
DigiKnight Technologies Inc.

2725 E. Technology Ave, Fremont, CA 94536

Phone: 415-555-2668

Fax: 415-555-2622

Business Continuity/Disaster Recovery Plan


Last Revision Date: 8AUG2017

Revisions Control Table

Date | Summary of Changes | Changes By (Name)

12DEC2016 | Initial Draft | Livia Nguyen

14DEC2016 | Add Executive Summary, Editing | Jose A Mejia, Jordon Rude, Livia Nguyen

8AUG2017 | Editing | Livia Nguyen

Table of Contents

Revisions Control Table
Executive Summary
Purpose
Scope
Objectives
Assumptions
Disaster Definition
Document Revision Procedures
Recovery Teams
Team Member Responsibilities
Department Supervisor Responsibilities
Threats Assessment
Natural Threats
Man-made Threats
IT and Technology-based Threats
Environmental/Infrastructure Threats
Alternative Site Backup Plan
Cold Site
Warm Site
Hot Site
Mirrored Site
Mobile Site
Instructions for activating the plan
Procedure to notify and activate the plan
Disaster Declaration
Emergency Management Procedures
In the Event of a Flood or Water Damage
In the Event of an Earthquake
In the Event of a Fire
In the Event of Tornado
Appendixes
Appendix A: DigiKnight Technologies Inc. Recovery Teams
Emergency Management Team (EMT)
Purpose:
Responsibilities:
Disaster Recovery Team (DRT)
Purpose:
Responsibilities:
Information Technology Services (IT)
Purpose:
Responsibilities:
Appendix B: Contact Lists
Recovery Team
Management Contact
Insurance Provider
Vendor/Suppliers
Appendix C: Equipment Inventory
Appendix D: Distribution List
Primary
Alternatives
Appendix E: Risk Mitigation Strategies
Appendix F: Legal and Regulatory Constraints
Corporate legal and regulatory constraints
Definition
Appendix G: Template
Communication Template to assist in crisis communication situations
Appendix H: Service Contract
Computers
Office Equipment
Appendix I: Policy/Procedures
Notifying Crisis Communication Command Center Procedure
Locating and Testing of Emergency Systems
Policy for Shelter and amenities
Safety Guidelines Procedures
Evacuation Procedure
Appendix J: Test Scenario
Nature-Based Test Scenario
Man-Made-Based Test Scenario
Appendix K: Map
References

Executive Summary

This project is needed because machines and hardware fail, humans make mistakes, nature is unpredictable, and customers want access 24/7/365. A business continuity and disaster recovery plan will help ensure our company can keep operating during and after unexpected events. The business continuity and disaster recovery plans focus on making sure the employees are safe and the company can continue operating toward its business objectives. We live in a world that requires constant access, and many clients and partner providers depend on us; a company cannot afford any downtime or time lost due to unmanaged time.

The project will prepare the corporation for any type of event that could interrupt business operations. It will provide the corporation with a list of policies and procedures that will guide employees through an emergency event. The document will include an evacuation plan that will help the corporation be organized and ready for any event that could harm the company or the employees in its facilities. The project will give the corporation a risk assessment that shows what the company needs to avoid or be careful with. This document will also give the company a view of the upstream and downstream effects on business operations for each specific problem the corporation may encounter. It will allow the corporation to understand the impact of a given event and how to recover from it and continue the business in a short time to avoid losing business assets.

The cost of this project, based on the recommendations, could exceed millions of dollars, but it will protect the corporation and provide it with a plan in the long run. It is quite an expensive plan, but it gives the corporation an alternative option to continue its business and recover from any disaster event that threatens it.

Purpose

The Business Continuity and Disaster Recovery plan document was created to prepare DigiKnight Technologies Inc. for any events that could interrupt business operations. The corporation will be able to assess the risk and prepare a plan specifically to fix the problem or prevent it from happening. This plan will allow the corporation to transition from the main site to an alternative site to continue business operations if an event damages the main work site. The main objective of this document is to prepare the corporation to continue business functions when an event occurs that could cause interruption, but it also aims to prevent such events from happening.

Scope

The scope of this document is the assessment of any potential risk that could interrupt business operations. This document serves as a plan to prevent such events from happening or to give the corporation an idea of what needs to be done in a disaster event.

Objectives

Provide guidance in the event of disaster/catastrophic business interruption

Provide reference for critical data (emergency numbers, insurance information, etc.)

