Inspirien Business Continuity Plan
Business Continuity PlanMontgomery, ALLast Updated: 4/7/2020-1-
InspirienBusiness Continuity PlanContentsDocument Change Control .4Version History .4Section I: Introduction.5A.How to Use This Plan .5B.Objectives .5C.Scope .6D.Assumptions .6E.Changes to the Plan/Maintenance Responsibilities .6F.Plan Testing Procedures and Responsibilities .7G.Plan Training Procedures and Responsibilities .7H.Plan Distribution List . 8I.Team Overview . 8Section II: Business Continuity Strategy . 9A.Overview of Plan . 9B.Key Elements of Recovery Capability . 9C.Alternate Worksites . 9D.Business Function Recovery Priorities . 10E.Time Critical Business Functions . 10F.Disaster Recovery File . 11G.Workarounds. 11H.Critical Roles . 13I.Recovery Time Objectives . 14J.PC, Software, and Equipment Needs . 15K.Disaster Declaration Levels and Criteria. 16L.Crisis Level Actions within the First 48 Hours. 18M.Disaster Recovery Timeline . 19Section III: Disaster Management Teams and Responsibilities . 20A.Disaster Management Organization Structure. 20B.Team Responsibilities . 21-2-
InspirienBusiness Continuity PlanC.Process Flows . 26Section IV: Appendices . 34Appendix A – Employee Telephone Lists . 35Appendix B – Recovery Priorities for Critical Business Functions . 36Appendix C – Alternate Site Recovery Resource Requirements . 37Appendix D - Emergency Operations Center (EOC) Locations . 39Appendix E - Vital Records . 40Appendix F - Forms and Supplies . 41Appendix G - Vendor Lists . 42Appendix H - Desktop Computer Configurations . 43Appendix I - Critical Software Resources . 44Appendix J - Alternate Site Transportation Information . 45Appendix K - Alternate Site Accommodations Information . 46Appendix L - Severity Impact Assessments . 47Appendix N - Recovery Tasks List . 49Appendix O - Emergency Evacuation Plan . 50Appendix P – Disaster Scenarios . 51Appendix Q – Test Scenarios . 52Appendix R – Picture Templates . 53-3-
InspirienBusiness Continuity PlanDocument Change ControlMaintenance and periodic updates of the plan are the responsibility of Mary Gibson. Thisincludes updates to all contact information and any changes to information 11/5/20183/18/2020Version1.02.02.12.22.32.4Version HistoryLast Updated ByJake HoraMary Gibson/Jamie MillingMary GibsonMary GibsonMary GibsonMary GibsonChange/ReviewInitial DocumentCompleted DocumentUpdated DocumentAdded Test DatesUpdated DocumentUpdated DocumentModified by: / /Reviewed by: / /Approved by: / /-4-
InspirienBusiness Continuity PlanSection I: IntroductionA. How to Use This PlanIn the event of a disaster which interferes with Inspirien’s ability to conduct business fromits Montgomery office, this plan is to be used by the individuals responsible to coordinatethe business recovery of their respective areas and/or departments. The plan is designed tocontain, or provide reference to, all of the information that might be needed at the time of abusiness recovery.Index of Acronyms: (DMT) Disaster Management Team; (BCP) Business Continuity Plan; (IT)Information Technology; (EOC) Emergency Operations Center; (RTO) Recovery TimeObjective; (RPO) Recovery Point Objective; (DBMS) Database Management SystemSection I, Introduction, contains general statements about the organization of the plan. Italso establishes responsibilities for the testing (exercising), training, and maintenanceactivities that are necessary to guarantee the ongoing viability of the plan.Section II, Business Continuity Strategy, describes the strategy that Inspirien willcontrol/implement to maintain business continuity in the event of a facility disruption.These decisions determine the content of the action plans, and if they change at any time,the plans should be changed accordingly.Section III, Disaster Management Teams and Procedures, lists the Recovery Teamfunctions, those individuals who are assigned specific responsibilities, procedures on howeach of the team members is to be notified, determines what activities and tasks are to betaken, in what order, and by whom in order to affect the recovery.Section IV, Appendices, contains all of the other information needed to carry out the plan.Other sections refer the reader to one or more Appendices to locate the informationneeded to carry out the Team Procedures steps.B. ObjectivesThe objective of the Business Continuity Plan is to coordinate recovery of critical businessfunctions in managing and supporting the business recovery in the event of a facilities(office building) disruption or disaster. This can include short or long-term disasters or otherdisruptions, such as fires, floods, earthquakes, explosions, terrorism, tornadoes, extendedpower interruptions, hazardous chemical spills, and other natural or man-made disasters.A disaster is defined as any event that renders a business facility inoperable or unusable sothat it interferes with the organization’s ability to deliver essential business services.The priorities in a disaster situation are to: Ensure the safety of employees and visitors in the office buildings. (Responsibility ofthe Site Response Team)-5-
