
Business Continuity Policies and Plan

DATE

Key Information

Building Contact
 o Management ……….. xxx.xxx.xxxx (24 hr. emergency line #)
 o Security ……………… xxx.xxx.xxxx

Emergency Phone Lines (see Appendix B)
 o Staff ……………… xxx.xxx.xxxx
 o Clients ……………… xxx.xxx.xxxx

Emergency Website: https://www.xxxxx.com
 o Documents are posted to the website at the time of emergency (NOT kept on the site permanently for security reasons)
 o Documents to be posted are available on the flash drives held by the BCP Administrators
 o Regular Users -- User ID: xxxxxxx Password: (to be created)
 o BCP Administrators -- can post announcements. User ID: xxxxxxxx Password: (see password list)
 o Instructions for posting to the Emergency Website: Appendix S
 o List of docs to be posted to the Emergency Website: Appendix E

Emergency Email Website: https://xxxxxxxxxx.com
 o User ID: your [YOUR COMPANY] email address ([email protected])
 o Password: find in password sheet

Staff Phone Numbers: Appendix F
Alternate Business Locations: Appendix R

Quick Action Plans

Snow Day
 1. Leave message on both Emergency Phone Lines for Staff and Clients (above)
 2. Post message (a Word document) to Emergency Website

Fire in building
 1. Leave message on both Emergency Phone Lines for Staff and Clients (above)
 2. Post message (a Word document) to Emergency Website
    INCLUDE instructions for accessing Emergency Email Website
 3. Post client contact information and employee phone list to Emergency Website (both files are on flash drives in password sheet envelope)

General disaster (major earthquake)
 1. Leave message on both Emergency Phone Lines for Staff and Clients (above)
 2. Post message (a Word document) to Emergency Website
    INCLUDE instructions for accessing Emergency Email Website
    INCLUDE instructions on where and when to meet outside the affected area
 3. Post client contact information and employee phone list to Emergency Website (both files are on flash drives in password sheet envelope)

[YOUR COMPANY] Business Continuity Plan Page 2 of 21

Contents

OVERVIEW ..... 5
BUSINESS IMPACT ANALYSIS AND PROCESS REVIEW ..... 10
DOCUMENTATION AND SOFTWARE ..... 12
FACILITIES DESCRIPTION ..... 16
PLANNING FOR EMERGENCY SITUATIONS ..... 20
  Natural Disasters ..... 20
  Man-Made Disasters ..... 20
  Closing the office ..... 22
RECOVERY ..... 24
PERSONNEL CONSIDERATIONS ..... 26
Appendix A: Business Continuity Plan Disclosure Statement ..... 27
Appendix B: Telecommunications ..... 28
Appendix C: Printer Material Sources ..... 35
Appendix D: Insurance Company Contact Information ..... 36
Appendix E: Client List ..... 37
Appendix F: Emergency Call Tree ..... 38
Appendix G: Password List ..... 42
Appendix H: Annual Plan Review Checklist ..... 43
Appendix I: Vendor/Agency Call List ..... 45
Appendix J: Annual Plan Review Checklist ..... 51
Appendix K: Recovery Boxes Inventory ..... 52
Appendix L: Furniture Fixtures, Computers ..... 53
Appendix M: Event Log ..... 54
Appendix N: Technology Recovery Plan ..... 55
Appendix O: [Building name] Building Emergency Procedures ..... 63
Appendix P: Business Impact Analysis ..... 67
Appendix Q: Directions for Changing [YOUR COMPANY] Mail Delivery ..... 72
Appendix R: Alternative Office Location ..... 73
Appendix R(a): Alternative Office Location Agreement ..... 74
Appendix S: Emergency Website (OUREVAULT) Instructions ..... 76
Appendix T: Business Contingency Team ..... 79
Supplemental A: Additional Vendors ..... 80


BUSINESS IMPACT ANALYSIS AND PROCESS REVIEW

A Business Impact Analysis (BIA) establishes which business processes and functions are most critical to the survival of the organization so that they can be properly protected. The BIA provides an estimate of the maximum tolerable downtime for each process, with a plan to restore the areas of greatest exposure as soon as possible.

In addition, company documentation is analyzed to determine the impact of documentation loss and the most expedient method to recover the documentation, if appropriate.

Finally, each software application is analyzed to determine the most expedient method to reestablish the application.

Critical business processes are listed below and a table showing the BIA is listed in Appendix P.

Process | Importance | Dependencies | Max. Tolerable Downtime
BCP Website | High | External web service | None
Answering Telephones | High | Phone circuits available | 1 day
Bank deposits | High | Banks open | 1 day
E-mail retention | High | Computers; power | 2 days
Firewalls | High | None | 2 days
Voice Mail Retrieval | High | Phone circuits available | 3 days
Faxing | High | Phone circuits available; fax machine available | 3 days
Schwab Trade processing | High | Phone circuits available; internet | 5 days
Internet Access | Moderate | DSL circuit, router, firewall, LAN | 2 days
E-mail | Moderate | External email service, DSL circuit, email server, firewall, router, LAN | 2 days
Connection to SEI | Moderate | Internet SEI connection | 2 days
Daily SEI downloads | Moderate | SEI ability to provide data, Portfolio Center, Internet SEI connection | 5 days
CRM | Moderate | Install in temporary location | 5 days
Trading/Rebalancing | Moderate | CRM, Portfolio Center, internet | 5 days
Client Tax payment processing | Moderate | SEI systems | 5 days
Payroll processing | Moderate | ADP | 2 weeks
Quarterly Performance Reports | Moderate | Portfolio Center, SEI, CRM, Computers; power | 2 weeks
Quarterly Tax Reports | Moderate | Portfolio Center, SEI, CRM, Computers; power | 2 weeks
Daily Schwab downloads | Low | Portfolio Center | 30 days
Webpage provider | Low | Portfolio Center, internet ISP connection | 30 days
U. S. Mail | Low | Transportation | 3 days
FedEx | Low | Transportation | 3 days
UPS | Low | Transportation | 3 days
Employee benefit processing | Low | LAN systems and internet | 1 month
Monthly Billing on Schwab accounts | Low | Portfolio Center, CRM, Computers; power | 1 month
Application Extender | Low | Computers; power | 1 month
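A table like the one above is only useful if it is internally consistent: a dependency must be restorable within the shortest downtime tolerated by anything that relies on it, and the restoration sequence has to bring dependencies up first. The following Python script is an added example, not part of this plan, that checks both. Its rows are a constructed subset of the table above; only dependencies that are themselves listed processes are modelled (external ones such as phone circuits, ADP and Portfolio Center are left out), the mapping of "internet" to "Internet Access" is an assumption, and the WITH_ERROR variant deliberately lengthens CRM's downtime to show the check firing.

```python
# Added example (not part of the plan): consistency check and recovery
# ordering for a BIA dependency table. Rows are a constructed subset of the
# plan's table; mapping "internet" to "Internet Access" and dropping
# dependencies that are not listed processes are assumptions.
from datetime import timedelta

# process -> (maximum tolerable downtime, [listed processes it depends on])
PROCESSES = {
    "Firewalls":                          (timedelta(days=2),  []),
    "Internet Access":                    (timedelta(days=2),  ["Firewalls"]),
    "E-mail":                             (timedelta(days=2),  ["Internet Access"]),
    "Connection to SEI":                  (timedelta(days=2),  ["Internet Access"]),
    "Daily SEI downloads":                (timedelta(days=5),  ["Connection to SEI"]),
    "CRM":                                (timedelta(days=5),  []),
    "Trading/Rebalancing":                (timedelta(days=5),  ["CRM", "Internet Access"]),
    "Daily Schwab downloads":             (timedelta(days=30), []),
    "Monthly Billing on Schwab accounts": (timedelta(days=30), ["CRM"]),
}

# Constructed variant with a deliberate error: CRM is given two weeks of
# tolerable downtime although Trading/Rebalancing, which needs CRM, only
# tolerates five days.
WITH_ERROR = dict(PROCESSES)
WITH_ERROR["CRM"] = (timedelta(days=14), [])


def effective_mtd(processes):
    """Propagate tolerable downtime down the dependency graph.

    Each process's effective MTD is the minimum of its own stated MTD and
    the effective MTDs of everything that depends on it.  Iterating to a
    fixed point handles chains (A needs B needs C).
    """
    eff = {name: mtd for name, (mtd, _deps) in processes.items()}
    changed = True
    while changed:
        changed = False
        for name, (_mtd, deps) in processes.items():
            for dep in deps:
                if dep in eff and eff[name] < eff[dep]:
                    eff[dep] = eff[name]
                    changed = True
    return eff


def inconsistencies(processes):
    """Rows whose stated MTD is longer than their dependents can tolerate.

    Returns (process, stated MTD, MTD actually required) tuples.
    """
    eff = effective_mtd(processes)
    return [(name, mtd, eff[name])
            for name, (mtd, _deps) in processes.items() if eff[name] < mtd]


def recovery_order(processes):
    """Restoration sequence: dependencies first, shortest effective MTD first."""
    eff = effective_mtd(processes)
    order, done = [], set()

    def visit(name, stack=()):
        if name in done:
            return
        if name in stack:
            raise ValueError(f"dependency cycle through {name}")
        deps = [d for d in processes[name][1] if d in processes]
        for dep in sorted(deps, key=lambda d: (eff[d], d)):
            visit(dep, stack + (name,))
        done.add(name)
        order.append(name)

    for name in sorted(processes, key=lambda n: (eff[n], n)):
        visit(name)
    return order


if __name__ == "__main__":
    for name, stated, needed in inconsistencies(WITH_ERROR):
        print(f"{name}: stated {stated.days} days, dependents need {needed.days} days")
    print(" -> ".join(recovery_order(PROCESSES)))
```

Run against the plan's own rows the check reports nothing and yields an order that starts with Firewalls, then Internet Access, then the services behind it; run against WITH_ERROR it reports that CRM's two weeks must shrink to five days. The same check is worth re-running during the annual plan review whenever a downtime figure or a dependency in Appendix P changes.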


DOCUMENTATION AND SOFTWARE

Below are document classifications based on [YOUR COMPANY]’s business practice and daily operation.

Vital Records (V): Records or documents that, for legal, regulatory, or operational reasons, cannot be irretrievably lost or damaged without materially impairing the organization’s ability to conduct business.

Important Records (I): Records or documents that, if damaged or destroyed, would cause considerable inconvenience and/or require replacement or recreation at considerable expense.

Useful Records (U): Records or documents that are helpful but not required on a daily basis.

Document Class | Contents | Document Type | Backup, if originals destroyed | Comments

SOFTWARE

Software applications are stored on an external hard drive which is kept at XXX. Licenses for the software are kept as scanned images on the same hard drive. The copies of the software on the drive are updated quarterly. The password list for all network passwords is kept with this hard drive.


FACILITIES DESCRIPTION

Server Computers

[YOUR COMPANY] operates over xx physical and virtual servers, a storage area network disk array and a tape backup system using Backup software.

The servers have redundant power supplies and the file servers and storage area network have RAID arrays for drive redundancy.

Data Backups

A weekly schedule of tape backups is maintained for all server data using Backup software. Full backups are performed starting each Friday night and running until the following Monday. Incremental backups are then performed Tuesday through Thursday nights. The weekly backup sets are retained on site for one week and then rotated offsite to Iron Mountain on a four-week schedule. Quarter-end tapes are retained offsite for one year and year-end tapes are retained offsite permanently.

Maintenance actions for Data Backups:
 o Daily, review the Backup log from the night before.
 o Maintain the daily tapes in a secure onsite location until they are sent offsite to Iron Mountain.
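The daily log review above is where a missed or failed backup gets caught before the tapes leave the building, so it helps to compare the log against the schedule rather than just glance at it. The Python script below is an added example, not part of this plan and not a feature of any named backup product: it encodes the rotation described above (full on Friday night, incrementals Tuesday to Thursday, one week on site, four-week offsite cycle, quarter-end sets kept one year, year-end sets kept permanently) and checks a log excerpt against it. The log format and the sample lines are constructed, and treating the last weekly set of a calendar quarter or year as the "quarter end" or "year end" set is an assumption.

```python
# Added example (not part of the plan): checks the previous night's backup
# against the tape rotation described above.  The log format is hypothetical,
# the sample lines are constructed, and treating the last full backup of a
# quarter or year as the "quarter end" / "year end" set is an assumption.
from datetime import date, timedelta
import re

FULL_DAY = 4                   # Friday (Monday == 0): the full backup starts Friday night
INCREMENTAL_DAYS = (1, 2, 3)   # Tuesday, Wednesday and Thursday nights

# Constructed sample of the backup software's log (hypothetical format).
SAMPLE_LOG = """\
2018-05-24 22:00 job=incremental status=completed
2018-05-25 22:00 job=full status=completed
2018-05-29 22:00 job=incremental status=failed
"""
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} job=(full|incremental) status=(\w+)")


def as_date(value):
    """Accept a date object or an ISO 8601 string such as '2018-05-25'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def expected_job(night):
    """Job the schedule expects to start on the evening of `night`, or None.

    Saturday to Monday nights return None: the weekend full backup is still
    running and no separate job should appear in the log.
    """
    night = as_date(night)
    if night.weekday() == FULL_DAY:
        return "full"
    if night.weekday() in INCREMENTAL_DAYS:
        return "incremental"
    return None


def retention(full_start):
    """Offsite retention class of the weekly set whose full backup began on `full_start`."""
    full_start = as_date(full_start)
    if full_start.weekday() != FULL_DAY:
        raise ValueError("weekly sets start on a Friday")
    following = full_start + timedelta(days=7)      # start of the next weekly set
    if following.year != full_start.year:
        return "permanent"                          # year-end tapes: kept offsite permanently
    if (following.month - 1) // 3 != (full_start.month - 1) // 3:
        return "1 year"                             # quarter-end tapes: kept offsite one year
    return "4 weeks"                                # ordinary weekly set: four-week rotation


def tape_dates(full_start):
    """(date the set ships offsite after one week on site, date it may be recycled or None)."""
    full_start = as_date(full_start)
    ship = full_start + timedelta(days=7)
    cls = retention(full_start)
    if cls == "permanent":
        return ship, None
    return ship, ship + timedelta(days=28 if cls == "4 weeks" else 365)


def review_backup_log(log_text, review_day):
    """Daily review: confirm the job expected on the night before `review_day`.

    Returns a list of findings; an empty list means the schedule was kept.
    """
    night = as_date(review_day) - timedelta(days=1)
    seen = {}                                        # job -> status recorded for that night
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and date.fromisoformat(m.group(1)) == night:
            seen[m.group(2)] = m.group(3)
    want = expected_job(night)
    findings = []
    if want is None:
        if seen:
            findings.append(f"UNEXPECTED: {sorted(seen)} ran on {night}, no job is scheduled")
        return findings
    status = seen.get(want)
    if status is None:
        findings.append(f"MISSING: no {want} backup started on {night}")
    elif status != "completed":
        findings.append(f"FAILED: {want} backup on {night} ended with status '{status}'")
    return findings


if __name__ == "__main__":
    for day in ("2018-05-26", "2018-05-30", "2018-05-31"):
        print(day, review_backup_log(SAMPLE_LOG, day) or ["OK"])
    print(retention("2018-06-29"), tape_dates("2018-05-25"))
```

Reviewing on Saturday 2018-05-26 finds the Friday full completed; reviewing on 2018-05-30 reports the failed Tuesday incremental; reviewing on 2018-05-31 reports that Wednesday's incremental never started. Feeding a "MISSING" or "FAILED" finding into the daily review is the point: with incrementals depending on the previous full, a silently skipped night widens the window of data that would be lost in a server loss.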

Employee Workstations

The majority of employees have a computer at home that could be used during disaster recovery. Employees will be able to access our BCP Website to obtain critical client, vendor and corporate information.

Restoration of Computer Services

For a period of up to two weeks, it is expected that employees will work remotely from their home computers while at the same time, a skeleton group of employees sets up a central command location in one of the [Temp Office Vendor] locations.

Should the main [YOUR COMPANY] office remain unavailable for more than two days, new computer equipment will be purchased. Servers, network equipment and tape backup devices will be purchased on an express basis from a vendor offering immediate shipping, most likely XXX.


Printed Materials

A small number of marketing materials for both companies are held off site. A small number of office forms are held on site.

Maintenance actions for printed materials: Store a one-month supply of all printed marketing materials in the Recovery Boxes kept at XXX. See Appendix K, Recovery Box Contents, for a list of contents.

Because in-house print materials are often time-sensitive, it is undesirable to have a large stockpile. Store an electronic copy on a flash drive along with one hard copy of each document in the Recovery Box. Make copies as needed. Replace the copies in the Recovery Box as changes are made.

Maintain a list of the printing sources and usual order quantities for these materials in Appendix C, Printed Materials Sources.

Computer Printing Capability

Printers will either be purchased or staff personal printers may be used temporarily. During disaster periods, most communications will be by telephone, when circuits are available.

Telephone Capability

The components of the main office telephone system emergency response are listed in Appendix B, Telecommunications. All of our direct dial numbers are programmed to automatically re-direct to a remote number (xxx.xxx.xxxx) should our incoming lines or phone-switch go down for any reason.

If we have a problem with our phone switch or our incoming phone lines (i.e., a technical problem rather than a disaster), we will call and have the 800 number re-directed to a phone at the front desk.

If there is a disaster, all of our lines will be redirected to a voice mail box. As part of the emergency action plan, one individual will be designated by the Coordinator to monitor the emergency line voice mail box and take the action necessary to respond.

In addition, we have arranged for our Employee Emergency call line to be a remotely located number (xxx-xxx.xxxx). The Voice Mail on this phone will be used to keep employees informed and as a place for them to leave messages.


Email Capability

Maintenance actions for Emails: Maintain key employee home email addresses in Appendix F, Emergency Call Tree.

The company uses an external email service through which all email into and out of the company passes. Instructions for accessing the company email on this external email service will be posted on the BCP Website in the event of an emergency and are on the emergency card provided to all staff.

Annually test access to the external email service.

Banking and Custodial Considerations

[YOUR COMPANY] maintains a banking relationship with:

Your Bank(s) – See Appendix I

[YOUR COMPANY] maintains corporate accounts with:

Your custodian - Acct number xxx-xxx Address, City State, phone

Maintenance actions for Banking: Maintain deposit slips and extra checks for banks in the Recovery Box. See Appendix K, Recovery Box Inventory.

Supplementary actions for Banking: Contact banks, brokerage firms, and trust companies to let them know the status of the office building. See Appendix I.

Alternate Office Location

[YOUR COMPANY] plans to have its employees operate from their homes on a temporary basis should our sole office, located __________________ be unavailable. Should it be determined that our sole office will not be accessible for a period of greater than five business days, [YOUR COMPANY] will retain temporary office quarters in a location appropriate to the nature of the event.

We have a contract with [Temp Office Vendor]s which gives us priority rights on available space in any of their three Puget Sound locations should a disaster occur. They also have offices in [other states].

Temp Office Vendors are supported by a technology team located in city, state, that can provide assistance on an interim basis should [YOUR COMPANY] need to relocate to a Temp office site. In addition, our 800 number could be directed to the office location for answering by their receptionist during normal business hours.


On an annual basis, xxx, General Manager of [Temp Office Vendor]s will be contacted to ensure agreement remains in force and will be honored.

Contact Name | Contact email | Contact Phone

Contact information for [Temp Office Vendor]s’ local offices is shown below. A copy of [YOUR COMPANY]’s agreement with [Temp Office Vendor] will be kept in their file.

[Temp Office Vendor]s Locations

[list locations with physical address, phone, fax, email, cell phones, and other contact information]


PLANNING FOR EMERGENCY SITUATIONS

Natural Disasters

In known emergencies, employees will be given instructions ahead of time. In cases where employees should stay home, the Coordinator will notify all employees via:

 o Voice Mail message left on the Employee Emergency call line xxx.xxx.xxxx
 o A posting on the Disaster Recovery site and the external email.

Immediate Actions – Known Emergencies
 o Secure the office as much as possible.

Refer to actions contained in the [YOUR COMPANY], [Building name] Building, Emergency Procedures located in Appendix O for further directions.

For longer-term situations, employees should call the Employee Emergency call line and/or contact the BCP Website for specific information. In addition, the telephone call tree and corporate voicemail will be used to keep in touch with employees.

Unexpected Emergencies due to Natural Disasters:

Plan Coordinators and floor wardens will provide directions to staff, depending on whether or not the emergency occurs during business hours.

Refer to plans established in Appendix O. Activate an alternate office location if there is structural damage to the office building.

Man-Made Disasters

Gas/Chemical hazard

The office building is heated with natural gas. The smell of gas may be prevalent in the office if a rooftop heating unit malfunctions. This is especially noticeable on the left side of the office because that rooftop unit pulls in 15% outside air continuously when the air handler fan is running.

Immediate actions if natural gas is smelled in the main office area:
 o Notify the Front Desk. Front Desk should contact Building Management at xxx.xxx.xxxx.
 o Evacuate staff from the building.
 o Do not change the position of any electrical switches, to avoid creating a spark that could ignite a fire.


If a noxious odor other than natural gas is detected in the office area:
 o Notify the Front Desk and/or Building Management at xxx.xxx.xxxx
 o Staff should be notified if an evacuation is necessary.

Supplementary actions: Contact other employees to determine the extent of the situation and to determine if everyone is safe.

Internet Outage

A large-scale Internet outage is plausible, either through technical malfunction of Internet infrastructure or through a denial-of-service attack.

[YOUR COMPANY] is dependent upon Internet service for client email communications and daily downloads from their custodians. Although these downloads are important, several days can pass before the loss of Internet access becomes a financial burden on the Company.

Aside from a wide scale internet failure, one of the network appliances (routers, firewalls, etc.) in the server closet could fail, causing a local Internet outage.

Immediate actions: Request that each of the custodians holding client assets maintain the [YOUR COMPANY] daily files until Internet access is restored. It is likely that these custodians will take this action of their own volition because of the large number of financial advisors that would be affected in a large-scale Internet outage.

Minimize trading by telephone in order to minimize downloads the following day.

Supplementary actions: If the outage lasts more than one business day, clients will be notified as they call into the office. Custodians will be contacted directly and trading will continue via telephone orders.

Loss of One or More Servers

Theft of one or more of the servers or a total loss of the servers due to fire or water damage will have a serious impact on daily operations.

The servers have uninterruptible power supplies to isolate them from power spikes and power dips. The servers also have redundant power supplies to increase reliability.

Immediate actions if the loss was due to theft:
 o Notify the [your city] Police Department and [Building name] Building Security.
 o Avoid touching any objects that would thwart forensic evidence.
 o Advise the Chief Compliance Officer that there has been a loss of confidential client information and that an event has occurred as defined by the Information Security Policy.


Notify the insurance company using the information in Appendix D.

Supplementary actions:
 o If the servers are damaged but not stolen, assess the extent of the damage and the possibility of recovery in a reasonable period.
 o If the servers are not recoverable then replacements will be purchased immediately and the servers will be rebuilt from offsite software backups.
 o Contact _____ to purchase new servers. If immediate replacements cannot be obtained, locally purchased equipment may be used.

Computer Virus

A large-scale computer virus could affect many of the computers in the office in a relatively short period.

Immediate actions: Alert all employees of the event. Assess who has been affected and who appears to be unaffected. Take measures to stem further infections (for example, disconnect affected computers from the network).

Supplementary actions: Use unaffected computers to conduct business. Wait for updated signatures or a removal tool from the anti-virus vendor. Cleanse affected computers.

Closing the office

After studying up-to-date information about a particular situation, the Coordinator(s) will decide whether or not to close the office.

The Coordinator(s) are prepared to communicate a decision to employees both on the job as well as during non-working hours.

Depending on the severity of the event and the circumstances surrounding it, the Emergency Phone tree may be initiated, and text messages and emails sent to employees’ mobile phones and personal email addresses informing them of the Employee Emergency call line and the Emergency Website. All employees are expected to participate in this activity and to rely upon the Employee Emergency call line to keep posted on the status of events.


In the case of an emergency, Employees will be expected to call the Employee Emergency call line or access the Emergency Website to determine the status of our office and, if the office is open, to make every effort to report to work at their normal reporting time unless otherwise advised by the Coordinator(s).

To maintain the normal flow of operations, it may be necessary to request employees to work. The Coordinator should first try to obtain volunteers. If the number of volunteers is not sufficient, the Coordinator will then require selected employees to assist in order to maintain the necessary workflow. When selecting those employees required to work, the Coordinator should keep in mind the skills needed and the individual needs of the employee with respect to the particular emergency. Protection of family members always takes precedence over preservation of business assets.

Employees may be required to perform duties that are normally outside their responsibilities.


RECOVERY

Reestablishing Business Operations

Rebuilding and reestablishing the work area following a major disaster may require substantial planning and execution.

Email and/or text message will be sent to employees’ emails and mobile numbers with instruction to call Employee Emergency Line (xxx.xxx.xxxx).

Employees will be expected to check the Employee Emergency call number or check the BCP Website to stay updated and to check in with their manager/team lead.

The following steps are directed only towards initial data gathering and salvage tasks that may be necessary for the immediate decision making process and for data that may be helpful in designing the replacement facility.

Damage Assessment

The Coordinator will initiate damage assessment by performing a walk-through with other staff members and the landlord, taking photographs if possible. During this walk-through consultation with the landlord, the Coordinator will perform a preliminary analysis for total facility downtime. Throughout the tour, the Coordinator should attempt to photograph areas of damage from at least three (3) angles. Each staff member will independently record their assessment of damage to furniture, facilities, hardware, storage media, environmental capabilities, and security features.

Use the office inventory list in Appendix L, Furniture, Fixtures, & Computers, as a starting point for a damage checklist to establish the extent of the loss.

At the completion of the tour, the staff will reconvene to develop the disaster recovery strategy after completing an analysis of damage and probable downtime. Coordinators will determine next steps, whether or not employees will be asked to work from home, duration, and if a skeleton crew will be asked to work from an offsite location.

Detailed Damage Assessment

The Coordinator or his or her designee will contact the insurance company representative to have disaster customer service personnel assigned to [YOUR COMPANY] for detailed damage assessment.

Maintenance actions: Maintain Appendix D, Insurance Company Contact Information.


Annually, during Plan review, call the insurance company numbers to assure the accuracy of the contact information.

Update Appendix L, Furniture, Fixtures & Computers, during Plan review.

Salvage actions: Based on the inventory and damage assessment recorded above, the CCO will determine what will be removed for repair and what will be scrapped. After consultation with and approval of the insurance underwriters, each item will be tagged with a green tag for repair or a red tag for scrap. The Disaster Recovery Team will coordinate removal of the equipment.

Equipment Ordering

Use the Corporate Credit Card to purchase any necessary supplies.

New Office Space

Temporary office space has been pre-arranged through [Temp Office Vendor]s. If [YOUR COMPANY]’s offices will be unavailable permanently, contact the landlord and realty firms for assistance in locating alternate office space during a long-term recovery.


Appendix K: Recovery Boxes Inventory

Box 1

Item | Description | Desired Quantity | Quantity Checked
Business Continuity Plan | Copy of BCP | 1 |
Deposit Slips/Checks | [your bank] (1 checkbook of 25 checks for each of the following entities: xxx corporate, xxx Client acct, xxx & [YOUR COMPANY]) | 25/100 checks |
Pens | | 24 |
Miscellaneous office supplies | Glue stick, whiteout, highlighter (2), Post-it Notes (small and large) | |
Legal Pads | 10 note pads (letter size) | 10 |
Stamps | Postage for first class mailings (Forever stamps) | 120 total |
Stationery | First and second sheets | 100 each |
Envelopes | [YOUR COMPANY] envelopes, variety of sizes | 100 |
Large envelopes | 9” x 12” & 10” x 13” for sending pocket folders | 100 |
Mailing Labels | [YOUR COMPANY] pre-printed labels | 100 |
Forms | All forms; photos of office space | Flash Drive |
Bank Account stamps | [your bank] corporate & client accts | 1 |
Map | Map of [your city and local] area | 1 |
[Building name] Bldg. | [Building name] Bldg. Emergency Instructions | 1 |

Box 2

Item | Description | Desired Quantity | Quantity Checked
Communications flash drive and printed list | Electronic copies of Communication documents for marketing and business development. Password: xxxx11 | 1 |
Marketing Materials | Capabilities handbook, pocket brochure, Green brochure, Blue folders | 50 each |
BD Materials | Presentation front and back covers and tabs, press release stationery | 10 set/100 sheets |