Provide a list of disaster recovery procedures and resources

Identify Customers/Vendors to be notified in the event of disaster

Provide Evacuation plan to protect the employees and business

Provide a list of policies and procedures that need to be followed in an emergency event

Assumptions

Key personnel will be available following a disaster

Some disasters are beyond the ability of the company to handle (e.g. nuclear war)

Vital documents, such as this plan, survive the disaster and are accessible immediately afterwards

Support organizations survive the disaster and are equipped to handle the company's needs

BCDR plan will be updated to support the business needs and requirements

Disaster Definition

Any type of event that could interrupt business operations. It could be a natural disaster event or a threat such as a cyber-attack or other man-made threats.

Document Revision Procedures

The Disaster Recovery Team (DRT) will create a new risk assessment annually to update the current threats and possible disasters facing the corporation. The Emergency Management Team (EMT) will then review it and create a new plan that supports current needs. The EMT will then present the plan to the CEO for approval and update corporate management about the change. Once the document revision is approved, it will be put in place and the changes needed for the update will be implemented. Information Technology Services (IT) will work together with the DRT and EMT to implement the changes.

Recovery Teams

Emergency Management Team (EMT)

Disaster Recovery Team (DRT)

Information Technology Services (IT)

Team Member Responsibilities

All team members will keep an updated phone list that lists the phone numbers of other members of their department at all times in case of emergency after work hours

All team members will be familiar with the plan so that action can be taken quickly in the case of disaster

Team members will notify their department supervisors in the event of disaster and follow proper procedure.

Team members

Department Supervisor Responsibilities

Department supervisors will maintain a hardcopy of the current plan at their homes in case of emergency

In the event of emergency, Department Supervisors will begin notifications using the phone list

Department Supervisors will notify senior management in the event of disaster

Threats Assessment

The threats were ranked based on the likelihood of the event taking place and the associated vulnerability. Each entry lists the percentage of upstream and downstream loss during the event.

Natural Threats

Earthquake

o Upstream: 45%

o Downstream: 45%

Wildfire

o Upstream: 75%

o Downstream: 75%

Tornado

o Upstream: 55%

o Downstream: 55%

Hurricane

o Upstream: 100%

o Downstream: 100%

Earthquake

o Upstream: 45%

o Downstream: 45%

Man-made Threats

Competition

o Upstream: 50%

o Downstream: 50%

Malicious Individual (Hacktivists, hacker group, etc)

o Upstream: 50%

o Downstream: 50%

Disgruntled Employees

o Upstream: 10%

o Downstream: 25%

Politically Motivated Individuals

o Upstream: 50%

o Downstream: 50%

Corporate Espionage

o Upstream: 30%

o Downstream: 25%

IT and Technology-based Threats

Severe Weather

o Upstream: 75%

o Downstream: 75%

Malicious Software

o Upstream: 100%

o Downstream: 100%

Corrupted Data

o Upstream: 50%

o Downstream: 50%

Software Bugs

o Upstream: 50%

o Downstream: 50%

Virus

o Upstream: 40%

o Downstream: 45%

Environmental/Infrastructure Threats

Wildfire

o Upstream: 75%

o Downstream: 75%

Earthquakes

o Upstream: 45%

o Downstream: 45%

Flash Flood

o Upstream: 25%

o Downstream: 25%

Tornado

o Upstream: 10%

o Downstream: 10%

Hurricane

o Upstream: 5%

o Downstream: 5%

Alternative Site Backup Plan

Cold Site

Begin by turning on power and making sure internet is available on site. Designated crews should already be on their way or on site to begin marking and designating where equipment will be placed. Back on site, crews will be loading what is essential onto moving vehicles. At this point all business-critical items will be taken and everything else will be rented. If renting, the designated personnel will have already made plans with the rental company.

IT oversees backing up and deciding what must be taken and what must be left behind. Anything left behind will be purged of data and disconnected, and stored if possible.

Human Resources, Payroll, and similar departments will need to back up all essential databases per IT's instructions. It is up to the individual managers to keep a record of what is taken and what is left behind.

Once on site, the sections will begin to set up and run bare-bones business-critical operations. IT is deemed Priority One, followed by equipment crews and Human Resources, and lastly Payroll.

Warm Site

This is the process for transferring primary site operations to the warm site. This does not mean taking everything; take only what is needed (what is not available at the warm site).

When relocating to an alternate site, you must ensure that everything vital to your operation is taken: not necessarily all equipment, but the important items that, if not taken, could be detrimental to your operation. Any information that details your operation or holds any sort of trade secrets will need to be taken to the alternate site as well.

