[Insert Company Logo] Business Continuity and Disaster Recovery Planning (BCDRP) Manual 1

Table of Contents

Critical Business Information .... 4
Business Continuity and Disaster Recovery Planning (BCDRP) Personnel .... 5
Additional Personnel .... 6
Meeting Information .... 7
Potential Hazards .... 8
Critical Organizational Assets - Information Systems .... 9
Organizational Assets Matrix .... 10
Critical Organization Assets - Prioritization of Critical Applications and Data .... 11
Critical Organizational Assets - Personnel .... 12
Critical Organizational Assets - Facilities .... 13
Critical Organizational Assets - Equipment .... 14
Critical Organizational Assets - Other .... 15
Critical Operations .... 16
Critical Third Party Entities .... 19
Data Safety and Recovery Initiatives .... 24
Alternate Locations .... 28
Critical Recovery Location Supplies List .... 30
Miscellaneous Recovery Location Supplies List .... 34
Employees and Workforce Members Notification Procedures .... 35
Testing Procedures .... 36
Insurance Information .... 40
Appendix A: Emergency Mode Operation Plan .... 43
Appendix B: Testing and Revision Procedures .... 46
Appendix C: Applications and Data Criticality Analysis .... 49

Overview

Business Continuity and Disaster Recovery Planning (BCDRP) refers to an organization's ability to plan for and recover from a disaster or other unexpected event, and to resume operations as required. There are many terms and phrases for the broader subject of BCDRP, and countless organizations, industry associations, and best-practice frameworks that address it, but they all share one theme: planning properly for the unexpected so that recovery is as fast and as complete as possible.

A comprehensive BCDRP template should include, at a minimum, the following elements:

Critical Business Information
Business Continuity and Disaster Recovery Planning (BCDRP) Personnel
Additional Personnel
Meeting Information
Potential Hazards
Critical Organizational Assets - Information Systems
Organizational Assets Matrix
Critical Organization Assets - Prioritization of Critical Applications and Data
Critical Organizational Assets - Personnel
Critical Organizational Assets - Facilities
Critical Organizational Assets - Equipment
Critical Organizational Assets - Other
Critical Operations
Critical Third Party Entities
Data Safety and Recovery Initiatives
Alternate Locations
Critical Recovery Location Supplies List
Miscellaneous Recovery Location Supplies List
Employees and Workforce Members Notification Procedures
Testing Procedures
Insurance Information
Appendix A: Emergency Mode Operation Plan
Appendix B: Testing and Revision Procedures
Appendix C: Applications and Data Criticality Analysis

Critical Business Information

Primary Business Location
Business Name:
Street Address:
City, State, Zip Code:
Telephone Number:
Primary Emergency Contact:
Secondary Emergency Contact:
Telephone Number:
Alternate Telephone Number:
E-mail Address:

Secondary Business Location(s)
Business Name:
Street Address:
City, State, Zip Code:
Telephone Number:
Primary Point of Contact:
Secondary Point of Contact:
Telephone Number:
Secondary Telephone Number:
E-mail Address:

Emergency Contact Information
Non-emergency Police:
Non-emergency Fire:
Insurance Provider:
Electricity Provider:
Gas Provider:
Water Provider:
Other (e.g., equipment manufacturer):
Other (e.g., property management):
Other (e.g., spill clean-up):
Other (e.g., property security):
Other (e.g., IT support contractor):
Other (e.g., bank agent):
Other:
Other:
Other:
Other:

Business Continuity and Disaster Recovery Planning (BCDRP) Personnel

Name | Title | Phone | Email | Responsibility

Additional Personnel

Name | Title | Phone | Email | Responsibility

Meeting Information

Note: It is critically important for all BCDRP personnel to meet on a regular basis to ensure that the plan remains adequate and sufficient. The following matrix is to record the date, time, location, and matters discussed at each meeting regarding the BCDRP initiatives.

Date | Time | Location | General Subject Matter Discussed

Potential Hazards

Note: It is critically important to identify all potential hazards that could seriously interrupt the business, along with the challenges each would pose for resuming critical operations.

Potential Hazard | Response Measures to Such Hazards
Fire
Hazardous or Chemical Release Incident
Flood or Flash Flood
Winter or Severe Storm
Earthquake
Communications Failure
Radiological or Explosive Accident
Bomb Threat / Civil Disturbance
Loss of Key Supplier, Customer or Employee
Data Loss or Compromise
Pandemic Influenza
Terrorist Event (Foreign or Domestic)
Other

Critical Organizational Assets - Information Systems

Securing an organization's critical information systems depends on a number of industry-leading practices, such as system provisioning and hardening, defense-in-depth and layered security, and numerous other provisions. Just as important is the ability to comprehensively document and record all organizational assets (computers, hardware, software, etc.), meaning anything of value to the entity. The National Institute of Standards and Technology (NIST) describes an asset as "Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g. locks, cabinets, keyboards)."

Knowing all of your assets, along with detailed information about each, is a must for information security best practices. After all, you can't protect what you don't know you have, so information asset inventory and identification is critical for today's security-conscious organizations. Many of the asset inventory software systems currently available target large enterprises, but they can still be useful for smaller organizations, or simply for tracking information assets; a search for "IT asset inventory management software" will turn up numerous providers.

At a minimum, the following elements (identifiers) are to be recorded for each information asset, when applicable:

Type of system resource: network devices (firewalls, routers, switches, load balancers, etc.)
Type of system resource: servers (physical and/or logical, and the underlying operating systems and applications residing on them)
Version number or application type
Primary function
Physical element (a stand-alone product) or virtual element (such as an instance)
Internal hostname
Name of product or solution (including the vendor it was purchased from)
Serial number or some other non-hostname identifier
Relevant IP or routing information (if applicable)
Physical location
Logical location
Party or parties responsible for system administration
End users of the system (if applicable)
Detailed listing of any regulatory compliance mandates that apply, such as PCI DSS, SSAE 16 reporting, HIPAA, FISMA, GLBA, etc.
Detailed listing of any solutions configured on or supporting the system resource (if applicable), such as:
o Audit trails and logging
o File Integrity Monitoring (FIM) / Change Detection Software (CDS)
o Anti-virus
o Other

Organizational Assets Matrix

Asset Hostname | Asset Description | Serial Number | Physical Location | Asset Owner | Asset Users | Does Asset Contain PII? | Other

Critical Organization Assets - Prioritization of Critical Applications and Data

It is important to have a prioritized list of specific applications and data to determine which applications or information systems are restored first and which must be available at all times. List such information in the table below.

Application | Priority Ranking (1 to 99) | Hostname of Server on Which the Application Resides | Application Description | Serial Number | Physical Location | Asset Owner | Asset Users | Does Asset Contain PII? | Other
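As an added example (not part of this manual), the inventory identifiers listed in the Information Systems section and the 1-to-99 priority ranking above can be captured as machine-readable records and checked automatically before a recovery exercise, so that a missing identifier, a reused serial number, or a PII-bearing system with no audit logging is found on paper rather than mid-recovery. The field names, the control names (audit_logging, fim, antivirus), the rule that any PII-bearing asset must carry audit logging and FIM, and the four sample records are assumptions made for this example.

```python
"""Asset inventory consistency check.

Added example, not part of the manual: encodes the identifiers the manual
asks for in each inventory record and the 1-99 restoration priority, then
validates a constructed sample inventory and derives the restore order.
Field names, control names and the sample records are assumptions.
"""
from collections import Counter

# Identifiers every record must carry (the manual's minimum list, as keys).
REQUIRED_FIELDS = (
    "hostname", "asset_type", "primary_function", "product", "serial_number",
    "ip_address", "physical_location", "logical_location", "administrator",
    "end_users", "contains_pii", "compliance_mandates", "controls", "priority",
)
VALID_TYPES = {"network_device", "server", "virtual_instance", "application"}
# Supporting controls the manual names; assumed minimum for any PII-bearing asset.
PII_MINIMUM_CONTROLS = {"audit_logging", "fim"}


def _priority_ok(value):
    """Priority ranking must be an integer from 1 (restore first) to 99."""
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 99


def validate_asset(asset):
    """Return the problems found in one record; an empty list means it passes."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in asset]
    if problems:
        return problems  # nothing else can be checked reliably
    if asset["asset_type"] not in VALID_TYPES:
        problems.append(f"unknown asset_type: {asset['asset_type']}")
    if not _priority_ok(asset["priority"]):
        problems.append(f"priority must be an integer 1-99, got {asset['priority']!r}")
    if asset["contains_pii"]:
        missing = PII_MINIMUM_CONTROLS - set(asset["controls"])
        if missing:
            problems.append("PII asset lacks controls: " + ", ".join(sorted(missing)))
        if not asset["compliance_mandates"]:
            problems.append("PII asset lists no compliance mandate")
    return problems


def validate_inventory(assets):
    """Map each record's hostname to its problems, adding cross-record duplicates.
    Records sharing a hostname collapse onto one key, which is itself flagged."""
    names = [a.get("hostname") or f"<record {i}>" for i, a in enumerate(assets)]
    report = {n: validate_asset(a) for n, a in zip(names, assets)}
    for key in ("hostname", "serial_number"):
        counts = Counter(a.get(key) for a in assets)
        for n, a in zip(names, assets):
            if a.get(key) and counts[a[key]] > 1:
                report[n].append(f"duplicate {key}: {a[key]}")
    return report


def restore_order(assets):
    """Hostnames in restoration order: lowest priority number first. Records
    with an invalid priority sort last so a typo cannot silently promote them."""
    def key(a):
        p = a.get("priority")
        return (p if _priority_ok(p) else 100, a.get("hostname", ""))
    return [a.get("hostname") for a in sorted(assets, key=key)]


def _rec(**fields):
    """Build a sample record with placeholder defaults for the boilerplate fields."""
    base = {"asset_type": "server", "ip_address": "10.10.1.0", "physical_location": "HQ rack 4",
            "logical_location": "VLAN 10", "administrator": "ops", "end_users": ["staff"],
            "compliance_mandates": [], "controls": [], "contains_pii": False}
    base.update(fields)
    return base


SAMPLE_INVENTORY = [  # constructed sample records, not a real inventory
    _rec(hostname="ehr-db-01", primary_function="EHR database", product="PostgreSQL",
         serial_number="SN-1001", contains_pii=True, compliance_mandates=["HIPAA"],
         controls=["audit_logging", "fim", "antivirus"], priority=1),
    _rec(hostname="fw-edge-01", asset_type="network_device", primary_function="perimeter firewall",
         product="vendor firewall", serial_number="SN-2002", controls=["audit_logging"], priority=2),
    _rec(hostname="billing-app-01", asset_type="virtual_instance", primary_function="patient billing",
         product="billing suite", serial_number="SN-3003", contains_pii=True,
         compliance_mandates=["HIPAA", "PCI DSS"], controls=["antivirus"], priority=3),
    _rec(hostname="wiki-01", primary_function="internal wiki", product="wiki",
         serial_number="SN-1001", priority=150),  # bad priority and a reused serial number
]

if __name__ == "__main__":
    for host, problems in validate_inventory(SAMPLE_INVENTORY).items():
        print(host, "OK" if not problems else "; ".join(problems))
    print("restore order:", restore_order(SAMPLE_INVENTORY))
```

Running the block prints one line per asset with its problems and then the derived restore order. In the sample, the billing system holds PII but has neither audit logging nor FIM, and the wiki has an out-of-range priority and reuses the database server's serial number: exactly the gaps that surface only when the inventory is checked as data rather than read as a form.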

Critical Organizational Assets - Personnel, Facilities, Equipment, Other

Critical organizational assets include much more than information systems; they also include personnel, facilities, equipment, and other applicable assets. It is therefore important to identify such assets comprehensively, to record vital information for each item and, most importantly, to state the impact on your business if the asset were not readily available, destroyed, damaged, or missing.

Critical Organization Assets (PERSONNEL)
Impact on your business if the asset were not readily available, destroyed, damaged, or missing:

Critical Organization Assets (FACILITIES)
Impact on your business if the asset were not readily available, destroyed, damaged, or missing:

Critical Organization Assets (EQUIPMENT)
Impact on your business if the asset were not readily available, destroyed, damaged, or missing:

Critical Organization Assets (OTHER)
Impact on your business if the asset were not readily available, destroyed, damaged, or missing:

Critical Operations

Operations are essential to the success of a business, so it is important to identify all critical operations of the organization, the key resources they depend on, and the procedures necessary to restore them after a disaster strikes.

Description of Critical Operations:

List of Personnel Involved in the administration and facilitation of such operations (Name | Description of Assigned Duties | Contact Information):
(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)

List of Critical Supplies, Resources, Equipment Needed for such Operations to Function:
(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(11)
(12)
(13)
(14)
(15)

Detailed description of procedures to undertake for restoring and resuming operations in the event of a disaster:
(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)


Critical Third Party Entities

Organizations today often rely on many downstream third-party service providers, for everything from operational services to essential information security services. It is therefore important to list and thoroughly document all relevant third-party service providers, along with the procedures the organization will follow to ensure continuation of their services (as far as possible) during a disaster.

Name of Third Party Entity:

Contact Person
Name:
Email:
Telephone 1:
Telephone 2:

Physical Address (North America)
Street:
City:
State:
Zip Code:

Contact Information (International)
Street:
City:
Country:
Region:
Postal Code:

Description of Services Provided:

Procedures to Undertake for Ensuring Continuation of Services from Third Party in the Event of a Disaster:

Appendix A: Emergency Mode Operation Plan

Date:
Approved by:
Adoption Date:
Other:

HIPAA Security Rule, 45 CFR 164.308(a)(7)(ii)(C): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

Overview
In accordance with the organizational security requirements set forth and approved by management, [company name] has established a formal Emergency Mode Operation Plan. This policy document is to be implemented immediately, together with all relevant and applicable procedures, and is to be evaluated on a(n) [annual, semi-annual, quarterly] basis to ensure that it remains adequate and relevant to [company name]'s needs and goals.

Purpose
This policy and its supporting procedures provide [company name] with a documented and formalized Emergency Mode Operation Plan in accordance with the Health Insurance Portability and Accountability Act (HIPAA), other applicable regulatory compliance requirements, and best practices. It also serves as the organization's primary, enterprise-wide Emergency Mode Operation Plan. Compliance with this policy and its procedures helps ensure the safety and security of all [company name] system resources that store, process, and/or transmit Protected Health Information (PHI) and other sensitive and confidential information.

Scope
This policy and its supporting procedures cover all system resources that store, process, and/or transmit PHI or other sensitive and confidential information and that are owned, operated, maintained, and controlled by [company name], together with all other system resources, internal and external, that interact with those systems.

Internal system resources are those owned, operated, maintained, and controlled by [company name], including all network devices (firewalls, routers, switches, load balancers, and other network devices), servers (physical and virtual, together with the operating systems and applications that reside on them), and any other system components deemed in scope. External system resources are those owned, operated, maintained, and controlled by an entity other than [company name] but which may nonetheless affect the confidentiality, integrity, and availability (CIA) and overall security of the PHI environment and any other environments deemed applicable.

Please note that the terms "system component(s)" and "system resource(s)" mean any network component, server, or application included in or connected within the organization's overall information systems landscape.

Policies
[Company name] is to ensure that the Emergency Mode Operation Plan policies and supporting procedures adhere to the following conditions, for purposes of complying with the organizational security requirements set forth and approved by management.

In the event of a disaster or any other event that requires the Business Continuity and Disaster Recovery Plan (BCDRP) to be invoked, [company name] will take immediate action to ensure the confidentiality, integrity, and availability (CIA) of information systems that store, process, and/or transmit PHI or other sensitive and confidential healthcare data. While access to data for operations is essential, the first priority when the Emergency Mode Operation Plan is invoked is to ensure the safety and security of PHI at all times, regardless of the effect this mandate has on the continuation of business operations. When the plan is invoked, authorized personnel are to follow the mandates and related procedures set out in the [company name] BCDRP. Specifically, all personnel (employees, users of information systems, and other applicable workforce members) are to work together to ensure the safety and security of PHI.

Major policy mandates for the Emergency Mode Operation Plan include the following:
o Determining alternative security measures for protecting PHI.
o Having all necessary resources (hardware, software, communications, personnel, third-party entities, etc.) available to assist in the protection of PHI.
o Using manual and/or automated controls as needed.
o Streamlining procedures as necessary.
o Limiting access rights to systems and facilities.
o Ensuring constant communication with all relevant entities.
o Successfully transitioning out of the Emergency Mode Operation Plan and back to normal operations.

By implementing the BCDRP, [company name] takes the necessary and proactive steps to ensure the confidentiality, integrity, and availability of information systems that store, process, and/or transmit PHI or other sensitive and confidential healthcare data.

Procedures
[Company name] has developed and implemented a comprehensive emergency mode operation plan process, which encompasses the categories and supporting activities listed below. These policy directives will be fully enforced by [company name] to ensure that the emergency mode operation plan is executed in a formal manner and on a consistent basis for all specified systems.

For each of the following sections, list and describe any other relevant information for that specific part of the Emergency Mode Operation Plan. Generally speaking, the measures in each area should already be covered in the well-written, comprehensive Business Continuity and Disaster Recovery Plan you have received.

Determining Alternative Security Measures for Protecting PHI:

Having All Necessary Resources Available for Assisting in the Protection of PHI:

Using Manual and/or Automated Controls as Needed:

Streamlining Procedures as Necessary:

Limiting Access Rights to Systems and Facilities:

Constant Communication with All Relevant Entities:

Successfully Transitioning out of the Emergency Mode Operation Plan: