Emergency Operations California State University Los Angeles



Similar documents
Continuity of Operations Planning. A step by step guide for business

IT Disaster Recovery and Business Resumption Planning Standards

CONTINUITY OF OPERATIONS PLAN TEMPLATE

CONTINUITY OF OPERATION PLAN (COOP) FOR NONPROFIT HUMAN SERVICES PROVIDERS

<Client Name> IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP

OREGON STATE UNIVERSITY MASTER EMERGENCY MANAGEMENT PLAN

Disaster Recovery Plan Checklist

Business Continuity Planning for Schools, Departments & Support Units

IT Disaster Recovery Plan Template

Business Continuity Planning Toolkit. (For Deployment of BCP to Campus Departments in Phase 2)

Business Unit CONTINGENCY PLAN

Overview of Business Continuity Planning Sally Meglathery Payoff

UNION COLLEGE INCIDENT RESPONSE PLAN

The University of Iowa. Enterprise Information Technology Disaster Plan. Version 3.1

Offsite Disaster Recovery Plan

BUSINESS CONTINUITY PLANNING

Massachusetts Institute of Technology. Functional Area Recovery Management Team Plan Development Template

BRYN MAWR COLLEGE EMERGENCY RESPONSE PLAN Revised 3/17/08 (abridged)

Disaster Recovery Plan Documentation for Agencies Instructions

CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard

All-Hazard Continuity of Operations Plan. [Department/College Name] [Date]

How to Plan for Disaster Recovery and Business Continuity

E Functional Annex Damage Assessment

BUSINESS CONTINUITY PLANNING GUIDELINES

BUSINESS IMPACT ANALYSIS.5

SAMPLE IT CONTINGENCY PLAN FORMAT

Technology Recovery Plan Instructions

Audit, Finance and Legislative Committee Mayor Craig Lowe, Chair Mayor-Commissioner Pro Tem Thomas Hawkins, Member

Table of Contents ESF

Emergency Response Plan

Disaster Recovery Planning

Draft 8/1/05 SYSTEM First Rev. 8/9/05 2 nd Rev. 8/30/05 EMERGENCY OPERATIONS PLAN

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

Western Washington University Basic Plan A part of Western s Comprehensive Emergency Management Plan

Emergency Management Plan

Business Continuity Planning (800)

Page Administrative Summary...3 Introduction Comprehensive Approach Conclusion

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan

CISM Certified Information Security Manager

EMERGENCY PREPAREDNESS AND CRISIS MANAGEMENT PLAN

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

Unit Guide to Business Continuity/Resumption Planning

Emergency Management for Small Community Leaders. Establishing Local Emergency Priorities and Managing the Local Emergency Response

EMERGENCY MANAGEMENT POLICY

Creating a Business Continuity Plan for your Health Center

Business Continuity Planning for Risk Reduction

MONTGOMERY COUNTY, KANSAS EMERGENCY OPERATIONS PLAN. ESF14-Long Term Community Recovery

NAIT Guidelines. Implementation Date: February 15, 2011 Replaces: July 1, Table of Contents. Section Description Page

Table of Contents... 1

Ohio Supercomputer Center

University of San Francisco EMERGENCY OPERATIONS PLAN

UCF Office of Emergency Management Strategic Plan

DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS

BRYN MAWR COLLEGE EMERGENCY RESPONSE PLAN Revised 1/2016 (abridged)

Fire Department Guide. Creating and Maintaining Business Continuity Plans (BCP)

Disaster Preparedness & Response

Why Should Companies Take a Closer Look at Business Continuity Planning?

