Business Continuity Plan (BCP)

Original Date: 08/18/13

Revision Date: 08/22/13

Written By: Joe GrazianoSr. Infrastructure EngineerW.R.O – World Rebuild Organization

After the Outbreak: Rebuilding the World

Contents

BUSINESS CONTINUITY PLAN.........................................................................2

Distribution List................................................................................................2

References and related documents................................................................2

SECTION 1..........................................................................................................3

Executive Summary........................................................................................3

Objectives.......................................................................................................3

Glossary..........................................................................................................3

SECTION 2..........................................................................................................6

Risk Management Planning.................................................................................6

Data security and backup strategy..................................................................8

SECTION 3..........................................................................................................9

Business Impact Analysis....................................................................................9

Business Impact Analysis..............................................................................12

SECTION 4........................................................................................................13

Incident Response Plan.....................................................................................13

Immediate Response Checklist.....................................................................13

Evacuation Procedures.................................................................................14

Emergency kit................................................................................................14

Roles and Responsibilities............................................................................16

Key Contact Sheet........................................................................................17

Event Log......................................................................................................18

SECTION 5........................................................................................................19

Recovery...........................................................................................................19

Recovery Plan...............................................................................................20

Incident Recovery Checklist..........................................................................21

SECTION 6........................................................................................................23

Rehearse, Maintain and Review........................................................................23

Training schedule..........................................................................................23

Review schedule...........................................................................................23

Page

Business Continuity Plan

Date: _August, 22, 2013___________________________________

Distribution List

Copy Number Name Location

001 Mr Phil N. Thropist New Metropolis Mayor’s Office

002 Joe Graziano New Metropolis Datacenter 1

003 Jonathan Frapier New Metropolis Datacenter 2

004 Akmal Waheed New Metropolis Datacenter 3

005 Josh Atwell New Metropolis Datacenter 1

006 Mike Laverick New Metropolis Datacenter 2

007 Scott Lowe New Metropolis Datacenter 3

008 Angelo Luciani New Metropolis Datacenter 1

009 Chris Wahl New Metropolis Datacenter 2

010 Eric Wright New Metropolis Datacenter 3

References and related documents

Document TitleRestoringTheDatacenter-ZombiesRisevDM2-Datacenter1.vsdxvDM2-Datacenter2.vsdxvDM2-Datacenter3.vsdx

Page

Section 1

Executive Summary

In less than a year the world has been uprooted from what once was and the virus left chaos and disorder in its wake. So many people lost and businesses left in ruin. Society on the whole is gone. When Phil N. Thropist pulled together a small team of engineers to re-establish the internet and found untouched buildings to use as new data centers we all joined in and gave the world purpose again.

As more and more people flock to this new metropolis we need to be committed to preserving our buildings, homes and lives. This BCP is designed to ensure that we prepare for any and all threats. The undead are still among us and we need to be vigilant.

Objectives

The objectives of this plan are to: Assess the possible risks to our new family Define and prioritize the functions of the new metropolis Detail your immediate response to a critical incident Detail strategies and actions to be taken to enable our society to

continue operating Review and update this plan on a regular basis.

Glossary

This table provides a consistent and commonly agreed set of definitions for terms used in the plan. You should customise this list to suit your business.

Business Continuity Planning

a process that helps develop a plan document to manage the risks to a business, ensuring that it can operate to the extent required in the event of a crisis/disaster.

Business Continuity Plan

a document containing all of the information required to ensure that your business is able to resume critical business activities should a crisis/disaster occur.

Business Impact Analysis

the process of gathering information to determine basic recovery requirements for your key business activities in the event of a crisis/disaster.

Page

Key business activities

those activities essential to deliver outputs and achievement of business objectives.

Recovery Time Objective (RTO)

the time from which you declare a crisis/disaster to the time that the critical business functions must be fully operational in order to avoid serious financial loss.

Resources the means that support delivery of an identifiable output and/or result. Resources may be money, physical assets, or most importantly, people.

Risk Management is the process of defining and analyzing risks, and then deciding on the appropriate course of action in order to minimize these risks, whilst still achieving business goals.

Page

Section 2

Risk Management PlanningWe need to manage the risks to our business by identifying and analyzing the things that may have an adverse effect on your business and choosing the best method of dealing with each of these identified risks.

The questions we need to ask are: What could cause an impact? How serious would that impact be? What is the likelihood of this occurring? Can it be reduced or eliminated?

The following table outlines some of these events.

Page

Risk Management Plan

Prepared by.:………………………………………………………Date: ……………………………Reviewed by: …………………………………………………….. Date: ……………………………

Key:VH = Very HighH = HighM = MediumL = Low

Risk Description:

Lik

elih

oo

d

Imp

act

Pri

ori

ty

Preventative Action Contingency Plans

Interruption to production processes

-breakdown of key and equipment

-damage to plant and equipment (e.g. fire)

H VH H Station armed sentries around perimeter to monitor zombie and renegade activity

Build in redundant power and generators

Equip doors with locks and security system

immediate access to personal resources whilst waiting for insurance payments

Zombie Invasion VH VH VH Snipers and sentries around perimeter at all times

install alarm and video surveillance camera

keep a list of sources for replacement property/equipment .