When a relocation is necessary, management will make the notification. All employees must pack up what they can in a safe manner, including all of their desk items, and prepare them for relocation to the alternate site. They will take any documents that are important, or that may be considered important or secret in nature to the company.

IT will have to ensure proper backups are conducted and that the data is available on the backups. Those backups will have to be removed from the server and taken to the alternate location as well. IT management will arrange with the service providers of all utilities in use at the main site for the shutdown and transfer of specified services such as internet, etc.

Human Resources will need to ensure that they take all of the files that hold any sort of Personally Identifiable Information and that all of the important documents for the company are taken with them.

Hot Site

When the initial crisis is verified and confirmed, the designated hot site coordinator will take charge, assigning pre-designated personnel to the site or another location. HR, Payroll, and other critical departments will begin transporting to the hot site.

The hot site coordinator will already be on site performing basic checks to ensure equipment is operational. Designated personnel will then arrive and begin to assemble in the pre-assembled areas. IT personnel will make sure all data has been backed up or that all personnel have data that is as accurate as possible.

The hot site should be operational in under two hours, as the designated hot site coordinator makes sure that all building functions are operational. This includes electricity, internet, water services, waste services, etc. The hot site should be completely operational in under 48 hours and will continue to operate in a normal capacity while the primary site is worked on and investigated.

Mirrored Site

Find a site bigger than the primary site because employees will be working in the same place. Get all of the equipment and devices that the alternative site needs. Make sure that nothing is in the way when setting up the equipment. Work with the service providers and utilities that are needed and will be added to the new site.

Everything will be copied and taken to the new site to be set up like the primary site. All of the equipment that the company owns will be put in place. Another option is to rent the equipment, which will decrease the cost of implementing the plan. All employees will be in charge of getting the equipment and items that they need for their tasks.

IT will back up and create a copy of all the data currently on the primary site to add to the new alternative site. All of the backups will then be placed onto the new server in the mirrored site. The site will have to be set up with the same configuration as the primary site, since its function will be exactly the same as the primary site's. IT management will work with service providers and utilities to shut down the primary site and get the alternative site running.

Human Resources will bring any last files that contain important information to the new site. Everything taken from the primary site needs to be documented properly so that it can be tracked and to make sure that nothing is missing later when moving back to the primary site.

Mobile Site

The mobile site transport must be acquired and equipped with all necessary equipment to enact an alternate site. The mobile site should be based in a separate location from the primary and alternate sites. For quick deployment, it is imperative to have the mobile site ready to go beforehand and to make all necessary instructions about the mobile site available to the disaster recovery team. In the event that the mobile site is deployed, team members must designate a driver and operators for the site and follow all directives for arriving at the designated location while keeping systems operable and running.

Instructions for activating the plan

Procedure to notify and activate the plan

Security will do a sweep of the main location to ensure that all members are evacuating from the main building and that nothing important is left behind. Security can use pre-made checklists to double-check that all important assets were removed and all important documents were taken, and to ensure that the building is secure after evacuation is complete.

Upon arrival at the alternate work site, Security will need to do a sweep of the building to ensure no transients, wild animals, or anything else unexpected is inside the building. Once the sweep is complete and the all clear is given, everyone can head inside and start setting up shop.

First, IT will need to ensure that the services that needed to be turned on or transferred to the alternate site were actually moved. Once that is confirmed, they will need to get the servers back online from the backups they made before the relocation. After that is completed and tested, they can start getting the equipment online.

The workers will ensure that they have power at their respective stations; if no power is available, they will need to notify IT so that an electrician can be brought on site to fix the dead power line. Workers will ensure that they have a functioning LAN connection and that all equipment essential to the job is functioning as it should. If there are any issues, the worker is responsible for notifying IT so that the issue can be resolved.

HR will ensure that all important documents are accounted for and locked up as necessary. HR will also ensure that they are functioning at 100% and notify IT if they are unable to do their job because of malfunctioning equipment or access.

Disaster Declaration

The disaster declaration statement should include the general disaster information:

Notification and clarification of event

Impact of event

Current status and condition of people, facilities, and equipment

Frequency of updates, estimated time of next update

The disaster declaration statement should include specific information and instructions for various stakeholders and groups including:

Employees

Vendors, suppliers, contractors

Customers

Business partners

Community and media

Legal and regulatory notification requirements

Emergency Management Procedures

These procedures are for DigiKnight Technologies Inc. personnel in the event of a disaster. If these procedures are unclear, personnel should seek guidance from team leaders or disaster response teams. If immediate action is required, priority should be given to personnel safety.

