All Ordain locations are expected to implement preventative measures where possible to mitigate operational disruptions and to respond and recover as quickly as possible in the event of disaster. Scope The BCC scope is limited to the recovery and continuance of business as usual at all Ordain facilities after a complete unplanned disruption of those facilities. This plan will clearly outline specific recovery procedures to be followed which will cover all essential areas of the business.
This plan does not outline the Information Technology strategy for recovery of critical applications, servers or databases, but rather focuses on business continuance procedures in the event of natural disasters related to fires, floods, and other localized natural or man-made occurrences. Necessary audience that may be required after a global catastrophe such as an earthquake or war, will not be covered in this BCC. Objectives The coordination necessary for the recovery of essential business functions is the objective of this Business Continuity Plan.
Should Ordain experience a disruptive catastrophe which may be defined as acts of terror, fires, floods, earthquakes, the procedures defined within this BCC will mitigate total loss of business. Justification With budgets already tight, any interruption to the revenue process is detrimental. This is why the BCC is needed. The following are critical in purporting business processes. Critical needs to management: 1 . Inventory system: tracks the type of raw materials, the vendor, and the quantity. . Georgia plant materials: See Appendix ‘x’ b. Michigan Plant materials: See Appendix c. China Plant materials: See Appendix ‘x’ 2. Wide Area Network: communication among the plants and headquarters, monitoring the inventory, communication with the customer. Critical needs for the Organization: 1. Raw Material 2. Plant workers 3. Meeting Service Level Agreements (SLAP) 1. Business Continuity Organization (a) All the people will be divided up into teams from each department.
These people will each have a task to do in the plan in order to get everything done. This will be a very important role for each department in order to get everything done in a timely manner. (b) Line of authority for network: (I) Chief Information Officer CIO: Maria Train (lie) Manager IT Services: Patricia Miller 1. Network Administrator: Vine Animation (iii) Manager IT Services (Pontiac): Dirk Koru 1 . Network Administrator: Gary Tucker (iv) Manager IT Services (Albany): Stacey Jones 1.
Network Administrator: John Leveler 2. Network Administrator: Bill Monster (v) Manager IT Services (China): Chinese National c) Line of authority for Plants and Materials: (I) UP Operations: Mark Neither 1. Director, Plant Operations (Pontiac): Ronald Nellie a. Assistant Plant Manager: Bernard Encamp b. Production Control Technician: Joshua Stilwell c. Production Control Technician: Annette Tidbits 2. Director, Plant Operations (Albany): Craig Greenberg a. Assistant Plant Manager: Allen Tania b.
Production Control Technician: Renee Kraal (ii) UP International Operations (China): Charles Williamson 1. Director, Plant Operations: Robert Lord a. Assistant Plant Manager: Chinese National 2. Business Analysis (a) Impact analysis What is the extent of the impact? Does this directly affect operations by leaking data or halting production? If yes, proceed to contacting management personnel (Inexperience) If no, proceed with operational process towards reducing the impact on the organization. 3.
Recovery and Restoration Steps necessary to activate IT recovery procedures to support full system restoration and facility functionality are contained within the IT Disaster recovery document. The systems and facility specifications for each location are required to re-establish normal IT operations. The attached Appendix ‘1’ will outline the list for each location. IT staff should be located / contacted and coordination for each site if more than one location exist should be implemented. If cloud services are used coordination with vendor entities should be engaged immediately.
See Appendix ‘2’. Advance procedures for suitable IT system recovery resources should have been in place prior to disaster. This advance procedure should have included fire proof cabinets, off-site storage, system replacements and any other pertinent hardware equipment including virtual server systems. These resources are to be secured and activated. All pertinent business units are to be notified of IT cover implementation process. These individuals are to be informed of any changes to the process, operating hours, contact information, etc…. See Appendix ‘3’. . Data restoration Before data can be restored, the situation must be assessed and a determination as to what type Of restoration is necessary is to be made. Whether restoration to virtual servers, cloud services, or from tape, the type of disaster will dictate the necessary steps to performing a full restores. As outlined in Appendix ‘4’, particular procedures as related to data restoration are to be followed. Once appropriate staff has implemented and completed he restoration process communication should be sent out as outlined with the communication plan. . Business Strategies and requirements (a) Procedures and requirements of all recovery strategies Evaluate recovery actions and activate the appropriate recovery team Evaluate damages and make assessment Restoration priority will be determined based on damage assessment Senior Management is to be notified and kept apprised Of progress Full communication plan should be implemented and ongoing during recovery phase Contact and vendor support with recovery teams should be implemented to begin the restoration and recovery/repair process. ) Procedures and requirements on alternate workmates Co-location contact individuals should be contacted and coordination to assess site should begin Warm site systems have already been periodically tested. Servers should be brought online with necessary configuration changes. Pertinent data should be moved to existing hardware or activated in cloud services and made available for access. Physical access will be determined based on assessments and if necessary for business continuance. (c) Procedures and requirements for IT recovery (nee;org, server, desktops, wireless devices).
