Disaster Recovery

Plan
Template

Notice: Copyright Stay In Business.com - Stay In Business is the legal owner of the template. This may be used
only by the purchaser for business purposes only. The template may not be sold, shared, copied or transmitted to
any third party without the written expressed consent of Stay In Business.

Table of Contents
Section 1 - Goals of a Disaster Recovery Plan.................................................................3
Section 2 - Personnel........................................................................................................4
Section 3 - Application Profile............................................................................................5
Section 4 - Inventory Profile..............................................................................................6
Section 5 - Information Services Backup Procedures.......................................................8
Section 6 - Disaster Recovery Procedures.......................................................................9
Disaster Action Checklist...............................................................................................9
Section 7- Recovery Plan-Mobile Site.............................................................................13
Mobile site setup plan..................................................................................................14
Disaster Plan for Communications...............................................................................14
Electrical service..........................................................................................................14
Section 8 - Recovery Plan - Hot Site...............................................................................15
Hot-site system configuration.......................................................................................16
Hot-site solutions..........................................................................................................16
Section 9 - Restoring the Entire System.........................................................................17
Section 10 - Rebuilding Process.....................................................................................18
Section 11 - Testing the Disaster Recovery Plan............................................................19
Conducting a Recovery Test Check List...................................................................19
Areas to be Tested Check List..................................................................................20
Section 12 - Disaster Site Rebuilding..............................................................................22
Section 13 Infectious/Communicable Diseases Plan...................................................24
Situational Analysis......................................................................................................30
BCDR Plan Deactivation..............................................................................................38
Section 14 BCDR Plan for Data Security Breach.........................................................40
Plan Activation and Notification....................................................................................44
Situational Analysis......................................................................................................47
Personnel.....................................................................................................................52
Section 15 - Record of Plan Changes.............................................................................54

Page 2

Section 1 - Goals of a Disaster

Recovery Plan
The major goals of a disaster recovery plan are:

Minimize interruptions to normal operations.

Limit the extent of disruption and damage.

Minimize the economic impact of the interruption.

Establish alternative means of operation in advance.

Train employees, network engineers and managers on emergency procedures.

Smooth and rapid restoration of service.

Constant review of Frequently Asked Questions (FAQs).

Establishing high WAN/Internet connection reliability and fault tolerance.

Plan for recovering from a security breach

Infectious/Communicable diseases DRBC plan

Page 3

Section 2 - Personnel
The following is a list of all IT personnel who are involved with information technology
aspects. This list should be updated frequently.
Data Processing Personnel
Name

Position

Email

Address

Telephone

Note: Attach a copy of your organization chart to this section of the plan.

Page 4

Section 3 - Application Profile

This is a list of all application personnel who are involved with payroll, accounts
payable/recievable, orders etc.
Application profile
Application Name

Critical?
Yes/No

Fixed
Asset?
Yes/No

Manufacturer

Comments

Comment legend:
1. Runs daily.
2. Runs weekly on ________.
3. Runs bi weekly on ______ and ______
4. Runs monthly on ________.
5. Other _______________

Page 5

Section 4 - Inventory Profile

This is a list of physical inventory that involves your LAN & WAN and other important
equipment. This list should be updated frequently and should include all components of
your network and other business activity.
This list should include the following:
1. Processing units
2. Disk units
3. Models
4. Workstation controllers
5. Personal computers
6. Spare workstations
7. Telephones
8. Air conditioner or heater
9. System printer
10. Tape and diskette units
11. Controllers
12. I/O processors
13. General data communication
14. Spare displays
15. Racks
16. Humidifier or dehumidifier
17. Power Generator?
18. Manufacturing equipment
19. Office equipment
20. Miscellaneous inventory

Page 6

Inventory Profile
Manufacturer

Description

Model

Serial
Number

Own or
Leased

Cost

Note: This list should be audited every ________ months

Miscellaneous Inventory
Description

Quantity

Comments

Note: This list should include all equipment and miscellaneous items that are crucial to restarting
operations

Page 7

Section 5 - Information Services

Backup Procedures
1 Server

Daily, journal receivers are changed at ___________ and at ___________.

Daily, a save of changed objects in the following libraries and directories is

done at _______________________________________
1. ________________________________________
2. ________________________________________
3. ________________________________________
4. ________________________________________
5. ________________________________________
6. ________________________________________
7. ________________________________________
8. ________________________________________

This procedure also saves the journals and journal receivers.

1 On ________ (day) at ________ (time) a complete save of the system is
done
2 All saved media is stored off-site in a vault at ________ (location)
3 Personal Computer
4 It is recommended that all personal computers be backed up. Copies of the
personal computer files should be uploaded to the server on ________ (date)
at ________ (time), just before a complete save of the system is done. It is
then saved with the normal system save procedure. This provides for a more
secure backup of personal computer-related systems where a local area
disaster could wipeout important personal computer systems.

Page 8

Section 6 - Disaster Recovery

Procedures
For any disaster recovery plan, the following three elements should be addressed:

Emergency Response Procedures: To document the appropriate emergency

response to a fire, natural disaster, or any other calamity in order to protect lives
and limit damage.

Backup Operations Procedures: To ensure that essential data processing

operational tasks can be conducted after the disruption.

Recovery Actions Procedures: To facilitate the rapid restoration of a data

processing system following a disaster.

Disaster Action Checklist

A. Plan Initiation

Notify Senior Management

Contact and setup the disaster recovery team

Determine degree of disaster

Implement proper application recovery plan dependent on extent

of disaster (see Section 7. Recovery plan--mobile site)

Monitor progress

Contact backup site and establish schedules

Contact all other necessary personnel

Contact vendors all vendors that are critical to resuming operations

should be contacted

Notify employees of the disruption of service

Page 9

Senior Management
Name

Position

Address

Telephone

Page 10

Follow-Up Checklist

B.

List teams and tasks of each team and individual

Obtain emergency cash and setup transportation to and from the backup
site, if necessary

Setup living quarters, if necessary

Setup eating establishments, as required

List all personnel and their telephone numbers

Establish user participation plan

Setup the delivery and the receipt of mail

Establish emergency office supplies

Rent or purchase equipment, as needed

Determine applications to be run and in what sequence

Identify number of workstations needed

Check out any off-line equipment needs for each application

Check on forms needed for each application

Check all data being taken to the backup site before leaving and leave an
inventory profile at a home location

Setup primary vendors for assistance with problems incurred during

emergency

Plan for transportation of any additional items needed at the backup site

Take directions to backup site

Check for additional magnetic tapes, if required

Take copies of system and operational documentation and procedural

manuals.