Temple university. Auditing a business continuity management BCM. November, 2015

South Puget Sound Community College Emergency Operations Plan Annex H RECOVERY

Emergency Preparedness Guidelines

BUSINESS CONTINUITY PLAN

Jefferson Parish Department of Water Emergency Plan

UNION COLLEGE SCHENECTADY, NY EMERGENCY MANAGEMENT PROCEDURES

Maryland Emergency Operations Plan

Massachusetts Institute of Technology Public version Business Continuity Plan

BUSINESS CONTINUITY PLAN OVERVIEW

Building and Maintaining a Business Continuity Program

ANNEX B COMMUNICATIONS

DISASTER RECOVERY PLAN For UNIVERSITY COMPUTING. Fayetteville State University

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

Business Continuity Management

CITY OF RICHMOND CONTINUITY OF OPERATIONS (COOP) DEPARTMENT PLAN TEMPLATE

Business Continuity Planning and Disaster Recovery Planning

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006

University of California Santa Cruz EMERGENCY RESPONSE PLAN

Business Continuity Plan

Continuity of Operations Actions

MAJOR PLANNING CONSIDERATIONS CHECKLIST

Emergency Response & Recovery Basic Plan

The First Interstate Bank Fire

Overview of how to test a. Business Continuity Plan

Department of Defense INSTRUCTION. Reference: (a) DoD Directive , Defense Continuity Programs (DCP), September 8, 2004January 9, 2009

Facilitated By: Ken M. Shaurette, CISSP, CISA, CISM, CRISC FIPCO Director IT Services

University of California San Francisco Emergency Response Management Plan PART 1 PART 1 OVERVIEW OF EMERGENCY MANAGEMENT.

Clinic Business Continuity Plan Guidelines

University of Prince Edward Island. Emergency Management Plan

RPI Employee s Federal Credit Union Business Continuity/Disaster Recovery Plan. January 23, 2012

The Commonwealth of Massachusetts. 1 Ferncroft Road, P.O. Box 3340, Danvers, MA

MARQUIS DISASTER RECOVERY PLAN (DRP)

Table of Contents ESF

ASX CLEAR (FUTURES) OPERATING RULES Guidance Note 10

Wiley College Information Technology (IT) Disaster Recovery Plan

Transcription:

Business Continuity Plan Emergency Operations California State University Los Angeles 1. Objective & Scope 2. Definition of Disaster 3. Risk and Business Impact Analysis Summary 4. Business Continuity Strategy Summary. 5. Business Continuity 6. Contact Information 7. Activities for the Business Continuity Execution Phases. 8. Assignment of Activities, Procedures, and Tasks 9. Business Continuity Plan Appendices a. Crisis communication plan b. External contacts, if any c. Critical office work area equipment & resources d. Critical IT, infrastructure Information, records data, forms e. Alternative office work area information [location] January 2010 Page 1 of 11

1. Objective & Scope 1.1 The objective of the business continuity plan is to reduce consequences of a disruption to an acceptable level through execution of pre-established continuity and recovery procedures. Continuity and recovery of critical processes identified during the business impact analysis are the main focus of the business continuity plan. 1.2 The operational areas covered by this plan include: a. Academic Affairs; b. Administration and Finance; c. Institutional Advancement; d. Information Technology Services; and e. Student Affairs. 2. Definition of Disaster 2.1 A disaster is an event that disrupts mission-critical business processes and degrades their service levels to a point where the resulting financial and operational impact to an organization becomes unacceptable. 2.2 Levels of Disasters and Emergencies: Disasters are classified according to severity to help business continuity teams determine appropriate responses in a timely manner during a crisis situation. Minor: Occur more frequently; effects are often isolated to a small subset of critical business processes; business unit who depend on these processes can continue to function for a certain length of time; cause is usually the failure of a single component, system, or service [Temporary loss of network connectivity, phone system, or Public Safety radio communications]. Intermediate: Occur less frequently but with greater impact; disrupts normal operations of some but not all critical business units; operational disruptions result from major failures of multiple systems and equipment [water leakage, vandalism, power disruptions]. Major: Possibility of occurring very small but extent of impact significant; event disrupts normal operations of most or all critical business processes; inaccessibility or failure of most systems and equipment [Fires, floods, earthquakes, sabotage]. 3. Risk and Business Impact Analysis Summary 3.1 The overall University Business Continuity Plan risk analysis data is used to provide basic information to the development of risk/impact analysis related to an emergency event. Page 2 of 11

