sic. This prolongs the crisis. Some may not ha%e lea%e but

ha%e to stay home to care for sic family. ?hate%er the cause, a policy

has to be in place during the acti%ation of the BC#$ plan. This policy

should clearly spell how the company will handle sicness and lea%e. It

should be communicated to all employees.

Insert company sicness and lea%e policy here.

b. ?or rom 3ome and leible ?oring 3ours

Page '


37/54

In order to minimi9e contact with fellow employees, a wor from home or

fleible wor policy can be acti%ated during the emergency. Ance again

this has to be clearly articulated and communicated.

Insert the ?or from 3ome and leible ?oring 3ours policy here

c. Business Tra%el

* clear policy that details the business tra%el policy during the emergency

should be de%eloped.

Insert business tra%el policy here

d. Illness &rotocol

* protocol for employees calling in sic or those that become sic during

wor should be in place. This protocol must include the following at a

minimum

i. 2mployee calling in sic 5 company medical personnel or

super%isor should spea with person by phone.

ii.Compare employee symptoms with those that are issued by health

agencies. If the employee has symptoms, they should be ad%ised

to stay home and see medical ad%ice. If they do not ha%e the

symptoms of the infectious or communicable diseases, then they

should be ad%ised to call later. It is better to err on the side of

caution. They should be reassured that no puniti%e action will be

taen.

iii.If the employee falls sic during wor, they should be isolated and

gi%en medical attention. If re;uired to go home, they should be

ad%ised to a%oid public transportation. Tra%el assistance if possible

should be offered =de%elop policy according to your company

business needs>. #isinfecting wor station should be a part of the

policy.

i%.*d%ice all sic employees to follow guidelines issued by local

health agency.

Page '0


38/54

%.Communicate with employee who is at home to reassure them.

%i.*s them to return to wor once they are cleared by medical

personnel.

b. &ersonnel Committee

*n empowered committee to de%elop emergency personnel policies and

their implementation should be constituted.

i. #irector &ersonnel

ii.1ember ! 5 policy matters

iii.1ember ( - training and reassignment

i%.1ember ' - tracing

%.1ember ) 5 temporary wor assignment

%i.1ember + 5 inter department coordination and liaison

%ii.1ember - other

"CDR Plan Deactivation

*n orderly deacti%ation of the plan is 8ust as important as acti%ation. The policies that

will be followed when transitioning bac to normal should be detailed in this section.

a. &lan #eacti%ation *nnouncement

1anagement should announce the end of the crisis. This is %ery

important as it will gi%e employees, customers, %endors and other

staeholders confidence that the company is bac on trac and the worst

is o%er.

b. Transition to Normal Aperations

The following should be considered and policies de%eloped

i. ?or assignments for staff =specially if some staff are yet to report

to wor>

ii.Transition from temporary assignments to regular assignments

Page '


39/54

iii.SA& modifications if any

i%.$amp up schedule for hours of operation

%.$esponse documentation for fine tuning BC#$ plan

%i.Community outreach and appreciation

%ii.Ather

c. ormal end of emergency notification

d. *ssessment of BC#$ &lan &erformance

*s a part of the continuous impro%ement cur%e, an internal assessment

that re%iews plan performance is essential. * panned %ersus actual

analysis should be conducted and this will enable current plans to be

modified for the better.

Page '/


40/54

Section 14 0 "CDR Plan for Data

Sec$rity "reac'

Cyber crime is on the rise. 3acers are continuously checing companyFs networsecurity to gain entry. Ance they ha%e secured entry, they either maliciously destroy or

steal data to be used fraudulently. ?hile many small companies do not ha%e in house

resources to ensure they are secure from attacs, e%en large companies are %ulnerable

=Target Corp Sonly Corp>. Theft of data is a real possibility and companies should be

prepared with a BC#$ plan to handle such a crisis.

There a few ey points to remember when it comes to security planning

! *wareness 5 now the system you ha%e and what data you are gathering and

why

( 1inimi9e 5 collect and retain only data that is needed 5 the less you collect theless you ha%e to protect

' &rotect it 5 ensure only authori9ed people ha%e access. 3ard copies should e

under loc and ey

) #isposal 5 establishment of proper data disposal procedures

+ &lanning 5 good planning impro%es security eponentially

Execti"e Management

This is the team that is in o%erall charge of efforts to de%elop, implement and eecute a

BC#$ plan. It is comprised mainly of senior managers.