IT procedures will be determined by type Of disaster Natural disaster steps. See Appendix ‘5’ Fire disaster. See Appendix ‘6’. Severely should be determined and 911 contacted as needed. Actions for IT staff are outlined in Appendix ‘6’ document. Network Outage. See Appendix ‘7’ for steps to repair systems and bring servers back on line Water damage. See Appendix ‘8’ for guidelines to recovery. 6. Recovery Procedures (a) Objectives Identify the basis in which recovery is required – per type of disaster.
Proceed with following plan per each type of disaster: For physical disasters, utilize cloud backups and/or externally stored data. For technical disasters, utilize cloud backups and/or externally stored data. For intrusion incidents, in-depth research is to be carried out to determine root cause of intrusion, restore security to source of intrusion. (b) Physical disasters – This section will be about what physical disaster need to be covered in the plan. Fire – in case of a fire emergency 911 should be called.
Each department should have a fire team in place and that’s when they should go into action. Each department’s fire team should assess the fire and then see what needs to be done. Break down assignments for each fire team so that everything is covered. If the fire gets out of hand then the company need to have a cold site ready to move into so that operations can get back up and running. Flood – Most likely a flood will happen if pipes burst so certain areas of the building should be on raised floors. All the technical equipment should be on raised floors such as the server rooms.
Disaster teams should be in place to take over how to go about making sure that everything is in place. If the flood is severe then moving operations to a cold site could be beneficial. Earthquake – Earthquakes can happen any. Inhere at any time. Ordain needs to have a plan in place to help prevent data loss. The buildings need to be checked for strength and how solid they are in case of an earthquake. Earthquakes can knock out power and other utilities even if the building stand so a backup site should be talked about.
A cold site could work for this and be able to get the company back up and running in a timely manner. Power Outage – In case of power outages a UPS system should be in place. That way vital information can be saved until the power comes back on. Backup generators can help the Ordain keep the lights on for critical areas of the company. (c) Technical disasters Hardware failure Software failure Service provider failure Communication line failure (d) Intrusion incident Definition: unauthorized access of any sort to network systems.
Response planning Asses the incident Communicate incident Indemnify type and severity Document evidence Recover systems Document incident Asses damage and cost Review response Update policy 7. Plan Review and Maintenance The plan should be reviewed bi-annually or in the case of an incident. The review will ensure that the information in the plan is correct and maintenance will include updating any wrong information, such as names of employees’ involved and contact information. Any needed updates will be made based n recent incidents. This area will serve as a guide for key members of the management team.
It will only lay out the plan objectives. (a) Assumptions Assumptions that can be made will contain some of the following: All personnel listed in the plan willing and available to work where assigned If it is an IT emergency, will there be access to original documents How long before you can enter the building How long will critical systems be restored In “X” hours (b) Disaster Definition Defining disasters includes understanding the threat of disasters, the types of disasters possible, as well as the impact the disaster may have on the organization.
Having a plan in place which respectfully outlines this is paramount understanding how to react to the disasters of each type. Water disasters, and natural disasters can be closely related as they occur in relation to weather, often seen in advance by weather patterns depicted on news broadcasts. Fire disaster generally occurs due to faulty equipment, wiring, or are sometimes the product of natural disasters.
Lastly, the threat of a data breach disaster is very real in most organizations and would closely relate to the network configuration and security plan in place. 8. Communication Plan a. Once a disaster has been declared whichever team is responsible for a particular location will manage the situation and provide periodic status updates to the appropriate recovery team.
A brief meeting of executive management and key individuals should be convened if possible, the situation assessed, procedure documentation located, and information gathered to determine next course of action. B. IT staff will be notified immediately and deployed appropriately. C. Once situation is assessed and is unlikely to be recovered quickly, authorized individuals or their backups should communicate time frames and status-updates hourly or as needed to radical staff members. Appendixes Appendix 1.
Recovery Response preparedness In the event of a major catastrophe affecting Ordain Manufacturing Facilities, immediately notify Ordain Management / Emergency Response Team. STEP ACTION Notify the Appropriate recovery team of pending event, if time permits. 2 f impending natural disaster can be tracked, begin preparation of site within 48 hours as follows: Confirm critical data is protected and backed-up to tape, external drive or Cloud Services Confirm that current images (virtual or imaged HAD) of critical servers are ready and deployable.
Confirm alternative reward (similar or dissimilar) is available for restoration or temporary virtual machine. Acquire basic necessities pertaining to system access: Power generators if necessary Power Cords and network cables Access Points are functional Or replacement Systems are available Supplies, including tools, cell phones, software and portable computers are ready and available 3 24 hours prior to event: Create an image of the system and files.
Back up critical system elements. Verify backup generator fuel status and operation. Create backups of e-mail, file servers, etc. Notify Senior Management Of plans. Appendix 2: Vendor list Server and computer equipment suppliers Company name Contact Work Mobile/Cell phone Communications and network services suppliers Appendix 3. Business unit Notification List Emergency Management Team Name Address Home Disaster Recovery Team Information Technology Team Appendix 4.
Restoration Process Task to be completed at restoration point Ensure access to proper equipment for restore (servers and backup software), system must also have network access and access to locations where images reside Determine what type of restore is needed, (I. E. To dissimilar hardware, similar hardware, from virtual machine to bare metal yester or virtual boot from imaged backups) The type of restore will determine the remaining steps in this process. Retrieve Shadow Protect Recovery Environment CD and insert into system on which the restore will take place.