3.2 The nature and impact of an emergency event cannot be known until it emerges. Operational continuity planning presents a challenge because it is difficult to know exactly how a unit, the campus, and the wider community will be affected by adverse circumstances presented. 3.3 The highest priority in responding and recovering to any adverse event is the protection of lives and the safety/health of people [students, employees, visitors, vendors, and contractors]. 3.4 The basic continuity goal for the University before, during and after an adverse event is to recover and resume critical operations for teaching, research, and support services in the shortest time possible. This does not mean that every building is accessible, that every class is taught, every employee and student is on campus. It does mean that instruction is occurring and that key services are available. 3.5 Risk to disruption of critical University services includes, but is not limited to: Loss of people [faculty, staff, and students]; Loss of facilities [buildings, classrooms, labs, housing, and offices]; Loss of infrastructure [utilities, telecommunications, data, network, information systems]; and Loss of mission related business and service functions [class scheduling, payroll, financial aid, food services, purchasing]. 3.6 The assumption is made that some key management, operational, and technical personnel will be available and able to make decisions and communicate guidance about recovery and continuity of operations at the system, campus, and unit levels. 3.7 A list of threats and risks from each area [summary spreadsheet format Attachment 3A] has been developed from survey forms distributed to each major component of the University. Analysis was conducted in each area, component, and department that included: Identifying name of organizational component; Basic business requirements; Functions and assets critical to operational needs; and Main business continuity goals. 3.8 General risks in an emergency event includes, but is not limited to: Loss of people [faculty, staff, and students]; Loss of facilities [buildings, classrooms, labs, housing, and offices]; Loss of infrastructure [utilities, telecommunications, data, network, information systems]; and Loss of mission related business and service functions [class scheduling, payroll, financial aid, food services, purchasing]. Page 3 of 11

3.9 A list of critical assets exposed to emergency events includes, but is not limited to: Instructional and office space; Data, telecommunications, and network accessibility; Student housing; Utility disruption beyond the control of the University; Medical services; Emergency response from outside agencies; and Food, water, and shelter for students, faculty, and staff. 3.10 A list of implemented risk controls includes, but is not limited to: Instructional and office space - Evaluation of existing structures as alternative locations - Review of instructional and work schedules - Prioritization of critical operations - Use of alternative modes of instruction and staff duties Technology considerations - ITS Vice President and CTO and Computer Operations staff evaluation of situation/factors related to network and web-based systems - Back-up critical system and data access planning - Alternative communications systems Student housing - Use of available campus buildings - Alternative off-site and on campus temporary housing - Portable shelters available at the Emergency Operations Center Utility disruption - Generated power installed for critical areas of campus, including Administration, Luckman Complex, University Police, Physical Science, Engineering and Technology, Emergency Operations Center, Plumbers Shop, Biological Science, Facilities Services, Student Health Center, Parking Structure III, Library in support of technology - Portable generated power [4 trailer style and 4 units] - Portable lighting with generators [4] - Portable toilets available at the Emergency Operations Center Medical services - Student Health Center staff and available first aid supplies - First aid supplies maintained in inventory at the Emergency Operations Center Emergency response from outside agencies; - Maintenance of contact points with area emergency response groups - Direct contact with Los Angeles Fire Department via Public Safety Communications Center - Certification of 270 on-campus personnel in Citizen Emergency Response Team through the Los Angeles Fire Department Page 4 of 11

