Business Continuity Plan
Rel. 1 Ver. 1 <Date> All rights reserved, 2013, Green Cloud Technologies
Prepared by:
Mike Ward, CBCP
EMERGENCY NOTIFICATION CONTACTS ... 2
<COMPANY> POLICY ... 4
OFFICE LOCATIONS ... 5
INSTRUCTIONS FOR USING THE BUSINESS CONTINUITY PLAN ... 6
EXECUTING THE PLAN ... 6
SBD DECLARATION ... 6
EMERGENCY MANAGEMENT STANDARDS ... 7
DATA BACKUP POLICY ... 7
DATA BACK-UP AND RECOVERY (HARD COPY AND ELECTRONIC) ... 7
SERVER RECOVERY MANAGEMENT ... 7
EMERGENCY MANAGEMENT PROCEDURES ... 8
ALTERNATIVE LOCATION(S) OF EMPLOYEES ... 8
NATURAL DISASTER ... 9
FIRE ... 10
FLOOD OR WATER DAMAGE ... 11
NETWORK SERVICES PROVIDER OUTAGE ... 11
PLAN REVIEW AND MAINTENANCE ... 12
ALERT/VERIFICATION/DECLARATION PHASE... 13
PLAN CHECKLISTS ... 13
FLOW DIAGRAMS ... 14
DISASTER DECLARED ... 16
MOBILIZE INCIDENT RESPONSE/TECHNICAL SERVICES TEAMS/REPORT TO COMMAND CENTER ... 16
CONDUCT DETAILED DAMAGE ASSESSMENT ... 16
BUSINESS RECOVERY PHASE ... 17
APPENDIXES ... 18
APPENDIX A:<COMPANY> RECOVERY TEAMS ... 18
APPENDIX B:EMERGENCY NUMBERS ... 20
APPENDIX C:BUILDING EVACUATION INFORMATION ... 21
APPENDIX D:INVENTORY OF PRIMARY EQUIPMENT AND NETWORK SERVICES ... 22
APPENDIX E:INVENTORY OF BACKUP EQUIPMENT AND SYSTEMS ... 23
APPENDIX F: FORMS ... 24
APPENDIX G:DISASTER RECOVERY FROM GREEN CLOUD TECHNOLOGIES ... 26
Date Summary of changes made Changes made by (Name)
Each emergency contact person must be an associated person of the firm, and at least one emergency contact person must be a member of senior management and a registered principal of the firm. If your firm designates a second emergency contact person who is not a registered principal of your firm, then that contact person must be a member of senior management who has knowledge of the firm’s business operations. If your firm has only one associated person, the second emergency contact must be an individual, either registered with another firm or non-registered, who has knowledge of your firm’s business operations (e.g., your firm’s attorney, accountant or clearing firm contact person).
<Company>
Name
Address
Mobile
Third-Party Contacts
Name
Address
Mobile
<C
OMPANY
>
P
OLICY
Our firm’s policy is to respond to a Significant Business Disruption (SBD) by safeguarding employees’ lives and firm property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all of the firm’s books and records, and allowing our customers to transact business.
The plan identifies vulnerabilities and recommends necessary measures to prevent extended voice communications service outages. It is a plan that encompasses all <Company> system sites and operations facilities.
SIGNIFICANT BUSINESS DISRUPTIONS (SBDS)
Our plan anticipates two kinds of SBDs, internal and external. Internal SBDs affect only our firm’s ability to communicate and do business, such as a fire in our building. External SBDs prevent the operation of the securities markets or a number of firms, such as a terrorist attack, a city flood, or a wide-scale, regional disruption. Our response to an external SBD relies more heavily on other organizations and systems, especially on the capabilities of our clearing firm.
APPROVAL AND EXECUTION AUTHORITY
is responsible for approving the plan and for conducting the
Name Title required annual review.
has the authority to execute this BCP.
