Project – BIA-BCP-DRP-CIRT

 Attached is the template that you must download, complete 

you need to complete the s final document, All pdf attached are the references 

ISOL533 – InfoSecurity & Risk Management Computer Incident Response Team Plan

University of The Cumberlands

Purpose
This plan was developed for Health Network, Inc. (Health Network) and it is classified as the confidential
property of that entity. Due to the sensitive nature of the information contained herein, this plan is
available only to those persons who have been designated as members of one or more incident

management teams, or who otherwise play a direct role in the incident response and recovery processes.

Policy

This document discusses the steps taken by the Computer Incident Response Team during an incident.

1) The person who discovers the incident will call the IT Incident Response department.

2) The IT Incident Response department will create a ticket in the Incident Response database and
document:

a) The name of the caller.

b) Time of the call.

c) Contact information about the caller.

d) The nature of the incident.

e) What equipment or persons were involved?

f) Location of equipment or persons involved.

g) How the incident was detected.

h) When the event was first noticed that supported the idea that the incident occurred.

Incidents will be classified as either Physical or Electronic. The security department will
handle all Physical incidents. The IT department will handle all Electronic incidents.

3) If the incident is validated, the IT Incident Response department will contact the following offices,
as appropriate, with details from the Incident Response database, to ensure they are aware of the
incident:

a) Incident Response manager (via both email and phone messages)

b) The security department (via both email and phone messages)

c) LAN/WAN and Intrusion detection monitoring personnel (via phone)

d) Affected system administrator (via phone)

e) Affected database administrator (via phone)

4) The Incident Response department will research the Incident knowledge-base and add the
following to the Incident Response ticket:

a) Is the equipment affected classified as business critical?

b) The Risk Factor/Impact and RTO of the systems affected?

c) Name of system being targeted, along with operating system, IP address, and location.

d) IP address and any information about the origin of the attack.

ISOL 533 – InfoSecurity & Risk Management Computer Incident Response Team Plan

University of The Cumberlands

5) The Incident Response manager will determine which response teams will be mobilized and
contact the IT Incident Response department to have them contact the team members.

6) The contacted Response Team members will meet or discuss the situation over the telephone
and determine a response strategy.

a) Is the incident real or perceived?

b) Is the incident still in progress?

c) What data or property is threatened and how critical is it?

d) What is the impact on the business should the attack succeed? Critical, Major, Minor?

e) What system or systems are targeted, where are they located physically and on the
network?

f) Is the incident inside the trusted network?

g) Is the response urgent?

h) Can the incident be quickly contained?

i) Will the response alert the attacker and if so, how will the response proceed?

j) What type of incident is this? Example: virus, worm, intrusion, abuse, damage.

7) The Response Team lead will update the Incident Response ticket. The incident will be
categorized into the highest applicable level of one of the following categories:

a) Category one – A threat to public safety or life.

b) Category two – A threat to sensitive data

c) Category three – A threat to computer systems

d) Category four – A disruption of services

8) Response Team members will follow one of the established Incident Response procedures (if a
procedure does not exist, the Response Team will develop and document the new procedure).
The following procedures are currently active.

a) Worm response procedure

b) Virus response procedure

c) System failure procedure

d) Active intrusion response procedure – Is critical data at risk?

e) Inactive Intrusion response procedure

f) System abuse procedure

g) Property theft response procedure

h) Website denial of service response procedure

i) Database or file denial of service response procedure

j) Spyware response procedure.

If a new procedure is developed, it will be forwarded to the Incident Response manager once the
incident is resolved so the manager may add it to this document.

ISOL 533 – InfoSecurity & Risk Management Computer Incident Response Team Plan
University of The Cumberlands

9) Response Team members will use forensic techniques, including reviewing system logs, looking
for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident
victim to determine how the incident was caused. Only authorized personnel should be
performing interviews or examining evidence, and the authorized personnel may vary by situation
and the organization.

10) Response Team members will recommend changes to the Response Team manager to prevent
the occurrence from happening again or infecting other systems.

11) Response Team members will restore the affected system(s) to the uninfected state. They may
do any or more of the following:

a) Re-install the affected system(s) from scratch and restore data from backups if
necessary. Preserve evidence before doing this.

b) Make users change passwords if passwords may have been sniffed.

c) Be sure the system has been hardened by turning off or uninstalling unused services.

d) Be sure the system is fully patched.

e) Be sure real time virus protection and intrusion detection is running.

f) Be sure the system is logging the correct events and to the proper level.

12) Response Team members will update the ticket with the following:

a) How the incident was discovered.

b) The category of the incident.

c) How the incident occurred, whether through email, firewall, etc.

d) Where the attack came from, such as IP addresses and other related information about
the attacker.

e) What the response plan was.

f) What was done in response?

g) Whether the response was effective.

13) Response Team members will:

a) Make copies of logs, email, and other communication

b) Update the ticket with a list of all witnesses

c) Will keep evidence as long as necessary to complete prosecution and beyond in case of
an appeal.

14) The Response Team manager will notify the police and other appropriate agencies if prosecution
of the intruder is possible.

15) The Response Team manager will assess the damage to the organization and estimate both the
damage cost and the cost of the containment efforts.

16) The Response Team manager will review the response, update policies, and take preventative
steps so the intrusion can’t happen again.

a) Consider whether an additional policy could have prevented the intrusion.

ISOL 533 – InfoSecurity & Risk Management Computer Incident Response Team Plan
University of The Cumberlands

b) Consider whether a procedure or policy was not followed which allowed the intrusion, and
then consider what could be changed to ensure that the procedure or policy is followed in
the future.

c) Was the incident response appropriate? How could it be improved?

d) Was every appropriate party informed in a timely manner?

e) Were the incident-response procedures detailed and did they cover the entire situation?
How can they be improved?

f) Have changes been made to prevent a re-infection? Have all systems been patched,
systems locked down, passwords changed, anti-virus updated, email policies set, etc.?

g) Have changes been made to prevent a new and similar infection?

h) Should any security policies be updated?

i) What lessons have been learned from this experience?

ISOL 533 – InfoSecurity & Risk Management Computer Incident Response Team Plan
University of The Cumberlands

Appendix A – Incident Response Worksheet

Complete this worksheet for any reported incidents

Preparation:

What tools, applications, laptops, and communication devices were needed to address the Computer
Incident Response for this specific breach?

Identification: When an incident is reported, it must be identified, classified, and documented. During
this step, the following information is needed:

 Identify the nature of the incident
o What Business Process was impacted
o What threat was identified
o What weakness was identified
o What risk was identified
o What was the Risk Factor/Impact of the incident
o What was the RTO, MTD and RPO assigned to the business process
o What hardware, software, database and other resource were impacted

Containment: The immediate objective is to limit the scope and magnitude of the computer/security-
related incident as quickly as possible, rather than allow the incident to continue to gain evidence for
identifying and/or prosecuting the perpetrator.

 What needed to be done to limit the scope of the incident

Eradication: The next priority is to remove the computer/security-related incident or breach’s effects.

 What was done to mitigate the risk of the incident

Recovery: Recovery is specific to bringing back into production those IT systems, applications, and
assets that were affected by the security-related incident.

 What was done to recover the IT systems
o What procedures were used and were they covered in the Disaster Recovery Plan
o Was the Business Continuity Plan executed in response to this incident
o Were any issues identified that would lead to updates to the BIA, BCP or DR plans.

ISOL 533 – Information Security and Risk Management University of the Cumberlands


NOTE: BEFORE TURNING THIS IN, REMOVE THE HIGHLIGHTED TEXT.


Task 1. Complete the BIA table below and use it for the remainder of the assignment. You may want to review your Lab #07 assignment where you developed a BIA table. Information needed to create the Business Functions and Processes below are in the “Project Management Plan” scenario and the “Project Health Network Visual”. Hint: look at the processes that go from the customers and into the systems/applications in the “Project Health Network Visual”.

Business Function or Process

Business Impact Factor

Recovery Time Objective

IT Systems/Apps Infrastructure Impacts

Task 1: Business Impact Analysis – extracts from the Boiler Plate

1. Overview

This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system. It was prepared for Health Network, Inc (Health Network).