Food, water, and shelter for students, faculty, and staff. - Limited drinking water stored in individual personal packages and 30 gallon drums [25] at Emergency Operations Center - Limited food supplements stored at Emergency Operations Center - Canopies, blankets, cots, tarps, and vinyl tents stored at Emergency Operations Center 4. Business Continuity Strategy Summary. 4.1 During the business continuity strategy development stage, various options were investigated for recovering disrupted data, records, applications, systems, services, equipment, and facilities. This section summarizes the recovery options selected for major organizational components. 4.2 Major component business continuity plan summary Area / Component Academic Affairs Information Technology Administrative Student Services Basic Business Requirements Instruction & support of instruction activities; Faculty and staff support; Research. Technology security; Data/network access; Telecommunications; Data retrieval and maintenance; Web based programs. Support related technology; Communicate with student based clubs and organizations; Inventory control; Planning and construction support; Utility management; Purchasing & budget controls; Employee relations and management; Security and safety; Coordination of emergency response; Student Housing; Contracts and grants administration; Food service; Vendor contact. Provide academic records; Acknowledge & make admission eligibility decisions; provide student record related data to University and per Educational and government codes; Peer monitoring; Coordinate special educational programs [example: Summer Bridge]; Deliver health services; Career counseling; Financial Aid; Early Entrance Program; Assistance to disabled students. Functions & Assets Critical to Operational Needs Class rosters; Schedule of classes; Class specific records; Instructional equipment & space; Student contact information; Research records. Computer / network equipment; Critical records via back-up; Trained staff; Telecommunications equipment. Archived documents and records; Staff awareness of emergency procedures; Alternative technology, including laptops, portable radios, and cellular phones; Staff rosters and contact listings; Maintenance of emergency operations center and inventoried supplies; Temporary work facilities and locations; Hazardous materials inventory. Computer / network equipment; Critical records via back-up; Trained staff; Telecommunications equipment; Access to network database systems; Alternative locations to service students in relations to records, admissions, financial aid, and counseling. Main Business Continuity Goals Continue to deliver and support instructional activities & research; Provide appropriate student services to students, faculty and staff. Maintain plans, procedures, and means to respond to emergency events that resolve service disruptions; Coordinate data & network back-up activities to protect critical information. Thorough communication plan; Maintain Checklists for critical operations; Establish satellite locations for business activities; Ensure procedures for critical data retrieval and back-up are current; Establish manual approval processes for financial operations; Train personnel in emergency responsibilities. Communication plan that includes students, faculty, & staff; Maintain Checklists for critical operations; Establish satellite locations for business activities; Ensure procedures for critical data retrieval and back-up are current; Coordinate activities closely with all other major components of the campus in support of instructional mission. Page 5 of 11

5. Business Continuity 5.1 This section of the business continuity plan defines the organization of the business continuity teams, and their roles and responsibilities. may be broken into three main components: Crisis management; Business resumption; and Technical and operational recovery. 5.2 Members of a team are chosen based on their knowledge and experience of activities, procedures, and the tasks assigned to the team. The teams are staffed with the personnel who perform the same or similar tasks under normal conditions. Crisis Management Group Business Resumption Group Technical and Operational Recovery Group 5.3 Crisis Management Group Overview 5.3.1 The Crisis Management Group [CMG] controls the execution of the business continuity plan, emergency response plan, and crisis communication plan. During the initial and subsequent periods of the crisis, the CMG uses a crisis management center to conduct its operations [operationally coordinated from the EOC]. 5.3.2 It is essential for this group have at least one senior manager as the team leader, responsible for its overall guidance. The President is the University s designated CMG leader and has the final decision and authority to invoke the plan. Other members of the team include the leaders of emergency response, damage assessment, crisis communication, notification, resource procurement and logistics, and risk assessment teams. These members provide information about their functional responsibilities activities to the CMG. The CMG can include representatives from IT, human resources, legal, and finance departments, as well as representatives from other relevant business units. Page 6 of 11