Name Title
PLAN LOCATION AND ACCESS
Our firm will maintain copies of its BCP plan and the annual reviews, and the changes that have been made to it for inspection. An electronic copy of our plan is located:
• In our Green Cloud Virtual Meeting Room: <GC Meeting Room> •
O
FFICE
L
OCATIONS
OFFICE LOCATION #1
Location Address: Primary Contact: Telephone Number: Primary Function:(i.e. call center, headquarters)
OFFICE LOCATION #2
Location Address: Primary Contact: Telephone Number: Primary Function:(i.e. call center, headquarters)
OFFICE LOCATION #3
Location Address: Primary Contact: Telephone Number: Primary Function:I
NSTRUCTIONS FOR
U
SING THE
B
USINESS
C
ONTINUITY
P
LAN
EXECUTING THE PLAN
This plan becomes effective when a SBD occurs. Normal problem management procedures will initiate the plan, and remain in effect until operations are resumed at the original location or a replacement location and control is returned to the appropriate functional management.
SBD
DECLARATION
The senior management team will be responsible for declaring a disaster and activating the various recovery teams as outlined in this plan, with input from:
• Emergency management Team (EMT) • Disaster recovery team (DRT)
• IT technical services (IT)
*Note: Full contact information listed in Appendix A.
In a major disaster situation affecting multiple business units, the decision to declare a disaster will be determined by <Company> senior management. The EMT and DRT will respond based on the directives specified by senior management.
E
MERGENCY
M
ANAGEMENT
S
TANDARDS
DATA BACKUP POLICY
Full and incremental backups preserve corporate information assets and should be performed on a regular basis for
audit logs and files that are irreplaceable, have a high replacement cost, or are considered critical. Backup media
should be stored in a secure, geographically separate location from the original and isolated from environmental
hazards.
Department-specific data and document retention policies specify what records must be retained and for how long.
All organizations are accountable for carrying out the provisions of the instruction for records in their organization.
DATA BACK-UP AND RECOVERY (HARD COPY AND ELECTRONIC)
Our firm maintains its primary hard copy books and records and its electronic records at:
Our IT Team (see Appendix A) is responsible for the maintenance of these books and records. Our firm maintains the following document types and forms that are not transmitted to our clearing firm:
Our firm maintains its back-up hard copy books and electronics records at:
S
ERVER
R
ECOVERY
M
ANAGEMENT
R
ECOVERY OFS
ERVERSM
ANAGED BYG
REENC
LOUDT
ECHNOLOGIES<Company> has acquired Disaster Recovery service from Green Cloud Technologies. This service has been retained for the servers listed in Appendix G. Refer to Appendix G for details on server recovery.
R
ECOVERY OFS
ERVERSM
ANAGED BY<C
OMPANY>
Refer to Appendix D and E for inventory of server equipment and backup equipment. Refer the Business Recovery Phase portion of this document for details on server recovery.
In the event of an internal or external SBD that causes the loss of our paper records, we will physically recover them from our back-up site. If our primary site is inoperable, we will continue operations from our back-up site or an alternate location. For the loss of electronic records, we will either physically recover the storage media or electronically recover data from our back-up site, or, if our primary site is inoperable, continue operations from our back-up site or an alternate location.
E
MERGENCY
M
ANAGEMENT
P
ROCEDURES
The following procedures are to be followed by system operations personnel and other designated <Company> personnel in the event of an emergency. Where uncertainty exists, the more reactive action should be followed to provide maximum protection and personnel safety.
In the event of any situation where access to a building housing a system is denied, personnel should report to alternate locations. Primary and secondary locations are listed below.
ALTERNATIVE LOCATION(S) OF EMPLOYEES
In the event of an SBD, we will move our staff from affected office(s) to the closest of our unaffected office location(s). If none of our other office locations is available to receive those staff, we will move them to:
A
LTERNATE PHYSICAL LOCATION1:
Location Name: Location Address: Telephone Number:
A
LTERNATE PHYSICAL LOCATION2:
Location Name: Location Address: Telephone Number:
A
LTERNATEV
IRTUAL LOCATION:
In the event of an SBD, we can deploy a virtual meeting location located at: <GC Meeting Room>
NATURAL DISASTER
In the event of a major catastrophe affecting <Company> facility, follow the guidelines and procedures in this section.