Ensure that all personnel involved know their tasks

Notify insurance companies

Page 11

Recovery Start-up Procedures for Use After a Disaster

1. Notify (name of company and individual) of Disaster Recovery Services of the
need to utilize service and of recovery plan selection.
Note: Guaranteed delivery time countdown begins at the time (name of company
and individual) is notified of recovery plan selection.

Disaster notification numbers (phone number of DR site) or (alternate

number). These telephone numbers are in service from ________ am/pm
until ________ am/pm Monday through Friday.

2. Disaster notification number (after hours number)

This telephone number is in service for disaster notification after business hours,
on weekends, and during holidays. Please use this number only for the
notification of the actual disaster.
3. Provide (name) with an equipment delivery site address (when applicable), a
contact, and an alternate contact for coordinating service and telephone numbers
at which contacts can be reached 24 hours a day.
4. Contact power and telephone service suppliers and schedule any necessary
service connections.
5. Notify (name of DR Coordinator) immediately if any related plans should change
.

Page 12

Section 7- Recovery Plan-Mobile Site

1. Notify (name) of the nature of the disaster and the need to select the mobile site
plan.
2. Confirm in writing the substance of the telephone notification to (name) within 48
hours of the telephone notification.
3. Confirm all needed backup media are available to load the backup machine.
4. Prepare a purchase order to cover the use of backup equipment.
5. Notify (name) of plans for a trailer and its placement (Location address and
exact site). (See the Mobile site setup plan in this section).
6. Depending on communication needs, notify telephone company (name and
number of Telephone Company or representative) of possible emergency line
changes.
7. Begin setting up power and communications at (back up site address).

Power and communications are prearranged to hook into when trailer

arrives.

At the point where telephone lines come into the building (mark entry point),
break the current linkage to the administration controllers (mark point).
These lines are rerouted to lines going to the mobile site. They are linked to
modems at the mobile site. The lines currently going from (begin point to
end point would then be linked to the mobile unit via modems.

This could conceivably require (company name) to redirect lines at

(address) complex to a more secure area in case of disaster.

8. When the trailer arrives, plug into power and do necessary checks.
9. Plug into the communications lines and do necessary checks.
10. Begin loading system from backups (see Section 9. Restoring the Entire
System).
11. Begin normal operations as soon as possible

Daily jobs

Daily saves

Weekly saves

Page 13

12. Plan a schedule to backup the system in order to restore on a home-base

computer when a site is available. (Use regular system backup procedures).
13. Secure mobile site and distribute keys as required.
14. Keep a maintenance log on mobile equipment.
15. Keep log on people, keys, equipment etc at DR site

Mobile site setup plan

Attach the mobile site setup plan here.

Disaster Plan for Communications

Attach the communication disaster plan, including the wiring diagrams.

Electrical service
Attach the electrical service diagram here.

Page 14

Section 8 - Recovery Plan - Hot Site

The disaster recovery service provides an alternate hot site. The site has a backup
system for temporary use while the home site is being reestablished.

Notify (name of contact and name of company) of the nature of the disaster and
of its desire for a hot site.

Request air shipment of modems to (address) for communications. (See (name

and contact of person in charge) for communications for the hot site.).

Confirm in writing the telephone notification to (name of company and contact)

within 48 hours of the telephone notification.

Begin making necessary travel arrangements to the site for the operations team.

Confirm that all needed tapes are available and packed for shipment to restore
on the backup system.

Prepare a purchase order to cover the use of the backup system.

Review the checklist for all necessary materials before departing to the hot site.

Make sure that the disaster recovery team at the disaster site has the necessary
information to begin restoring the site. (See Section 12 - Disaster Site
Rebuilding).

Provide for travel expenses (cash advance).

After arriving at the hot site, contact home base to establish communications
procedures.

Review materials brought to the hot site for completeness.

Begin loading the system from the save tapes.

Begin normal operations as soon as possible

a. Daily jobs
b. Daily saves
c. Weekly saves

1. Plan the schedule to backup the hot-site system in order to restore on the homebase computer.

Page 15

Hot-site system configuration

Attach the hot-site system configuration here.

Hot-site solutions
FatPipe Networks has developed a host of products that ensure the highest level of
WAN reliability, redundancy, and maximum bandwidth for disaster recovery planning,
including data mirroring and remote storage. As the inventor and multiple patents holder
of Router Clustering technology -- which aggregates multiple data lines from the same
or separate ISPs -- FatPipe provides dynamic, intelligent and automatic failover of
downed WAN connections.
FatPipe Networks also makes available several other solutions for corporations that are
implementing or wanting to enhance their current disaster recover/continuity plans.
FatPipe offers dual power supply units for power backup and auto-failover units. The
failover unit can be placed at the customer premise or at a remote location, such as a
remote storage site or disaster recovery site.
In addition, FatPipe provides site load balancing capabilities, where traffic can be
shared between one or more remote site units utilizing all lines available at each
location. This is used when inbound connectivity to Internet accessible servers is
critical. This technology utilizes FatPipes Site Load Balancing feature. The servers
located in geographically separate locations can have identical or similar information in
two or more locations. For more information www.fatpipeinc.com

Page 16

Section 9 - Restoring the Entire

System
To get your system back to the way it was before the disaster, use the procedures on
recovering after a complete system loss in the Backup and Recovery section.
Before You Begin: Find the following tapes, equipment, and information from the onsite tape vault or the off-site storage location:
1. If you install from the alternate installation device, you need both your tape media
and the CD-ROM media containing the Licensed Internal Code.
2. All tapes from the most recent complete save operation
a. The most recent tapes from saving security data (SAVSECDTA or
SAVSYS)
3. The most recent tapes from saving your configuration, if necessary
b. All tapes containing journals and journal receivers saved since the most
recent daily save operation
4. All tapes from the most recent daily save operation
c. PTF list (stored with the most recent complete save tapes, weekly save
tapes, or both)
5. Tape list from most recent complete save operation
6. Tape list from most recent weekly save operation
7. Tape list from daily saves
8. History log from the most recent complete save operation
9. History log from the most recent weekly save operation
10. History log from the daily save operations
11. The Software Installation book
12. The Backup and Recovery book
13. Modem manual
14. Tool kit

Page 17

Section 10 - Rebuilding Process

The management team must assess the damage and begin the reconstruction of a new
data center. If the original site must be restored or replaced, the following are some of
the factors to consider:
1. What is the projected availability of all needed computer equipment?
2. Will it be more effective and efficient to upgrade the computer systems with
newer equipment?
3. What is the estimated time needed for repairs or construction of the data site?
4. Is there an alternative site that more readily could be upgraded for computer
purposes?
Once the decision to rebuild the data center has been made, go to Section 12 - Disaster
Site Rebuilding.