6ist names and contact information of the following personnel here. *lso include their

area of responsibility

!. BC#$ plan coordinator

(. 1anager - 3uman $esources

'. 1anager - inancial

). 1anager 5 Technical and #ata Security

+. 1anager 5 Site and building security

. Ather 5 list names, contact information and area of responsibility

*lso discuss plan goals, $eco%ery &oint and $eco%ery Time Ab8ecti%es. 1anagement

should also communicate to employees in general, their support of the plan and

introduce %arious ey personnel who will be tased with continuity and reco%ery

operations.

Page )4


41/54

+CD* Prpose and &%2ecti"es

The purpose of this plan is to de%elop sound data security procedures to pre%ent

breaches. In the e%ent breaches occur the BC#$ is a plan to minimi9e damage.

Technical Committee

The management committee should first form a technical committee. This committee

should be tased to re%iew all aspects of the networ 5 ?*N, 6*N, Security

&rocedures, #ata Security, #ata Bacup, &ersonnel, and Infrastructure. Ance this has

been completed, the recommendation for impro%ement should be con%eyed to the

management team. *ppro%ed changes should be implemented *S*&.

!. Technical Committee 6ead =name and contact information>

(. Team 1ember ! =name and contact information>

'. Team 1ember ( =name and contact information>

). Ather =input per local re;uirement>

Typically, committee members should be technical personnel who are nowledgeable in

IT security issues. If in house epertise is not a%ailable, the committee should be

authori9ed to secure assistance from consultants. The re%iew should include at a

minimum

! In%entory 5 all destops, laptops, mobiles, home systems, digital copies and

scanners should be in%entoried to determine what types of data are stored. If

data is stored on these de%ices, what is the le%el of protection in case of loss or

theft Is the data password protected or encrypted

( 3ard copies of information 5 what is the system in place for sensiti%e data stored

on hard copies. Is it ept under loc and ey at all times. #o authori9ed people

only ha%e access to this #etermine security of disposal procedures.

' Ather sensiti%e data 5 data gathered from your website, call centers, through

employees, 3$ department can all be potentially sensiti%e and should be

secured. ?hat are the procedures in place for that

) Sources of #ata 5 it is important to now the sources of data coming into a

business. The le%el of security re;uired for each type and source of data is also

re;uired.

+ #ata collection points 5 where in the business process is each type of data

collected. ?hat are the security measures in place at each point.

Page )!


42/54

Ance data is gathered 5 how is it stored If it is first gathered in hard copies 5

how is it transferred

0 2stablish who has access to data at each collection point.

&hysical security of data 5 in%entory all physical data and the security procedures

established

/ 2lectronic security of data

o Thorough re%iew of networ infrastructure and points of %ulnerability

o #etermine security procedures

o Identify connecti%ity to de%ices that store sensiti%e information. #etermine

security procedures and assess %ulnerabilities

o #etermine if sensiti%e data is encrypted 5 what encryption protocols are

used

o ?hat anti-%irus measures are in place *re they updated regularly

o *n employee downloading unauthori9ed software is a ma8or security

threat. ?hat measures are in place to manage this

o ?hat Aperating Systems are being used *re they updated regularly and

security patches up to date

o Thoroughly re%iew all web applications and determine their security. 3eyare commonly the targets of hacing.

o 1anagement of passwords 5 this is a particularly difficult tas because

employees can be %ery la. Constant training, re;uirement of a le%el of

pass word difficulty and regular changing will impro%e security.

o &assword acti%ated screen sa%ers after a period of inacti%ity is a %ery

basic security feature that should be implemented company wide.

o Conduct regular employee training to warn them about security riss

o #etermine who is using laptops and their need to do so. *lso determine if

each of these laptops are password secured or data encrypted. 6oss ortheft of laptops is a %ery common security breach.

o ?ireless and remote access these are fre;uent security wea points.

6imiting the number of de%ices that can connect to them is a good idea.

Ance the technical committee has done a end to end re%iew of all security aspects of

the business, a report to management with recommendations should be prepared.

Page )(


43/54

Ance management appro%es, recommendations should be incorporated epeditiously.

Small and medium si9e business oftentimes does not ha%e in house epertise to

thoroughly analy9e potential %ulnerabilities. Securing the assistance of an epert

consultant should be considered. This upfront epense is far cheaper than dealing with

a security breach.

