
C. Business Contingency Plan

 

The goal of a business contingency, or
continuity, plan (BCP) is to minimize the disruption to operations during an
emergency or disaster. This is an investment in the future of XYZ Company, one
the organization takes very seriously, and should be approached
proactively.  Steps to implement a BCP
include an analysis of mission-critical data, the creation of a business
contingency policy, designing an implementation plan, and then executing that
plan. (Nieto, 2009)


 

C1.
Strategic Pre-Incident Changes

Good BCP planning starts with preventing
potential problems. That means taking objective steps to plan for an incident
before it happens. There is no single approach that fits all types of incidents
as no two disasters are identical. Much of business contingency planning varies
based on the size of the company, the company’s line of business, locations,
clients and vendors. This initial stage includes preparing for potential
emergencies and planning for a response to and recovery from a disaster.

XYZ Company should
first analyze the organization’s current status starting with the discovery of
mission-critical data.  Key staff should
be included in these discussions in order to make considerations for all
divisions of XYZ Company.  Proprietary
information, e-mail, web data, accounting information, and other sensitive data
should be reviewed to determine the value of loss should it become temporarily
unavailable or lost forever.  This
analysis should calculate the cost for data recovery or recreation, as well as
identify viable solutions that are within budget and also provide a sense of
security to stakeholders.

Although XYZ Company serves just one client, an international auto
manufacturer, it should invest in an off-site data center with security
measures that protect critical data from threats ranging from corporate
espionage to natural disasters. Currently, data is housed in a server with a
direct link to both XYZ Company and its client's headquarters. CSO.com outlines
several considerations for building physical security into a data center
(Scalet, 2015).

Headquarters for
both companies are located directly across a major road from each other, with
both companies running operations in Canada, Mexico and the U.S. This data
center should be 20 miles away from any location of either company.

Other considerations for this data center include the following: provide
redundant utilities; avoid windows, or use bomb-resistant laminated glass if
windows are required; keep a 100-foot buffer zone around the site; use
retractable crash barriers at vehicle entry points; plan for bomb detection;
limit entry points; ensure fire doors are exit only; install surveillance
cameras around the perimeter, at all entrances and exits, and at every access
point throughout the building (footage should be digitally recorded and stored
off-site); protect the building's machinery by restricting access to mechanical
areas and installing concrete walls around external generators; ensure
contractors and repair crews are accompanied by an employee at all times; make
sure HVAC and ventilation systems can be set to recirculate rather than drawing
in air from the outside; use two-factor authentication for sensitive areas and
three-factor authentication for secure areas; prohibit food in computer rooms;
and install visitor restrooms for people who don't have access to the secure
parts of the building.

 

C2a.
Sensitive Data 

Sensitive data for XYZ Company includes
proprietary information related to line set-up and assembly processes. Because
the company serves but one client, both organizations work hand-in-hand to
produce just-in-time wheel assembly for pick-up trucks. The line set-up and
assembly process must be in tune with the client's own manufacturing processes
at their plant across the street. Sensitive data also includes output and
quality control reports, internal communications and financial and human
resource records.

 

C2b.
Normal Data Protection

During normal business hours, data will
be physically protected via several layers of security at the new data center.
The building itself will be designed much like a warehouse, with few or no
windows. 12-inch concrete walls will provide an effective barrier against the
elements and explosive devices. Crash-proof barriers around the exterior of the
building keep a 100-foot buffer zone. Access to parking lots and loading docks
can be controlled with security guards who operate retractable crash barriers.
Guards can also use mirrors to check underneath vehicles for explosives. These
access points should be kept to two, one main entrance plus a back one for the
loading dock.

Security from human threats can be dealt with in multiple ways. Ensure
contractors are escorted by an employee at all times; provide a special
visitors-only restroom; require two- and three-level authentication for
employees entering sensitive and secure areas, respectively; and restrict
access to mechanical areas to ensure the integrity of electric, water, HVAC and
security systems.

 

C2c.
Disruption Security Measures

When a disruption occurs, the data center
should go on immediate lock-down. No one enters, other than first responders,
and no one leaves. Crash barriers are raised and security staff stand guard at
entry points. Access to critical areas such as servers, mainframes and other IT
equipment is strictly prohibited except by employees carrying the highest level
of authorization. Switch the HVAC system to recirculate to protect people and
equipment from a biological or chemical attack or heavy smoke from a nearby
fire.

 

C2d.
Ethical Use of Data

The core of ethical use of data during a
risk event is transparency and strict adherence to data policies. Sensitive
data should be safeguarded through the BCP, with special consideration given to
what data is collected, the method for collecting it and how long the data is
stored. All employees with access to sensitive data should be well versed in,
and strictly adhere to, these policies.

Only employees who require sensitive data for their work should have access to
it. Data should not be shared informally. Strong passwords must be used, never
shared, and changed regularly. Personal data should not be disclosed to
unauthorized people, either within the company or externally. Data should be
regularly reviewed and updated and, if no longer required, deleted.