STEP 1:
Notify EMT and DRT of pending event, if time permits.STEP 2:
If the impending natural disaster can be tracked, begin preparation of site within 48 hours as needed:o Deploy portable generators with fuel within 100 miles.
o Deploy support personnel, tower crews, and engineering within 100 miles.
o Deploy tractor trailers with replacement work space, antennas, power, computers and phones.
o Facilities department on standby for replacement shelters
o Basic necessities are acquired by support personnel when deployed o Cash for one week
o Food and water for one week o Gasoline and other fuels
o Supplies, including chainsaws, batteries, rope, flashlights, medical supplies, etc.
STEP 3:
24 hours prior to event:o Create an image of the system and files o Back up critical system elements
o Verify backup generator fuel status and operation o Create backups of e-mail, file servers, etc. o Fuel vehicles and emergency trailers o Notify senior management
FIRE
If fire or smoke is present in the facility, evaluate the situation, determine the severity, categorize the fire as major or minor and take the appropriate action as defined in this section. Call 9-1-1 as soon as possible if the situation warrants it. • Personnel are to attempt to extinguish minor fires (e.g., single hardware component or paper fires) using hand-held
fire extinguishers located throughout the facility. Any other fire or smoke situation will be handled by qualified building personnel until the local fire department arrives.
• In the event of a major fire, call 9-1-1 and immediately evacuate the area.
• In the event of any emergency situation, system security, site security and personal safety are the major concerns. If possible, the operations supervisor should remain present at the facility until the fire department has arrived.
• In the event of a major catastrophe affecting the facility, immediately notify senior management.
STEP 1:
Dial 9-1-1 to contact the fire department.STEP 2:
Immediately notify all other personnel in the facility of the situation and evacuate the area.STEP 3:
Alert emergency personnel.Provide them with your name, extension where you can be reached, building and room number, and the nature of the emergency. Follow all instructions given.
STEP 4:
Alert the EMT and DRT.Note: During non-staffed hours, security personnel will notify the Senior Executive
responsible for the location directly.
STEP 5:
Notify Building Security.Local security personnel will establish security at the location and not allow access to the site unless notified by the Senior Executive or his/her designated representative.
STEP 6:
Contact appropriate vendor personnel to aid in the decision regarding the protection of equipment if time and circumstance permit.STEP 7:
All personnel evacuating the facilities will meet at their assigned outside location (assembly point) and follow instructions given by the designed authority. Under no circumstances mayFLOOD OR WATER DAMAGE
In the event of a flood or broken water pipe within any computing facilities, follow the guidelines and procedures in this section.
STEP 1:
Assess the situation and determine if outside assistance is needed; if this is the case, dial 9-1-1 immediately.STEP 2:
Immediately notify all other personnel in the facility of the situation and be prepared to cease voice operations accordingly.STEP 3:
Water detected below the raised floor may have different causes:• If water is slowly dripping from an air conditioning unit and not endangering equipment, contact repair personnel immediately.
• If water is of a major quantity and flooding beneath the floor (water main break), immediately implement power-down procedures. While power-down procedures are in progress, evacuate the area and follow management’s instructions.
N
ETWORK
S
ERVICES
P
ROVIDER
O
UTAGE
In the event of a network service provider outage to any location, follow the guidelines and procedures in this section.
STEP 1:
Notify senior management of outage.Determine cause of outage and timeframe for its recovery.
STEP 2:
If outage will be greater than one hour, route all calls via alternate services.If it is a major outage and all carriers are down and downtime will be greater than 12 hours, deploy alternate communications plan, if available.
PLAN REVIEW AND MAINTENANCE
This plan must be reviewed semiannually and exercised on an annual basis. The test may be in the form of a walk-through, mock disaster, or component testing. Additionally, with the dynamic environment present within <Company>, it is important to review the listing of personnel and phone numbers contained within the plan regularly.
The hard-copy version of the plan will be stored in a common location where it can be viewed by site personnel and the EMT and DRT. Electronic versions will be available via <Company> network resources as provided by IT. Each recovery team will have its own directory with change management limited to the recovery plan coordinator.
G
REENC
LOUDA
NNUALC
HECK-
UP&
O
NGOINGR
ESTORALT
ESTINGGreen Cloud will schedule an annual check-up of your virtual server environment including a mock server restoration exercise. Changes or updates discovered in our test restoration will be documented in this Plan.