Plan Assmptions

2%ery disaster will be different and no amount of planning can epect to co%er all

e%entualities. 3owe%er, plans tailored to specific situations =e%en without all details

nown> can be de%eloped. Some assumptions will ha%e to be made. These should be

listed as a part of the o%erall plan.

Some assumptions of a generic nature are gi%en below. Businesses should re%ise

these and add per their own set of circumstances

!. #ata security breach will not re;uire mo%ing personnel to a different site

(. Since in house epertise is a%ailable no outside %endor will be used. If in house

epertise is not a%ailable then the ser%ices of the following consultants will be

used

a. Consultant !7consulting company ! =name and contact information>

b. Consultant (7consulting company ( =name and contact information>

c. *dd per business re;uirement

'. *ll members of the IT department will be a part of the plan eecution

). *ll product and software re;uirements during the eecution of the BC#$ plan will

be fulfilled by one of the following:

d. Gendor ! =name and contact information>

e. Gendor ( =name and contact information>

f. *dd per business re;uirement

+. Ather 5 add to this list per business re;uirements

Page )'


44/54

Plan Activation an% otication

!. Plan Acti"ation

The acti%ation of the entire plan or a part of te plan depends on a %ariety of

factors. 2ach business should e%aluate their situation and act accordingly. orthe plan to be acti%ated the any one of the following should be met:

a. Business website has been haced

b. Sensiti%e data has been compromised

c. Sensiti%e storage infrastructure has been compromised or stolen

d. 6aptop or other de%ice with sensiti%e data has been stolen or lost

e. Ather 5 per business re;uirement

(. Plan Acti"ation Athorit#

The following people has the authority to acti%ate the plan. The authority will be

in descending order and if unable to acti%ate, authority passes down the list

f. Name and title of BC#$ acti%ation authority

g. Name and title of alternate !

h. Name and title of alternate (

i. Ather per business re;uirement

'. Notification

Breach of data security is serious and affects se%eral people 5 employees,

management, customers. Therefore a plan to notify each group is essential.

?hile a general message notifying all staeholders may be enough initially, tailor

made messages for each group will be more effecti%e

8. *ll employees message

=Insert message per business re;uirement>

Page ))


45/54

Sample message =edit per your business situation>: The BC#$ plan for a

breach of data security has been acti%ated. The plan was acti%ated due to

=gi%e reason>. ?e will eep you informed by =name mode of information 5

tet, email, %ideo, website announcement, etc> e%ery hour on the hour

unless circumstances pre%ent us. Hou are instructed to =gi%e instructions

here 5 do not use company laptop till it is checed by an epert etc>. Callthe following number that has been established for more information and

instructions.

. BC#$ Team

=Insert message per business re;uirement>

Sample message =edit per your business situation>: The BC#$ plan for a

breach of data security has been acti%ated. $eport for your assignments

per the BC#$ plan. In case you need to refer to the plan, it can be

obtained securely at =name source 5 cloud, website etc>. Hou should call

the falling number =gi%e number> immediately and chec in. *ll lea%e and

%acations ha%e been cancelled.

l. Customers

=Insert message per your business re;uirement>

Sample message =edit per your business situation>: #ear =name> 5 this isto inform you we ha%e acti%ated our BC#$ plan for a breach of data

security. ?e are woring urgently to secure our data and systems to

minimi9e further issues. &lease be assured we tae this situation %ery

seriously and will eep you updated periodically by =tet, email, %ideo,

public announcements, press conferences etc>. ?e ha%e set up a hotline

=number> to answer any ;uestions you may ha%e. ?e re;uest your

patience and we wor to resol%e this situation.

m. Gendors

=Insert message per your business re;uirement>

Sample message =edit per your business situation>: #ear =name> 5 this is

to inform you we ha%e acti%ated our BC#$ plan for a breach of data

security. ?e are woring urgently to secure our data and systems to

minimi9e further issues. &lease be assured we tae this situation %ery

Page )+


46/54

seriously and will eep you updated periodically by =tet, email, %ideo,

public announcements, press conferences etc>. ?e ha%e set up a hotline

=number> to answer any ;uestions you may ha%e. ?e re;uest your

patience and we wor to resol%e this situation. Ane of our specialists will

contact you shortly.

n. Ather

=Insert message her per your re;uirements>

Athorit# and Command

The following will be *uthority and command structure during a data security breach

!> BC#$ $esponse Argani9ation and Command Structure

The following is the organi9ation and command structure for the response to a

breach of data security. *ll or parts may be acti%ated or mdified during this

emergency.

