Business Continuity Plan

A Business Continuity Plan is the process of putting together a roadmap for how the
company will deal with adverse conditions in a way that protects competitive advantage,
and allows the business to continue its operations. Adverse conditions could consist of
anything from a natural disaster, major theft, or significant disruption in a supply chain.
Continuity planning is a way of managing the risks inherent in doing business. The goal
is to restore operations as quickly as possible. This Plan addresses all critical systems
and facilities. This form can be customized to provide for any additional industry
specific language that may be necessary. Use this Plan to help prepare a business in
case adverse conditions arise that might cause its operations to cease.



                        [Your Company’s Name]
                                Business Continuity Plan

Purpose
The business continuity plan prepares [Your Company’s Name] to deal with a crisis in which
business operations might cease. The goal is to restore operations as quickly and as fully as
possible. The plan addresses all critical systems and facilities.

Plan Objectives
• Serves as a roadmap for [Your Company’s Name] crisis recovery
• Identifies the location of any data not included in this document
• Explains procedures and resources that will assist the recovery process
• Lists customers and vendors that need to be notified if a crisis occurs
• Avoids confusion in a crisis by explaining and testing recovery procedures
• Provides information about alternate sources for locations, resources, and supplies
• Establishes procedures for safeguarding, storing, and retrieving vital records

Assumptions
• Key personnel are available during a crisis.
• An original copy of this plan and other vital records are stored in an off-site location that is
  secure and accessible after the crisis.

Crisis Definition
A crisis includes loss of utilities (water, power), connectivity (systems), or catastrophe (severe
weather, natural disaster, major theft, or vandalism) that results in an interruption of services
provided by [Your Company’s Name].

Crisis Teams
• Crisis Management Team (CMT)
• Incident Responder Team (IRT)
• Location Coordination Team (LCT)
• Post-Crisis Restoration Team (PCRT)
• Information Technology Team (ITT)
• Other [Describe additional teams if needed]

See Appendix A for details on the roles and responsibilities of each team.

Crisis Team Member Duties
• All team members must have alternate backups.
• All members must keep an up-to-date list containing team-member contact information both
  at home and at work.
• Each team member must have a copy of this document at home in case the crisis happens
  after working hours.


© Copyright 2011 Docstoc Inc.                                                            2



Invoking the Plan
The plan takes effect when a crisis occurs. It remains in effect until operations can continue at
the main site or operations can reach an acceptable level at alternate locations. The CMT
declares a crisis, which in turn mobilizes all other teams. The CMT is activated by the
following circumstances:
• Two (2) or more critical systems or sites are not functioning at the same time for [write in
  your maximum acceptable outage timeframe].
• It is anticipated that the above is about to occur.

External Communications
Personnel in public relations will be the main liaisons to have contact with all media venues,
government or regulatory agencies, and other external stakeholders during and after a crisis.

Emergency Management Standards

Data Backup Policy: Full and incremental backups of all essential company data occur on
a regular basis and are stored in an off-site, secure location. The IT department uses the following
standards and procedures in backing up data:

[Insert your company’s detailed data backup procedures.]

Emergency Management Procedures
If you cannot access the place where you normally work, report to one of the alternative
locations listed below.

Alternative Locations       [Location #1]
                            • Try contacting your immediate supervisor by telephone. Both
                              cell and home numbers can be found in this document.

                            [Location #2]
                            • Try contacting your immediate supervisor by telephone. Both
                              cell and home numbers can be found in this document.

                            [Location #3]
                            • Try contacting your immediate supervisor by telephone. Both
                              cell and home numbers can be found in this document.

                            [Location #4]
                            • Try contacting your immediate supervisor by telephone. Both
                              cell and home numbers can be found in this document.






In the Case of a Natural Disaster
Immediately notify the CMT Leader [Insert name of team leader].