Page 18

Section 11 - Testing the Disaster

Recovery Plan
In successful contingency planning, it is important to test and evaluate the plan
regularly. Data processing operations are volatile in nature, resulting in frequent
changes to equipment, programs, and documentation. These actions make it critical to
consider the plan as a changing document. Use this checklist as you conduct your test
and decide what areas should be tested:

Conducting a Recovery Test Check List

Item

Yes No Applicable

Not
Applicable

Comments

Select the purpose of the test. What aspects

of the plan are being evaluated?
Describe the objectives of the test. How will
you measure successful achievement of the
objectives?
Meet with management and explain the test
and objectives. Gain their agreement and
support.
Have management announce the test and
the expected completion time.
Collect test results at the end of the test
period.
Evaluate results. Was recovery successful?
Why or why not?
Determine the implications of the test
results. Does successful recovery in a
simple case imply successful recovery for all
critical jobs in the tolerable outage period?
Make recommendations for changes. Call
for responses by a given date.
Notify other areas of results. Include users
and auditors.
Change the disaster recovery plan manual
as necessary.

Page 19

Areas to be Tested Check List

Item

Not
Yes No Applicable Applicable

Comments

Recovery of individual application systems

by using files and documentation stored offsite.
Reloading of system tapes and performing
an IPL by using files and documentation
stored off-site.
Ability to process on a different computer.
Ability of management to determine priority
of systems with limited processing.
Ability to recover and process successfully
without key people.
Ability of the plan to clarify areas of
responsibility and the chain of command.
Effectiveness of security measures and
security bypass procedures during the
recovery period.
Ability to accomplish emergency evacuation
and basic first-aid responses.
Ability of users of real-time systems to cope
with a temporary loss of on-line information.
Ability of users to continue day-to-day
operations without applications or jobs that
are considered not critical.
Ability to contact key people or their
designated alternates quickly.
Ability of data entry personnel to provide the
input to critical systems by using alternate
sites and different input media.
Availability of peripheral equipment and
processing, such as printers and scanners.
Availability of support equipment, such as air
conditioners and dehumidifiers.
Availability of support: supplies,
transportation, and communication.

Page 20

Distribution of output produced at the

recovery site.
Availability of important forms and paper
stock.
Ability to adapt plan to lessen disasters.

Page 21

Section 12 - Disaster Site Rebuilding

1. Floor plan of data center distribute to key employees
2. Determine current hardware needs and possible alternatives. (See Section 4 Inventory profile).
a. Data center square footage, power requirements and security
requirements.
b. Area (square feet)
c. Power requirements (describe)
d. Security requirements: locked area, preferably with combination lock on
one door establish procedures: key employee responsible, access
restrictions, locked areas. Access to locked areas, CCTV, monitoring
e. Floor-to-ceiling studding
f. Detectors for high temperature, water, smoke, fire and motion key
employee responsible and initial safety check to determine if all safety
systems are working and in place.
g. Raised floor

Page 22

Floor plan
Include a copy of the proposed floor plan here.
Vendors
Vendors - Include vendor information here.
Company Name

Contact

Address

Telephone

Page 23

Section 13
Infectious/Communicable Diseases
Plan
Recent events such as the Ebola outbreak have made it imperative for companies to
start thinking about policies and procedures in case an employee is infected. For
companies that have employees that travel - a well thought out plan is essential.
Each business is different. The following gives a guideline of the elements of a BCDR
plan. Each business should modify this to suit needs.
Executive Management
List names and contact information of the following personnel here. Also include their
area of responsibility
1. BCDR plan coordinator
2. Manager - Human Resources
3. Manager - Financial
4. Manager Legal
5. Manager Technical and Data Security
6. Manager Site and building security
7. Manager Industrial Health and Safety
8. Other list names, contact information and area of responsibility
Also discuss plan goals, Recovery Point and Recovery Time Objectives. Management
should also communicate to employees in general, their support of the plan and
introduce various key personnel who will be tasked with continuity and recovery
operations.
1. Plan Objectives
The aim of this plan is to allow (company name) to respond effectively in a safe
manner and recovery from an Infectious/Communicable disease outbreak. The
main objectives are:

Reduce exposure and transmission among employees

Ensure essential services and operations are maintained

Reduce economic impact

Other list any other objectives relevant to your organization

Page 24

2. Supporting Plans and Resources

List any other plans that support your plans for example county or city plans.
3. Overview
List an overview of the Infectious/Communicable disease that you are writing the
plan for. The description should ideally include a history of the disease in
question and include the following:

Description of the Infectious/Communicable disease

Its prevalence locally and globally

Prognosis of an infected person

Treatment options

Current government directives if any

Precautions to prevent infection

International considerations where outbreaks are and local intelligence

gathered. Also, determine if any employees have travelled to these areas
and ensure they are safe and are not the cause of an outbreak among
employees

Other relevant information

4. City, County, State and National Health Agency Roles and Assistance

Determine all public agencies that may play a part in case of an

Infectious/Communicable disease outbreak at your company

Contact agencies and determine who will be the point person at the
agency during outbreaks gather and record contact information

All local and state ordinances and laws should be understood. Your
BCDR plan should not violate these.

Sharing your plan with agencies and asking for their opinion is a good way
to fine tune plans develop personal relationships

Depending on jurisdiction, one or more than one agency will be the

coordinating agency.

They can make public recommendations regarding interactions with your

business

Page 25

They will have the power to enforce various ordinances to ensure

outbreaks are contained. These include protective gear and isolation
orders

Medical they can assist with all health and health safety issues.