These procedures will be given to all DigiKnight Technologies Inc. management personnel for reference. If personnel cannot access their workspace, they are to contact their team leads or department supervisor for a secondary workspace.

In the Event of a Flood or Water Damage

In the event of a flood or broken water pipe within the facilities, follow the procedure below:

See if the emergency can be contained by turning off the water main or the nearest source of water. If it is flooding, try to contain the flooding to one area and try to plug the source.

Notify maintenance immediately to shut down power to the affected area of the building to help prevent any electrical fires that may be triggered by water damage.

Immediately notify management of the situation and call 9-1-1 if needed.

Notify all personnel in the building of the situation and have them prepare to evacuate if needed.

Personnel will evacuate if needed to a predetermined assembly area by department and will all be accounted for.

In the Event of an Earthquake

In the event of a major earthquake, follow the evacuation plan and look for shelter by following supervisor instructions.

See if the situation is okay; check yourself and the surrounding area for any injured persons or building damage.

If life is at risk or rescue is needed, immediately call 9-1-1.

If any power lines are exposed by damage from the earthquake, notify maintenance so the power can be turned off to help prevent any shock or electrical fires from causing further damage.

Immediately notify management of the situation and of any injuries or damage caused.

Notify all personnel in the building of the situation and have them prepare to evacuate if needed.

Personnel will evacuate if needed to a predetermined assembly area by department and will all be accounted for.

In the Event of a Fire

If any type of fire event is happening, immediately follow the evacuation plan and leave the building by following supervisor instructions. The supervisor will contact emergency help using the emergency response contact list to stop the fire.

See if the emergency can be contained by use of a fire extinguisher first. If it is out of control, find the nearest fire alarm, trigger the alarm, and call 9-1-1.

Immediately notify management of the situation, where the fire is, and any team or department that may be affected.

Notify all personnel in the building of the situation and have them prepare to evacuate if needed.

Personnel will evacuate if needed to a predetermined assembly area by department and will all be accounted for.

In the Event of Tornado

In the event of a tornado within any of the three building facilities, the guidelines and procedures in this section are to be followed.

As soon as a tornado is noticed or there is notification of a tornado, prepare for the worst.

Immediately notify management of the situation.

Prepare to shelter in place if necessary.

Board up all the windows in the building and ensure that people stay away from any doors or windows.

Ensure that emergency kits are distributed that include candles, a battery-powered radio, blankets, water, and some nonperishable food items.

Notify all personnel in the building of the situation and have them prepare to evacuate if able or needed.

Personnel will evacuate to a predetermined assembly area by department and will all be accounted for if needed.

Appendixes

Appendix A: DigiKnight Technologies Inc. Recovery Teams

Emergency Management Team (EMT)

Note: see Appendix B for contact information

Purpose:

The EMT is intended to coordinate disaster recovery operations, evaluate and declare disaster conditions, and communicate with senior management.

Responsibilities:

Evaluate recovery actions and coordinate recovery efforts

Evaluate any damage assessments

Determine recovery priorities

Keep senior management informed as to the progress of recovery efforts

Disaster Recovery Team (DRT)

Note: see Appendix B for contact information

Purpose:

The DRT is intended to determine recovery needs and ensure that recovery operations are proceeding as necessary.

Responsibilities:

Establish command center and secondary work locations

Notify all department supervisors and ensure that they have activated their disaster recovery plan, if necessary

Take appropriate action to return business to normal operations

Prepare a post-disaster recovery report

Coordinate recovery plans and ensure plans are kept up to date

Information Technology Services (IT)

Note: see Appendix B for contact information

Purpose:

IT will assist recovery efforts by facilitating technology restoration.

Responsibilities:

Provide guidance on replacement/repair of damaged equipment

Salvage equipment that can be used in recovery efforts

Appendix B: Contact Lists

Recovery Team

Administrative Support Team

Address: 2725 E. Technology Ave. Fremont, CA 94536

Personnel: Mark Saunders

Phone Number: 415-555-2668

Fax Number: 415-555-2622

IT Team

Address: 2725 E. Technology Ave. Fremont, CA 94536

Personnel: Alivia McKellips

Phone Number: 415-555-8352

Management

Address: 2725 E. Technology Ave. Fremont, CA 94536

Personnel: Taylor Copeland

Phone Number: 415-555-3415

BC/DR Team

Address: 2725 E. Technology Ave. Fremont, CA 94536

Personnel: Melvin Martin

Phone Number: 415-555-4516

Crisis Management Team

Address: 2725 E. Technology Ave. Fremont, CA 94536

Personnel: Jesse Quinn


Phone Number: 415-555-5237

HR

Address: 2725 E. Technology Ave. Fremont, CA 94536

Personnel: Kurt Lloyd

Phone Number: 415-555-6815

Management Contact

DigiKnight Technologies Inc.