InspirienBusiness Continuity Plan Mitigate threats or limit the damage that threats can cause. (Responsibility of theSite Response Team)Have advanced preparations to ensure that critical business functions can continue.Have documented plans and procedures to ensure the quick, effective execution ofrecovery strategies for critical business functions.The Inspirien Business Continuity Plan includes procedures for all phases of recovery asdefined in the Business Continuity Strategy section of this document.C. ScopeThe Business Continuity Plan is limited in scope to recovery and business continuance from aserious disruption in activities due to non-availability of Inspirien facilities. The BusinessContinuity Plan includes procedures for all phases of recovery as defined in the BusinessContinuity Strategy of this document. Unless otherwise modified, this plan does not addresstemporary interruptions of duration less than the time frames determined to be critical tobusiness operations.The scope of this plan is focused on localized disasters such as fires, floods, tornados,medical emergencies, active shooter, bomb threat, power failure, system outage, and otherlocalized natural or man-made disasters. This plan is not intended to cover major regional ornational disasters such as regional earthquakes, war, or nuclear holocaust. However, it canprovide some guidance in the event of such a large scale disaster.D. AssumptionsThe viability of this Business Continuity Plan is based on the following assumptions: That a viable and tested IT Disaster Recovery Plan exists and will be put intooperation to restore data center service at a backup site within five to seven days.That Inspirien’s Logistics Coordinator (Meredith Dismukes) and DisasterManagement Team has identified available space for relocation of departmentswhich can be occupied and used normally within two to five days of a facilitiesemergency.That this plan has been properly maintained and updated as required.The functions and roles referenced in this plan do not have to previously exist withinan organization; they can be assigned to one or more individuals as newresponsibilities, or delegated to an external third party if funding for such servicescan be arranged and allocated.E. Changes to the Plan/Maintenance ResponsibilitiesMaintenance of the Business Continuity Plan is the joint responsibility of Business ContinuityTeam, the Disaster Management Team, and the Business Continuity Coordinator (MaryGibson). This document will be maintanted Annually by both the Program Manager andExecutive Assistant.-6-
InspirienBusiness Continuity PlanBusiness Continuity Team is responsible for:Periodically reviewing the adequacy and appropriateness of its Business Continuity strategy. Assessing the impact on the Business Continuity Plan of additions or changes toexisting business functions, procedures, equipment, and facilities requirements.Keeping recovery team personnel assignments current, taking into accountpromotions, transfers, and terminations.Communicating all plan changes to the Business Continuity Coordinator so that theorganization’s IT master Disaster Recovery Plan can be updated.Disaster Management Team is responsible for: Maintaining and/or monitoring offsite office space sufficient for critical functionsand to meet the facility recovery time frames.Communicating changes in the “Organization IT Disaster Recovery Plan” plan thatwould affect groups/departments to those groups/departments in a timely mannerso they can make any necessary changes in their plan.Communicating all plan changes to the Business Continuity Coordinator so that themaster plan can be updated.The Business Continuity Coordinator (Mary Gibson) is responsible for: Keeping the organization’s IT Recovery Plan updated with changes made to thefacilities plans.Coordinating changes among plans and communicating to Business Continuity Planmanagement when other changes require them to update their plans.F. Plan Testing Procedures and ResponsibilitiesBusiness Continuity Plan management is responsible for ensuring the workability of theirBusiness Continuity Plan. This should be periodically verified by active or passive testing.G. Plan Training Procedures and ResponsibilitiesBusiness Continuity Plan management is responsible for ensuring that the personnel whowould carry out the Business Continuity Plan are sufficiently aware of the plan’s details. Thismay be accomplished in a number of ways including; practice exercises, participation intests, and awareness programs conducted by the Business Continuity Coordinator.-7-