5. Planning Assumptions
Several assumptions have to be made when developing these plans. From the
extent of the outbreak to its severity to personnel, reasonable assumptions have
to be made. However, assumptions made should be listed and rationale given if
applicable. Some of the assumptions that should be considered are

Duration of outbreak

This assumption can be made depending on the disease. Since most

disease life phases are known, reasonable assumptions can be made.

Prevention and Treatment

Public health agencies or departments can be very useful in determining

the best course of action.

Staff Make a reasonable assumption about the number of staff that could
be infected. This will determine staff availability for vital and critical
functions.

Vendors and Outside Service Providers

A list of vendors and contact information should be developed for various services and
products. Remember to determine lead times needed for each.
Plan Activation and Notification
1. Plan Activation
The activation of the entire plan or only a part are dependent on a variety of
factors. IF any or all of the following are met the plan should be activated.
a. Any public health agency issues an alert or warning in the same general
area as the business.

Page 26

b. Business functions are disrupted due to employee absence due to

sickness
c. Disruption of essential services
d. Concern among staff of possibility of getting infected. While this may be
reduced with the correct information, these concerns have to be taken
seriously.
e. Add other criteria here
f. Authority to Activate BCDR
It is important that activation of a BCDR plan is only carried out on the
direct orders of a manager who has to authority to take this step. Since a
manager with this authority may not be available when disaster strikes, 3
or 4 senior managers should have this authority. It is recommended that
at least one of the authorized managers be in a different geographic
location. Give names below:
a. Name and title of BCDR activation authority
b. Name and title of BCDR activation authority
c.

Name and title of BCDR activation authority

d. Name and title of BCDR activation authority

2. Notification
During an emergency, there are various stake holders that have to be informed
about the disaster. However, messages have to be tailored to the group that
receives it.

All employees message

(Insert message here)
Sample message: The Disaster Recovery plan for (name disease) has been
activated. The plan was activated due to (reason). We will keep you
informed by (name more of information text, email, video, website
announcement etc) every hour on the hour unless circumstance prevent us.
You are instructed to: (give instructions here do not come to office, report at
Page 27

a different site etc).

BCDR Team
(Insert message here)
Sample message: The BCDR plan for (name disease) has been activated.
Report for your assignments per the BCDR plan. In case you need to refer to
the BCDR plan, copies of the plan can be obtained at (name source
website, cloud etc). You should call our DR number (give emergency number
here) immediately to check in.

Customers
(Insert message here)
Sample message: Dear (name) this is to inform you that we have activated
our BCDR plan due to (give reason). We will strive to ensure you will see little
or no disruption. Please call the hot line we have set up (give number) for
further information. One of our specialists, assigned to ensure our valued
customers are not inconvenienced will also be contacting you shortly to
discuss the situation and inform you of the actions we will take to minimize
the effects of the disaster. We thank you for your understanding and
coorporation.

Vendors
(Insert message here)
Sample message: Dear (name) this is to inform you that we have activated
our BCDR plan due to (give reason). We will strive to ensure you will see little
or no disruption. Please call the hot line we have set up (give number) for
further information. One of our specialists, assigned to ensure our valued
vendors are not inconvenienced will also be contacting you shortly to discuss
the situation and inform you of the actions we will take to minimize the effects
of the disaster. We thank you for your understanding and coorporation.

Other
(Insert message here)

Authority and Command

1) BCDR Response Organization and Structure
Page 28

The following will be the organization and structure of the response to the
Infectious/Communicable disease emergency. All or parts may be activated and
modified as needed during the emergency
2. Response Management
Once the Infectious/Communicable diseases BCDR plan has been activated, the
Incident Commander will be (Name, Title and Contact information of Incident
Commander). In case he or she cannot assume command, the following are
authorized to assume Incident Command

Alternate 1 (name, title and contact information)

Alternate 2 (name, title and contact information)

Alternate 3 (name, title and contact information)

Other add name per requirement

If the first alternate is unable to take command, the command moves to the next
person on the list. Unable to take command is defined as given below. It is
advisable to carefully consider who is capable of leading during emergency especially non managerial employees. They should have leadership qualities
and have the respect of their colleagues.

Not able to carry out assignment due to physical limitations, death or

geographic location.

Unable to contact within (hours)

Alternate has been assigned another duty

Other insert per requirement

Page 29

Situational Analysis
1. Mission Statement
This BCDR plans mission is to disseminate information on activation to all
stakeholders giving information about the nature of the disaster, the response
and actions each stakeholder has to perform during the crisis.
2. BCDR Plan Implementation
A BCDR plan is only as good as its implementation. To this end to ensure that
the BCDR plan meets the objective of business continuity and quick recovery,
input of various plan stakeholders is important in the planning stage itself.
a. Status of Infectious/Communicable Disease
A vital part of plan activation and implementation is knowledge of the
current status of the Infectious/Communicable disease outside and within
the business. To this end, source of information the business will use in
such cases should be identified and listed. Source that will be used are:

Local/County Health Department (give URL and information

helpline numbers)

State Health Department (give URL and information helpline

numbers)

Centers for Diseases Control and Prevention (give URL)

World Health Organization (give URL)

News organization (give list)

Other sources (give name and URL per requirement)

b. Infectious/Communicable Disease Control and Safety Recommendations

Recommendations issues by Local/County/State health agencies should
be monitored and implemented. List sources of information below:

Local/County Health Department (give URL and information

helpline numbers)

State Health Department (give URL and information helpline

Page 30

numbers)

Centers for Diseases Control and Prevention (give URL)

World Health Organization (give URL)

News organization (give list)

Other sources (give name and URL per requirement)

c. Community
Every business exists in a community and goodwill and respect is an
important part of business operations. When confronted with these
diseases in the community, a business should gather all possible
information to ensure proper action can be taken. Local health services
will provide information. In case the outbreak is within a business, it is
important to inform local agencies. Information flow through these
agencies to the public is important in maintaining public relations
d. Customer Relationships
If a business has activated its BCDR plan, customer and it is important for
the business to understand why customer behavior has changed. The
BCDR of plan should have steps in place to handle the change in behavior
and revenue flows. This is important to ensure financial viability of the
business during this crisis.
e. Vendor Relationships
Vendor relationships mean change during the crisis. If the vendor service
being provided is on-site it may be even affected to a greater extent than
normal. If the vendor is providing services that do not require a physical
presence, then the relationship might not be affected to a great extent.
However there should be a clear understanding between the business and
the vendor what can be expected by each party. As soon as the BCDR
plan is activated, vendors especially the critical ones, should be contacted
and a clear understanding of expectations should be established. The
following a list of vendor, contact information and services provided

Vendor Name, Contact Information, Services provided.