2. System Description



3.1.1 Identify Outage Impacts and Estimated Downtime

Estimated Downtime

The table below identifies the MTD, RTO, and RPO for the organizational business processes that rely on the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system.



Mission/Business Process

For HNetExchange

MTD

RTO

RPO

MTD

RTO

RPO

Mission/Business Process

For HNetConnect

MTD

RTO

RPO

Mission/Business Process

For HNetPay

Task 2: Business Continuity Plan – extracts from the Boiler Plate



Modify the statements below to reflect this decision. FAILURE TO MODIFY THIS SECTION WILL RESULT IN DEDUCTED POINTS!!!!>

Emergency management standards

Data backup policy

Full and incremental backups preserve corporate information assets and should be performed on a regular basis for audit logs and files that are irreplaceable, have a high replacement cost, or are considered critical. Backup media should be stored in a secure, geographically separate location from the original and isolated from environmental hazards.

Department-specific data and document retention policies specify what records must be retained and for how long. All organizations are accountable for carrying out the provisions of the instruction for records in their organization.

IT follows these standards for its data backup and archiving:

Tape retention policy

Backup media is stored at locations that are secure, isolated from environmental hazards, and geographically separate from the location housing the system.

Billing tapes

· Tapes greater than three years old are destroyed every six months.

· Tapes less than three years old must be stored locally off-site.

· The system supervisor is responsible for the transition cycle of tapes.

System image tapes

· A copy of the most current image files must be made at least once per week.

· This backup must be stored offsite.

· The system supervisor is responsible for this activity.

Off-site storage procedures

· Tapes and disks, and other suitable media are stored in environmentally secure facilities.

· Tape or disk rotation occurs on a regular schedule coordinated with the storage vendor.

Access to backup databases and other data is tested annually

Task 3: Disaster Recovery Plan – extracts from the Boiler Plate

Disaster Recovery Plan for

OVERVIEW

PRODUCTION SERVER

Location: Enter location

IT INFRASTRUCTURE

Provide details on what systems, applications, databases and equipment are involved.

BACKUP STRATEGY FOR SYSTEM ONE

Daily / Monthly / Quarterly

Choose which strategy on the left is use.

< For each Risk below, 1. Explain how the risk impacts the critical IT Infrastructure, 2. Explain how the Loss impacts the company, and 3. Explain the steps needed to resolve the problem>

DISASTER RECOVERY PROCEDURE

Risk #1: Loss of company data due to HNetPay hardware removed from production systems.

Provide details

Risk #2: Loss of customers due to production outages.

Provide details

Disaster Recovery Plan for

OVERVIEW

PRODUCTION SERVER

Location: Enter location

IT INFRASTRUCTURE

Provide details on what systems, applications, databases and equipment are involved.

BACKUP STRATEGY FOR SYSTEM ONE

Daily / Monthly / Quarterly

Choose which strategy on the left is use.

< For each Risk below, 1. Explain how the risk impacts the critical IT Infrastructure, 2. Explain how the Loss impacts the company, and 3. Explain the steps needed to resolve the problem>

DISASTER RECOVERY PROCEDURE

Risk #1: Loss of company data due to HNetConnect hardware removed from production systems.

Provide details

Risk #2: Loss of customers due to production outages.

Provide details

Disaster Recovery Plan for

OVERVIEW

PRODUCTION SERVER

Location: Enter location

IT INFRASTRUCTURE

Provide details on what systems, applications, databases and equipment are involved.

BACKUP STRATEGY FOR SYSTEM ONE

Daily / Monthly / Quarterly

Choose which strategy on the left is use.

< For each Risk below, 1. Explain how the risk impacts the critical IT Infrastructure, 2. Explain how the Loss impacts the company, and 3. Explain the steps needed to resolve the problem>

SYSTEM DISASTER RECOVERY PROCEDURE

Risk #1: Loss of company data due to HNetExchange hardware removed from production systems.

Provide details

Risk #2: Loss of customers due to production outages.

Provide details

Task 4: Computer Incident Response Team Plan – extracts from the Boiler Plate

· Loss of company information on lost company-owned laptop

Complete all HIGHLIGHTED areas below.
>

Appendix A – Incident Response Worksheet

Preparation
:

What tools, applications, laptops, and communication devices were needed to address the Computer Incident Response for this specific breach?

Identification
: When an incident is reported, it must be identified, classified, and documented. During this step, the following information is needed:

· Identify the nature of the incident

· What Business Process was impacted

· What threat was identified

· What weakness was identified

· What risk was identified

· What was the Risk Factor/Impact of the incident

· What was the RTO, MTD and RPO assigned to the business process

· What hardware, software, database and other resource were impacted

Containment
: The immediate objective is to limit the scope and magnitude of the computer/security-related incident as quickly as possible, rather than allow the incident to continue to gain evidence for identifying and/or prosecuting the perpetrator.

· What needs to be done to limit the scope of the incident

Eradication
: The next priority is to remove the computer/security-related incident or breach’s effects.

· What needs to be done to mitigate the risk of the incident

Recovery
: Recovery is specific to bringing back into production those IT systems, applications, and assets that were affected by the security-related incident.

· What needs to be done to recover the IT systems

· What procedures need to be used and are they covered in the Disaster Recovery Plan

· Would the Business Continuity Plan be executed in response to this incident

· Would any issues be identified that would lead to updates to the BIA, BCP or DR plans.

ISOL

533 – Information Security and Risk Management

DISASTER RECOVERY PLAN

University of the Cumberlands

Information Technology Statement of Intent

This document delineates Health Network, Inc. (Health Network) policies and procedures for
technology disaster recovery, as well as our process-level plans for recovering critical technology
platforms and the telecommunications infrastructure. This document summarizes our
recommended procedures. In the event of an actual emergency situation, modifications to this
document may be made to ensure physical safety of our people, our systems, and our data.

Our mission is to ensure information system uptime, data integrity and availability, and

business continuity.

Policy Statement

Corporate management has approved the following policy statement:

 The company shall develop a comprehensive IT disaster recovery plan.

 A formal risk assessment shall be undertaken to determine the requirements for the disaster
recovery plan.

 The disaster recovery plan should cover all essential and critical infrastructure elements,
systems and networks, in accordance with key business activities.

 The disaster recovery plan should be periodically tested in a simulated environment to ensure
that it can be implemented in emergency situations and that the management and staff
understand how it is to be executed.

 All staff must be made aware of the disaster recovery plan and their own respective roles.

 The disaster recovery plan is to be kept up to date to take into account changing
circumstances.

Objectives

The principal objective of the disaster recovery program is to develop, test and document a well-
structured and easily understood plan which will help the company recover as quickly and
effectively as possible from an unforeseen disaster or emergency which interrupts information
systems and business operations. Additional objectives include the following:

• The need to ensure that all employees fully understand their duties in implementing such a

plan
• The need to ensure that operational policies are adhered to within all planned activities
• The need to ensure that proposed contingency arrangements are cost-effective
• The need to consider implications on other company sites
• Disaster recovery capabilities as applicable to key customers, vendors and others

2

Key Personnel Contact Info

Name, Title Contact Option Contact Number

Work

Alternate

Mobile

Home

Email Address

Alternate Email

Work
Alternate
Mobile
Home
Email Address
Alternate Email

Work
Alternate
Mobile
Home
Email Address
Alternate Email

Work
Alternate
Mobile
Home
Email Address
Alternate Email

Work
Alternate
Mobile
Home
Email Address
Alternate Email

Work
Alternate
Mobile
Home
Email Address
Alternate Email

3

Notification Calling Tree

Person

Identifying

Incident

4

External Contacts

Name, Title Contact Option Contact Number

Landlord / Property Manager

Account Number None

Work
Mobile
Home
Email Address

Power Company

Account Number Work

Mobile
Home
Email Address

Telecom Carrier 1

Account Number Work
Mobile

Fax

Home
Email Address

Telecom Carrier 2

Account Number Work
Mobile
Home
Email Address

Hardware Supplier 1

Account Number Work
Mobile

Emergency Reporting

Email Address

Server Supplier 1

Account Number. Work

Mobile
Fax

Email Address

Workstation Supplier 1

Account Number Work
Mobile
Home
Email Address

Office Supplies 1

Account Number C3095783 Work

Mobile
Home
Email Address

Insurance – Name

5

Name, Title Contact Option Contact Number
Account Number Work
Mobile
Home
Email Address

Site Security –

Account Number Work
Mobile
Home
Email Address

Off-Site Storage 1

Account Number Work

Mobile
Home
Email Address

Off-Site Storage 2

Account Number User ID

Password

Home
Email Address

HVAC –

Account Number Work
Mobile
Home
Email Address

Power Generator –

Account Number Work
Mobile
Home
Email Address

Other –

Account Number Work
Mobile
Home
Email Address

6

External Contacts Calling Tree

7

1 Plan Overview

1.1 Plan Updating

It is necessary for the DRP updating process to be properly structured and controlled. Whenever
changes are made to the plan they are to be fully tested and appropriate amendments should be
made to the training materials. This will involve the use of formalized change control procedures
under the control of the IT Director.