  STEP                                             ACTION

     1      If time permits, notify the IT Department of a pending event.

     2      If an impending major disaster can be tracked, prepare a site as quickly as
            possible, as follows:
            • Set up portable generators with accessible fuel (within 50 miles).
            • Prepare support personnel (engineering, etc.) within 100 miles.
            • If it is possible to set up self-powered mobile workstations (trailers), do so.
            • Line up basic resources for support personnel:
                   - A week’s worth of cash
                   - A week’s worth of food and water
                   - Fuels for generators, heaters, coolers
                   - Various emergency supplies such as batteries, flashlights, first-aid
                     supplies, rope, etc.

     3      24 hours prior to event:
            • Perform backup of critical elements, servers, data, e-mail
            • Verify generator functionality and available fuel
            • Create backups of e-mail, file servers, etc.
            • Notify all upper-level management


In the Case of Fire
If a fire occurs in a facility, follow these procedures.

Upon noticing fire or smoke, quickly assess the severity, classifying the fire as either Major
or Minor and follow the corresponding steps outlined below. Dial 911 immediately if
warranted.
• All personnel are expected to attempt to put out a minor fire using the fire extinguishers
  located in the facility. If the fire is major, exit the building immediately and wait for the
  local fire department to arrive after having dialed 911. Personal safety and site security
  are the most pressing concerns.
• If the fire is very serious, immediately notify the IT Department.

  STEP                                           ACTION

     1      Dial 9-1-1 to contact the fire department.







     2      Engage the fire alarms, and notify all personnel of the situation and the need
            to evacuate.


     3      Alert the IT Department. It will notify the Crisis Management Team leader.
            After hours, security personnel will do this.

     4      Inform building security of the situation so it can secure the location and limit
            access to the site as needed.


     5      Contact equipment vendors if time permits to help decide how to protect
            equipment.


     6      Personnel who leave the building should meet at the agreed-upon assembly
            point as detailed in the building’s evacuation plan.



In the Case of a Major Network Outage
If network services are down, follow the procedures outlined below.


  STEP                                         ACTION

     1      Notify the IT Department of outage. Figure out its cause and how long it will
            take to restore services.


     2      If the outage is major and expected to last more than [write in your maximum
            acceptable outage timeframe], wait for word from the CMT and LCT to move
            into alternative locations.






In the Case of a Flood or Other Water Damage
Water incidents in any facility with computer systems will result in the use of the following
procedures:

    STEP                                         ACTION

     1       Determine the severity of the situation and dial 911 if needed.


     2       If warranted, notify all personnel to evacuate the facility.


     3       If water is coming down on top of equipment, turn it off, and cover it with
             something that will protect it.


     4       If water is coming up from the floor, assess the following:
             — If the water is a minor amount and is coming from an identifiable source,
                 notify building maintenance.
             — If the water is a major amount, shut down all equipment, notify building
                 maintenance, and evacuate the area.


Review and Maintenance of Plan
Please consider this plan to be a living document requiring periodic review (at least semi-
annually) and testing (at least annually). Testing may take the form of a simulated crisis.
Constant monitoring of personnel changes and updating the corresponding sections of this
document are critical.

The plan is to be stored in a common place so the IT Department and the Crisis Management
Team can view it.

The Crisis Management Team leader is responsible for the plan. The responsibilities of the CMT
leader include the following:

Plan Updating Schedule: Quarterly or Any Time Personnel Changes

       • All team members must have the plan readily available at home, in the car, or stored on
         a mobile device.

       • The Crisis Management Team leader will distribute new copies of the plan as it is
         updated or changed.

       • Each team should orient new members to the plan and have annual or semi-annual
         meetings to review the plan.

       • All information regarding alternative locations, critical vendors, and customers as well as
         company personnel listed in the plan must be reviewed on an ongoing and regular basis.

Initial Response Phase: Responsibilities for On-Duty Personnel

During Regular Hours:
If a potential crisis is identified during working hours, notify all personnel to evacuate the
building, dial 911, and then inform the Crisis Management Team leader. The CMT Leader will
decide whether to declare a crisis.