Vendor Name, Contact Information, Services provided.

Page 31

Vendor Name, Contact Information, Services provided.

f. Business Operations
Operations will be affected mainly due to staff strength. Businesses
should pre-determine what critical business functions are and how to
handle them. Staff functions may have to be reassigned to fill gaps.

Critical Operation 1 name, department, minimum staff needed

(names of staff should be included if known, however it mut be kept
updated.

Critical Operation 2 - name, department, minimum staff needed

(names of staff should be included if known, however it mut be kept
updated..

Critical Operation 3 - name, department, minimum staff needed

(names of staff should be included if known, however it must be
kept updated.

The following operations can be suspended or curtailed

Non Critical Operation 1 (give details)

Non Critical Operation 2

Non Critical Operation 3

g. Staffing
The BCDR plan should have a staffing plan. To do this, reasonable
assumptions must be made. List functions, staff strength and
assumptions in this section.
Communications
a. Stakeholders
During disasters, communications are critical in ensuring smooth handling
of the disaster. Communications to various stakeholders will be different
and the manner and mode of communications vary. It is important to
ensure, the entire business speaks with one voice and therefore it is
prudent to assign an empowered committee to channel communications
through. The stakeholders are:
Page 32

Employees

Customers

Vendors

Government Agencies

Community

Other specify per local requirement

a. Empowered Communications Committee

The following employees are assigned to the committee through whom all
communication will be routed.

Director of Communications (Chair of committee)

Member 1 (name & title)

Member 2 (name & title)

Member 2 (name & title)

Other per local business requirements

b. Messaging
The content of message to each group of stakeholders can be
predetermined because it is a initial message informing that the BCDR
plan has been activated. After the initial message goes out, the next batch
of messages can be crafted to meet needs.
i. Employees
Sample message (edit to suit business needs)
The company has activated the BCDR plan for
Infectious/communicable diseases with effect from (date and time).
This message is to inform you of the activation of the plan. The
company places a very high value on keeping employees informed
as time progresses. A follow-up message will be sent shortly
informing you of the actions the company will be taking and the role

Page 33

and actions we expect you to take. We will be establishing a

hotline before the close of business today.
ii.Customers
Sample message (edit to suit business needs)
The company (company name) has activated its BCDR plan for
Infectious/communicable diseases with effect from (date and time).
This message is to inform you of the activation of the plan. The
company places a very high value on keeping our valued
customers informed as time progresses. A follow-up message will
be sent shortly informing you of the actions the company will be
taking to ensure the effect on our customers is kept to a minimum.
A company representative assigned to assist you will be contacting
you shortly. We appreciate your understanding and patience as we
resolve the situation
iii.Vendors
The company (company name) has activated its BCDR plan for
Infectious/communicable diseases with effect from (date and time).
This message is to inform you of the activation of the plan. The
company places a very high value on keeping our valued vendors
informed as time progresses. A follow-up message will be sent
shortly informing you of the actions the company will be taking to
ensure the effect on our vendors is kept to a minimum. A company
representative assigned to assist you will be contacting you shortly.
We appreciate your understanding and patience as we resolve the
situation

iv.Government Health Agencies

The company (company name) has activated its BCDR plan for
Infectious/communicable diseases with effect from (date and time).
This message is to inform you of the activation of the plan.
A representative designated to establish statutory and regular
communications will be contacting you shortly. We appreciate your

Page 34

patience and your guidance in resolving this crisis at the earliest.

v.Community
The company (company name) has activated its BCDR plan for
Infectious/communicable diseases with effect from (date and time).
This message is to inform you of the activation of the plan.
We deeply value the relationship we have with the community. We
believe open and honest communications are essential to ensure
that the crisis is resolved speedily while ensuring the safety and
welfare of the public.
We will shortly issue a communiqu with more details. Till such
time we ask for your patience. We have been good neighbors and
we will strive to ensure our actions comply or exceed local
requirement for such a crisis. We thank you for yor goodwill and
patience.
vi.Other
Add message per local business requirement
c. Dissemination of Information
Information will be disseminated per the following modes

Phones hot line (internal and external give numbers here), text,
voice mail, recorded messages, call tree, call centers.

Electronic email, website messaging (give URL), online chat

Personal meetings, town halls meetings, etc

Media TV, Radio, Newspaper, Press Releases and Conferences

Other insert per local business requirement

d. Urgent Communiqu
Determine what modes will be used to communicate urgent messages to

Page 35

each group of stake holders

Example - Employees by phone tree
e. Regular Updates
Example Employees website updates
Personnel
The effect of Infectious/Communicable diseases on employees is hard to predict. Past
experience has shown that during severe outbreaks, 20 to 30% staff can be absent.
Naturally, this will have a direct bearing on business operations. Both the paces of
operations are slowed down to match available man-power or pace kept constant and
only critical operations are carried out. Planning is essential. Communications are key
to ensuring that employees that are sick stay home and those that are called to work in
unfamiliar areas know the reason why. A mission statement such as the one below is
useful (modify to meet local business requirement)
(Name of business) is committed to ensuring a safe environment for all employees.
During an infectious/communicable disease emergency that requires activation of the
companys BCDR plan, the company will make every effort to carry our normal business
operations. In the event there is a shortage of staff, the company will restrict operations
to those essential for business continuity. Staff that fall ill will be required to stay home.
Non punitive absentee policies will be in effect and the company will stand by
employees that fall sick. Other employees may be temporarily reassigned to other
duties with adequate training. The entire focus will be on recovery with minimal
employee disruption.
a. Employee Leave Policy During Emergency
During the crisis, expect absentee rates to be 20 to 30% above normal.
Some employees may not have leave left and may report for work when
they are sick. This prolongs the crisis. Some may not have leave but
have to stay home to care for sick family. Whatever the cause, a policy
has to be in place during the activation of the BCDR plan. This policy
should clearly spell how the company will handle sickness and leave. It
should be communicated to all employees.
Insert company sickness and leave policy here.
b. Work From Home and Flexible Working Hours

