Sample Business Continuity Plan BY Thesthx MD Health Business Continuity Plan Table of Contents I ne purpose 0T tne Buslness contlnulty Plan Is to prov10e a series 0T aeTlnea procedures and protocols to protect MD-Health; to minimize or contain the extent of damage to University facilities and property; to allow communication systems to function in spite of suspension of normal operating conditions; and by and large, to enable the institution to respond in an efficient, well-organized, and safe manner (“Business Continuity’, 2013).
The most important thing in the event of mayor incident s to make sure that employees, students and staff are educated about the significance of being prepared at home. This is because any preparations that the institution makes will be useless if the individuals who are responsible for coordinating, protecting and helping with recovery are worried about the safety of their families. It is encouraged that employees, students and staff have preparation kits for emergencies to make sure that they can take care of their family and pets if the need arises.
In addition, these kits should contain point of contact information for upervisors, teachers and other students in case they can’t come in to class or can’t return to work. This is especially important for personnel who have been identified as critical personnel for the continued operations of their departments or units. Necessary Infrastructure and Services As mentioned before, the purpose of the BCP is to limit the damage to the institution’s necessary infrastructure and services; therefore it is imperative that we determine what those services are.
The following is a list of eight University components that are considered to be necessary for the preservation of the nstitution’s operations after a mayor incident: 1 . Campus Police 2. Facilities Management 3. Information Technology/Communications 4. Environmental Health & Safety and Risk Management 5. Financial 6. Human Resources / Payroll 7. Registrar’s Office 8. Auxiliary Enterprises Many continuity worksheets have been created to assist recovery for each of the departmental units.
For some departments such as IT and campus police there are detailed plans that specify procedures to follow depending on the type of incident affecting the institution. Communication Plan During the periods of emergency, communication will be driven by the MD Health Executive Team which retains the authority to suspend institutional operations. The decision to suspend operations will be applied to all campus and departments on a consistent basis. In an emergency situation, students, faculty and staff may obtain information about the institution by any of the following ways: Visiting the MD-Health Web at http://www. mdhealth. du Student and Employees can tune to the following radio stations: KICK FM-95. 7, KILT- AM 610, and AAM-AM 740. Local TV stations are also informed. Or by calling (777) 555-6000. For tne auratlon 0T tne emergency ana up to 30 clays tne unlverslty will communicate updates on campus information through this site: http://www. mdhealth. edu/ emergency. This site will indicate which facilities are open and operational and which facilities or systems are still under recovery. The site will display a campus map with green, yellow and red markings to more easily show which facilities are open, and the information will be updated at least once daily.
Updates on information systems will also be done by color codes and the will be grouped in the ollowing categories: Academic Systems Administrative Systems Collaborative Technology Potential Hazards There are many forms of catastrophic loss that can occur and this section lists some of the events and situations that were considered when determining what to include in the plan. Hurricanes: Hurricanes can result in major damages. Powerful winds can produce structural damage, including telecommunication and power outages.
Heavy rains can produce flooding. The probability ofa hurricane which impacts the Houston area is high because of its proximity to the Gulf of Mexico and previous istory. Fire: Fire can result in partial or total loss of data for an extended period. Recovery could be slow because of the extensive damage fires can leave. The probability of fire within a data center can be quite high, based on the high power consumption requirements of modern computing equipment, heat generation and solvents present within the computing environment.
Paper supplies within close proximity to the data center provide a ready source of fuel in the event of a fire (“Hurricane Winds at Landfall,” 2013). Smoke: Smoke particles on magnetic media can render it useless. The damage from smoke occurs much faster than damage from the actual fire or water. A relatively small amount of smoke can cause a huge degree of loss in terms of data. It is imperative that smoke be contained to the smallest possible area (“Fire, ” 2013).
Floods: In the event of flooding, the sediments and contaminants carried by flood waters can be damaging to paper records, computers and magnetic media. Most of the paper records are stored on the upper floors; however a malfunction or discharge of the sprinkler system on an upper floor could put this data at risk. Leakage from the roof could also cause considerable amounts of ater to reach such areas. Terrorist Activity or Sabotage: Physical damage to the data center or other facilities by disgruntled employee(s) (or students, or hackers) can pose a serious threat to data integrity.
To minimize these risks, an effective guideline for the handling of human relations issues and labor disputes, in conjunction with good data protection procedures, will minimize the exposure to these risks. Protection and Prevention – Pre-incident Preparations University Wide Preparations There are many things that can be done to prepare the institution for a major incident or event. What follows are some of the measures that can be taken to minimize the impact of such an event and which will allow for a faster recovery of Duslness operatlons.
Protecting tne The University contains, creates and collects a great amount of information and is important to protect it for a number of reasons; some of it is valuable research data that can be used to request funds as grants from government or by selling it to corporations; some of it is personally identifiable staff and student data that needs to be protected to comply with FERPA or state laws, to prevent identity theft, and to revent competitive or potentially embarrassing information to be released.