(. $esponse 1anagement

Ance the BC#$ plan for a data security breach has been acti%ated, the incident

commander will be =Name, Title, Contact Information of Commander>. In case he

or she cannot assume command, the following are authori9ed to assume

command in descending order

a. *lternate ! =name, title and contact number>

b. *lternate ( =name, title and contact number>

c. *lternate ' =name, title and contact number>

d. Ather 5 add name per re;uirement

If the first alternate is unable to tae command, the command mo%es to the net

person on the list. Dnable to tae command is defined below. It is ad%isable to

carefully consider who is capable of leading during emergency 5 especially non

managerial employees. They should ha%e leadership ;ualities and ha%e the

Page )


47/54

respect of their colleagues.

a. Not able to command due to physical limitations, death or geographic

location

b. Dnable to contact within =hours>c. *lternate has been assigned other duties

d. Ather =insert per business re;uirement>

Sit$ational Analysis

!. Mission $tatement

This BC#$ pans mission is to systematically handle a data security breach while

disseminating information to all staeholders.

(. +CD* Plan !mplementation

*ny BC#$ plan is only as good as its implementation. In order to achie%e this,

the plan must meet the ob8ecti%es of business continuity and reco%ery. Input of

%arious parts of a business is important to ensure that the plan is well rounded

and acceptable to all employees. &lans de%eloped with employee input generally

are the best. * top down plan, where upper management de%elops the plan and

foists it on employees usually fails during eecution.

a. Status of #ata &rotection

Enowledge of the current trends in data protection is %ital to ensuring that

data will be secure and not %ulnerable to hacing. To do this, it is prudent

to ha%e multiple sources of information that describe and detail %arious

ad%ances in data protection. Sources that will be used are

i. Information Source !

ii.Information Source (iii.Ather

b. Customers

If a business has acti%ated a BC#$ plan due to a security breach, it is

natural for customers to be concerned if their personal data has been

Page )0


48/54

compromised. This may cause a change in customer beha%ior and may

substantially affect re%enue flow. Therefore any plan should ha%e steps in

place to handle these reactions. or eample, business that ha%e

suffered data security breaches ha%e offered their customers free data

monitoring for a year. In addition they ha%e offered monetary

compensation. 2ach business is different and each is urged to thinthrough steps that are needed to ensure customers remain loyal

c. Gendors

Gendor data is 8ust as important as customer data. If %endor data is

compromised, it may affect %endor operations and oftentimes may spill

o%er to their operations. It is important to retain %endor confidence to

ensure they will continue supplying you. Company personnel should e

assigned to the tas of contacting all ma8or %endors as soon as possible

once the BC#$ plan is acti%ated. &roacti%e communication indicates the

business taes protection of %endor information seriously and will mae

them more liely to continue the relationship. The following is a list of the

%endors in descending order of importance:

i. Gendor Name, Contact Information, Ser%ice &ro%ided

ii.Gendor Name, Contact Information, Ser%ice &ro%ided

iii.Gendor Name, Contact Information, Ser%ice &ro%ided

d. Business Aperations

6oss of data or the possibility data may be contaminated may lead to

curtailing of business operations. *ll businesses should pre-determine

what critical business functions are and de%elop steps to handle them.

i. Critical Business Aperation ! 5 name, department, minimum staff

needed

ii.Critical Business Aperation ( 5 name, department, minimum staff

needed

iii.Critical Business Aperation ' 5 name, department, minimum staff

needed

i%.Ather 5 add per business re;uirement

%.Non critical business operations that can be curtailed during plan

Page )


49/54

acti%ation are

! Non Critical Aperation ! - Name, department

( Non Critical Aperation ( - Name, department

' Ather 5 add per business re;uirement

e. Staffing &lan

The BC#$ should ha%e a staffing plan when acti%ated. Staff duties may

ha%e to be rearranged during this period. 6ist functions, staff strength and

assumptions in this section.