Address: 2725 E. Technology Ave, Fremont, CA 94536

Phone Number: 415-555-2668

Fax: 415-555-2622

CEO: 415-555-7841

Administration: 415-555-8643

Sales Department: 415-555-6312

Manufacturing Department: 415-555-6161

Research & Development Department: 415-555-3223

Maintenance Department: 415-555-3970

Advertising Department: 415-555-3131

Shipping Department: 415-555-6431

Purchasing Department: 415-555-3298

Security Department: 415-555-3852

IT Department: 415-555-8352

Insurance Provider

Agent: Michael Rizzo

Address: 38750 Paseo Padre Parkway Ave A-3 Fremont, CA 94536-6169

Phone number: 512-791-8611

Vendor/Suppliers

Computer Vendors

o Dell

Address: One Dell Way Round Rock, Texas 78662

Toll Free Number: 1-800-WWW-DELL

o HP

Address: 3000 Hanover Street Palo Alto, CA 94304-1185

Toll Free Number: 800-282-6672

o Boldata

Address: 48363 Fremont Blvd. Fremont, CA 94538

Toll free Number: 800-923-2653

Suppliers

o Blank DVD/CD/Cases

The Tech Geek

Address: 48965 Warm Springs Blvd Fremont, CA 94539

Toll Free Number: 1-800-456-0825

Disc Makers

Address: 7905 N. Route 130 Pennsauken, NJ 08110-1402

Toll Free Number: 800-468-9353

Phone Number: 856-663-9030

Dub-It Media Services

Address: 1110 North Tamarind Avenue Hollywood, CA 90038

Toll Free Number: 1-888-99DUB-IT

Phone Number: 323-993-9570

ISSI Business Solutions

Address: 22122 20th Ave SE #152 Bothell, WA 98021

Toll Free Number: 1-800-660-3586

Phone Number: 425-483-4801

o Packaging Box

Customized Packaging Solutions Inc.

Address: 8333 24th Avenue P.O. Box 278060 Sacramento, CA 95826

The Packaging House, Inc.

Address: 6330 North Pulaski Road Chicago, IL 60646-4594

Toll Free Number: 800-966-1808

o Paper

JC Paper

Address: 47422 Kato Rd Fremont, CA 94538

Phone Number: 510-413-4700

Appendix C: Equipment Inventory

Building One

o 10 computers

Building Two

o 27 computers

Building Three

o 10 servers

o 20 computers

Appendix D: Distribution List

Primary

Administration

o Mark Saunders - mdaunders@DigiKnight.com

Sales

o Diane Ford - dford@DigiKnight.com

Manufacturing

o Linda Kraemer - lkraemer@DigiKnight.com

Research & Development

o Carlton Bowden - cbowden@DigiKnight.com

Maintenance

o Michael Winters - mwinters@DigiKnight.com

Advertising

o Michael Churchill - mchurchill@DigiKnight.com

Shipping

o Kenneth Gilliam - kgilliam@DigiKnight.com

Purchasing

o Katherine Cavenaugh - kcavenaugh@DigiKnight.com

Security

o Brett Kelcey - bkelcey@DigiKnight.com

IT

o Alicia McKellips - amckellips@DigiKnight.com


Alternatives

Administrative Support Team

o 2POC: Jennifer Taft

o Phone Number: 415-555-0690

o Email: jtaft@digiknight.com

IT Team

o 2POC: John Teller

o Phone Number: 415-555-0420

o Email: jteller@digiknight.com

Management

o 2POC: Jack Reacher

o Phone Number: 415-555-7337

o Email: jreacher@digiknight.com

BC/DR Team

o 2POC: Denise Andrews

o Phone Number: 415-555-5304

o Email: dandrews@digiknight.com

Crisis Management Team

o 2POC: Julia Magallenas

o Phone Number: 415-555-5765

o Email: jmagallenas@digiknight.com

HR

o 2POC: Kurt Cobain

o Phone Number: 415-555-5775

o Email: kcobain@digiknight.com

Appendix E: Risk Mitigation Strategies

Risk buffering entails the use of failsafes and backups to ensure the success of the implemented plan. If plan A falls through, plan B is enacted and ensures that plan A is restored to its fullest.