1.2 Plan Documentation Storage

Copies of this Plan, CD, and hard copies will be stored in secure locations to be defined by the
company. Each member of senior management will be issued a CD and hard copy of this plan to
be filed at home. Each member of the Disaster Recovery Team and the Business Recovery
Team will be issued a CD and hard copy of this plan. A master protected copy will be stored on
specific resources established for this purpose.

1.3 Backup Strategy

Key business processes and the agreed backup strategy for each are listed below. The strategy
chosen is for a fully mirrored recovery site at the company’s alternate sites. This strategy entails
the maintenance of a fully mirrored duplicate site which will enable instantaneous switching
between the live site (headquarters) and the backup site.

KEY BUSINESS PROCESS BACKUP STRATEGY

IT Operations Fully mirrored recovery site

Tech Support – Hardware Fully mirrored recovery site

Tech Support – Software Fully mirrored recovery site

Facilities Management Fully mirrored recovery site

Email Fully mirrored recovery site

Purchasing Fully mirrored recovery site

Disaster Recovery Fully mirrored recovery site

Finance Fully mirrored recovery site

Contracts Admin Fully mirrored recovery site

Warehouse & Inventory Fully mirrored recovery site

Product Sales Fully mirrored recovery site

Maintenance Sales Fully mirrored recovery site

Human Resources Off-site data storage facility

Testing Fully Mirrored Recovery site – Fully mirrored recovery site

Workshop Fully Mirrored Recovery site – Fully mirrored recovery site

Call Center Fully mirrored recovery site

Web Site Fully mirrored recovery site

1.4 Risk Management

There are many potential disruptive threats which can occur at any time and affect the normal
business process. We have considered a wide range of potential threats and the results of our
deliberations are included in this section. Each potential environmental disaster or emergency
situation has been examined. The focus here is on the level of business disruption which could
arise from each type of disaster.

8

Potential disasters have been assessed as follows:

Potential Disaster Probability Rating Impact Rating
Brief Description Of Potential

Consequences & Remedial
Actions

<3> <4>

Probability: 1=Very High, 5=Very Low Impact: 1=Total destruction, 5=Minor annoyance

2 Emergency Response

2.1 Alert, escalation and plan invocation

2.1.1 Plan Triggering Events

Key trigger issues at headquarters that would lead to activation of the DRP are:
• Total loss of all communications
• Total loss of power
• Flooding of the premises
• Loss of the building

2.1.2 Assembly Points

Where the premises need to be evacuated, the DRP invocation plan identifies two evacuation
assembly points:
• Primary – Far end of main parking lot;
• Alternate – Parking lot of company across the street

2.1.3 Activation of Emergency Response Team

When an incident occurs the Emergency Response Team (ERT) must be activated. The ERT will
then decide the extent to which the DRP must be invoked. All employees must be issued a
Quick Reference card containing ERT contact details to be used in the event of a disaster.
Responsibilities of the ERT are to:

• Respond immediately to a potential disaster and call emergency services;
• Assess the extent of the disaster and its impact on the business, data center, etc.;
• Decide which elements of the DR Plan should be activated;
• Establish and manage disaster recovery team to maintain vital services and return to normal

operation;
• Ensure employees are notified and allocate responsibilities and activities as required.

2.2 Disaster Recovery Team

The team will be contacted and assembled by the ERT. The team’s responsibilities include:
• Establish facilities for an emergency level of service within 2.0 business hours;
• Restore key services within 4.0 business hours of the incident;
• Recover to business as usual within 8.0 to 24.0 hours after the incident;

9

• Coordinate activities with disaster recovery team, first responders, etc.
• Report to the emergency response team.

2.3 Emergency Alert, Escalation and DRP Activation

This policy and procedure has been established to ensure that in the event of a disaster or crisis,
personnel will have a clear understanding of who should be contacted. Procedures have been
addressed to ensure that communications can be quickly established while activating disaster
recovery.

The DR plan will rely principally on key members of management and staff who will provide the
technical and management skills necessary to achieve a smooth technology and business
recovery. Suppliers of critical goods and services will continue to support recovery of business
operations as the company returns to normal operating mode.

2.3.1 Emergency Alert
The person discovering the incident calls a member of the Emergency Response Team in the
order listed:

Emergency Response Team
• <_________>
• <_________>
• <_________>

If not available try:
• <_________>
• <_________>

The Emergency Response Team (ERT) is responsible for activating the DRP for disasters
identified in this plan, as well as in the event of any other occurrence that affects the company’s
capability to perform normally.

One of the tasks during the early stages of the emergency is to notify the Disaster Recovery
Team (DRT) that an emergency has occurred. The notification will request DRT members to
assemble at the site of the problem and will involve sufficient information to have this request
effectively communicated. The Business Recovery Team (BRT) will consist of senior
representatives from the main business departments. The BRT Leader will be a senior member of
the company’s management team, and will be responsible for taking overall charge of the
process and ensuring that the company returns to normal working operations as early as
possible.

2.3.2 DR Procedures for Management

Members of the management team will keep a hard copy of the names and contact numbers of
each employee in their departments. In addition, management team members will have a hard
copy of the company’s disaster recovery and business continuity plans on file in their homes in
the event that the headquarters building is inaccessible, unusable, or destroyed.

2.3.3 Contact with Employees

Managers will serve as the focal points for their departments, while designated employees will
call other employees to discuss the crisis/disaster and the company’s immediate plans.
Employees who cannot reach staff on their call list are advised to call the staff member’s
emergency contact to relay information on the disaster.

10

2.3.4 Backup Staff

If a manager or staff member designated to contact other staff members is unavailable or
incapacitated, the designated backup staff member will perform notification duties.

2.3.5 Recorded Messages / Updates

For the latest information on the disaster and the organization’s response, staff members can call
a toll-free hotline listed in the DRP wallet card. Included in messages will be data on the nature
of the disaster, assembly sites, and updates on work resumption.

2.3.7 Alternate Recovery Facilities / Hot Site

If necessary, the hot site at SunGard will be activated and notification will be given via recorded
messages or through communications with managers. Hot site staffing will consist of members of
the disaster recovery team only for the first 24 hours, with other staff members joining at the hot
site as necessary.

2.3.8 Personnel and Family Notification

If the incident has resulted in a situation which would cause concern to an employee’s immediate
family such as hospitalization of injured persons, it will be necessary to notify their immediate
family members quickly.

3 Media

3.1 Media Contact
Assigned staff will coordinate with the media, working according to guidelines that have been
previously approved and issued for dealing with post-disaster communications.

3.2 Media Strategies
1. Avoiding adverse publicity
2. Take advantage of opportunities for useful publicity
3. Have answers to the following basic questions:

 What happened?

 How did it happen?

 What are you going to do about it?

3.3 Media Team
• <____________________________________________>
• <____________________________________________>

• <____________________________________________>

3.4 Rules for Dealing with Media
Only the media team is permitted direct contact with the media; anyone else contacted should
refer callers or in-person media representatives to the media team.