InspirienBusiness Continuity PlanH. Plan Distribution ListThe Business Continuity Plan will be distributed to the following departments and/orindividuals, and will be numbered in the following manner:Plan ID NoLocationPerson Responsible01MeredithMary Gibson02Electronic file: All Employee FolderMary GibsonI. Team OverviewBelow is an over of the teams and the objectives for each team. A full and detailed listingcan be found in Section III.Executive Response Team (Page 20):Makes and oversees the decisions during a disaster. Margaret Nekic Kathy Freyman Brandon Driscoll Meredith DismukesSite Response Team (Page 22):Responsible for the physical security tothe building and damage assessmentsafter a disaster. Brandon Driscoll Mary GibsonDisaster Management Team (Page 21):Determine that all employees accounted for,arranging and directing response actions,communications, logistics and budgets during adisaster. Meredith Dismukes – Commander Brandon DriscollTechnology and Application RecoveryTeam (Page 23):Responsible for the recovery ofnecessary applications and technology. Mary GibsonBusiness Continuity Team (Page 24):Responsible for planning, maintaining and executing the business continuity issues during thedisaster. Mary Gibson Cindy Sawyer Brandon Driscoll Jim Trull Margaret Nekic Pansy Donegan Meredith Dismukes-8-
InspirienBusiness Continuity PlanSection II: Business Continuity StrategyA. Overview of PlanThis document describes the Business Continuity Plan for the Montgomery office. It explainsbusiness continuity measures necessary to recover critical business functions in the event ofa disaster, or if the office is rendered unusable. All advisors should be familiar with theprovisions of the General Crisis Management Plan and of this Business Continuity Plan inparticular.B. Key Elements of Recovery CapabilityPeople – employees understand their roles and responsibilitiesPlan – simple and pragmatic that guides actionsNetwork – enables access to key systems, data, and voiceAlternate Location – a place to relocate to in the event of a disasterTechnology – understanding of key systems and applicationsData – the digital and physical information that you useC. Alternate WorksitesDuring the recovery and business resumption period, the office will focus on reestablishingclient service and business processes. During this period, the office may need to relocatecertain operations to alternate worksites until a more permanent worksite is restored orrelocated. Alternate worksites could include the employee’s residence, a local hotel, orsome other suitable work location appropriately outfitted with technology connectivity andother necessary infrastructure.It should be noted that the team should not enter into contracts or other bindingagreements in advance for such space; however, logical locations should be pre-identifiedfor use should the need arise.Short-term alternate worksites for this office may include: 0 to 2 day:o Employee: Home residenceo Leadership: Margaret’s House2 to 5 days:o Employee: Home residenceo Leadership: Margaret’s House5 days to 2 months:o Alternate worksite determined by realtor and Meredith-9-
InspirienBusiness Continuity PlanThe exact location(s) will be determined at the time of the disaster. Personnel will redeployto the alternate worksites as instructed by the Incident Commander (Meredith Dismukes).D. Business Function Recovery PrioritiesThe strategy is to recover critical business functions at the alternate site location. This canbe possible if an offsite strategy has been put into effect by Disaster Management/Technology Recovery Teams to provide the recovery service. The Technology RecoveryTeam will recover IT functions based on the critical departmental business functions anddefined strategies.Business Functions by Location are listed in Appendix B (Recovery Priorities for CriticalBusiness Functions). “Time Critical Business Functions,” i.e., those of which are of the mostcritical for immediate recovery at the secondary location are:Reference: Appendix B – Recovery Priorities for Critical Business FunctionsE. Time Critical Business FunctionsIn the event of an emergency or disaster that renders the Inspirien office unusable, thefollowing functions must resume quickly in order to avoid a major effect to the business:1. Laptop and Internet/intranet access:Work during and immediately following an office emergency or disaster can usuallycontinue relatively uninterrupted, as long as employees have the ability to work fromtheir residence or other alternate location (i.e., if