5.4 Business Resumption Group Overview 5.4.1 The Business Resumption Group [BRG] has the role of: Conducting an overall assessment of the University s immediate needs; Monitoring the recovery progress and status; and Coordinating the operational recovery activities and IT recovery activities between business units [Divisions]. 5.4.2 Each major component/division of the campus should be represented within the BRG. This group validates the successful recovery of operational and IT processes. 5.5 Technical and Operational Recovery Group Overview 5.5.1 This group consists of IT and non-technology based operational representatives. Examples of areas/functions represented are: Information and Administrative Technology Services; Administration and Finance; Student Affairs; Academic Affairs; Environmental Health and Safety; Data and Critical Record backup retrieval support personnel; and Administration support coordination personnel. 5.5.2 should be formed to address specific concerns within designated areas. An example would be to form a subgroup to address technology based issues, and different group to review operational problems. Another alternative is to give a group a specific problem and then insure representatives from all contributors to the solution are present within the unit. 6. Contact Information 6.1 Contacting personnel spread across the organization tends to be difficult under normal conditions; in a disaster it can prove to be even more difficult to contact the teams and their members. Therefore, it is critical to maintain accurate and up-todate contact information within the business continuity effort through the development of a Communication Plan. 6.2 A common approach for maintaining contact information is to use a "call tree" along with a "contact list". A call tree is a hierarchical structure that represents team members and their notification sequence. A team member represented as a node in the call tree list is notified by another member at a higher level node if they are linked together. Each node for a team member in the call tree should reference another member of the team designated as an alternate contact person. 6.3 A Communication Plan consists of the following elements: a. Communication objectives b. Authorized communication coordinator. Page 7 of 11

c. Conditions for invoking the plan. d. Plan assumptions. e. List of contacts for issuing updates. f. Message Content: 1) General information - a) Notification and clarification of disruptive event b) Impact of the event c) Current status and conditions d) Time of next update 2) Specific requests or directions for a) Students b) Employees c) Public 3) Contact details for additional information. g. Means of communication: 1) Media 2) Telephone (landline, satellite, etc.) 3) Email h. Frequency of communication. i. Crisis communication approval and authorization process. j. Plan update log. 6.4 The overall goal of the plan is for members to already know if they are critical and must respond in an emergency situation without waiting for a contact. Nonessential personnel should not come to campus until contacted. This will reduce difficulties in the management of personnel not primarily related to the University s response to the emergency incident. 7. Activities for the Business Continuity Execution Phases. 7.1. This part of the document describes various phases for executing the Business Continuity Plan. A disruptive event may trigger execution of both the Emergency Response Multihazard Plan and the Business Continuity Plan simultaneously. The Business Continuity Plan consists of six primary phases. Phase 1: Initial Response and Notification A preliminary problem report is prepared as an immediate response to a disruption. Appropriate teams are notified based on the type and extent of the damage. Phase 2: Problem Assessment and Escalation A detailed problem report is prepared after a thorough inspection of the disrupted site. Appropriate teams are notified based on the findings in the detailed problem assessment report. Page 8 of 11

Phase 3: Disaster Declaration The detailed problem report is reviewed and a decision is made on whether or not to declare a disaster. A disaster declaration statement is prepared in this phase. The remaining phases are executed once a disaster is declared. Phase 4: Plan Implementation Logistics Logistical procedures are executed to prepare the recovery environment and mobilize the required teams and resources for the recovery and resumption, and normalization phases. Phase 5: Recovery and Resumption Critical IT and non-it resources are recovered and critical process work is resumed at the following facilities: alternate IT recovery facility, alternate office work area, and crisis management. Phase 6: Normalization The environment and operations are normalized to pre-disaster conditions by transitioning from an alternate recovery facility to either the restored original site or to another facility. 7.2. The execution of the business continuity plan begins with Phase 1, Initial Response and Notification, and results in the preliminary problem report. Phase 2, Problem Assessment and Escalation, follows and results in a detailed problem report. If the findings of these two phases indicate a serious business impact, the crisis management group is mobilized to manage the execution of the business continuity plan. 7.3. Phase 3, Disaster Declaration, is executed by the crisis management team and Phase 4, Plan Implementation Logistics, begins once the disaster is declared. Phases 3 and 4 are normally executed at the crisis management center. 7.4. Phase 5, Recovery and Resumption, occurs at the alternate recovery facilities or locations. Phase 5 can begin during the same time period as Phase 4. For instance, recovery at the alternate office work area may begin as soon as the required logistics are completed; even though, logistics for other alternate recovery facilities have not been completed. 7.5. Phase 6, Normalization, typically focuses on the restoration of the damaged site back to operational standards previously established for each function. 8. Assignment of Activities, Procedures, and Tasks 8.1 Each major University division must provide a Business Continuity Team that will be assigned specific responsibilities related to Phases 1-6 that was outlined in Section 7 of this document. The purpose of this section is as follows: Page 9 of 11

