
Your Company's Business Continuity Plan


Business Continuity Plan

Rel. 1 Ver. 1 <Date> All rights reserved, 2013, Green Cloud Technologies

Prepared by:

Mike Ward, CBCP

EMERGENCY NOTIFICATION CONTACTS

<COMPANY> POLICY

OFFICE LOCATIONS

INSTRUCTIONS FOR USING THE BUSINESS CONTINUITY PLAN

EXECUTING THE PLAN

SBD DECLARATION

EMERGENCY MANAGEMENT STANDARDS

DATA BACKUP POLICY

DATA BACK-UP AND RECOVERY (HARD COPY AND ELECTRONIC)

SERVER RECOVERY MANAGEMENT

EMERGENCY MANAGEMENT PROCEDURES

ALTERNATIVE LOCATION(S) OF EMPLOYEES

NATURAL DISASTER

FIRE

FLOOD OR WATER DAMAGE

NETWORK SERVICES PROVIDER OUTAGE

PLAN REVIEW AND MAINTENANCE

ALERT/VERIFICATION/DECLARATION PHASE

PLAN CHECKLISTS

FLOW DIAGRAMS

DISASTER DECLARED

MOBILIZE INCIDENT RESPONSE/TECHNICAL SERVICES TEAMS/REPORT TO COMMAND CENTER

CONDUCT DETAILED DAMAGE ASSESSMENT

BUSINESS RECOVERY PHASE

APPENDIXES

APPENDIX A: <COMPANY> RECOVERY TEAMS

APPENDIX B: EMERGENCY NUMBERS

APPENDIX C: BUILDING EVACUATION INFORMATION

APPENDIX D: INVENTORY OF PRIMARY EQUIPMENT AND NETWORK SERVICES

APPENDIX E: INVENTORY OF BACKUP EQUIPMENT AND SYSTEMS

APPENDIX F: FORMS

APPENDIX G: DISASTER RECOVERY FROM GREEN CLOUD TECHNOLOGIES

Date Summary of changes made Changes made by (Name)


Each emergency contact person must be an associated person of the firm, and at least one emergency contact person must be a member of senior management and a registered principal of the firm. If your firm designates a second emergency contact person who is not a registered principal of your firm, then that contact person must be a member of senior management who has knowledge of the firm’s business operations. If your firm has only one associated person, the second emergency contact must be an individual, either registered with another firm or non-registered, who has knowledge of your firm’s business operations (e.g., your firm’s attorney, accountant or clearing firm contact person).

<Company>

Name

Address

Mobile

Email

Third-Party Contacts

Name

Address

Mobile

Email

<COMPANY> POLICY

Our firm’s policy is to respond to a Significant Business Disruption (SBD) by safeguarding employees’ lives and firm property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all of the firm’s books and records, and allowing our customers to transact business.

The plan identifies vulnerabilities and recommends necessary measures to prevent extended voice communications service outages. It is a plan that encompasses all <Company> system sites and operations facilities.

SIGNIFICANT BUSINESS DISRUPTIONS (SBDS)

Our plan anticipates two kinds of SBDs, internal and external. Internal SBDs affect only our firm’s ability to communicate and do business, such as a fire in our building. External SBDs prevent the operation of the securities markets or a number of firms, such as a terrorist attack, a city flood, or a wide-scale, regional disruption. Our response to an external SBD relies more heavily on other organizations and systems, especially on the capabilities of our clearing firm.

APPROVAL AND EXECUTION AUTHORITY

<Name, Title> is responsible for approving the plan and for conducting the required annual review.

<Name, Title> has the authority to execute this BCP.

PLAN LOCATION AND ACCESS

Our firm will maintain copies of its BCP plan and the annual reviews, and the changes that have been made to it for inspection. An electronic copy of our plan is located:

• In our Green Cloud Virtual Meeting Room: <GC Meeting Room>

•

OFFICE LOCATIONS

OFFICE LOCATION #1

Location Address:

Primary Contact:

Telephone Number:

Primary Function: (e.g., call center, headquarters)

OFFICE LOCATION #2

Location Address:

Primary Contact:

Telephone Number:

Primary Function: (e.g., call center, headquarters)

OFFICE LOCATION #3

Location Address:

Primary Contact:

Telephone Number:

Primary Function:

INSTRUCTIONS FOR USING THE BUSINESS CONTINUITY PLAN

EXECUTING THE PLAN

This plan becomes effective when an SBD occurs. Normal problem management procedures will initiate the plan, which remains in effect until operations are resumed at the original location or a replacement location and control is returned to the appropriate functional management.