4 Insurance

As part of the company’s disaster recovery and business continuity strategies a number of
insurance policies have been put in place. These include errors and omissions, directors &
officers liability, general liability, and business interruption insurance.

11

If insurance-related assistance is required following an emergency out of normal business hours,
please contact: <___________________________________________>

Policy Name
Coverage

Type
Coverage

Period
Amount Of
Coverage

Person
Responsible
For Coverage

Next Renewal
Date

5 Financial and Legal Issues

5.1 Financial Assessment

The emergency response team shall prepare an initial assessment of the impact of the incident
on the financial affairs of the company. The assessment should include:

 Loss of financial documents

 Loss of revenue

 Theft of check books, credit cards, etc.

 Loss of cash

5.2 Financial Requirements

The immediate financial needs of the company must be addressed. These can include:

 Cash flow position

 Temporary borrowing capability

 Upcoming payments for taxes, payroll taxes, Social Security, etc.

 Availability of company credit cards to pay for supplies and services required post-disaster

5.3 Legal Actions

The company legal department and ERT will jointly review the aftermath of the incident and
decide whether there may be legal actions resulting from the event; in particular, the possibility of
claims by or against the company for regulatory violations, etc.

6 DRP Exercising

Disaster recovery plan exercises are an essential part of the plan development process. In a
DRP exercise no one passes or fails; everyone who participates learns from exercises – what
needs to be improved, and how the improvements can be implemented. Plan exercising ensures
that emergency teams are familiar with their assignments and, more importantly, are confident in
their capabilities.

Successful DR plans launch into action smoothly and effectively when they are needed. This will
only happen if everyone with a role to play in the plan has rehearsed the role one or more times.
The plan should also be validated by simulating the circumstances within which it has to work and
seeing what happens.

12

Appendix A – Technology Disaster Recovery Plan Templates

Disaster Recovery Plan for
SYSTEM

OVERVIEW

PRODUCTION SERVER Location: Enter location
Server Model: Operating System: CPUs: Memory: Total Disk:
System Handle: System Serial #: DNS Entry: IP Address:
Other:

HOT SITE SERVER

APPLICATIONS
(Use bold for Hot Site)

ASSOCIATED SERVERS

KEY

CONTACTS

Hardware Vendor

System Owners

Database Owner

Application Owners

Software Vendors

Offsite Storage

BACKUP STRATEGY FOR
SYSTEM ONE

Daily / Monthly / Quarterly Choose which strategy on the left you would use and provide
details on why.

SYSTEM ONE
DISASTER RECOVERY
PROCEDURE

Scenario 1
Total Loss of Data

Provide details

Scenario 2
Total Loss of HW

Provide details

13

Database/File Systems

File System as of

Minimal file systems to be
backed-up and restored:

Filesystem kbytes Used Avail %used
Mounted on

Other critical files to
modify

Necessary directories to
create

Critical files to restore

Secondary files to restore

Other files to restore

14

Disaster Recovery Plan for Local Area Network (LAN)

SYSTEM

OVERVIEW

SERVER Location:
Server Model: Operating System: CPUs:
Memory: Total Disk: System Handle: System Serial #:
DNS Entry: IP Address:
Other:

HOT SITE SERVER Provide details

APPLICATIONS
(Use bold for Hot Site)

ASSOCIATED SERVERS

KEY CONTACTS

Hardware Vendor Provide details

System Owners Provide details

Database Owner Provide details

Application Owners Provide details

Software Vendors Provide details

Offsite Storage Provide details

BACKUP STRATEGY for
SYSTEM TWO

Daily Provide details

Monthly Provide details

Quarterly Provide details

SYSTEM TWO
DISASTER RECOVERY
PROCEDURE

Scenario 1
Total Loss of Data

Provide details

Scenario 2
Total Loss of HW

Provide details

15

ADDENDUM

CONTACTS

File Systems

File System as of

Minimal file systems
to be created and
restored from
backup:

Filesystem kbytes Used Avail %used
Mounted on

Other critical files to
modify

Necessary directories
to create

Critical files to restore

Secondary files to
restore

Other files to restore

16

Disaster Recovery Plan for Wide Area Network (WAN)

SYSTEM

OVERVIEW

EQUIPMENT Location:
Device Type: Model No.: Technical Specifications:
Network Interfaces: Power Requirements;
System Serial #: DNS Entry: IP Address:
Other:

HOT SITE EQUIPMENT Provide details

SPECIAL APPLICATIONS

ASSOCIATED DEVICES

KEY CONTACTS
Hardware Vendor Provide details
System Owners Provide details
Database Owner Provide details
Application Owners Provide details
Software Vendors Provide details
Offsite Storage Provide details

Network Services Provide details

BACKUP STRATEGY for
SYSTEM TWO

Daily Provide details
Monthly Provide details
Quarterly Provide details

SYSTEM TWO
DISASTER RECOVERY
PROCEDURE

Scenario 1
Total Loss of Network

Provide details

Scenario 2
Total Loss of HW

Provide details

17

ADDENDUM

CONTACTS

Support Systems

Support system

Critical network
assets

Critical interfaces

Critical files to restore

Critical network
services to restore

Other services

18

Disaster Recovery Plan for Remote Connectivity

SYSTEM

OVERVIEW

EQUIPMENT Location:
Device Type: Model No.:
Technical Specifications: Network Interfaces:
Power Requirements; System Serial #:
DNS Entry: IP Address:
Other:

HOT SITE EQUIPMENT Provide details
SPECIAL APPLICATIONS
ASSOCIATED DEVICES

KEY CONTACTS
Hardware Vendor Provide details
System Owners Provide details
Database Owner Provide details
Application Owners Provide details
Software Vendors Provide details
Offsite Storage Provide details
Network Services Provide details

BACKUP STRATEGY for
SYSTEM TWO

Daily Provide details
Monthly Provide details
Quarterly Provide details

SYSTEM TWO
DISASTER RECOVERY
PROCEDURE

Scenario 1
Total Loss of Network

Provide details

Scenario 2
Total Loss of HW

Provide details

19

ADDENDUM

CONTACTS

Support Systems

Support system


Critical network
assets

Critical interfaces
Critical files to restore
Critical network
services to restore

Other services

20

Disaster Recovery Plan for Voice Communications

SYSTEM

OVERVIEW

EQUIPMENT Location:
Device Type: Model No.:
Technical Specifications: Network Interfaces:
Power Requirements; System Serial #:
DNS Entry: IP Address:
Other:

HOT SITE EQUIPMENT Provide details
SPECIAL APPLICATIONS
ASSOCIATED DEVICES

KEY CONTACTS
Hardware Vendor Provide details
System Owners Provide details
Database Owner Provide details
Application Owners Provide details
Software Vendors Provide details
Offsite Storage Provide details
Network Services Provide details

BACKUP STRATEGY for
SYSTEM TWO

Daily Provide details
Monthly Provide details
Quarterly Provide details

SYSTEM TWO
DISASTER RECOVERY
PROCEDURE

Scenario 1
Total Loss of Switch

Provide details

Scenario 2
Total Loss of Network

Provide details

21

ADDENDUM

CONTACTS

Support Systems

Support system


Critical network
assets

Critical interfaces
Critical files to restore
Critical network
services to restore

Other services

22

Appendix B – Suggested Forms

Damage Assessment Form

Key Business
Process Affected

Description Of Problem Extent Of Damage

_____________

Management of DR Activities Form

• During the disaster recovery process all activities will be determined using a standard

structure;
• Where practical, this plan will need to be updated on a regular basis throughout the disaster

recovery period;
• All actions that occur during this phase will need to be recorded.

Activity Name:

Reference Number:

Brief Description:

Commencement

Date/Time
Completion
Date/Time

Resources Involved In Charge

_

______

___________

23

Disaster Recovery Event Recording Form

• All key events that occur during the disaster recovery phase must be recorded.
• An event log shall be maintained by the disaster recovery team leader.
• This event log should be started at the commencement of the emergency and a copy of the

log passed on to the business recovery team once the initial dangers have been controlled.
• The following event log should be completed by the disaster recovery team leader to record

all key events during disaster recovery, until such time as responsibility is handed over to the
business recovery team.