they have a telephone, their laptop, anInternet connection, connectivity with their customers and the rest of their team,including access to necessary networks and appropriate technical environments).Reference: G:\Business Continuity Plan - BCP\Computer-Needs-BCP2. Communications:In addition to laptop/internet access, it is advisable that there be an additional way tocommunicate back to the customers. This will be in the form of Nextiva and person cellphones.Reference: G:\Business Continuity Plan - BCP\Master-IT-List3. Access to sensitive documents, physical:In some cases, sensitive documents cannot or should not be removed from the office. Inthe event the office is not available, work may also need to be temporarily suspendeduntil access can be re-established in another properly secured environment and/or thedocuments can be retrieved/recreated.- 10 -
InspirienBusiness Continuity PlanThe following categories of information can be exposed to loss: Any files stored on-site in file cabinets and control file roomsInformation stored on local PC hard drivesAny work in progressReceived and un-opened mailDocuments in offices, work cubes and files4. Access to sensitive documents, network:In some cases, sensitive documents can only be accessible via the Inspirien officenetwork. In the event the office in not available, work may also need to be temporarilysuspended until access can be re-established in another properly secured environmentand/or the documents can be retrieved/recreated.F. Disaster Recovery FileCertain files or supplies have been deemed necessary by Inspirien employees in order tocontinue business operations. These materials will be maintained virtually on the AllEmployee Access File.The disaster recovery file/critical information will be reviewed and updated as necessary ona quarterly basis by Mary Gibson.G. WorkaroundsFor the most part, there are few specific workarounds which can be pre-scripted forInspirien employees. Employees will continue to strive to service their customers as soon assafety and connectivity can be restored and as long as they have their computer equipmentand materials with them.General workaround strategies include:§Access to the network share files – Azure – cloud based.§Access to RoseASP – Dynamics – cloud based, installed on computers already(but most of these are desktops) in the accounting department. They only thingthat needs to be reinstalled on a new computer, would be citrix to connect toRoseASP.§Access to the PAS system – Azure – cloud based.§Access to Origami – Access through the website portal§Access to Clearwater – Access is through a website portal- 11 -
InspirienBusiness Continuity Plan- 12 -
InspirienBusiness Continuity PlanH. Critical RolesIn the event of an emergency or disaster that renders the Inspirien office unusable, thefollowing roles must be enacted quickly in order to avoid a major effect to the business:1. Roles that need to be functional within 0-48 hours 5 Leadership Team (Margaret, Kathy, Brandon, Tiffany, Mary) 1 employee from the Accounting department (Karen) 2 employees from the Claims departmento 1 for the Workers’ Compensation Fund (Shannon)o 1 for Insurance (Kim) 1 employee from Reception (Meredith) 1 employee from Technology (Mary)2. Roles that need to be functional within 48 hours – 5 days All roles need to be funcational within 2 days- 13 -
InspirienBusiness Continuity PlanI. Recovery Time Objectives1. Immediate Response (0–24 hours)All personnel affected by the disaster shall ensure their own personal safety and followthe emergency response procedures outlined in the BCP network folder found s.In the event the Inspirien office is unavailable, personnel who typically work from theaffected office should contact their team lead, who will determine whether the alternateworksite(s) identified in section II C above will be utilized. Any redeployment of personnelor instruction to work from home/alternate location will be communicated to theindividual by their team lead.All personnel will assess the loss of their work in progress and keep a log of all activitiesand expenses related to recovery, including the re-creation of work due to the disaster.2. Short Term (24–48 Hours)Team leads will work together with key management to prioritize personnel assignmentsand shift assignments as necessary. Once resource and engagement priorities areestablished, personnel will be notified of any changes to existing assignments andassignment locations as well as any additional assignments. In most situations, existingteams will continue intact from whatever location makes the most sense for theircircumstances.3. Intermediate Term (48 Hours–5 Days)In the event the office is unavailable for several days, additional alternate worksitearrangements/contracts may be required. Any alternate worksite arrangements shouldbe made in coordination with Facilities/Operations, utilizing any preferred worksitesidentified in section II C.In most cases, work products and papers are stored and accessible electronically.However, where there is the need to access hard copy files in the office – and to theextent it is safe to do so - Facilities/Operations will attempt to facilitate the ability ofemployees to access the needed materials during this timeframe.4. Long Term (5 Days to 2 months)Team leads will continue to assess and optimize staffing assignments. The DMT willevaluate options and decide how the business is to continue.- 14 -