Commnications

a. Staeholders

#uring disasters, communications are critical in ensuring smooth handling

of the disaster. Communications to %arious staeholders will be different

and the manner and mode of communications %ary. It is important to

ensure, the entire business speas with one %oice and therefore it is

prudent to assign an empowered committee to channel communications

through. The staeholders are:

i. 2mployees

ii.Customers

iii.Gendors

i%.Ather 5 specify per local re;uirement

b. 2mpowered Communications Committee

The following employees are assigned to the committee through whom all

communication will be routed.

i. #irector of Communications =Chair of committee>

ii.1ember ! =name title>

iii.1ember ( =name title>

i%.1ember ( =name title>

Page )/


50/54

%.Ather per local business re;uirements

b. 1essaging

The content of message to each group of staeholders can be

predetermined because it is a initial message informing that the BC#$

plan has been acti%ated. *fter the initial message goes out, the net batch

of messages can be crafted to meet needs.

i. 2mployees


The company has acti%ated the BC#$ plan for data security breach

with effect from =date and time>. This message is to inform you of

the acti%ation of the plan. The company places a %ery high %alueon eeping employees informed as time progresses. * follow-up

message will be sent shortly informing you of the actions the

company will be taing and the role and actions we epect you to

tae. ?e will be establishing a hotline before the close of business

today.

ii.Customers


The company has acti%ated the BC#$ plan for data security breachwith effect from =date and time>. This message is to inform you of

the acti%ation of the plan. The company places a %ery high %alue

on eeping our %alued customers informed as time progresses. *

follow-up message will be sent shortly informing you of the actions

the company will be taing to ensure the effect on our customers is

ept to a minimum. * company representati%e will be made

a%ailable to assist you. ?e appreciate your understanding and

patience as we resol%e the situation

iii.GendorsThe company has acti%ated the BC#$ plan for data security breach

with effect from =date and time>. This message is to inform you of

the acti%ation of the plan. The company places a %ery high %alue

on eeping our %alued %endors informed as time progresses. *

follow-up message will be sent shortly informing you of the actions

the company will be taing to ensure the effect on our %endors is

Page +4


51/54

ept to a minimum. * company representati%e assigned to assist

you will be contacting you shortly. ?e appreciate your

understanding and patience as we resol%e the situation.

i%.Ather

*dd message per business re;uirements

f. #issemination of Information

Information will be disseminated per the following modes

i. &hones 5 hot line =internal and eternal 5 gi%e numbers here>, tet,

%oice mail, recorded messages, call tree, call centers.

ii.2lectronic 5 email, website messaging =gi%e D$6>, online chat

iii.&ersonal 5 press conference, meetings, town halls meetings, etc

i%.1edia 5 TG, $adio, Newspaper, &ress $eleases and Conferences

%.Ather 5 insert per local business re;uirement

g. Drgent Communi;u#etermine what modes will be used to communicate urgent messages to

each group of stae holders

2ample - 2mployees 5 by phone tree

c. $egular Dpdates

2ample 5 2mployees 5 website updates

Page +!


52/54

Personnel

#uring crisis, employees may be re;uired to carry out duties in new areas and support

other departments. In this section add all personnel policies that will be in effect.

$emember, e%en during emergencies, all policies should adhere to pre%ailing federal,

state and local laws. * committee that o%ersees issues regarding personnel should beconstituted. Tae 3$7legal ad%ice to ensure compliance.

a. &ersonnel Committee

i. #irector &ersonnel

ii.1ember ! 5 policy matters

iii.1ember ( 5 training and reassignment

i%.1ember ' 5 tracing

%.1ember ) 5 temporary wor assignment%i.1ember + inter departmental coordination and liaison

%ii.Ather 5 add per business re;uirement

+CD* Plan Deacti"ation

*n orderly deacti%ation of the plan is 8ust as important as acti%ation. The policies that

will be followed when transitioning bac to normal should be detailed in this section.

a. &lan #eacti%ation *nnouncement

1anagement should announce the end of the crisis. This is %ery

important as it will gi%e employees, customers, %endors and other

staeholders confidence that the company is bac on trac and the worst

is o%er.

b. Transition to Normal Aperations

The following should be considered and policies de%eloped

i. ?or assignments for staff =specially if some staff are yet to report

to wor>

ii.Transition from temporary assignments to regular assignments

iii.SA& modifications if any

Page +(


53/54

i%.$amp up schedule for hours of operation

%.$esponse documentation for fine tuning BC#$ plan

%i.Ather

c. ormal end of emergency notification

d. *ssessment of BC#$ &lan &erformance

*s a part of the continuous impro%ement cur%e, an internal assessment

that re%iews plan performance is essential. * panned %ersus actual

analysis should be conducted and this will enable current plans to be

modified for the better.

Page +'


54/54

Section 1! - Recor% of Plan C'anes

Eeep your plan current. Eeep records of changes to your configuration, your applications, and

your bacup schedules and procedures.

Dr Template

Documents

Transcript of Dr Template