After-Hours:
Security, Building Maintenance, or the IT Department personnel will contact the Crisis
Management Team leader. The CMT leader will decide whether to declare a crisis.

Decide course of action
Based on available information, the CMT leader decides how to respond: mobilize IRT,
repair/rebuild with location staff, or relocate to an alternative facility.

Inform team members of decision
If a crisis is not declared, the Incident Responder Team will address and manage the situation
until it is resolved, providing regular updates to the CMT.

If a crisis is declared, the EMT will notify all teams for immediate deployment.

The CMT leader will declare a crisis if the situation cannot be resolved within the timeframe
listed at the beginning of this plan. The CMT leader must also have a backup who is authorized
to declare a crisis if the leader is unavailable to do so.

CMT Notifies Other Teams
Using the call list in Appendix D, CMT members contact other team members to let them know
of the crisis and potential timeframe for resolution.

Contact Vendors: see Appendix J

Crisis declared: Deploy Incident Responder Team to Command Center
If a crisis is declared, the Incident Responder Team (IRT) is mobilized. This is the team that will
handle initial responses to the crisis, gathering as quickly as possible at the nearest available
command center. See Appendix E for the location of Command Centers.

Assess the Damage (possibly prior to declaring a crisis if permitted)
    1. With the cooperation of local authorities, the IRT assesses damage to the facility and
       equipment. If possible, include equipment vendors/providers to get their expert
       opinions. This needs to happen as quickly as possible. NOTE: Facility access may be
       limited for at least 24 hours depending on the type of crisis involved. Use Appendix F
       materials to perform this assessment.
    2. Create a Restoration Priority List that includes which facilities and records can be
       retrieved quickly in order to resume operations.
    3. Create a Salvage Priority List that includes the facilities and records that could be
       salvaged eventually.
    4. Recommend what resources are required to perform these operations.
    5. CMT decides whether the crisis will take weeks to recover from or if normal operations
       can resume in less than a week.

Contact CMT, Decide on Next Course of Action
The IRT furnishes all information to the CMT, which then decides whether to continue to the
business restoration phase of the plan. If a full business recovery phase is not warranted, the IRT
will continue to address the situation, keeping the CMT fully informed. The business restoration
phase should be initiated if significant resources are needed to resume full business operations at
the original location or if alternative locations need to be used for substantial periods of time.

Business Restoration Phase
This part of the plan lays out the steps to begin recovery operations to restore full functionality
either at the original facility or at an alternative site. This would eventually include deactivating
teams when normal operations have been restored.

Notify Technical and Information Technology Staff of Relocation
See Appendix B for technical and information technology staff contacts. Brief them on
relocation to alternative facility.

Secure funding for relocation
Be sure to make advance arrangements for having enough funds to relocate and begin business
operations. This might include contacting local hotels, office suppliers, banks and credit
suppliers, food suppliers, and other support.

Operations recovered
Once the alternative location is up and running and enough employees are present to support
activities, the company can announce it has resumed normal operations at the new site.

                                            Appendices
Appendix A: Teams

Crisis Management Team (CMT)
    • Charter: Handles overall coordination of crisis response and recovery, assessment, and
      determination of crisis. The CMT is also responsible for communication with senior
      management.
    • Support Activities
        - Decide what crisis response elements are needed and mobilize corresponding teams.
        - Review damage assessment reports and information.
        - Determine restoration priorities based on damage assessment information.
        - Provide regular briefings to senior management.
        - Facilitate contact among teams, with vendors, and with customers.
        - Cooperate with vendors on restoring critical equipment and services.