InspirienBusiness Continuity PlanJ. PC, Software, and Equipment NeedsThe following space and equipment requirements are likely to be needed at an alternateworksite (see section II C for preferred alternate worksite location) in the event that theInspirien office is inaccessible following a disaster:People, PCs, Equipment, and Software Needed Within Initial Two Weeks0–4848 Hours -HoursWorkspaces at an alternatefacility (includes a desk,chair)5 Days5 Days – 2monthsTotal Resources Required14404040Telephones (should alignwith # of workspaces unlessVoIP to be utilized) * Theseare softphones oneveryones cell phone.14404040Computers with PCstandard image (does notinclude laptops personnelwould typically have withthem)14404040Printers0011Fax ations: Fulllist found onsOther:- 15 -
K. Disaster Declaration Levels and CriteriaA Disaster Declaration is a formal announcement by pre-authorized personnel that adisaster or severe outage has occurred and that triggers pre-arranged recovery actions (e.g.,relocation to an alternate site).The following teams have been identified as critical path towards the ultimate decision ofdisaster activation / declaration:TeamCommunicateExecutive ResponseTeamMeredith DismukesDisaster ManagementTeamMeredith Dismukes- 16 -ParticipateMargaret NekicKathy FreymanBrandon DriscollMeredith DismukesBusiness ContinuityTeam (please refer tosection III B)DecideMargaret NekicKathy FreymanBrandon DriscollPrimary: Meredith DismukesSecondary: Mary Gibson
Disaster Declaration Levels and CriteriaSeverity LevelDisaster ManagementDisaster24hrs - UpCriteria Crisis3-24hrs Severe impact to several critical applicationsresulting in the inability of PAS to provide criticalfunctions, processes or servicesOutage expected to exceed the RTO (48 hrs) toresolve Moderate to severe impact to one or more criticalapplications that has the potential to compromisethe ability of PAS to provide critical functions,processes or services if not restored within 48 hoursOutage may or may not exceed the RTO (48 hrs) toresolvePotential to replace damaged equipment or restoredata locally within RTO (48 hrs)An issue is considered ‘Critical’ when Businesscritical applications are impacted, regardless of thecause IncidentCritical0-3hrsActionsHigh While not as serious as a critical issue, high impactissues causing a major disruption in providing serviceto the business requiring immediate attention- 17 - Immediately escalate through Executive Leadershipand Declare (activate BCP)Mobilize recovery teams and begin recovery processActivate business continuity plans (workaroundprocedures for critical processes dependent on OTCapplications)Assess damage to determine the extent of thedisruptionDecide if business continuity plans should beactivatedIf outage is expected to exceed OTC RTO (48 hours)or if the impact expands to additional criticalsystems, escalate to Disasterotherwise addressvia incident managementDMT immediately communicates incident to usersand other affected parties via email.Provide hourly status updatesIf outage is expected to exceed target resolutiontime for critical incidents (1 business day), escalateto CrisisConsider activation of business continuity plansDMT immediately communicates incident to usersand other affected parties via email.Provide regular status updates
InspirienBusiness Continuity PlanL. Crisis Level Actions within the First 48 Hours3- 18 -
InspirienBusiness Continuity PlanM. Disaster Recovery Timeline- 19 -
Section III: Disaster Management Teams and ResponsibilitiesA. Disaster Management Organization Structure- 20 -
B. Team ResponsibilitiesExecutive Response Team ResponsibilitiesTeam / RoleExecutive ResponseTeamEmployee(s) Margaret NekicKathy FreymanBrandon DriscollMeredith DismukesAt Time-of DisasterResponsibilitiesOn-going Responsibilities Sponsorship of recoveryplanning teams- 21 - Oversight and decisionmaking during therecovery effort