SBD DECLARATION

The senior management team will be responsible for declaring a disaster and activating the various recovery teams as outlined in this plan, with input from:

• Emergency management team (EMT)

• Disaster recovery team (DRT)

• IT technical services (IT)

*Note: Full contact information listed in Appendix A.

In a major disaster situation affecting multiple business units, the decision to declare a disaster will be determined by <Company> senior management. The EMT and DRT will respond based on the directives specified by senior management.

EMERGENCY MANAGEMENT STANDARDS

DATA BACKUP POLICY

Full and incremental backups preserve corporate information assets and should be performed on a regular basis for audit logs and files that are irreplaceable, have a high replacement cost, or are considered critical. Backup media should be stored in a secure, geographically separate location from the original and isolated from environmental hazards.

Department-specific data and document retention policies specify what records must be retained and for how long. All organizations are accountable for carrying out the provisions of the instruction for records in their organization.

DATA BACK-UP AND RECOVERY (HARD COPY AND ELECTRONIC)

Our firm maintains its primary hard copy books and records and its electronic records at:

Our IT Team (see Appendix A) is responsible for the maintenance of these books and records. Our firm maintains the following document types and forms that are not transmitted to our clearing firm:

Our firm maintains its back-up hard copy books and electronic records at:

SERVER RECOVERY MANAGEMENT

RECOVERY OF SERVERS MANAGED BY GREEN CLOUD TECHNOLOGIES

<Company> has acquired Disaster Recovery service from Green Cloud Technologies. This service has been retained for the servers listed in Appendix G. Refer to Appendix G for details on server recovery.

RECOVERY OF SERVERS MANAGED BY <COMPANY>

Refer to Appendices D and E for the inventory of server equipment and backup equipment. Refer to the Business Recovery Phase portion of this document for details on server recovery.

In the event of an internal or external SBD that causes the loss of our paper records, we will physically recover them from our back-up site. If our primary site is inoperable, we will continue operations from our back-up site or an alternate location. For the loss of electronic records, we will either physically recover the storage media or electronically recover data from our back-up site, or, if our primary site is inoperable, continue operations from our back-up site or an alternate location.

EMERGENCY MANAGEMENT PROCEDURES

The following procedures are to be followed by system operations personnel and other designated <Company> personnel in the event of an emergency. Where uncertainty exists, the more reactive action should be followed to provide maximum protection and personnel safety.

In the event of any situation where access to a building housing a system is denied, personnel should report to alternate locations. Primary and secondary locations are listed below.

ALTERNATIVE LOCATION(S) OF EMPLOYEES

In the event of an SBD, we will move our staff from affected office(s) to the closest of our unaffected office location(s). If none of our other office locations is available to receive those staff, we will move them to:

ALTERNATE PHYSICAL LOCATION 1:

Location Name:

Location Address:

Telephone Number:

ALTERNATE PHYSICAL LOCATION 2:

Location Name:

Location Address:

Telephone Number:

ALTERNATE VIRTUAL LOCATION:

In the event of an SBD, we can deploy a virtual meeting location located at: <GC Meeting Room>


NATURAL DISASTER

In the event of a major catastrophe affecting a <Company> facility, follow the guidelines and procedures in this section.

STEP 1:

Notify EMT and DRT of pending event, if time permits.

STEP 2:

If the impending natural disaster can be tracked, begin preparation of site within 48 hours as needed:

o Deploy portable generators with fuel within 100 miles.

o Deploy support personnel, tower crews, and engineering within 100 miles.

o Deploy tractor trailers with replacement work space, antennas, power, computers and phones.

o Facilities department on standby for replacement shelters.

o Basic necessities are acquired by support personnel when deployed:

   o Cash for one week

   o Food and water for one week

   o Gasoline and other fuels

   o Supplies, including chainsaws, batteries, rope, flashlights, medical supplies, etc.

