Table of Contents

Chapter 1 Introduction ... 4
  1.1 Executive Summary ... 4
  1.2 Goals and Objectives ... 5
  1.3 Senior Management and Board of Directors Responsibilities ... 5
  1.4 Business Continuity Planning Processes ... 6
    1.4.1 Risk Assessment Process ... 6
    1.4.2 Business Impact Analysis Process ... 7
    1.4.3 Recovery Strategy Development Process ... 8
    1.4.4 Business Continuity Plan Development ... 9
    1.4.5 Testing Process ... 9
Chapter 2 Business Continuity Plan Overview ... 11
  2.1 Scope ... 11
  2.2 Business Continuity Planning and Technology Recovery Definitions ... 12
  2.3 Business Continuity Plan Objective ... 12
Chapter 3 Business Description ... 14
  3.1 Office Locations ... 14
    3.1.1 Corporate headquarters ... 14
    3.1.2 Branch locations ... 14
    3.1.3 Alternate (emergency) location(s) ... 14
  3.2 Data Center Locations ... 14
    3.2.1 Main Data Center ... 14
    3.2.2 Secondary Data Center(s) ... 15
    3.2.3 Data Backup/Recovery and Application Failover Sites ... 15
Chapter 4 Event Types ... 16
    4.1.1 Business Interruptions ... 16
    4.1.2 Technology Disasters ... 16
Chapter 5 Plan Logistics ... 18
  5.1 Approvals, Maintenance, Revisions and Execution Authority ... 18
  5.2 Plan Location, Distribution and Access ... 18
Chapter 6 Risk Assessment ... 19
  6.1 Risk Scenarios ... 19
  6.2 Gap Analysis ... 20
Chapter 7 Business Impact Analysis (BIA) ... 22
  7.1 Determine Levels of Importance by Business Function ... 23
  7.2 Estimate Downtime Tolerances by Business Function ... 23
    7.2.1 Recovery Time Objectives ... 23
    7.2.1 Recovery Point Objectives ... 24
  7.3 Identify Resource Requirements ... 24
  7.4 Establish the Critical Path for Recovery ... 25
Chapter 8 Business Continuity Organization ... 26
  8.1 Organizational Responsibilities ... 26
  8.2 Employee Responsibilities ... 27
  8.3 Duties ... 27
Chapter 9 Event Phases Objectives ... 28
  9.1 Response Phase Objectives ... 28
  9.2 Business Resumption Phase Objectives ... 28
  9.3 Relocation Phase Objectives (only if relocation is necessary) ... 28
  9.4 Return to Business as Usual Phase Objectives (only if relocation was necessary) ... 29
Chapter 10 Test Plans and Execution ... 30
  10.1 Test Plan Complexity ... 30
  10.2 Phase 1: Table Top Testing ... 31
  10.3 Phase 2: Technology Failover ... 31
  10.4 Phase 3: Technology Failover and Off-site Business Operations ... 32
  10.5 Continuing Refinements ... 33
Chapter 11 General Event Preparedness ... 34
  11.1 Emergency Management / Crisis Response Team Call Tree ... 35
  11.2 Critical Path to Recovery ... 36
  11.3 List of Employees and Contact Information ... 37
  11.4 List of Vendors and Service Providers and Contact Information ... 38
  11.5 List of Customers and Contact Information ... 39
  11.6 List of Equipment Suppliers and Data Storage Locations ... 40
  11.7 List of Communications Carriers, ISPs, Internet Hosting ... 41
  11.8 Event Checklist ... 42
  11.9 Technology and Infrastructure Recovery Checklist ... 43
Chapter 1 Introduction

1.1 Executive Summary

In today's environment, business leaders are increasingly aware of potential threats to their businesses that may appear in many forms: terrorism, catastrophic natural disasters, pandemics and cyber-attacks. Regulators likewise have taken a more careful view of the financial services industry's overall ability to respond to and recover from disruptive events that could impact the entire financial system and undermine the public's trust.

recognizes the value of having in place a plan to protect its assets, to minimize its financial losses, to maintain its business operations and to recover its technology in the case of unplanned disruptive events. It is essential to maintain continuity of its operations in support of its customers, business associates, stakeholders, regulatory obligations, and its own financial status and reputation.

This policy is intended to serve as the framework for developing [Sample Client]'s unique Business Continuity Plan. It is the policy of to develop and maintain a Business Continuity Plan that considers strategies and procedures to recover, resume and maintain its critical business functions, processes and responsibilities. This Business Continuity Planning Policy is intended to provide the framework for developing and maintaining a Business Continuity Plan that is specific to the business needs, strategic goals and risk appetite of [Sample Client], and is proportionate to its size and complexity.

Senior Management and the Board of Directors (henceforth "Management") is committed to establishing and maintaining emergency procedures, backup facilities, and a comprehensive plan that allows for the timely recovery and resumption of operations and the fulfillment of the responsibilities and obligations of. Management fully supports and participates in the development, monitoring, testing, and regular maintenance of a Business Continuity Plan (the Plan).

The Plan will initially be developed in-house; however, may determine that an outsourced vendor provides the best solution and implementation for the company.
Chapter 2 Business Continuity Plan Overview

The Business Continuity Plan is a statement of prepared actions to be taken and decisions to be made before, during, and after a significant business disruption event or a threat thereof. A business disruption event is an unwanted event that threatens personnel, buildings, technology, services, operational procedures, the ability to conduct business, and/or the reputation of, and which requires specific measures to return to business as usual. An event may be caused by such things as a loss of utility service, communications or connectivity; a significant breach in security; or a catastrophic event that causes a disruption in its ability to function and provide service to its clients. Events may be of short duration (a few hours to a day or two) or of long duration, where recovery involves long-term or permanent relocation of facilities, infrastructure and personnel.

Business disruption events include:
- Fires
- Severe weather (tornados, hurricanes, blizzards)
- Natural disasters (floods, volcanos, earthquakes)
- Environmental disaster (toxic spills, explosions, plane crashes)
- Criminal activity (burglary, terrorism, vandalism, random shootings)
- Pandemics or localized epidemics

2.1 Scope

The Plan is intended to help manage risks that threaten the survival of. It provides a framework to ensure adequate resilience so that can continue to operate and serve our customers and comply with regulatory requirements if we encounter an event that impacts our ability to conduct business as usual.
11.1 Emergency Management / Crisis Response Team Call Tree

These individuals are those who make crisis-level decisions, who determine the appropriate response to an incident, and who declare an emergency and invoke the Plan.

Name/Position           | Calls these names | Home phone | Mobile phone | Home email | Contact made?
------------------------|-------------------|------------|--------------|------------|--------------
[Name 1] / [Alt. Name]  | [Name A]          |            |              |            |
                        | [Name B]          |            |              |            |
                        | [Name C]          |            |              |            |
                        | [Name D]          |            |              |            |
                        | [Name E]          |            |              |            |
[Name 2] / [Alt. Name]  | [Name F]          |            |              |            |
                        | [Name G]          |            |              |            |
                        | [Name H]          |            |              |            |
                        | [Name I]          |            |              |            |
                        | [Name J]          |            |              |            |

Using the top-down organization chart as a guide, will develop a Call Tree that directs and expedites the flow of communications during an event. Each level of the Call Tree should include a primary and an alternate member to ensure adequate access and representation at each level. The Call Tree will identify which individuals call specific other people; this would follow organizational reporting lines and cross-business team partners as sub-groups. Each level will be responsible for furthering the communication to the next sub-group to the extent required. The Call Tree will include a method for recording a success/failure result in reaching each member. The example table above will be expanded to multiple levels of calling responsibility.