There are several mechanisms that have been put in place to protect the data during normal business operations, a few of these are: the use of an email DLP solution that allows for the secure communications of emails with sensitive information, the use of hard drive encryption software that is used on all workstations and laptops and is offered for free to students as well. The use of Firewall and IPS systems to prevent the intrusion of cyber attackers; in addition, there are written procedural policies and ser training that is carried out to minimize the potential for an incident to lead to the release of confidential information.
In an effort to have the same kind of protection during an emergency scenario, the University has procured a disaster recovery hot site that contains similar controls although to a lesser capacity. Data is backed up every night though a secure link so in the event of a catastrophic failure at the main data center data can be safely and securely restored at the hot site location in a manner of hours. The IT department mains the disaster recovery plans with etailed recovery procedures for each system. In addition, the disaster recovery plan is tested yearly for all of those applications that are deemed critical for University operations.
Fire Preparation Fire prevention initially involves staff awareness and housekeeping procedures but is also influenced by management. Induction training should familiarize employees with preventive measures such as: the control of flammable materials; the clearing of rubbish and unwanted materials; the control of smoking; the restriction of hazardous processes to certain areas; full enforcement of fire prevention requirements; and, uality installation and maintenance of HVAC systems. In addition, the use of fire detection systems linked to a central system that sounds an alarm and activates the extinguishing system.
Smoke detection Smoke detectors will be installed on every building, these detectors can detect smoke by optical light scattering; ionization; heat detection, or even flame detection. Physical Security Physical barriers or security controls are installed to provide defense for facilities and equipment. These controls make intrusion difficult and deter the theft of supplies and equipment. There are a wide range of physical controls that are used to safeguard the University such as perimeter barriers, clear areas, lighting; and locking devices.
Cameras, detection system as well as access control devices such as access cards are also used for identification (“Access Control,” 2013). Flooding Flood walls can be installed in parts of the campus that are prone to flooding, and some sort of waterproofing would be applied to sensitive areas to prevent damage from sprinkler systems or roof leaks. Unit/Department Preparations It is important that all units or departments are aware of the specific recovery tasks hat they are responsible for so that they are not caught off guard in the event of an emergency, tne Tollowlng Is a llst 0T tasks asslgnea to tne OITTerent recovery teams.
Emergency Coordination Team: Create telephone lists and contact information for team members, suppliers, insurance agents, company security, and police. This should be readily accessible in the event of a disaster. Provide emergency response training and orientation on fires and hazardous materials for team members. Design a standard form to be used for salvageability determination of assets in the event of a disaster. Liaise with Finance and/or Purchasing Departments to define notification process for them to initiate emergency procurement for items identified as unsalvageable.
Prepare a complete media contact list of telephone numbers, fax numbers, pager numbers and email addresses. Prepare a notification list of those people that should be notified for each type of disaster and with the notification priority for each. Prepare sample press releases to lessen the time required when needed. Store these in hard and soft copy formats. Coordinate with Campus Police and Facilities Management the security and ecovery of facilities and determine which personnel should be permitted to visit the disaster site.
Work with Facilities Management to coordinate potential relocation sites. Network and Communications Team Make an inventory of existing telecommunications facilities and systems and have recovery procedures for all equipment including: Direct phone lines, facsimile lines, voice/data lines. Routers, switches, firewalls, ‘PS. Ensure all inventory records containing models, operating systems and versions, schematic drawings, confguration, and vendor names is documented and stored off- site. Ensure all hardware is on maintenance contract.
Restoration of service is dependent on all segments of restoration taking place and interdependencies must be considered and accounted for in the plan. Review with telecommunications vendors all requirements in the event of a disaster. Identify LANIWAN Components susceptible to failure. Data Center Operations Team Compile an inventory of existing computer system and versions and have recovery procedures for all critical equipment and have an off-site copy. Ensure that vendor software support agreements are up-to-date and the delineation of acceptable esponse time is within the guidelines for data urgency.
Maintain current contact information for its current team members. Administration: Facilities Management / Human Resources Establishes an emergency location and retain as available in the event of an emergency. Negotiates a standing offer for additional clerical staff from external source (either personnel agency, or another division). Establish emergency supply requirements and store a temporary interim emergency supply at a location that is accessible to the emergency location. A contract for provision of these emergency upplies must be signed clearly delineating the delivery expectations.
Define emergency administrative support skills and cross-references with the team to ensure that all required skills are accounted for. These requirements should be reviewed as part of normal operating procedures to ensure that as technology changes that new skills or skill requirements are accounted for and available in the event 0T a Olsaster. compile ana prov10e to all emergency teams Tor tnelr revlew a description of the services that would be provided in the event of an emergency to ensure that their needs have been adequately satisfied by the plan.
Their feedback should be reviewed and incorporated into the plan Negotiate and regularly review standby leasing provisions for short-term hardware procurement such as facsimile, photocopier, microcomputers with corporate recommended software, laser printers, desks, chairs, lighting, filing cabinets, etc. Coordinate telephone support and communications via the Communications Team Define message center procedures and alternate communications functions to ensure rapid and effective dissemination of information throughout the organization. This may require liaison with other teams such as Communications and Executive Team.