Incident Responder Team (IRT)
    • Charter: The Incident Responder Team (IRT) is the initial reporter of the problem to the
      CMT during normal business hours. During off hours, the IRT will be notified along with
      the CMT. In the event of a crisis declaration, this team will become a part of the
      Post-Crisis Restoration Team.
    • Support Activities
           o If a crisis is not declared, take necessary actions to restore normal operations
               using regular staff.
           o Decide if vendors or other teams need to assist in the damage assessment process.
           o Prepare post-crisis debriefing report.
           o Gather damage assessment information and report it to EMT.
           o Provide the following information to the CMT if there is an outage:
                   - Type of event
                   - Where it is happening
                   - What time it began
           o Facilitate restoration of data and voice communications:
                   - Re-route data and voice lines to new location if applicable.
                   - Restore electronic and voice mail systems when asked by CMT.
                   - Verify electronic and voice mail systems are functioning at alternative
                     site.
                   - Review the level of resources available to ensure adequacy.
           o Facilitate restoration of information technology systems:
                   - Recover critical applications, systems, and infrastructure.
                   - Recover critical data and information when asked to by CMT.
                   - Make sure the network and facility at alternative location are secure.
                   - Confirm normal, secured operation of servers and systems at alternative
                     site.
                   - Make sure adequate resources are available to support operations.

Location Coordination Team (LCT)
    • Charter: Responsible for establishing and maintaining alternative locations for business
      operations as well as command centers.
    • Support Activities
        - Notify the Incident Responder Team.
        - Determine alternative location needs.
        - Set up the command centers and needed operations. Command centers are
          prearranged facilities where CMT/LCT/IRT members meet to plan damage
          assessment and business restoration tasks for affected operations.
        - Facilitate development of restoration plans specific to sites and ensure the plans are
          updated at least semi-annually.







Post-Crisis Restoration Team (PCRT)
    • Charter: The PCRT deploys to the crisis location when a crisis is declared to begin
      preparations for business restoration at original site or to an alternative location.
    • Support Activities
           o Give restoration support to affected operations and locations.
           o Facilitate reconnection of data and voice communications:
                  - Coordinate re-routing of data and voice lines, especially if alternative
                    locations are identified and in use.
                  - Recover voice mail and electronic mail systems when requested by EMT.
                  - Verify voice mail and electronic mail are operational at the alternate site.
                  - Review the <Client> Minimum Acceptable Operational Requirements
                    checklist to determine if sufficient resources are in place to support
                    operations.
           o Facilitate resumption of information technology operations:
                  - Work with management to recover critical systems, applications and
                    infrastructure at recovery site(s) or alternate work locations.
                  - Recover critical data files and related information when requested by
                    EMT.
                  - Ensure that network and perimeter security is re-established at alternate
                    location.
                  - Verify normal, secure operation of systems and servers at alternate site.
                  - Review the <Client> Minimum Acceptable Operational Requirements
                    checklist to determine if sufficient resources are in place to support
                    operations.

Information Technology Team (ITT)
    • Charter: The IT Team will facilitate technology restoration operations.
    • Support Activities
          o Upon notification of crisis declaration, review and provide support as follows:
                 - Facilitate technology recovery and restoration activities, providing
                   guidance on replacing systems and equipment as needed.
                 - Facilitate removal of salvageable equipment at crisis site that could be
                   used for operations at alternative sites.

Appendix B: Team Contacts

Crisis Management Team (CMT)
       Name              Address                   Home Phone          Mobile Phone






Incident Responder Team (IRT)
      Name                 Address              Home Phone   Mobile Phone




Location Coordination Team (LCT)
      Name                 Address              Home Phone   Mobile Phone




Post-Crisis Restoration Team (PCRT)
      Name                   Address            Home Phone   Mobile Phone




Information Technology Team (ITT)
      Name                 Address              Home Phone   Mobile Phone




Other Technical or Engineering Staff Contacts
      Name                  Address             Home Phone   Mobile Phone






Appendix C: Emergency numbers

First Responders, Utility Companies, Other
  Responder/Utility Name             Contact Name               Phone