InspirienBusiness Continuity PlanDisaster Management Team ResponsibilitiesThe Disaster Management Team is responsible for: Determining that all individuals are accounted forSelecting and directing other employees to manage first aid, crowd control,traffic control, communications, and response actionsEnsuring that the appropriate Federal, National, and Local agencies are notifiedas required by rules and regulationsEnsuring that the appropriate Executives are notifiedDeterming the budget and tracking expenses during a disaster periodArranging logistics for the alternate siteTeam / RoleIncident CommanderBudget & ContractsCoordinatorEmployee(s) Lead mock recoveryexercises (tabletoptesting) Reporting of all responseand recovery –relatedactivities to the executiveresponse team Determine overallexpense guidelines duringdisaster periodInsurance Track recovery-relatedexpensesReport updates toincident commanderMeredith DismukesBrandon Driscoll Meredith Dismukes(coordinator)Kathy FreymanMargaret NekicCindy Sawyer Meredith Dismukes CommunicationsPersonnel CoordinatorLogistics coordinator Meredith DismukesAt Time-of DisasterResponsibilitiesOn-going Responsibilities Maintain standardcommunication scriptsMaintain automated callsystem communications Determine Inspirien HRsupport for recovery team Provide HR support torecovery teams asrequired Maintain pre-arrangedlodging and travelarrangements for recoverypersonnel Execute travel, lodginglogistics planReport expenses tobudget & contractscoordinatorReport updates toincident commander - 22 -Execute internal disastercommunicationsproceduresRespond to IT andvendor disaster inquiries
Site Response Team ResponsibilitiesThe Site Response Team is responsible for emergency response after a disaster,conducting damage assessment, and providing physical security to buildings after anevent. Other responsibilities include: Ordering an evacuation of building if neededEnsuring that prompt actions are taken to prevent or minimize harm toemployees, the
The Inspirien Business Continuity Plan includes procedures for all phases of recovery as defined in the Business Continuity Strategy section of this document. C. Scope The Business Continuity Plan is limited in scope to recovery and business continuance from a serious disruption in activities due to non-availability of Inspirien facilities.
11/19/2015 7 Today we will: Define business continuity Compare and contrast business continuity with emergency management Describe the elements of a viable continuity plan Illustrate the process used to plan for continuity of operations Identify strategies for building support for business continuity activities and programs Review case studies and identify the lessons
Business Continuity Plan Overview Existing BC Plan Layout BCM Team Document Page: 1 Layout of Proposed BCCM Template Business Continuity Plan Components and sequencing description This document is designed to help explain the contents of an example Business Continuity Plans, so . Last Test Annual Plan Annual Plan Quality Review Annual Call .
The Business Continuity and Recovery Plan is intended to be used in addition to your Emergency Preparedness and Response Plan. Some key differences between these plans are: Business Continuity and Recovery Plan Business Continuity and Recovery Plan This plan is for use o
Continuity of Operations Division via e-mail at . FEMA-NCP-Federal-Continuity@dhs.gov. Questions concerning this template may be directed to: National Continuity Programs . Continuity of Operations Division . Federal Emergency Management Agency . 500 C Street, SW, Suite 515 . Washington, DC 20472 . FEMA-NCP-Federal-Continuity@dhs.gov (202) 646-3187
Continuity Plan. The XXXXXXXX Business Continuity Plan is enacted with the purpose of ensuring continued business activity in the event of an emergency and ensuring the safety of all employees. Failure to comply with the XXXXXXXX Business Continuity Plan or any directives issued by the Em
The Business Continuity Plan is accessible in paper format via the EPLO for the Trust or electronically via the intranet. Figure 3. The Business Continuity Planning Process 1.7 Identify Critical services To develop a complete Business Continuity plan it is very important that the business i
Surface Continuity Palette Evaluate Continuity Surface Continuity The Surface Continuity evaluation allows users to check the relationship between two surfaces based on the position (G0), tangent (G1), and curvature (G2) continuity. Green indicates that the continuity is acceptable between surface
another language. A “Secondary Section” is a named appendix or a front-matter section of the Docu-ment that deals exclusively with the relationship of the publishers or authors of the Document to the Document’s overall subject (or to related matters) and contains noth-ing that could fall directly within that overall subject. (For example .