STEP 3:

24 hours prior to event:

o Create an image of the system and files

o Back up critical system elements

o Verify backup generator fuel status and operation

o Create backups of e-mail, file servers, etc.

o Fuel vehicles and emergency trailers

o Notify senior management

FIRE

If fire or smoke is present in the facility, evaluate the situation, determine the severity, categorize the fire as major or minor and take the appropriate action as defined in this section. Call 9-1-1 as soon as possible if the situation warrants it.

• Personnel are to attempt to extinguish minor fires (e.g., single hardware component or paper fires) using hand-held fire extinguishers located throughout the facility. Any other fire or smoke situation will be handled by qualified building personnel until the local fire department arrives.

• In the event of a major fire, call 9-1-1 and immediately evacuate the area.

• In the event of any emergency situation, system security, site security and personal safety are the major concerns. If possible, the operations supervisor should remain present at the facility until the fire department has arrived.

• In the event of a major catastrophe affecting the facility, immediately notify senior management.

STEP 1:

Dial 9-1-1 to contact the fire department.

STEP 2:

Immediately notify all other personnel in the facility of the situation and evacuate the area.

STEP 3:

Alert emergency personnel.

Provide them with your name, extension where you can be reached, building and room number, and the nature of the emergency. Follow all instructions given.

STEP 4:

Alert the EMT and DRT.

Note: During non-staffed hours, security personnel will notify the Senior Executive responsible for the location directly.

STEP 5:

Notify Building Security.

Local security personnel will establish security at the location and not allow access to the site unless notified by the Senior Executive or his/her designated representative.

STEP 6:

Contact appropriate vendor personnel to aid in the decision regarding the protection of equipment if time and circumstance permit.

STEP 7:

All personnel evacuating the facilities will meet at their assigned outside location (assembly point) and follow instructions given by the designated authority. Under no circumstances may

FLOOD OR WATER DAMAGE

In the event of a flood or broken water pipe within any computing facilities, follow the guidelines and procedures in this section.

STEP 1:

Assess the situation and determine if outside assistance is needed; if this is the case, dial 9-1-1 immediately.

STEP 2:

Immediately notify all other personnel in the facility of the situation and be prepared to cease voice operations accordingly.

STEP 3:

Water detected below the raised floor may have different causes:

• If water is slowly dripping from an air conditioning unit and not endangering equipment, contact repair personnel immediately.

• If water is of a major quantity and flooding beneath the floor (water main break), immediately implement power-down procedures. While power-down procedures are in progress, evacuate the area and follow management’s instructions.

NETWORK SERVICES PROVIDER OUTAGE

In the event of a network service provider outage to any location, follow the guidelines and procedures in this section.

STEP 1:

Notify senior management of outage.

Determine cause of outage and timeframe for its recovery.

STEP 2:

If outage will be greater than one hour, route all calls via alternate services.

If it is a major outage and all carriers are down and downtime will be greater than 12 hours, deploy alternate communications plan, if available.


PLAN REVIEW AND MAINTENANCE

This plan must be reviewed semiannually and exercised on an annual basis. The test may be in the form of a walk-through, mock disaster, or component testing. Additionally, with the dynamic environment present within <Company>, it is important to review the listing of personnel and phone numbers contained within the plan regularly.

The hard-copy version of the plan will be stored in a common location where it can be viewed by site personnel and the EMT and DRT. Electronic versions will be available via <Company> network resources as provided by IT. Each recovery team will have its own directory with change management limited to the recovery plan coordinator.

GREEN CLOUD ANNUAL CHECK-UP & ONGOING RESTORAL TESTING

Green Cloud will schedule an annual check-up of your virtual server environment including a mock server restoration exercise. Changes or updates discovered in our test restoration will be documented in this Plan.

ALERT/VERIFICATION/DECLARATION PHASE

PLAN CHECKLISTS

Response and recovery checklists and plan flow diagrams are presented in the following two sections. The checklists and flow diagrams may be used by IT members as "quick references" when implementing the plan or for training purposes.