Description of Disaster:

Commencement Date:

Date/Time DR Team Mobilized:

Activities Undertaken by DR

Team
Date and

Time
Outcome

Follow-On Action
Required

Disaster Recovery Team’s Work Completed:

Event Log Passed to Business Recovery Team:

_____

____________

24

Disaster Recovery Activity Report Form

• On completion of the initial disaster recovery response the DRT leader should prepare a
report on the activities undertaken.

• The report should contain information on the emergency, who was notified and when, action
taken by members of the DRT together with outcomes arising from those actions.

• The report will also contain an assessment of the impact to normal business operations.
• The report should be given to business recovery team leader, with a copy to senior

management, as appropriate.
• A disaster recovery report will be prepared by the DRT leader on completion of the initial

disaster recovery response.
• In addition to the business recovery team leader, the report will be distributed to senior

management

The report will include:
• A description of the emergency or incident
• Those people notified of the emergency (including dates)
• Action taken by members of the DRT
• Outcomes arising from actions taken
• An assessment of the impact to normal business operations
• Assessment of the effectiveness of the BCP and lessons learned
• Lessons learned
__________

Mobilizing the Disaster Recovery Team Form

• Following an emergency requiring recovery of technology infrastructure assets, the disaster
recovery team should be notified of the situation and placed on standby.

• The format shown below can be used for recording the activation of the DR team once the
work of the damage assessment and emergency response teams has been completed.

Description of Emergency:

Date Occurred:

Date Work of Disaster Recovery Team Completed:

Name of

Team Member
Contact
Details

Contacted On
(Time / Date)

By Whom Response
Start Date
Required

Relevant Comments (e.g., Specific Instructions Issued)

___________

25

Mobilizing the Business Recovery Team Form

 Following an emergency requiring activation of the disaster recovery team, the business

recovery team should be notified of the situation and placed on standby.

 The format shown below will be used for recording the activation of the business recovery
team once the work of the disaster recovery team has been completed.

Description of Emergency:
Date Occurred:

Date Work of Business Recovery Team Completed:

Name of
Team Member
Contact
Details
Contacted On
(Time / Date)
By Whom Response
Start Date
Required

Relevant Comments (e.g., Specific Instructions Issued)

____________

Monitoring Business Recovery Task Progress Form

• The progress of technology and business recovery tasks must be closely monitored during

this period of time.
• Since difficulties experienced by one group could significantly affect other dependent tasks it

is important to ensure that each task is adequately resourced and that the efforts required to
restore normal business operations have not been underestimated.

Note: A priority sequence must be identified although, where possible, activities will be carried out
simultaneously.

Recovery Tasks
(Order of Priority)

Person(s)
Responsible

Completion Date Milestones
Identified

Other Relevant
Information Estimated Actual

1.

2.

3.

4.

5.

6.

7.

___________

26

Preparing the Business Recovery Report Form

 On completion of business recovery activities the BRT leader should prepare a report on the

activities undertaken and completed.

 The report should contain information on the disruptive event, who was notified and when,
action taken by members of the BRT together with outcomes arising from those actions.

 The report will also contain an assessment of the impact to normal business operations.

 The report should be distributed to senior management, as appropriate.

The contents of the report shall include:

 A description of the incident

 People notified of the emergency (including dates)

 Action taken by the business recovery team

 Outcomes arising from actions taken

 An assessment of the impact to normal business operations

 Problems identified

 Suggestions for enhancing the disaster recovery and/or business continuity plan

 Lessons learned

Communications Form

 It is very important during the disaster recovery and business recovery activities that all
affected persons and organizations are kept properly informed.

 The information given to all parties must be accurate and timely.

 In particular, any estimate of the timing to return to normal working operations should be
announced with care.

 It is also very important that only authorized personnel deal with media queries.

Groups of Persons or
Organizations Affected

by Disruption

Persons Selected To Coordinate Communications
to Affected Persons / Organizations

Name Position Contact Details

Customers

Management & Staff

Suppliers

Media

Stakeholders

Others

____________

27

Returning Recovered Business Operations to Business Unit
Leadership

 Once normal business operations have been restored it will be necessary to return the

responsibility for specific operations to the appropriate business unit leader.

 This process should be formalized in order to ensure that all parties understand the change in
overall responsibility, and the transition to business-as-usual.

 It is likely that during the recovery process, overall responsibility may have been assigned to
the business recovery process lead.

 It is assumed that business unit management will be fully involved throughout the recovery,
but in order for the recovery process to be fully effective, overall responsibility during the
recovery period should probably be with a business recovery process team.

____________

Business Process/Function Recovery Completion Form

The following transition form should be completed and signed by the business recovery team
leader and the responsible business unit leader, for each process recovered.

A separate form should be used for each recovered business process.

Name Of Business Process

Completion Date of Work Provided by Business Recovery Team

Date of Transition Back to Business Unit Management

(If different than completion date)

I confirm that the work of the business recovery team has been completed in accordance with
the disaster recovery plan for the above process, and that normal business operations have
been effectively restored.

Business Recovery Team Leader Name: ________________________________________

Signature: ________________________________________________________________

Date: __________________________

(Any relevant comments by the BRT leader in connection with the return of this business
process should be made here.)

I confirm that above business process is now acceptable for normal working conditions.

Name: ___________________________________________________________________

Title: ____________________________________________________________________

Signature: ________________________________________________________________

Date: __________________________

ISOL 533 – Information Security and Risk Management

BUSINESS CONTINUITY PLAN

University of The Cumberlands

1

RESTRICTED

Purpose

The purpose of this business continuity plan is to prepare Health Network, Inc. (Health Network)

in the event of extended service outages caused by factors beyond our control (e.g., natural

disasters, man-made events), and to restore services to the widest extent possible in a minimum

time frame. All Health Network, Inc. (Health Network) sites are expected to implement

preventive measures whenever possible to minimize operational disruptions and to recover as

rapidly as possible when an incident occurs.

The plan identifies vulnerabilities and recommends necessary measures to prevent extended

voice communications service outages. It is a plan that encompasses all Health Network, Inc.

(Health Network) system sites and operations facilities.

Scope

The scope of this plan is limited to the three major systems used by Health Network, Inc. (Health

Network); the HNetExchange Message system, HNetConnect Directory system and HNetPay

Payment system. This is a business continuity plan, not a daily problem resolution procedures

document.

Plan objectives

 Serves as a guide for the Health Network, Inc. (Health Network) recovery teams.

 References and points to the location of critical data.

 Provides procedures and resources needed to assist in recovery.

 Identifies vendors and customers that must be notified in the event of a disaster.

 Assists in avoiding confusion experienced during a crisis by documenting, testing and
reviewing recovery procedures.

 Identifies alternate sources for supplies, resources and locations.

 Documents storage, safeguarding and retrieval procedures for vital records.

Assumptions

 Key people (team leaders or alternates) will be available following a disaster.

 A national disaster such as nuclear war is beyond the scope of this plan.

 This document and all vital records are stored in a secure off-site location and not only
survive the disaster but are accessible immediately following the disaster.

 Each support organization will have its own plan consisting of unique recovery procedures,
critical resource information and procedures.

Disaster definition

Any loss of utility service (power, water), connectivity (system sites), or catastrophic event

(weather, natural disaster, vandalism) that causes an interruption in the service provided by

Health Network, Inc. (Health Network) operations. The plan identifies vulnerabilities and

recommends measures to prevent extended service outages.

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

2

RESTRICTED

Recovery teams

Emergency management team (EMT)

Disaster recovery team (DRT)

IT technical services (IT)

Team member responsibilities

 Each team member will designate an alternate

 All of the members should keep an updated calling list of their work team members’ work,
home, and cell phone numbers both at home and at work.

 All team members should keep this plan for reference at home in case the disaster happens
after normal work hours. All team members should familiarize themselves with the contents

of this plan.