A
LERT
/V
ERIFICATION
/D
ECLARATION PHASE
PLAN CHECKLISTS
Response and recovery checklists and plan flow diagrams are presented in the following two sections. The checklists and flow diagrams may be used by IT members as "quick references" when implementing the plan or for training purposes.
FLOW DIAGRAMS
1. PROVIDE STATUS TO EMT AND DRT
Contact EMT and/or DRT and provide the following information when any of the following conditions exist: (See Appendix
A for contact list.)
•
Two or more facilities are down concurrently for three or more hours.
•
Any problem at any system or location that would cause the above condition to be present or there is
certain indication that the above condition is about to occur.
The EMT will provide the following information:
•
Location of disaster
•
Type of disaster (e.g., fire, hurricane, flood)
•
Summarize the damage (e.g., minimal, heavy, total destruction)
•
Meeting location that is a safe distance from the disaster scene
The EMT will contact the respective market team leader and report that a disaster involving voice
communications has taken place. The EMT and/or DRT will contact the respective <Company> team leader
and report that a disaster has taken place.
2. D
ECIDE COURSE OF ACTION
Based on the information obtained, the EMT and/or DRT need to decide how to respond to the event:
mobilize IT, repair/rebuild existing site (s) with location staff, or relocate to a new facility.
3. INFORM TEAM MEMBERS OF DECISION
a) If a disaster is not declared, the location response team will continue to address and manage the
situation through its resolution and provide periodic status updates to the EMT/DRT.
b) If a disaster is declared, the EMT and/or DRT will notify IT Tech Services immediately for deployment.
c)
Declare a disaster if the situation is not likely to be resolved within predefined time frames. The
person who is authorized to declare a disaster must also have at least one backup person who is also
authorized to declare a disaster in the event the primary person is unavailable.
D
ISASTER DECLARED
MOBILIZE INCIDENT RESPONSE/TECHNICAL SERVICES TEAMS/REPORT TO COMMAND CENTER
Once a disaster is declared, the DRT is mobilized. This team will initiate and coordinate the appropriate recovery
actions. Members assemble at the designated location as quickly as possible. See Emergency Management
Standards for emergency locations.
CONDUCT DETAILED DAMAGE ASSESSMENT
1.
Under the direction of local authorities and/or EMT/DRT, assess the damage to the affected location
and/or assets. Include vendors/providers of installed equipment to ensure that their expert opinion
regarding the condition of the equipment is determined ASAP.
A.
Participate in a briefing on assessment requirements, reviewing:
(1)
Assessment procedures
(2)
Gather requirements
(3)
Safety and security issues
B.
Conduct an on-site inspection of affected areas to assess damage to essential hardcopy
records (files, manuals, contracts, documentation, etc.) and electronic data.
C.
Obtain information regarding damage to the facility (s) (e.g., environmental conditions,
physical structure integrity, furniture, and fixtures) from the DRT.
D.
Document assessment results
2.
Develop a restoration priority list, identifying facilities, vital records and equipment needed for
resumption activities that could be operationally restored and retrieved quickly.
B
USINESS RECOVERY PHASE
This section documents the steps necessary to activate business recovery plans to support full restoration of
systems or facility functionality at an alternate/recovery site that would be used for an extended period of time.
Coordinate resources to reconstruct business operations at the temporary/permanent system location, and to
deactivate recovery teams upon return to normal business operations.
1. <C
OMPANY
>
SYSTEM AND FACILITY OPERATION REQUIREMENTS
The system and facility configurations for each location are important to re-establish normal operations.
2. NOTIFY IT STAFF/COORDINATE RELOCATION TO NEW FACILITY
See Appendix A for IT staff associated with a new location being set up as a permanent location (replacement
for site).
3. SECURE FUNDING FOR RELOCATION
Make arrangements in advance with suitable backup location resources. Make arrangements in advance with
local banks, credit card companies, hotels, office suppliers, food suppliers and others for emergency support.