Risk avoidance is the elimination or avoidance of certain crucial risks that could inevitably impact the company in a detrimental fashion. The nature of the solution is to mitigate risks based on the choices available.

Risk control involves plotting and devising an alternative plan that may implement a different solution as a backup to limit the amount of risk a company may encounter. This may include taking more control of the risks that present themselves within a company, such as a lack of security. Risk control seems to be the ultimate fallback in case a company is about to go bankrupt from loss of sales or damages that exceed the annual operating cost.

Risk transfer and contracting typically occurs at the contractual level, where one party agrees to share some of the risk with another entity. That being said, this solution seems to demand a certain amount of risk in return for rewards or kickbacks among the participants involved. Companies that contract their services out to third-party personnel typically use risk transfer and contracting. Contracts typically extend to a maximum of 3-6

Appendix F: Legal and Regulatory Constraints

Corporate legal and regulatory constraints

The company should consult a legal team or legal staff and have them provide input on legal issues.

Depending on the contents of a message, company regulations may apply to intellectual property or sensitive data/documentation that could be used against the company. These regulations may include a sort of self-destruct initiative or disposal process to keep the information from getting into the wrong hands. This may also apply to private companies with a strong public image that they do not want defaced in public.

o Control timing of release.

o Mitigate issues before public release.

o Messages delete every hour on the hour.

o Or the opposite, regulation may include that messages CANNOT be deleted.

Other legal constraints could include failure to report to federal agencies such as OSHA, DHHS, and DHS, and complying with HIPAA.

o Fines and penalties entailed with failure to comply with federal agencies.

o Potential lawsuits by employees.

o Protection of employee information.

Definition

Intellectual Property - a work or invention that is the result of creativity, such as a manuscript or a design, to which one has rights and for which one may apply for a patent, copyright, trademark, etc.

Sensitive Information - data that is protected against unwarranted disclosure. Access to sensitive information should be safeguarded. Protection of sensitive information may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations.

OSHA - The Occupational Safety and Health Administration, more commonly known by its acronym OSHA, is responsible for protecting worker health and safety in the United States.

DHHS - Acronym for the U.S. Department of Health and Human Services. Also known as HHS. The U.S. Department of Health and Human Services has two types of operating divisions: The Human Services and the Public Health Service Operating Divisions.

DHS - The United States Department of Homeland Security (DHS) is a federal agency designed to protect the United States against threats. Its wide-ranging duties include aviation security, border control, emergency response and cybersecurity.

HIPAA - Acronym that stands for the Health Insurance Portability and Accountability Act, a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers.

Appendix G: Template

Communication Template to assist in crisis communication situations

To whom it may concern,

On (mm/dd/yyyy) at approximately (0123) an event took place at our company due to natural weather conditions. Everything is under control and we are working with local disaster recovery agencies to get us back online and fully operational. During this time, we will be working hard to ensure that everything that needs to be done will be done in a timely manner and in the safest way possible. Our goal is to ensure that this incident is contained with zero incidents and that we are able to fully recover in the quickest amount of time possible. If you need any further information, please feel free to contact our Public Affairs Officer at (123)456-7890. Thanks for your understanding.

General disaster information including:

Notification and Clarification of event (What happened, How it happened)

Impact of event (Systems impacted, Personnel affected, Buildings or assets)

Current status and condition of personnel, buildings, and assets

Frequency of updates and estimated time of next update

Specific Information/Instructions pertaining to specific groups:

Employees

Vendors, suppliers and contractors

Customers

Business partners

Community and media

Legal and regulatory notification requirements

Contact information for additional information

Public Affairs Officer

Jack Sparrow

(123)456-7890

jsparrow@DigiKnight.com

Appendix H: Service Contract

Computers

Dell

o Contract expires every year on December 29th

o Contract can be renewed without changes every year

o Same-day service will only be accepted if the request is made before 3 pm

o Computer serial number is DGK12389-# (# is the number of computer)

o Call 1-888-555-5897 for service

HP

o Contract expires on February 22nd every year

o Contract can be renewed without changes every year

o Provides 34 hour and all year service without additional charge

o Computer serial number is DGK55879-# (# is the number of computer)

o Call 1-888-555-5237 for service

Boldata

o Contract only offers to send maintenance personnel on site from Monday to Friday

between noon and 5 pm

o Contract expires on March 9th every three years

o Serial number is DGK-# (# is the number of computer)

o Call 1-888-555-1497 for service

We Sell Software Inc.