FLOW DIAGRAMS

1. PROVIDE STATUS TO EMT AND DRT

Contact EMT and/or DRT and provide the following information when any of the following conditions exist (see Appendix A for contact list):

• Two or more facilities are down concurrently for three or more hours.

• Any problem at any system or location that would cause the above condition to be present or there is certain indication that the above condition is about to occur.

The EMT will provide the following information:

• Location of disaster

• Type of disaster (e.g., fire, hurricane, flood)

• Summarize the damage (e.g., minimal, heavy, total destruction)

• Meeting location that is a safe distance from the disaster scene

The EMT will contact the respective market team leader and report that a disaster involving voice communications has taken place. The EMT and/or DRT will contact the respective <Company> team leader and report that a disaster has taken place.

2. DECIDE COURSE OF ACTION

Based on the information obtained, the EMT and/or DRT need to decide how to respond to the event: mobilize IT, repair/rebuild existing site(s) with location staff, or relocate to a new facility.

3. INFORM TEAM MEMBERS OF DECISION

a) If a disaster is not declared, the location response team will continue to address and manage the situation through its resolution and provide periodic status updates to the EMT/DRT.

b) If a disaster is declared, the EMT and/or DRT will notify IT Tech Services immediately for deployment.

c) Declare a disaster if the situation is not likely to be resolved within predefined time frames. The person who is authorized to declare a disaster must also have at least one backup person who is also authorized to declare a disaster in the event the primary person is unavailable.

DISASTER DECLARED

MOBILIZE INCIDENT RESPONSE/TECHNICAL SERVICES TEAMS/REPORT TO COMMAND CENTER

Once a disaster is declared, the DRT is mobilized. This team will initiate and coordinate the appropriate recovery actions. Members assemble at the designated location as quickly as possible. See Emergency Management Standards for emergency locations.

CONDUCT DETAILED DAMAGE ASSESSMENT

1. Under the direction of local authorities and/or EMT/DRT, assess the damage to the affected location and/or assets. Include vendors/providers of installed equipment to ensure that their expert opinion regarding the condition of the equipment is determined ASAP.

   A. Participate in a briefing on assessment requirements, reviewing:

      (1) Assessment procedures

      (2) Gather requirements

      (3) Safety and security issues

   B. Conduct an on-site inspection of affected areas to assess damage to essential hardcopy records (files, manuals, contracts, documentation, etc.) and electronic data.

   C. Obtain information regarding damage to the facility(s) (e.g., environmental conditions, physical structure integrity, furniture, and fixtures) from the DRT.

   D. Document assessment results

2. Develop a restoration priority list, identifying facilities, vital records and equipment needed for resumption activities that could be operationally restored and retrieved quickly.

BUSINESS RECOVERY PHASE

This section documents the steps necessary to activate business recovery plans to support full restoration of systems or facility functionality at an alternate/recovery site that would be used for an extended period of time. Coordinate resources to reconstruct business operations at the temporary/permanent system location, and to deactivate recovery teams upon return to normal business operations.

1. <COMPANY> SYSTEM AND FACILITY OPERATION REQUIREMENTS

The system and facility configurations for each location are important to re-establish normal operations.

2. NOTIFY IT STAFF/COORDINATE RELOCATION TO NEW FACILITY

See Appendix A for IT staff associated with a new location being set up as a permanent location (replacement for site).

3. SECURE FUNDING FOR RELOCATION

Make arrangements in advance with suitable backup location resources. Make arrangements in advance with local banks, credit card companies, hotels, office suppliers, food suppliers and others for emergency support.

4. NOTIFY EMT AND CORPORATE BUSINESS UNITS OF RECOVERY STARTUP

Using the call list in Appendix A, notify the appropriate company personnel. Inform them of any changes to processes or procedures, contact information, hours of operation, etc. (This may be used for media information.)

5. OPERATIONS RECOVERED

Assuming all relevant operations have been recovered to an alternate site, and employees are in place to support operations, the company can declare that it is functioning in a normal manner at the recovery location.