Appendix D: Contact List of Team Leaders

        Name                    Address             Home       Mobile Phone




Appendix E: Command Center Locations

Emergency Command Center – [Location Name]
           Primary:     Address: [Address]
                        Room: [room#]
                        [City], [State]
                        Contact: [name of space coord. (xxx) xxx-xxxx]
           Alternate:   Address: [Address]
                        Room: [room#]
                        [City], [State]
                        Contact: [name of space coord. (xxx) xxx-xxxx]

Emergency Command Center – [Location Name]
           Primary:     Address: [Address]
                        Room: [room#]
                        [City], [State]
                        Contact: [name of space coord. (xxx) xxx-xxxx]
           Alternate:   Address: [Address]
                        Room: [room#]
                        [City], [State]
                        Contact: [name of space coord. (xxx) xxx-xxxx]

Emergency Command Center – [Location Name]
           Primary:     Address: [Address]
                        Room: [room#]
                        [City], [State]
                        Contact: [name of space coord. (xxx) xxx-xxxx]
           Alternate:   Address: [Address]
                        Room: [room#]
                        [City], [State]
                        Contact: [name of space coord. (xxx) xxx-xxxx]

Appendix F: Forms for Crisis Reporting and Damage Assessment

Incident/Crisis Form
Upon notification of an incident/crisis situation, personnel on duty will make the first entries
on this form. It is then forwarded to the CMT, where it will be continually updated. The
document will act as a running log until the incident/crisis is over and normal business
operations have resumed.

TIME AND DATE

________________________________________________________________________

TYPE OF INCIDENT

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

LOCATION

________________________________________________________________________

________________________________________________________________________


FACILITY ACCESS ISSUES

________________________________________________________________________

________________________________________________________________________





ANTICIPATED IMPACT ON BUSINESS OPERATIONS

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

RUNNING LOG OF EVENTS

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________






                                ESSENTIAL EQUIPMENT STATUS
                                     ASSESSMENT FORM

Team: __________________________________________ ______________________

                                [----------STATUS---------]
Equipment                       Condition Code                Comments

1. ___________________          ______________ _______________________________

2. ___________________          ______________ _______________________________

3. ___________________          ______________ _______________________________

4. ___________________          ______________ _______________________________

5. ___________________          ______________ _______________________________

6. ___________________          ______________ _______________________________

7. ___________________          ______________ _______________________________

8. ___________________          ______________ _______________________________

9. ___________________          ______________ _______________________________

10. __________________          ______________ _______________________________

11. __________________          ______________ _______________________________

12. __________________          ______________ _______________________________

13. __________________          ______________ _______________________________

14. __________________          ______________ _______________________________

15. __________________          ______________ _______________________________

Condition Codes:          OK - Undamaged
                          DBU - Damaged, but still functions adequately
                          DS - Damaged, must be salvaged before it can be used
                          D - Destroyed, must be reconstructed






Appendix G: Facility Evacuation Plan

[Insert your pre-existing evacuation plan here]

Appendix H: Inventory of Critical Equipment and Systems

[Insert your inventory of critical equipment systems here]

Appendix I: Inventory of Backup Equipment and Systems

[Insert your inventory of Backup equipment systems here]

Appendix J: Vendor Contact Lists

Server and Computer Suppliers
 Company Name           Contact                      Work    Mobile Phone




Communications and Network Services
 Company Name          Contact                       Work    Mobile Phone




Engineering Companies
 Company Name                   Contact              Work    Mobile Phone








Electrical Contractors
 Company Name                   Contact   Work   Mobile Phone




Excavating Contractors
 Company Name                   Contact   Work   Mobile Phone




Emergency Generators
 Company Name                   Contact   Work   Mobile Phone




Facility-Related Engineering
 Company Name              Contact        Work   Mobile Phone




Plumbers
 Company Name                   Contact   Work   Mobile Phone




Security Providers
 Company Name                   Contact   Work   Mobile Phone







Other Suppliers / Contractors
 Company Name             Contact   Work   Mobile Phone




posted:1/4/2012
language:English
pages:19