o 24-hour customer support telephone service

o Covers all office, sales, administration, and any other software programs that the

company has.

o Call 1-888-9876 for software service

Office Equipment

Copy/Fax machines

o Contract expires on November 7th every year

o Service contract covers normal working hours at the company.

o Send new unit if necessary

o Broken units need to be sent back

o Contract number for all office equipment is OEIDKG-125

o All device serial numbers are DGK191

o Call 1-888-555-1576 for service

Production Machines

o Production machines are serviced on site by the maintenance staff

o Contact We FixEm Inc. if the maintenance staff cannot repair the broken production

machine.

o Call 1-888-555-0567 for We FixEm Inc. service

o The machine does not have a serial number because it is custom built

o Contract number is WFDK4898

Appendix I: Policy/Procedures

Notifying Crisis Communication Command Center Procedure

In the event that the Crisis Communication Command Center needs to be contacted, management will

need to ensure that IT is notified and aware of all situations and tasks that need to be completed.

The BC/DR team will work with management and IT to ensure continuity of all information that needs

to be known.

The BC/DR team will work with the Crisis Management team and coordinate all efforts with the Crisis

Communication Command Center.

Locating and Testing of Emergency Systems

General Requirements:

Exit route design must be permanent.

Ensure exit doors swing in the direction of travel.

All exits must be clearly marked and lit with red EXIT signs.

Post appropriate signs for other doors stating, NOT AN EXIT.

Emergency Alarms

Alarms must be regularly checked and tested in accordance with regulations.

An emergency action plan is implemented to evacuate personnel and is integrated with local or state/Federal

agencies in accordance with the emergency.

Emergency medical and first aid equipment must be put in accessible locations and clearly marked.

First aid equipment must be maintained and supplied.

Train personnel in adequate use of first aid equipment.

Fire suppression systems must be checked and maintained according to system regulations.

Fire suppression systems must be placed in readily accessible areas.

Fire extinguishers should only be approved portable systems.

A written fire prevention plan that includes what to do when a major fire hazard occurs, procedures for

dealing with the hazard, and who to contact to help control the hazard.

OSHA Regulations

Policy for Shelter and amenities

Close the business. Bring everyone into the room(s). Shut and lock the door(s).

If there are customers, clients, or visitors in the building, provide for their safety by asking them

to stay, not leave. When authorities provide directions to shelter-in-place, they want everyone

to take those steps now, where they are, and not drive or walk outdoors.

Unless there is an imminent threat, ask employees, customers, clients, and visitors to call their

emergency contact to let them know where they are and that they are safe.

Turn on call-forwarding or alternative telephone answering systems or services. If the business

has voice mail or an automated attendant, change the recording to indicate that the business is

closed, and that staff and visitors are remaining in the building until authorities advise it is safe

to leave.
Close and lock all windows, exterior doors, and any other openings to the outside.

If you are told there is danger of explosion, close the window shades, blinds, or curtains.

Have employees familiar with your building's mechanical systems turn off all fans, heating and

air conditioning systems. Some systems automatically provide for exchange of inside air with

outside air; these systems, in particular, need to be turned off, sealed, or disabled.

Gather essential disaster supplies, such as nonperishable food, bottled water, battery-powered

radios, first aid supplies, flashlights, batteries, duct tape, plastic sheeting, and plastic garbage

bags.

Select interior room(s) above the ground floor, with the fewest windows or vents. The room(s)

should have adequate space for everyone to be able to sit in. Avoid overcrowding by selecting

several rooms if necessary. Large storage closets, utility rooms, pantries, copy and conference

rooms without exterior windows will work well. Avoid selecting a room with mechanical

equipment like ventilation blowers or pipes, because this equipment may not be able to be

sealed from the outdoors.

It is ideal to have a hard-wired telephone in the room(s) you select. Call emergency contacts

and have the phone available if you need to report a life-threatening condition. Cellular

telephone equipment may be overwhelmed or damaged during an emergency.

o Use duct tape and plastic sheeting (heavier than food wrap) to seal all cracks around the

door(s) and any vents into the room.

Write down the names of everyone in the room, and call your business's designated emergency

contact to report who is in the room with you, and their affiliation with your business

(employee, visitor, client, customer).