Page

Data security and backup strategy

How have you protected your data and your network (e.g. virus protection, secure networks and firewalls, secure passwords and data backup procedures)? Detail your backup procedures in the table below.

Data for backup Frequency of backup Backup media/ service Person responsible Backup procedure steps

SQL Databases Daily Replication to alternate datacentre

DataCenter admin Backup is scheduled and runs automatically

DataCenter admin monitors report for sucess

Exchange Mailboxes Daily Replication to alternate datacentre

DataCenter admin Backup is scheduled and runs automatically

DataCenter admin monitors report for success

Sharepoint Environment Daily Replication to alternate datacentre

DataCenter admin Backup is scheduled and runs automatically

DataCenter admin monitors report for success

Page

Section 3

Business Impact AnalysisAs part of the Business Continuity Plan business owners should undertake a Business Impact Analysis which will use the information in your Risk Management Plan to assess the identified risks and impacts in relation to critical activities of your business and determine basic recovery requirements. Critical activities may be defined as primary business functions that must continue in order to support your business.

You need to identify: your critical business activities what the impact to your business would be in the event of a disruption how long could your business survive without performing this activity.

In our Business Impact Analysis we assign Recovery Time Objectives (RTO) to each function. The RTO is the time from which you declare a crisis/disaster to the time that the critical business function must be fully operational in order to avoid serious financial loss.

Page

1. In the following table, lists the business activities that must be performed our ensure your business continues to operate effectively

1 Sharepoint Servers

2 Exchange Servers

3 SQL Servers

4 Remote Access VPN

5 MPLS

2. Detailed Business Activity:

Business Activity Name: Sharepoint Servers

Business Activity Description: Servers responsible for the file sharing, collaboration and intranet/internet presence for the W.R.O.

a) What are the losses if this business activity could not be provided?

Loss of Revenue: N/AIncreased Costs: N/AStaffing: Reduced as people will leave, no longer trusting we can protect themLoss of good will, public image: Without the servers/presence the organization will not be able to grow and find other survivors and the zombies will win.

Comments:

b) For what maximum amount of time could this business activity be unavailable (either 100% or partial) before the losses would occur?

_______________________ hrs

_______________________days

____________1__________ weeks

_______________________months

Comments:

On a scale of 1 to 5 (1 being the Most Important, 5 being the Least Important), where would this business activity fall in terms of being important to the operation of your department or business?

Page

- 1 - 2 - 3 - 4 - 5

Completed By: __________________________ Date: ______________

Page

Business Impact Analysis

Critical Business Activity

Description Priority Impact of loss

(describe losses in terms of financial, staffing, loss of reputation etc)

RTO

(critical period before business losses occur)

Sharepoint Servers Servers responsible for the file sharing, collaboration and intranet/internet presence for the W.R.O.

High Survivors will leave, not trusting our organization

Lack of survivors will mean the Zombies win.

2 days

Exchange Servers Servers to handle email communication for the W.R.O.

High Survivors will leave, not trusting our organization

Lack of survivors will mean the Zombies win.

2 days

SQL Servers Databases servers to support the Exchange and Sharepoint environments

High Survivors will leave, not trusting our organization

Lack of survivors will mean the Zombies win

2 days

Remote Access / VPNCommunication mechanism for survivors to connect and collaborate with the W.R.O.

Medium Survivors will leave, not trusting our organization

Lack of survivors will mean the Zombies win

1 week

Page

Section 4

Incident Response PlanIt is important to have a plan to prepare for a timely response to critical incidents and reduce the impact of those incidents on your previously identified business operations. It also prepares key personnel to provide an effective response to ensure minimal disruption to operations in the event of emergency.

Immediate Response Checklist

INCIDENT RESPONSE ACTIONS TAKEN

Have you: assessed the severity of the incident? evacuated the site if necessary? accounted for everyone? identified any injuries to persons? contacted Emergency Services? implemented your Incident Response Plan? started an Event Log? activated staff members and resources? appointed a spokesperson? gained more information as a priority? briefed team members on incident? allocated specific roles and responsibilities? identified any damage? identified critical activities that have been disrupted? kept staff informed? contacted key stakeholders? understood and complied with any

regulatory/compliance requirements? initiated media/public relations response?

Page

Emergency kit

If there is damage to the building or if it must be evacuated and operations need to be moved to an alternative location, the emergency kit can be picked-up and quickly and easily carried off-site or alternatively stored safely and securely off-site.