Instructions for using the business continuity plan

Invoking the plan

This plan becomes effective when a disaster occurs. Normal problem management procedures

will initiate the plan, and remain in effect until operations are resumed at the original location or

a replacement location and control is returned to the appropriate functional management.

Disaster declaration

The senior management team, with input from the EMT, DRT and IT, is responsible for

declaring a disaster and activating the various recovery teams as outlined in this plan.

In a major disaster situation affecting multiple business units, the decision to declare a disaster

will be determined by senior management. The EMT and DRT will respond based

on the directives specified by senior management.

Notification

Regardless of the disaster circumstances, or the identity of the person(s) first made aware of the

disaster, the EMT and DRT must be activated immediately in the following cases:

 Two or more critical systems and/or sites are down concurrently for three of more hours

 Any critical or major systems are down concurrently for eight or more hours

 Any problem at any system or network facility that would cause the above conditions to be
present or there is certain indication that either of the conditions are about to occur

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

3

RESTRICTED

External communications

Corporate public relations personnel are designated as the principal contacts with the media

(radio, television, and print), regulatory agency, government agencies, and other external

organizations following a formal disaster declaration.

Emergency management standards

Data backup policy

Full and incremental backups preserve corporate information assets and should be performed on

a regular basis for audit logs and files that are irreplaceable, have a high replacement cost, or are

considered critical. Backup media should be stored in a secure, geographically separate location

from the original and isolated from environmental hazards.

Department-specific data and document retention policies specify what records must be retained

and for how long. All organizations are accountable for carrying out the provisions of the

instruction for records in their organization.

IT follows these standards for its data backup and archiving:

Tape retention policy

Backup media is stored at locations that are secure, isolated from environmental hazards, and

geographically separate from the location housing the system.

Billing tapes

 Tapes greater than three years old are destroyed every six months.

 Tapes less than three years old must be stored locally off-site.

 The system supervisor is responsible for the transition cycle of tapes.

System image tapes

 A copy of the most current image files must be made at least once per week.

 This backup must be stored offsite.

 The system supervisor is responsible for this activity.

Off-site storage procedures

 Tapes and disks, and other suitable media are stored in environmentally secure facilities.

 Tape or disk rotation occurs on a regular schedule coordinated with the storage vendor.

 Access to backup databases and other data is tested annually.

Emergency management procedures

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

4

RESTRICTED

The following procedures are to be followed by system operations personnel and other

designated organizational personnel in the event of an emergency. Where uncertainty exists, the

more reactive action should be followed to provide maximum protection and personnel safety.

Note: Anyone not recognized by the IT staff as normally having business in the area must be

challenged by the staff who should then notify security personnel.

These procedures are furnished to management personnel to take home for reference. Several

pages have been included to supply emergency contacts.

In the event of any situation where access to a building housing a system is denied, personnel

should report to alternate locations. Primary and secondary locations are listed below.

Alternate locations Workplace:

 Attempt to contact your immediate supervisor or management
via telephone. Home and cell phone numbers are included in

this document

Workplace:

 Attempt to contact your immediate supervisor or management
via telephone. Home and cell phone numbers are included in

this document

In the event of a natural disaster

In the event of a major catastrophe affecting company facility, immediately notify the BCP

Project Manager.

Procedure

STEP ACTION

1
Notify EMT and DRT of pending event, if time permits.

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

5

RESTRICTED

2
If the impending natural disaster can be tracked, begin

preparation of site within 48 hours as follows:

 Deploy portable generators with fuel within 100 miles.

 Deploy support personnel, tower crews, and engineering
within 100 miles.

 Deploy tractor trailers with replacement work space,
antennas, power, computers and phones.

 Facilities department on standby for replacement
shelters

 Basic necessities are acquired by support personnel
when deployed:

 Cash for one week

 Food and water for one week

 Gasoline and other fuels

 Supplies, including chainsaws, batteries, rope,
flashlights, medical supplies, etc.

3
24 hours prior to event:

 Create an image of the system and files

 Back up critical system elements

 Verify backup generator fuel status and operation

 Create backups of e-mail, file servers, etc.

 Fuel vehicles and emergency trailers

 Notify senior management

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

6

RESTRICTED

In the event of a fire

If fire or smoke is present in the facility, evaluate the situation, determine the severity, categorize

the fire as major or minor and take the appropriate action as defined in this section. Call 9-1-1 as

soon as possible if the situation warrants it.

 Personnel are to attempt to extinguish minor fires (e.g., single hardware component or paper
fires) using hand-held fire extinguishers located throughout the facility. Any other fire or

smoke situation will be handled by qualified building personnel until the local fire

department arrives.

 In the event of a major fire, call 9-1-1 and immediately evacuate the area.

 In the event of any emergency situation, system security, site security and personal safety are
the major concerns. If possible, the operations supervisor should remain present at the facility

until the fire department has arrived.

 In the event of a major catastrophe affecting the facility, immediately notify senior
management.

Procedure STEP ACTION

1
Dial 9-1-1 to contact the fire department.

2

Immediately notify all other personnel in the facility of the

situation and evacuate the area.

3 Alert emergency personnel on:

Provide them with your name, extension where you can be

reached, building and room number, and the nature of the

emergency. Follow all instructions given.

4

Alert the EMT and DRT.

Note: During non-staffed hours, security personnel will

notify the Senior Executive responsible for the location

directly.

5

Notify Building Security.

Local security personnel will establish security at the

location and not allow access to the site unless notified by

the Senior Executive or his/her designated representative.

6 Contact appropriate vendor personnel to aid in the decision

regarding the protection of equipment if time and

circumstance permit.

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

7

RESTRICTED

7 All personnel evacuating the facilities will meet at their

assigned outside location (assembly point) and follow

instructions given by the designed authority. Under no

circumstances may any personnel leave without the

consent of supervision.

In the event of a network services provider outage

In the event of a network service provider outage to any location, the guidelines and

procedures in this section are to be followed.

Procedure STEP ACTION

1
Notify senior management of outage.

Determine cause of outage and timeframe for its recovery.

2
If outage will be greater than one hour, route all calls via

alternate services.

If it is a major outage and all carriers are down and

downtime will be greater than 12 hours, deploy satellite

phones, if available.

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

8

RESTRICTED

In the event of a flood or water damage

In the event of a flood or broken water pipe within any computing facilities, the guidelines

and procedures in this section are to be followed.

Procedure

STEP ACTION

1

Assess the situation and determine if outside assistance is

needed; if this is the case, dial 9-1-1 immediately.

2

Immediately notify all other personnel in the facility of the

situation and be prepared to cease voice operations

accordingly.

3

Immediately notify all other personnel in the facility of the

situation and be prepared to cease operations accordingly.

4

Water detected below the raised floor may have different

causes:

 If water is slowly dripping from an air conditioning
unit and not endangering equipment, contact repair

personnel immediately.

 If water is of a major quantity and flooding beneath the
floor (water main break), immediately implement

power-down procedures. While power-down

procedures are in progress, evacuate the area and

follow management’s instructions.

Plan review and maintenance

This plan must be reviewed semiannually and exercised on an annual basis. The test may be in

the form of a walk-through, mock disaster, or component testing. Additionally, with the dynamic

environment present within the organization, it is important to review the listing of personnel and

phone numbers contained within the plan regularly.

The hard-copy version of the plan will be stored in a common location where it can be viewed by

site personnel and the EMT and DRT. Electronic versions will be available via the organization’s

network resources as provided by IT. Each recovery team will have its own directory with

change management limited to the recovery plan coordinator.

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

9

RESTRICTED

Notification of incident affecting the site

On-duty personnel responsibilities

If in-hours:
Upon observation or notification of a potentially serious situation during working hours at a

system/facility, ensure that personnel on site have enacted standard emergency and evacuation

procedures if appropriate and notify the EMT and DRT.

If outside hours:
IT personnel should contact the EMT and DRT.

Provide status to EMT and DRT

Contact EMT and/or DRT and provide the following information when any of the following

conditions exist: (See Appendix B for contact list.)

 Two or more facilities are down concurrently for three or more hours.

 Any problem at any system or location that would cause the above condition to be present or
there is certain indication that the above condition is about to occur.