Keep listening to the radio or television until you are told all is safe or you are told to evacuate.

Local officials may call for evacuation in specific areas at greatest risk in your community.

Safety Guidelines Procedures

Understand and follow the corporate-provided safety procedure.

Report any sickness or injury to the supervisor.

If an injury results in a bone fracture or other severe condition, employees must be

removed from the current job until proper medical attention has been given.

Avoid wearing loose clothing or accessories in case they get caught in machinery.

Always pay attention to your surroundings to avoid hurting yourself and others around you.

Wear protective equipment at all times if required for the task.

Make sure that there is nothing blocking the emergency exit way at all times.

Keep your own work area clean.

Shut down any machinery before doing any maintenance.

Only authorized personnel are allowed to operate tow motors and lift trucks.

Do not run around in the working area.

Do not tamper with anything that you are not responsible for (such as the electric control).

Report any unsafe incident or action to the supervisor immediately.

Evacuation Procedure

Water Emergency (flood, rain, water main)

See if the emergency can be contained by turning off the water main, or nearest source

of water. If it is flooding, try to contain the flooding to one area and try to plug the

source.
Notify maintenance immediately to shut down power to the affected area of the

building to help prevent any electrical fires that may trigger from water damage.

Immediately notify management of the situation and call 9-1-1 if needed.

Notify all personnel in the building of the situation and have them prepare to evacuate if

needed.

Personnel will evacuate if needed to a predetermined assembly area by department and

will all be accounted for.

Earthquake

See if the situation is okay, check yourself and the surrounding area for any injured

persons or building damage.

If life is at risk or rescue is needed, immediately call 9-1-1.

If there are any power lines exposed from damage caused by the earthquake, notify

maintenance so the power can be turned off to help prevent any shock, or electrical

fires from causing further damage.

Immediately notify management of the situation and about any injuries or damages that

were caused.

Notify all personnel in the building of the situation and have them prepare to evacuate if

needed.

Personnel will evacuate if needed to a predetermined assembly area by department and

will all be accounted for.

Fire

See if the emergency can be contained by use of a fire extinguisher first. If it's out of

control, find the nearest fire alarm, trigger the alarm, and call 9-1-1.

Immediately notify management of the situation, where the fire is, and any particular

team, or department that may be affected.

Notify all personnel in the building of the situation and have them prepare to evacuate if

needed.

Personnel will evacuate if needed to a predetermined assembly area by department and

will all be accounted for.

Tornado

As soon as a tornado is noticed or there is notification of a tornado, prepare for the

worst.

Immediately notify management of the situation.

Prepare for shelter in place if necessary.

Board up all the windows in the building and ensure that people stay away from any

doors or windows.

Ensure that emergency kits are distributed that include candles, a battery powered

radio, blankets, water, and some food items that are nonperishable.

Notify all personnel in the building of the situation and have them prepare to evacuate if

able or needed.

Personnel will evacuate to a predetermined assembly area by department and will all be

accounted for if needed.


Appendix J: Test Scenario

Nature-Based Test Scenario

In preparation for nature-based threats to Digiknight corp., we will be conducting a mandatory

test scenario to prepare for the event of an earthquake. Training for this event will include proper

assessment techniques for determining damage after an earthquake, which will include but not be

limited to instruction on how to clear debris and remove equipment from any damaged areas, how to

stop all production equipment when and if necessary, and what steps to take to ensure safe practices

while doing so. This training will also include instructions on how to contact and notify all high-level

employees, maintenance teams, and other personnel in the event of an emergency situation. A drill will

be conducted to assess the level of efficiency for the earthquake action plans reviewed in training

sessions.

Thank you for your cooperation in this matter.

Man-Made-Based Test Scenario

In preparation for man-made based threats to Digiknight corp., we will be conducting a

mandatory test scenario to prepare for the event of a network outage. Training for this event will

include procedures for notifying high level employees, IT teams, and other personnel, as well as how to

determine the cause of an outage and the time frame for its recovery. This training will be broken down

into several parts depending on the scale and time frame of each scenario outage. A drill will be

conducted to assess the level of efficiency for network outage action plans that will be reviewed in these

training sessions.

Thank you for your cooperation in this matter.

Appendix K: Map

References

https://definedterm.com/a/definition/1528

http://www.omnisecu.com/ccna-security/types-of-backup-sites.php

http://vladlen.info/publications/computer-generated-residential-building-layouts/

https://www.osha.gov/Publications/osha3122.html