4. N
OTIFY
EMT
AND CORPORATE BUSINESS UNITS OF RECOVERY STARTUP
Using the call list in Appendix A, notify the appropriate company personnel. Inform them of any changes to
processes or procedures, contact information, hours of operation, etc. (This may be used for media
information.)
5. O
PERATIONS RECOVERED
Assuming all relevant operations have been recovered to an alternate site, and employees are in place to
support operations, the company can declare that it is functioning in a normal manner at the recovery
location.
A
PPENDIXES
APPENDIX A: <COMPANY> RECOVERY TEAMS
E
MERGENCY MANAGEMENT TEAM(EMT)
Responsible for overall coordination of the disaster recovery effort; evaluation and determining disaster declaration; and communications with senior management. Suggested members to include: senior management, human resources, corporate public relations, legal, IT services, risk management and operations.
Name Address Home Mobile/Cell Phone
D
ISASTER RECOVERY TEAM(DRT)
Responsible for overall coordination of the disaster recovery effort; establishment of the emergency command area; and communications with senior management and the EMT.
IT
TECHNICAL SERVICES(IT)
Responsible for IT will facilitate technology restoration activities.
Name Address Home Mobile/Cell Phone
APPENDIX B: EMERGENCY NUMBERS
F
IRST RESPONDERS,
PUBLIC UTILITY COMPANIES,
OTHERSCompany Name Contact Work Mobile/Cell Phone
S
ERVER AND COMPUTER EQUIPMENT SUPPLIERSCompany Name Contact Work Mobile/Cell Phone
Green Cloud Technologies Support 115 N. Brown Street. Greenville, SC 877-465-1217 864-214-0913
C
OMMUNICATIONS AND NETWORK SERVICES SUPPLIERSAPPENDIX C: BUILDING EVACUATION INFORMATION
Attach copy of evacuation plan here.APPENDIX D: INVENTORY OF PRIMARY EQUIPMENT AND NETWORK SERVICES
APPENDIX E: INVENTORY OF BACKUP EQUIPMENT AND SYSTEMS
APPENDIX F: FORMS
I
NCIDENT
/
DISASTER FORM
Upon notification of an incident/disaster situation the on-duty personnel will make the initial entries into this form. It will then be forwarded to the ECC, where it will be continually updated. This document will be the running log until the incident/disaster has ended and “normal business” has resumed.TIME AND DATE:
TYPE OF SBD:
BUILDING ACCESS ISSUES:
PROJECTED IMPACT TO OPERATIONS:
CRITICAL EQUIPMENT STATUS FORM
Recovery team: __________________________________________Equipment Condition Salvage Comments
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. Legend Condition: OK - Undamaged
DBU - Damaged, but usable
DS - Damaged, requires salvage before use D - Destroyed, requires reconstruction
APPENDIX G: DISASTER RECOVERY FROM GREEN CLOUD TECHNOLOGIES
This appendix documents the restoral process provided by Green Cloud Technologies and the procedures to initiate a server recovery.
COMMUNICATION
Customer will contact Green Cloud Operations via telephone to notify that a server recovery is needed. The Operations team is accessible at 877-465-1217, option 1.Green Cloud Operations is staffed 7am-7pm Monday through Friday, with 24/7 on-call support Saturday, Sunday and after hours
Upon contact, Green Cloud Operations will refer points of contact to designated conference bridge for exchange of documentation, transfer of information, and status updates
SERVERS
The following servers are covered (included) in the Green Cloud Disaster Recovery plan. Any additional machines or devices not listed are implicitly excluded from the plan. Per discovery, it’s understood that the servers are to be restored in the following order, each within the provided timeframes:o DOMAIN CONTROLLER – 2 hours o TERMINAL SERVICES – 2 hours o EXCHANGE – 2 hours
o WEB – 2 hours
NOTE: During the restoral process, the following services/applications will be disabled to speed up the recovery:
o Third party virus protection o Local backup services
CUSTOMER
REQUIREMENTS
Per discovery, the customer will need to fulfill the following requirements to assist in the speed to recovery in the event of a disaster:
o Provide local user accounts for each member server of the domain
o Provide new network information in the event that a VPN connection is required to the restored VM infrastructure