Page 36

In order to minimize contact with fellow employees, a work from home or

flexible work policy can be activated during the emergency. Once again
this has to be clearly articulated and communicated.
Insert the Work from Home and Flexible Working Hours policy here
c. Business Travel
A clear policy that details the business travel policy during the emergency
should be developed.
Insert business travel policy here
d. Illness Protocol
A protocol for employees calling in sick or those that become sick during
work should be in place. This protocol must include the following at a
minimum
i. Employee calling in sick company medical personnel or
supervisor should speak with person by phone.
ii.Compare employee symptoms with those that are issued by health
agencies. If the employee has symptoms, they should be advised
to stay home and seek medical advice. If they do not have the
symptoms of the infectious or communicable diseases, then they
should be advised to call later. It is better to err on the side of
caution. They should be reassured that no punitive action will be
taken.
iii.If the employee falls sick during work, they should be isolated and
given medical attention. If required to go home, they should be
advised to avoid public transportation. Travel assistance if possible
should be offered (develop policy according to your company
business needs). Disinfecting work station should be a part of the
policy.
iv.Advice all sick employees to follow guidelines issued by local
health agency.

Page 37

v.Communicate with employee who is at home to reassure them.

vi.Ask them to return to work once they are cleared by medical
personnel.
b. Personnel Committee
An empowered committee to develop emergency personnel policies and
their implementation should be constituted.
i. Director Personnel
ii.Member 1 policy matters
iii.Member 2 - training and reassignment
iv.Member 3 - tracking
v.Member 4 temporary work assignment
vi.Member 5 inter department coordination and liaison
vii.Member 6 - other

BCDR Plan Deactivation

An orderly deactivation of the plan is just as important as activation. The policies that
will be followed when transitioning back to normal should be detailed in this section.
a. Plan Deactivation Announcement
Management should announce the end of the crisis. This is very
important as it will give employees, customers, vendors and other
stakeholders confidence that the company is back on track and the worst
is over.
b. Transition to Normal Operations
The following should be considered and policies developed
i. Work assignments for staff (specially if some staff are yet to report
to work)
ii.Transition from temporary assignments to regular assignments
Page 38

iii.SOP modifications if any

iv.Ramp up schedule for hours of operation
v.Response documentation for fine tuning BCDR plan
vi.Community outreach and appreciation
vii.Other
c. Formal end of emergency notification
d. Assessment of BCDR Plan Performance
As a part of the continuous improvement curve, an internal assessment
that reviews plan performance is essential. A panned versus actual
analysis should be conducted and this will enable current plans to be
modified for the better.

Page 39

Section 14 BCDR Plan for Data

Security Breach
Cyber crime is on the rise. Hackers are continuously checking companys network
security to gain entry. Once they have secured entry, they either maliciously destroy or
steal data to be used fraudulently. While many small companies do not have in house
resources to ensure they are secure from attacks, even large companies are vulnerable
(Target Corp & Sonly Corp). Theft of data is a real possibility and companies should be
prepared with a BCDR plan to handle such a crisis.
There a few key points to remember when it comes to security planning
1 Awareness know the system you have and what data you are gathering and
why
2 Minimize collect and retain only data that is needed the less you collect the
less you have to protect
3 Protect it ensure only authorized people have access. Hard copies should e
under lock and key
4 Disposal establishment of proper data disposal procedures
5 Planning good planning improves security exponentially
Executive Management
This is the team that is in overall charge of efforts to develop, implement and execute a
BCDR plan. It is comprised mainly of senior managers.
List names and contact information of the following personnel here. Also include their
area of responsibility
1. BCDR plan coordinator
2. Manager - Human Resources
3. Manager - Financial
4. Manager Technical and Data Security
5. Manager Site and building security
6. Other list names, contact information and area of responsibility
Also discuss plan goals, Recovery Point and Recovery Time Objectives. Management
should also communicate to employees in general, their support of the plan and
introduce various key personnel who will be tasked with continuity and recovery
operations.

Page 40

BCDR Purpose and Objectives

The purpose of this plan is to develop sound data security procedures to prevent
breaches. In the event breaches occur the BCDR is a plan to minimize damage.
Technical Committee
The management committee should first form a technical committee. This committee
should be tasked to review all aspects of the network WAN, LAN, Security
Procedures, Data Security, Data Backup, Personnel, and Infrastructure. Once this has
been completed, the recommendation for improvement should be conveyed to the
management team. Approved changes should be implemented ASAP.
1. Technical Committee Lead (name and contact information)
2. Team Member 1 (name and contact information)
3. Team Member 2 (name and contact information)
4. Other (input per local requirement)
Typically, committee members should be technical personnel who are knowledgeable in
IT security issues. If in house expertise is not available, the committee should be
authorized to secure assistance from consultants. The review should include at a
minimum
1 Inventory all desktops, laptops, mobiles, home systems, digital copies and
scanners should be inventoried to determine what types of data are stored. If
data is stored on these devices, what is the level of protection in case of loss or
theft? Is the data password protected or encrypted?
2 Hard copies of information what is the system in place for sensitive data stored
on hard copies. Is it kept under lock and key at all times. Do authorized people
only have access to this? Determine security of disposal procedures.
3 Other sensitive data data gathered from your website, call centers, through
employees, HR department can all be potentially sensitive and should be
secured. What are the procedures in place for that?
4 Sources of Data it is important to know the sources of data coming into a
business. The level of security required for each type and source of data is also
required.
5 Data collection points where in the business process is each type of data
collected. What are the security measures in place at each point.

