Instructions: Citizens Property Insurance Corporation (CPIC) distributes this survey to vendors and business partners used by groups within the Firm, who are critical to the operational readiness of Citizens Property Insurance Corporation or who provide critical services to Citizens Property Insurance Corporation. Please answer all questions as they relate to the services provided to CPIC as accurately as possible.

Questions which are not applicable, please answer
Questions for which the answers are to be determined at a later date, please answer TBD
Questions for which the answers cannot be determined or are unknown, please answer - Unknown

General Vendor/Business Partner Resiliency Questionnaire:

A    Business Continuity Strategy
A1   In the event of a disaster or significant disruption, does your organization have documented plans for business continuity and IT disaster recovery?
A2   What type of failure scenarios or outages do you plan for?
A3   What duration of time is assumed for each type of failure scenario or outage you plan for? (please specify # and hours, days, weeks, months, etc. for each type)
A4   Does the plan establish critical business functions with recovery priorities?
A5   If you answered Yes to Question (A4), what is the expected recovery time for your critical business functions?
     Options: 0-4 hours; 4-8 hours; Within one day; 1-2 days; More than 2 days; Other (please specify)
A6   Does the plan account for interdependencies both internal and external to your organization?
A7   Does the plan cover some, most, or all locations from which you provide your services?
     Options: Some; Most; All; Other (please specify)
A8   What percentage of business as usual servicing capability is the plan designed to address?
     Options: 1-10%; 11-20%; 21-30%; 31-50%; 51-75%; 76-99%; 100%
A9   Do you have a dedicated team of professionals focused on business continuity and/or IT disaster recovery?
A10  If you answered No to Question (A9), do you use an external BCP/DR service provider to handle your planning needs?
A11  Is your main IT facility or data center located in the same building or office complex occupied by your main business or operations staff?
A12  Please provide an illustration or schematic of how your organization's primary, secondary, and/or tertiary servicing centers are set up to provide redundant services to customers.

B    Crisis Communication
B1   Do you have a documented crisis management process within your organization?
B2   If you answered Yes to Question (B1), does this process cover internal and external communications during a crisis event?
B3   How would you notify xxx of an outage?
B4   Do you provide xxx with detailed contact information in the event of an outage or emergency?
B5   Please describe how you notify your team of an incident and direct them through the recovery.

C    Back Up Facilities
C1   Does your organization have an alternate site location for data center recovery?
C2   If you answered Yes to Question (C1), what is the approx. distance between your production (primary) site and alternate (secondary) site for data center recovery? (please specify # and kilometers, miles, city blocks, etc.)
C3   Does your organization have an alternate site location for work area recovery?
C4   If you answered Yes to Question (C3), what is the approx. distance between your production (primary) site and alternate (secondary) site for work area recovery? (please specify # and kilometers, miles, city blocks, etc.)
C5   Do you use an external BCP/DR service provider for your data center recovery needs?
C6   Do you use an external BCP/DR service provider for your work area recovery needs?
C7   If you answered Yes to Question (C6), is your contract with your BCP/DR service provider honored on a first-come/first-served basis?
C8   What recovery strategy does your organization use for mainframe systems?
     Options: Active/Active; Active/Back-up; Vendor Supplied; Other
C9   What type of recovery strategy does your organization use for distributed systems?
     Options: Active/Active; Active/Back-up; Vendor Supplied; Other
C10  Is the processing capacity of your back-up facility equal to that of your primary facility?
C11  If you answered No to Question (C10), what is the capacity ratio of your back up to your primary facility?
     Options: 1-10%; 11-20%; 21-30%; 31-50%; 51-75%; 76-99%; 100%
C12  Is it feasible to run from your back-up facility for an extended period? (e.g. at least six weeks)

D    Testing
D1   Is the plan periodically tested?
D2   How frequently is the plan tested?
     Options: Annually; Semi-annually; Other (please specify)
D3   Do you have BCP test dates scheduled over the next 12-18 months?
D4   If you answered "Yes" to Question (D3), please list those dates.
D5   Do you involve IT staff, business unit or operations staff or both in your internal BCP/DR tests?
     Options: IT staff only; Business Unit or Operations Staff only; Both IT and Business Unit or Operations Staff
D6   Would you involve xxx in your external BCP/DR tests?
D7   Do internal or external auditors review your BCP/DR tests?
D8   If you answered Yes to Question (D1), what components of your systems and infrastructure are tested?
     Options: Applications; Middleware; Databases; Data networks (internal and external); Voice networks (internal and external); Desktop; Facilities; Voice equipment

E    September 11th
E1   Did your organization invoke its business continuity or IT disaster recovery plan(s) as a result of the September 11 terrorist attacks?
E2   Has your organization enhanced its business continuity planning initiative, or is in the process of enhancing its plans in light of September 11?

F    BCP Support
F1   Please provide primary and alternate contact information for communication during an emergency.