The EMT will provide the following information:

 Location of disaster

 Type of disaster (e.g., fire, hurricane, flood)

 Summarize the damage (e.g., minimal, heavy, total destruction)

 Meeting location that is a safe distance from the disaster scene

 An estimated timeframe of when a damage assessment group can enter the facility (if
possible)

 The EMT will contact the respective market team leader and report that a disaster involving
voice communications has taken place.

The EMT and/or DRT will contact the respective team leader and report that a

disaster has taken place.

Decide course of action

Based on the information obtained, the EMT and/or DRT need to decide how to respond to the

event: mobilize IT, repair/rebuild existing site (s) with location staff, or relocate to a new facility.

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

10

RESTRICTED

Inform team members of decision

If a disaster is not declared, the location response team will continue to address and manage the

situation through its resolution and provide periodic status updates to the EMT/DRT.

If a disaster is declared, the EMT and/or DRT will notify IT Tech Services immediately for

deployment.

Declare a disaster if the situation is not likely to be resolved within predefined time frames.

The person who is authorized to declare a disaster must also have at least one backup person who

is also authorized to declare a disaster in the event the primary person is unavailable.

Contact general vendors

Disaster declared: Mobilize incident response/Technical services teams/Report to
command center

Once a disaster is declared, the DRT is mobilized. This team will initiate and coordinate the

appropriate recovery actions. Members assemble at the designated location as quickly as

possible. See Appendix E for emergency locations.

Conduct detailed damage assessment (This may also be performed prior to
declaring a disaster.)

1. Under the direction of local authorities and/or EMT/DRT, assess the damage to

the affected location and/or assets. Include vendors/providers of installed

equipment to ensure that their expert opinion regarding the condition of the

equipment is determined ASAP.

A. Participate in a briefing on assessment requirements, reviewing:

(1) Assessment procedures

(2) Gather requirements

(3) Safety and security issues

NOTE: Access to the facility following a fire or potential chemical

contamination will likely be denied for 24 hours or longer.

B. Document assessment results using assessment and evaluation forms
contained in Appendix G.

Building access permitting:

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

11

RESTRICTED

 Conduct an on-site inspection of affected areas to assess damage to
essential hardcopy records (files, manuals, contracts,

documentation, etc.) and electronic data.

 Obtain information regarding damage to the facility (s) (e.g.,
environmental conditions, physical structure integrity, furniture,

and fixtures) from the DRT.

2. Develop a restoration priority list, identifying facilities, vital records and

equipment needed for resumption activities that could be operationally restored

and retrieved quickly.

3. Recommendations for required resources.

Contact DRT: Decide whether to continue to business recovery phase

The EMT and DRT gather information regarding the event; contacts senior management and

provides them with detailed information on status.

Based on the information obtained, senior management decides whether to continue to the

business recovery phase of this plan. If the situation does not warrant this action, continue to

address the situation at the affected site(s).

Business recovery phase (xx hours – full recovery)

This section documents the steps necessary to activate business recovery plans to support full

restoration of systems or facility functionality at an alternate/recovery site that would be used for

an extended period of time. Coordinate resources to reconstruct business operations at the

temporary/permanent system location, and to deactivate recovery teams upon return to normal

business operations.

system and facility operation requirements

The system and facility configurations for each location are important to re-establish normal

operations. A list for each location will be included in Appendix F.

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

12

RESTRICTED

Notify IT staff/Coordinate relocation to new facility

See Appendix A for IT staff associated with a new location being set up as a permanent location

(replacement for site).

Secure funding for relocation

Make arrangements in advance with suitable backup location resources. Make arrangements in

advance with local banks, credit card companies, hotels, office suppliers, food suppliers and

others for emergency support.

Notify EMT and corporate business units of recovery startup

Using the call list in Appendix B, notify the appropriate company personnel. Inform them of any

changes to processes or procedures, contact information, hours of operation, etc. (This may be

used for media information.)

Operations recovered

Assuming all relevant operations have been recovered to an alternate site, and employees are in

place to support operations, the company can declare that it is functioning in a normal manner at

the recovery location.

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

13

RESTRICTED

Appendixes

Appendix A: recovery teams

Emergency management team (EMT)

Note: See Appendix B for contact list. Suggested members to include: senior
management, human resources, corporate public relations, legal, IT services, risk
management and operations

Charter:
Responsible for overall coordination of the disaster recovery effort; evaluation and determining

disaster declaration; and communications with senior management.

Support activities:
The EMT:

 Evaluate which recovery actions should be invoked and activate the recovery teams

 Evaluate damage assessment findings

 Set restoration priority based on the damage assessment reports

 Provide senior management with ongoing status information

 Act as a communication channel to corporate teams and major customers

 Work with vendors and IRT to develop a rebuild/repair schedule

Disaster recovery team

Note: See Appendix B for contact list

Charter:
Responsible for overall coordination of the disaster recovery effort; establishment of the

emergency command area; and communications with senior management and the EMT.

Support activities:

 Coordinate with EMT and senior management

 Determine recovery needs

 Establish command center and assembly areas

 Notify all company department heads and advise them to activate their plan(s) if applicable,
based upon the disaster situation

 If no disaster is declared, take appropriate action to return to normal operations using regular
staff

 Determine if vendors or other teams are needed to assist with detailed damage assessment

 Prepare post-disaster debriefing report

 Coordinate the development of site-specific recovery plans and ensure they are updated semi-
annually

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

14

RESTRICTED

IT technical services (IT)

Charter
IT will facilitate technology restoration activities.

Support activities
 Upon notification of disaster declaration, review and provide support as follows:

1. Facilitate technology recovery and restoration activities, providing guidance on
replacement equipment and systems, as required

2. Coordinate removal of salvageable equipment at disaster site that may be used for
alternate site operations

Appendix B: Recovery team contact lists

Emergency management team (EMT)

Name Address Home Mobile/Cell Phone

Disaster recovery team (DRT)

Name Address Home Mobile/Cell Phone

IT technical services

Name Address Home Mobile/Cell Phone

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

15

RESTRICTED

Appendix C: Emergency numbers

First responders, public utility companies, others

Name Contact Name Phone

Appendix D: Contact list

Name Address Home Mobile/Cell Phone

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

16

RESTRICTED

Appendix E: Emergency command center (ECC) locations

Emergency command center –

Primary: Address

Room XXXX

City, State

Contact: “coordinator of rooms/space – (xxx) xxx-xxxx

Alternate: Address

Room XXX

City, State

Contact: “coordinator of rooms/space – (xxx) xxx-xxxx

Emergency command center –
Primary: Address
Room XXXX
City, State

Contact: “coordinator of rooms/space – (xxx) xxx-xxxx

Alternate: Address
Room XXX
City, State

Contact: “coordinator of rooms/space – (xxx) xxx-xxxx

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

17

RESTRICTED

Appendix F: Forms

Incident/disaster form

Upon notification of an incident/disaster situation the on-duty personnel will make the initial

entries into this form. It will then be forwarded to the ECC, where it will be continually updated.

This document will be the running log until the incident/disaster has ended and “normal

business” has resumed.