Documents: Business Continuity Plan – your plan to recover your business or

organisation in the event of a critical incident. List of employees with contact details – include home and mobile

numbers, and even e-mail addresses. You may also wish to include next-of-kin contact details.

Lists of customer and supplier details. Contact details for emergency services. Contact details for utility companies. Building site plan (this could help in a salvage effort), including

location of gas, electricity and water shut off points. Evacuation plan. Latest stock and equipment inventory. Insurance company details. Financial and banking information. Engineering plans and drawings. Product lists and specifications. Formulas and trade secrets. Local authority contact details. Headed stationery and company seals and documents.

Equipment: Computer back-up tapes/disks/USB memory sticks or flash drives. Spare keys/security codes. Torch and spare batteries. Hazard and cordon tape. Marker pens (for temporary signs). General stationery (pens, paper, etc). Mobile telephone with credit available, plus charger. Dust and toxic fume masks. Shotguns Hand Guns Ammunition Flame thrower Tank

Page

Roles and Responsibilities

This table allows you to assign responsibility for completion of each task to one of your designated roles. You will then assign each role, or multiple roles, to one or more staff members and assign back-up staff as appropriate.

The staff members involved should then be given this table in order to understand their roles and as a task assignment list for completion of pre-emergency planning and emergency tasks. You should customise this table to suit your business’s needs and structure.

ROLE DESIGNATED EMPLOYEES ALTERNATE

Team Leader Name: Joe GrazianoContact Information:555-123-4567

Name: Eric WrightContact Information:555-123-4567

Emergency Responsibilities: ensure the Business Continuity Plan has been activated oversee smooth implementation of the response and recovery section of

the plan determine the need for and activate the use of an alternate operation site

and other continuity tasks communicate with key stakeholders as needed provide important information to the Communication Officer for distribution keep key staff apprised of any changes to situation.

ROLE DESIGNATED EMPLOYEES ALTERNATE

Title Name:Contact Information:

Name:Contact Information:

ROLE DESIGNATED EMPLOYEES ALTERNATE

Title Name:ContactInformation:

Name:ContactInformation:

Page

Key Contact Sheet

Contact List – InternalUse this table to document your staff emergency contact details. Each business will have different positions identified in its contact list.

Person Contact number/s

Email Responsibilities

- Joe Graziano 555-123-4567

JoeG@wro.net Team Leader

- Eric Wright 555-123-4567

EricW@wro.net Alternate Team Leader

Contact List – ExternalUse this table to document external services (including Emergency Services) contact details. Each business will have different external suppliers and stakeholders.

Key contacts Contact number/s

Sherrif Rick Grimes / 555-123-4432

Crossbow Specialist Daryl Dixon / 555-321-3848

Amunition Expert Glen Rhee / 555-098-1234

Hacker Dade Murphy / 555-987-1357

Electronics Expert Luther Strickell / 555-567-9753

Buy More Specialist Charles Bartowski / 555-1234-9876

Cereal Specialist Emanuel Goldstein / 555-123-3456

Page

Event Log

Use the Event Log to record information, decision and actions in the period immediately following the critical event or incident.

Date Time Information / Decisions / Actions Initials

Page

Section 5

Recovery After a disaster is declared recovery is the phase where we perform our critical activities as soon as possible to return operations to a normal functioning state.

The table below outlines critical events and tasks and processes to be handled in order to restore systems and services.

Page

Recovery Plan

Critical Business Activities

Preventative/Recovery Actions Resource Requirements/

Outcomes

Recovery Time Objective

Responsibility Completed

Datacenter compromised by Zombies

Site recovery manager fail over to secondary and tertiary datacenter

Research new warehouses and scrap yards

Identify alternative production site.

1 week Business owner/ operator

Page

Incident Recovery Checklist

You will need to customise this list to include information specific to your business.

INCIDENT RESPONSE ACTIONS

Now that the crisis is over have you:

refocused efforts towards recovery?

deactivated staff members and resources as necessary?

continued to gather information about the situation as if effects you?

assessed your current financial position? reviewed cash requirements to restore

operations? contacted your insurance broker/company? developed financial goals and timeframes

for recovery? kept staff informed? kept key stakeholders informed? identified information requirements and

sourced the information? set priorities and recovery options? updated the Recovery Plan? captured lessons learnt from your

individual, team and business recovery?

Page

Page

Section 6

Rehearse, Maintain and ReviewIt is critical that we rehearse our plan to ensure that it remains relevant and useful. This will be done as part of a training exercise and is a key factor in the successful implementation of the plan during an emergency.

Training schedule

Record details of your training schedule in the table below:

Training Date Training type Comments

0/0/0 Evacuation drill All personnel evacuated and accounted for within acceptable timeframe.

Review schedule

Record details of your review schedule in the table below:

Review date Reason for review Changes made

0/0/0 New personnel in new roles

Plan updated to reflect changes to roles and responsibilities

Page