Page 41

6 Once data is gathered how is it stored? If it is first gathered in hard copies

how is it transferred?
7 Establish who has access to data at each collection point.
8 Physical security of data inventory all physical data and the security procedures
established
9 Electronic security of data
o Thorough review of network infrastructure and points of vulnerability
o Determine security procedures
o Identify connectivity to devices that store sensitive information. Determine
security procedures and assess vulnerabilities
o Determine if sensitive data is encrypted what encryption protocols are
used
o What anti-virus measures are in place? Are they updated regularly?
o An employee downloading unauthorized software is a major security
threat. What measures are in place to manage this?
o What Operating Systems are being used? Are they updated regularly and
security patches up to date?
o Thoroughly review all web applications and determine their security. Hey
are commonly the targets of hacking.
o Management of passwords this is a particularly difficult task because
employees can be very lax. Constant training, requirement of a level of
pass word difficulty and regular changing will improve security.
o Password activated screen savers after a period of inactivity is a very
basic security feature that should be implemented company wide.
o Conduct regular employee training to warn them about security risks
o Determine who is using laptops and their need to do so. Also determine if
each of these laptops are password secured or data encrypted. Loss or
theft of laptops is a very common security breach.
o Wireless and remote access these are frequent security weak points.
Limiting the number of devices that can connect to them is a good idea.
Once the technical committee has done a end to end review of all security aspects of
the business, a report to management with recommendations should be prepared.
Page 42

Once management approves, recommendations should be incorporated expeditiously.

Small and medium size business oftentimes does not have in house expertise to
thoroughly analyze potential vulnerabilities. Securing the assistance of an expert
consultant should be considered. This upfront expense is far cheaper than dealing with
a security breach.
Plan Assumptions
Every disaster will be different and no amount of planning can expect to cover all
eventualities. However, plans tailored to specific situations (even without all details
known) can be developed. Some assumptions will have to be made. These should be
listed as a part of the overall plan.
Some assumptions of a generic nature are given below. Businesses should revise
these and add per their own set of circumstances
1. Data security breach will not require moving personnel to a different site
2. Since in house expertise is available no outside vendor will be used. If in house
expertise is not available then the services of the following consultants will be
used
a. Consultant 1/consulting company 1 (name and contact information)
b. Consultant 2/consulting company 2 (name and contact information)
c. Add per business requirement
3. All members of the IT department will be a part of the plan execution
4. All product and software requirements during the execution of the BCDR plan will
be fulfilled by one of the following:
d. Vendor 1 (name and contact information)
e. Vendor 2 (name and contact information)
f. Add per business requirement
5. Other add to this list per business requirements

Page 43

Plan Activation and Notification

1. Plan Activation
The activation of the entire plan or a part of te plan depends on a variety of
factors. Each business should evaluate their situation and act accordingly. For
the plan to be activated the any one of the following should be met:
a. Business website has been hacked
b. Sensitive data has been compromised
c. Sensitive storage infrastructure has been compromised or stolen
d. Laptop or other device with sensitive data has been stolen or lost
e. Other per business requirement
2. Plan Activation Authority
The following people has the authority to activate the plan. The authority will be
in descending order and if unable to activate, authority passes down the list
f. Name and title of BCDR activation authority
g. Name and title of alternate 1
h. Name and title of alternate 2
i. Other per business requirement
3. Notification
Breach of data security is serious and affects several people employees,
management, customers. Therefore a plan to notify each group is essential.
While a general message notifying all stakeholders may be enough initially, tailor
made messages for each group will be more effective
j. All employees message
(Insert message per business requirement)

Page 44

Sample message (edit per your business situation): The BCDR plan for a
breach of data security has been activated. The plan was activated due to
(give reason). We will keep you informed by (name mode of information
text, email, video, website announcement, etc) every hour on the hour
unless circumstances prevent us. You are instructed to (give instructions
here do not use company laptop till it is checked by an expert etc). Call
the following number that has been established for more information and
instructions.
k. BCDR Team
(Insert message per business requirement)
Sample message (edit per your business situation): The BCDR plan for a
breach of data security has been activated. Report for your assignments
per the BCDR plan. In case you need to refer to the plan, it can be
obtained securely at (name source cloud, website etc). You should call
the falling number (give number) immediately and check in. All leave and
vacations have been cancelled.
l. Customers
(Insert message per your business requirement)
Sample message (edit per your business situation): Dear (name) this is
to inform you we have activated our BCDR plan for a breach of data
security. We are working urgently to secure our data and systems to
minimize further issues. Please be assured we take this situation very
seriously and will keep you updated periodically by (text, email, video,
public announcements, press conferences etc). We have set up a hotline
(number) to answer any questions you may have. We request your
patience and we work to resolve this situation.
m. Vendors
(Insert message per your business requirement)
Sample message (edit per your business situation): Dear (name) this is
to inform you we have activated our BCDR plan for a breach of data
security. We are working urgently to secure our data and systems to
minimize further issues. Please be assured we take this situation very

Page 45

seriously and will keep you updated periodically by (text, email, video,
public announcements, press conferences etc). We have set up a hotline
(number) to answer any questions you may have. We request your
patience and we work to resolve this situation. One of our specialists will
contact you shortly.
n. Other
(Insert message her per your requirements)
Authority and Command
The following will be Authority and command structure during a data security breach
1) BCDR Response Organization and Command Structure
The following is the organization and command structure for the response to a
breach of data security. All or parts may be activated or mdified during this
emergency.

2. Response Management
Once the BCDR plan for a data security breach has been activated, the incident
commander will be (Name, Title, Contact Information of Commander). In case he
or she cannot assume command, the following are authorized to assume
command in descending order
a. Alternate 1 (name, title and contact number)
b. Alternate 2 (name, title and contact number)
c. Alternate 3 (name, title and contact number)
d. Other add name per requirement
If the first alternate is unable to take command, the command moves to the next
person on the list. Unable to take command is defined below. It is advisable to
carefully consider who is capable of leading during emergency especially non
managerial employees. They should have leadership qualities and have the

Page 46

respect of their colleagues.

a. Not able to command due to physical limitations, death or geographic
location
b. Unable to contact within (hours)
c. Alternate has been assigned other duties
d. Other (insert per business requirement)