TIME AND DATE

________________________________________________________________________

TYPE OF EVENT

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

LOCATION

________________________________________________________________________

________________________________________________________________________

BUILDING ACCESS ISSUES

________________________________________________________________________

________________________________________________________________________

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

18

RESTRICTED

PROJECTED IMPACT TO OPERATIONS

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

RUNNING LOG (ongoing events)

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

19

RESTRICTED

Critical equipment status form

CRITICAL EQUIPMENT STATUS

ASSESSMENT AND EVALUATION FORM

Recovery team: __________________________________________

[———-STATUS———]

Equipment Condition Salvage Comments

1. ___________________ ______________ ______ _________________________

2. ___________________ ______________ ______ _________________________

3. ___________________ ______________ ______ _________________________

4. ___________________ ______________ ______ _________________________

5. ___________________ ______________ ______ _________________________

6. ___________________ ______________ ______ _________________________

7. ___________________ ______________ ______ _________________________

8. ___________________ ______________ ______ _________________________

9. ___________________ ______________ ______ _________________________

10. __________________ ______________ ______ _________________________

11. __________________ ______________ ______ _________________________

12. __________________ ______________ ______ _________________________

13. __________________ ______________ ______ _________________________

14. __________________ ______________ ______ _________________________

15. __________________ ______________ ______ _________________________

Legend

Condition: OK – Undamaged

DBU – Damaged, but usable

DS – Damaged, requires salvage before use

D – Destroyed, requires reconstruction

ISOL 533 – Information Security and Risk Management BUSINESS CONTINUITY PLAN
University of The Cumberlands

20

RESTRICTED

Appendix G: Building evacuation information

Appendix H: Inventory of primary equipment and

network services

Appendix I: Inventory of backup equipment and systems

Appendix J: Approved vendor list

Server and computer equipment suppliers

Company Name Contact Work Mobile phone

Communications and network services suppliers

Company Name Contact Work Mobile phone

Provide evacuation procedures

Provide list of equipment

and

network services
Provide list of equipment

ISOL533 – Information Security and Risk Management

BUSINESS IMPACT ANALYSIS

University of the Cumberlands

1. Overview

This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the

HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system. It was

prepared on Health Network, Inc (Health Network).

1.1 Purpose

The purpose of the BIA is to identify and prioritize system components by correlating them to the

mission/business process(es) the system supports, and using this information to characterize the impact

on the process(es) if the system were unavailable.

The BIA is composed of the following three steps:

1. Determine mission/business processes and recovery criticality. Mission/business processes
supported by the system are identified and the impact of a system disruption to those processes
is determined along with outage impacts and estimated downtime. The downtime should
reflect the maximum that an organization can tolerate while still maintaining the mission.

2. Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the
resources required to resume mission/business processes and related interdependencies as
quickly as possible. Examples of resources that should be identified include facilities, personnel,
equipment, software, data files, system components, and vital records.

3. Identify recovery priorities for system resources. Based upon the results from the previous
activities, system resources can more clearly be linked to critical mission/business processes.
Priority levels can be established for sequencing recovery activities and resources.

This document is used to build the HNetExchange Message system, HNetConnect Directory system and

HNetPay Payment system Business Contingency Plan (BCP) and is included as a key component of the

BCP. It also may be used to support the development of other contingency plans associated with the

system, including, but not limited to, the Disaster Recovery Plan (DRP).

2. System Description

{Provide a general description of system architecture and functionality as provided in the scenario

instructions. Indicate the operating environment, physical location, general location of users, and

partnerships with external organizations/systems. Include information regarding any other technical

considerations that are important for recovery purposes, such as backup procedures. Provide a diagram,

as an appendix, of the architecture, including inputs and outputs and telecommunications connections.}

ISOL 533 – Information Security and Risk Management BUSINESS IMPACT ANALYSIS
University of the Cumberlands

3. BIA Data Collection

{Normally data collection can be accomplished through individual/group interviews, workshops, email,

questionnaires, or any combination of these. For this assignment, review the scenario and include

information you would expect to obtain during the normal data collection process}

3.1 Determine Process and System Criticality

Step one of the BIA process – Working with input from users, managers, mission/business process

owners, and other internal or external points of contact (POC), identify the specific mission/business

processes that depend on or support the information

system.

Mission/Business Process Description

3.1.1 Identify Outage Impacts and

Estimated Downtime

Outage Impacts

The following impact categories represent important areas for consideration in the event of a disruption

or impact.

Values for assessing category Risk Factors/Impact:

 Critical = “1”

 Major = “2”

 Minor = “3”

Values for assessing category Recovery Time Objectives (RTO):

 Critical-1 = 4 hours

 Critical-2 = 8 hours

 Critical-3 = 24 hours

 Major-1 = 36 hours

 Major-2 = 48 hours

 Minor = 1 week

The table(s) below summarizes the impact on each mission/business process if the HNetExchange
Message system, HNetConnect Directory system and HNetPay Payment system were unavailable.

ISOL 533 – Information Security and Risk Management BUSINESS IMPACT ANALYSIS
University of the Cumberlands

Mission/Business Process

for HNetExchange

Impact Category

Risk Factor RTO Describe the Impact if unavailable

Mission/Business Process

for HNetConnect

Impact Category
Risk Factor RTO Describe the Impact if unavailable

Mission/Business Process

for HNetPay

Impact Category
Risk Factor RTO Describe the Impact if unavailable

Estimated Downtime

Working directly with mission/business process owners, departmental staff, managers, and other

stakeholders, estimate the downtime factors for consideration as a result of a disruptive event.

 Maximum Tolerable Downtime (MTD). The MTD represents the total amount of time
leaders/managers are willing to accept for a mission/business process outage or disruption and
includes all impact considerations. Determining MTD is important because it could leave
continuity planners with imprecise direction on (1) selection of an appropriate recovery method,
and (2) the depth of detail which will be required when developing recovery procedures,
including their scope and content.

 Recovery Time Objective (RTO). RTO defines the maximum amount of time that a system
resource can remain unavailable before there is an unacceptable impact on other system
resources, supported mission/business processes, and the MTD. Determining the information

ISOL 533 – Information Security and Risk Management BUSINESS IMPACT ANALYSIS
University of the Cumberlands

system resource RTO is important for selecting appropriate technologies that are best suited for

meeting the MTD.

 Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or
system outage, to which mission/business process data must be recovered (given the most
recent backup copy of the data) after an outage.

The table below identifies the MTD, RTO, and RPO for the organizational mission/business processes

that rely on the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment

system.
Mission/Business Process

For HNetExchange
MTD RTO RPO

Mission/Business Process

For HNetConnect
MTD RTO RPO

Mission/Business Process

For HNetPay
MTD RTO RPO

3.2 Identify Resource Requirements

The following table identifies the resources that compose the HNetExchange Message system,

HNetConnect Directory system and HNetPay Payment system including hardware, software, and other

resources such as data files.

System Resource/Component Description

It is assumed that all identified resources support the mission/business processes identified in Section 3.1

unless otherwise stated.

ISOL 533 – Information Security and Risk Management BUSINESS IMPACT ANALYSIS
University of the Cumberlands

3.3 Identify Recovery Priorities for System Resources

The table below lists the order of recovery for resources. The table also identifies the

expected time for recovering the resource following a “worst case” (complete rebuild/repair or

replacement) disruption.

 Recovery Time Objective (RTO) – RTO defines the maximum amount of time that a system
resource can remain unavailable before there is an unacceptable impact on other system

resources, supported mission/business processes, and the MTD. Determining the information

system resource RTO is important for selecting appropriate technologies that are best suited for
meeting the MTD.

Priority # System Resource/Component
Recovery Time

Objective

ISOL 533 – Information Security and Risk Management BUSINESS IMPACT ANALYSIS
University of the Cumberlands

Table 1 – BIA worksheet

Business Function or Process
Business
Impact
Factor

Recovery
Time

Objective
IT Systems/Apps
Infrastructure Impacts

Calculate your order
275 words
Total price: $0.00

Top-quality papers guaranteed

54

100% original papers

We sell only unique pieces of writing completed according to your demands.

54

Confidential service

We use security encryption to keep your personal data protected.

54

Money-back guarantee

We can give your money back if something goes wrong with your order.

Enjoy the free features we offer to everyone

  1. Title page

    Get a free title page formatted according to the specifics of your particular style.

  2. Custom formatting

    Request us to use APA, MLA, Harvard, Chicago, or any other style for your essay.

  3. Bibliography page

    Don’t pay extra for a list of references that perfectly fits your academic needs.

  4. 24/7 support assistance

    Ask us a question anytime you need to—we don’t charge extra for supporting you!

Calculate how much your essay costs

Type of paper
Academic level
Deadline
550 words

How to place an order

  • Choose the number of pages, your academic level, and deadline
  • Push the orange button
  • Give instructions for your paper
  • Pay with PayPal or a credit card
  • Track the progress of your order
  • Approve and enjoy your custom paper

Ask experts to write you a cheap essay of excellent quality

Place an order