APPENDIXES

APPENDIX A: <COMPANY> RECOVERY TEAMS

EMERGENCY MANAGEMENT TEAM (EMT)

Responsible for overall coordination of the disaster recovery effort; evaluation and determining disaster declaration; and communications with senior management. Suggested members to include: senior management, human resources, corporate public relations, legal, IT services, risk management and operations.

Name Address Home Mobile/Cell Phone

DISASTER RECOVERY TEAM (DRT)

Responsible for overall coordination of the disaster recovery effort; establishment of the emergency command area; and communications with senior management and the EMT.

IT TECHNICAL SERVICES (IT)

Responsible for facilitating technology restoration activities.

Name Address Home Mobile/Cell Phone

APPENDIX B: EMERGENCY NUMBERS

FIRST RESPONDERS, PUBLIC UTILITY COMPANIES, OTHERS

Company Name Contact Work Mobile/Cell Phone

SERVER AND COMPUTER EQUIPMENT SUPPLIERS

Company Name Contact Work Mobile/Cell Phone

Green Cloud Technologies Support 115 N. Brown Street. Greenville, SC 877-465-1217 864-214-0913

COMMUNICATIONS AND NETWORK SERVICES SUPPLIERS

APPENDIX C: BUILDING EVACUATION INFORMATION

Attach copy of evacuation plan here.


APPENDIX D: INVENTORY OF PRIMARY EQUIPMENT AND NETWORK SERVICES


APPENDIX E: INVENTORY OF BACKUP EQUIPMENT AND SYSTEMS


APPENDIX F: FORMS

INCIDENT/DISASTER FORM

Upon notification of an incident/disaster situation the on-duty personnel will make the initial entries into this form. It will then be forwarded to the ECC, where it will be continually updated. This document will be the running log until the incident/disaster has ended and “normal business” has resumed.

TIME AND DATE:

TYPE OF SBD:

BUILDING ACCESS ISSUES:

PROJECTED IMPACT TO OPERATIONS:


CRITICAL EQUIPMENT STATUS FORM

Recovery team: __________________________________________

Equipment Condition Salvage Comments

1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15.

Legend

Condition:

OK - Undamaged

DBU - Damaged, but usable

DS - Damaged, requires salvage before use

D - Destroyed, requires reconstruction

APPENDIX G: DISASTER RECOVERY FROM GREEN CLOUD TECHNOLOGIES

This appendix documents the restoral process provided by Green Cloud Technologies and the procedures to initiate a server recovery.

COMMUNICATION

Customer will contact Green Cloud Operations via telephone to notify that a server recovery is needed. The Operations team is accessible at 877-465-1217, option 1.

Green Cloud Operations is staffed 7am-7pm Monday through Friday, with 24/7 on-call support Saturday, Sunday and after hours.

Upon contact, Green Cloud Operations will refer points of contact to a designated conference bridge for exchange of documentation, transfer of information, and status updates.

SERVERS

The following servers are covered (included) in the Green Cloud Disaster Recovery plan. Any additional machines or devices not listed are implicitly excluded from the plan. Per discovery, it’s understood that the servers are to be restored in the following order, each within the provided timeframes:

o DOMAIN CONTROLLER – 2 hours

o TERMINAL SERVICES – 2 hours

o EXCHANGE – 2 hours

o WEB – 2 hours

NOTE: During the restoral process, the following services/applications will be disabled to speed up the recovery:

o Third party virus protection

o Local backup services

CUSTOMER REQUIREMENTS

Per discovery, the customer will need to fulfill the following requirements to assist in the speed to recovery in the event of a disaster:

o Provide local user accounts for each member server of the domain

o Provide new network information in the event that a VPN connection is required to the restored VM infrastructure

NETWORK

During the communication of the disaster event, it should be relayed to Green Cloud if there need to be accommodations for long term access to the Virtual Machine environment (e.g. virtual private networking). By default, the above servers will be made accessible via Remote Desktop Protocol (RDP) only.


RESTORAL

As part of the Disaster Recovery service, the restored Virtual Machine(s) will be available in the Green Cloud infrastructure for a period of 10 business days, after which Virtual Server services will commence and become billable. During this time, should the customer wish to migrate the restored Virtual Machine(s), a VMDK image file will be provided for each server requested.