Define essential administration functions and these definitions should be made available to all teams to ensure that expectations are clearly set prior to the event of a disaster. Finance Develop a method for emergency funding of recovery efforts. Determine the levels of emergency funding that could be expected following a disaster, and determine what the funding priorities will be in a disaster. Maintain current contact information for its current team members. Work with Administration team to determine where this team will work following a disaster.
Ensure that remote communications will be available, as required. Determine strategy for both incoming and outgoing communications in a disaster. Develop a system for handling paper generated in work flow so as to be able to integrate this into the normal file system once the disaster is over. Registrar Determine what will be needed to service customers’ requirements following the disaster. Maintain current contact information for staff, team members and clients. Select and train staff from this unit as members of the Continuity Team.
Determine where each member of the staff will work following a disaster. For those who will work remotely, ensure that remote communications are available and that staff embers are prepared to work in that manner. For people working remotely, select a location for team meetings. Determine what the notification priorities will be in a disaster. Determine strategy for both incoming and outgoing communications in a disaster. Develop a system for handling paper generated in work flow so as to be able to integrate this into the normal file system once the disaster is over.
Activating the Business Continuity Plan Activating the Business Continuity Plan is done by the President or the EPO (Emergency Preparedness Officer) of MD-Health; however, approval of the overall lan is done by the Executive Team, taking into account that each department has significant input into the functions that they will be tasked with recovering. The Vice President for Environmental Health & Safety and Risk Management has been designated as the Emergency Preparedness Officer (EPO).
The EPO coordinates emergency response teams during natural disasters and works on Joint disaster response plans with local, state, and federal agencies. Master Contact List Depending on the type of incident, the head of the following departments will be contacted Dy tne Executive leam, employing tne most erective metnoa starting witn telephone call, and followed by text and email if telephone-voice is not available. 1. Campus Police Facilities Management 2. Information Technology/Communications 3. Environmental Health & Safety and Risk Management 4. 5. Finance Department Human Resources / Payroll 6.
Registrar’s Office 7. Auxiliary Enterprises 8. The following are the post-incident steps that the different departments will take upon notification of an incident. Campus police Once notified of an emergency they will report to the scene and make sure that the University campus is safe for staff and students; campus police is responsible for rowd control and will assist with evacuation if necessary and since they are usually on-site 2417 they will be the first ones to notice any damage to University facilities which will be useful in determining additional resources needed.
Facilities Management Once notified they will be responsible in assisting with evacuations; shutting down mechanical equipment; assessing damages; and informing, updating, and making recommendations to the Executive Team, and Environmental Health and Safety. Once notified, essential personnel will check and restore any damaged information esources such as network connections, communications links, servers and workstations as well as security equipment as necessary following the order of priorities specified in the IT disaster recovery plan.
For any equipment that is badly damaged at the primary site the recovery will be performed at the disaster recovery hot site. Environmental Health & Safety and Risk Management Their primary responsibility is to work with campus police and facilities management to assist with evacuations and survey the affected areas to ascertain the presence of any chemical, biological, or physical hazards. They will also assist in securing areas, handling hazardous materials, and making recommendations to the appropriate level of authority, as needed.
Finance Department Once notified will make sure that the University maintains the ability to purchase goods, bill for services, manage cash and manage capital assets. They will work closely with the EPO to make sure that recovery is as quick as possible. Human Resources / Payroll Once notified will make sure that the University maintains the ability to make decisions regarding return to work issues, the capacity to manage payroll and time- eeping and the hiring and separation of employees.
Registrar’s Office Once notified essential personnel will make sure that the University maintains the ability to process new applications, track student progress and process grades. Once notified, essential personnel will make sure that MD-Health maintains the ty to transport students ana sta TT around tne unlverslty campus. Also, In conjunction with campus police and the office of Environmental Health and Services they will make sure that student housing is safe for the staff and students that live there. During the business continuity period the EPO, Executive Team, Campus Police,
Environmental Health and Safety and Facilities Management will be working with the other operational teams and departments to make sure that the different processes are brought back online in a safe manner. The process to initiate different departmental transactions and practices will be dictated by the status of infrastructure and the information system. While most critical systems should be back online within 48 hours with the assistance of the disaster recovery hot-site most departments have the ability to use paper forms to get them through most of day to day operations with though with limited speed functionality.
References Business Continuity. (2013). In Wikipedia. Retrieved January 29, 2013, http:// en. wikipedia. org/wiki/Business_continuity Hurricane Winds at Landfall. (2013) Retrieved January 29, 2013, http:// www. hurricanescience. org/society/impacts/windsatlandfall/ Fire. (2013). In Wikipedia. Retrieved January 30, 2013, http://en. wikipedia. org/wiki/Fire Family Educational Rights and Privacy Act. (2013). In Wikipedia. Retrieved January 30, 2013, http://en. wikipedia. org/wiki/Family_Educational_Rights_and_Privacy_Act Access Control. (2013). In Wikipedia. Retrieved January 30, 2013, http://en. wikipedia. org/wiki/ Access control