Assign high-level activities to business continuity teams. Assign procedures and tasks (identified in the preceding section) to team members. Provide any additional useful information for managing and controlling activities, such as a time line for high-level activities. 8.2 Each business continuity plan execution phase specifies high-level activities needed to complete the phase. The business continuity teams and their team members are assigned predefined procedures and tasks that are used to implement the high-level activities. 8.3 The information in this section is represented through a set of tables [spreadsheets] for use as checklists, or quick resource guides. These tables show activities, procedures, and tasks for the team. The following is an example of the assigned activities and tasks for the Administration and Finance Division related to Business Continuity for Phases 1 and 2. Phase Description Person Assigned & Functional Unit Activity 1 Initial Responses & Notification Director, Public Safety [EOC] Receive Initial alert from campus; Notify senior management Respond to campus Director, Administrative Technology & Support Services Director, Public Safety [at EOC] to the Policy Group [Crisis Management Team] Notify & mobilize damage assessment team Conduct preliminary assessment Determine cause Evaluate extent of damage & report Notify senior management of findings Phase Description Person Assigned & Functional Unit Activity 2 Problem Assessment & Escalation Vice President, Administration and Chief Financial Officer Receive the preliminary problem report Director, Environmental Health & Safety Director, Planning & Construction Director, Facilities Services Vice President, Administration and Chief Financial Officer Review problem report for the extent and impact of damage Assess health and safety risks Assess building & Structural Damage Assess utility & equipment damage Determine level of disaster/incident: Minor, Intermediate, or Major Notify Senior management Phase 3, Disaster Declaration, would move the response to a problem back to a more centralized and controlled setting closely related to the University s Disaster Response Plan [Multihazard Emergency Plan]. An example of the grid or table is illustrated below. Page 10 of 11

Phase Description Person Assigned & Functional Unit Activity 3 Disaster Declaration President, or senior management official available, in consultation with Policy Group [Crisis Management Team] Vice President, Institutional Advancement [EOC Planning] President, or senior management official available Review disaster level, risks, and impacts Review available recovery options Prepare a disaster declaration statement for the President with the following elements: Date/time of disaster; level of disaster [minor, intermediate, major]; selected recovery options; estimated time to recovery; contacts for clarification and additional information. Issue disaster statement Phases 4-6 [Plan Implementation Logistics, Recovery and Resumption, and Normalization] would be addressed globally from the University s Disaster Response Plan and at the division level. An example related to Plan Implementation Logistics is the requirement to have each division assess the impact of the disaster on their equipment [computers, printers, office furniture, etc.] and prepare a detailed report of losses. This report would then be processed through the Logistics and Finance Sections of the Emergency Operations Center for documentation purposes and action. 9. Business Continuity Plan Appendices [subject to change through continued evaluation activities]. a. Crisis communication plan b. External contacts, if any c. Critical office work area equipment & resources d. Critical IT, infrastructure Information, records data, forms i. Alternative office work area information [location] Page 11 of 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information