Situational Analysis
1. Mission Statement
This BCDR pans mission is to systematically handle a data security breach while
disseminating information to all stakeholders.
2. BCDR Plan Implementation
Any BCDR plan is only as good as its implementation. In order to achieve this,
the plan must meet the objectives of business continuity and recovery. Input of
various parts of a business is important to ensure that the plan is well rounded
and acceptable to all employees. Plans developed with employee input generally
are the best. A top down plan, where upper management develops the plan and
foists it on employees usually fails during execution.
a. Status of Data Protection
Knowledge of the current trends in data protection is vital to ensuring that
data will be secure and not vulnerable to hacking. To do this, it is prudent
to have multiple sources of information that describe and detail various
advances in data protection. Sources that will be used are
i. Information Source 1
ii.Information Source 2
iii.Other
b. Customers
If a business has activated a BCDR plan due to a security breach, it is
natural for customers to be concerned if their personal data has been
Page 47

compromised. This may cause a change in customer behavior and may

substantially affect revenue flow. Therefore any plan should have steps in
place to handle these reactions. For example, business that have
suffered data security breaches have offered their customers free data
monitoring for a year. In addition they have offered monetary
compensation. Each business is different and each is urged to think
through steps that are needed to ensure customers remain loyal
c. Vendors
Vendor data is just as important as customer data. If vendor data is
compromised, it may affect vendor operations and oftentimes may spill
over to their operations. It is important to retain vendor confidence to
ensure they will continue supplying you. Company personnel should e
assigned to the task of contacting all major vendors as soon as possible
once the BCDR plan is activated. Proactive communication indicates the
business takes protection of vendor information seriously and will make
them more likely to continue the relationship. The following is a list of the
vendors in descending order of importance:
i. Vendor Name, Contact Information, Service Provided
ii.Vendor Name, Contact Information, Service Provided
iii.Vendor Name, Contact Information, Service Provided
d. Business Operations
Loss of data or the possibility data may be contaminated may lead to
curtailing of business operations. All businesses should pre-determine
what critical business functions are and develop steps to handle them.
i. Critical Business Operation 1 name, department, minimum staff
needed
ii.Critical Business Operation 2 name, department, minimum staff
needed
iii.Critical Business Operation 3 name, department, minimum staff
needed
iv.Other add per business requirement
v.Non critical business operations that can be curtailed during plan

Page 48

activation are
1 Non Critical Operation 1 - Name, department
2 Non Critical Operation 2 - Name, department
3 Other add per business requirement
e. Staffing Plan
The BCDR should have a staffing plan when activated. Staff duties may
have to be rearranged during this period. List functions, staff strength and
assumptions in this section.
Communications
a. Stakeholders
During disasters, communications are critical in ensuring smooth handling
of the disaster. Communications to various stakeholders will be different
and the manner and mode of communications vary. It is important to
ensure, the entire business speaks with one voice and therefore it is
prudent to assign an empowered committee to channel communications
through. The stakeholders are:
i. Employees
ii.Customers
iii.Vendors
iv.Other specify per local requirement
b. Empowered Communications Committee
The following employees are assigned to the committee through whom all
communication will be routed.
i. Director of Communications (Chair of committee)
ii.Member 1 (name & title)
iii.Member 2 (name & title)
iv.Member 2 (name & title)

Page 49

v.Other per local business requirements

b. Messaging
The content of message to each group of stakeholders can be
predetermined because it is a initial message informing that the BCDR
plan has been activated. After the initial message goes out, the next batch
of messages can be crafted to meet needs.
i. Employees
Sample message (edit to suit business needs)
The company has activated the BCDR plan for data security breach
with effect from (date and time). This message is to inform you of
the activation of the plan. The company places a very high value
on keeping employees informed as time progresses. A follow-up
message will be sent shortly informing you of the actions the
company will be taking and the role and actions we expect you to
take. We will be establishing a hotline before the close of business
today.
ii.Customers
Sample message (edit to suit business needs)
The company has activated the BCDR plan for data security breach
with effect from (date and time). This message is to inform you of
the activation of the plan. The company places a very high value
on keeping our valued customers informed as time progresses. A
follow-up message will be sent shortly informing you of the actions
the company will be taking to ensure the effect on our customers is
kept to a minimum. A company representative will be made
available to assist you. We appreciate your understanding and
patience as we resolve the situation
iii.Vendors
The company has activated the BCDR plan for data security breach
with effect from (date and time). This message is to inform you of
the activation of the plan. The company places a very high value
on keeping our valued vendors informed as time progresses. A
follow-up message will be sent shortly informing you of the actions
the company will be taking to ensure the effect on our vendors is

Page 50

kept to a minimum. A company representative assigned to assist

you will be contacting you shortly. We appreciate your
understanding and patience as we resolve the situation.
iv.Other
Add message per business requirements
f. Dissemination of Information
Information will be disseminated per the following modes
i. Phones hot line (internal and external give numbers here), text,
voice mail, recorded messages, call tree, call centers.
ii.Electronic email, website messaging (give URL), online chat
iii.Personal press conference, meetings, town halls meetings, etc
iv.Media TV, Radio, Newspaper, Press Releases and Conferences
v.Other insert per local business requirement
g. Urgent Communiqu
Determine what modes will be used to communicate urgent messages to
each group of stake holders
Example - Employees by phone tree
c. Regular Updates
Example Employees website updates

Page 51

Personnel
During crisis, employees may be required to carry out duties in new areas and support
other departments. In this section add all personnel policies that will be in effect.
Remember, even during emergencies, all policies should adhere to prevailing federal,
state and local laws. A committee that oversees issues regarding personnel should be
constituted. Take HR/legal advice to ensure compliance.
a. Personnel Committee
i. Director Personnel
ii.Member 1 policy matters
iii.Member 2 training and reassignment
iv.Member 3 tracking
v.Member 4 temporary work assignment
vi.Member 5 inter departmental coordination and liaison
vii.Other add per business requirement
BCDR Plan Deactivation
An orderly deactivation of the plan is just as important as activation. The policies that
will be followed when transitioning back to normal should be detailed in this section.
a. Plan Deactivation Announcement
Management should announce the end of the crisis. This is very
important as it will give employees, customers, vendors and other
stakeholders confidence that the company is back on track and the worst
is over.
b. Transition to Normal Operations
The following should be considered and policies developed
i. Work assignments for staff (specially if some staff are yet to report
to work)
ii.Transition from temporary assignments to regular assignments
iii.SOP modifications if any

Page 52

iv.Ramp up schedule for hours of operation

v.Response documentation for fine tuning BCDR plan
vi.Other
c. Formal end of emergency notification
d. Assessment of BCDR Plan Performance
As a part of the continuous improvement curve, an internal assessment
that reviews plan performance is essential. A panned versus actual
analysis should be conducted and this will enable current plans to be
modified for the better.

Page 53

Section 15 - Record of Plan Changes

Keep your plan current. Keep records of changes to your configuration, your applications, and
your backup schedules and procedures.

Page 54