Any sensitive data recorded on paper files should be kept in a locked
fire-proof safe. Data printouts should not be left lying around and should be
shredded when no longer needed. Data stored on removable media should be kept
locked in fire-proof safes. Data should only be stored on designated servers in
the data center and should be backed up frequently. Security software and a
firewall should be current. Computer screens should be locked when left
unattended, and data must be encrypted before being transferred electronically.

 

C3a.
Customer Records

Customer records include proprietary
information related to the customer’s production output, parts design,
corporate expansion into new markets and changes in vehicle design or new
models.

C3b.
Normal Security Measures

Much like sensitive corporate data,
during normal business hours customer records will be physically protected via
several layers of security at the new data center. The building itself will be
designed much like a warehouse, with few or no windows. 12-inch concrete
walls will provide an effective barrier against the elements and explosive
devices. Crash-proof barriers around the exterior of the building keep a
100-foot buffer zone. Access to parking lots and loading docks can be
controlled with security guards who operate retractable crash barriers. Guards
can also use mirrors to check underneath vehicles for explosives. These access
points should be kept to two, one main entrance plus a back one for the loading
dock.

Security from human threats can be dealt with in multiple ways. Ensure
contractors are escorted by an employee at all times; provide a special
visitors-only restroom; require two- and three-level authentication for
employees entering sensitive and secure areas, respectively; and restrict
access to mechanical areas to ensure the integrity of electric, water, HVAC and
security systems.

 

C3c.
Disruption Security Measures

When a disruption occurs, the data center
should go on immediate lock-down. No one enters, other than first responders,
and no one leaves. Crash barriers are raised and security staff stand guard at
entry points. Access to critical areas such as servers, mainframes and other IT
equipment is strictly prohibited except by employees carrying the highest level
of authorization. Switch the HVAC system to recirculate to protect people and
equipment from a biological or chemical attack or heavy smoke from a nearby
fire.

 

C3d.
Ethical Use Protections

Ethics regarding customer records are the
same as for corporate data. The core of ethical use of customer records during
a risk event is transparency and strict adherence to data policies. Customer
records should be safeguarded through the BCP, with special consideration given
to which records are collected, the method for collecting them and how long
the records are stored. All employees with access to customer records should be
well versed in, and strictly adhere to, these policies.

The International Association of Privacy Professionals offers several
suggestions for a data protection policy. Only employees who require customer
records for their work should have access to them. Customer records should not
be shared informally. Strong passwords must be used, never shared, and changed
regularly. Personal data should not be disclosed to unauthorized people, either
within the company or externally. Customer records should be regularly reviewed
and updated and, if no longer required, deleted.

Any customer records in paper files should be kept in a locked fire-proof safe.
Printouts should not be left lying around and should be shredded when no longer
needed. Customer records stored on removable media should be kept locked in
fire-proof safes. Records should only be stored on designated servers in the
data center and should be backed up frequently. Security software and a
firewall should be current. Computer screens should be locked when left
unattended, and records must be encrypted before being transferred
electronically (International Association of Privacy Professionals, n.d.).

 

C4.
Communication Plan

The BCP communication plan ensures that
all stakeholders have been identified and that consistent messages are sent to
relevant stakeholder groups. Risk messages are sent out at a time and with a
frequency that supports business objectives and follows business planning
cycles. The plan should consider assignments about who sends the message, who
prepares the message, the objective of the communication, message content,
delivery method, timing and frequency. Implementing a communication plan also
helps ensure XYZ Company does not face a PR disaster should a risk event occur,
which means the plan must include media policies and procedures.

This communication plan should include regular risk reports to the appropriate
stakeholders; intermittent risk assessment workshops; articles about risk in
the employee newsletter or posted on the intranet; planned staff training on
risk management; and risk management messages in the annual report. This plan
should also contain a list of employees assigned to the crisis team and
training so that team members have the tools and skills to successfully
implement the communication plan. Potential issues and risks should be
considered and a budget for the communication plan should be included.

 

C4a.
Stakeholders

Stakeholders exist internally and
externally. Internal stakeholders include:

· Board of Directors
· CEO
· Management
· All Staff
· Specific Divisions

External stakeholders include:

· Client
· Suppliers
· Media

C4ai.
Stakeholder Communications

The CEO is responsible for sharing risk
communications with the Board of Directors starting with a phone call to the
Board Chair. The Board Chair will disseminate communications to other board
members via email. The plant manager is responsible for communicating with the
CEO in person and by calling a team meeting for management. Management will
share communication with all staff via the intranet and an email alert about the
intranet posting. Should only specific divisions require communication, the
plant manager will share that with the division leader who will in turn share
in person to direct reports. The plant manager will communicate directly with
the client via a telephone call. The materials manager will communicate via
telephone to suppliers. The communications manager will communicate with media
representatives.

 

C5.
Restoration of Operations

A variety of business components should be considered for restoration of
operations: physical environment; hardware; connectivity; software and data.

The recovery point objective identifies the point in time to which data must be
backed up and recoverable in order for XYZ Company to resume operations. This
determines how frequently backups need to occur. Reverting to this point in
time allows XYZ Company to pick up where it left off. The recovery time
objective is the maximum length of downtime before XYZ Company is negatively
impacted. The amount of lost revenue per amount of lost time can help determine
which systems and applications are critical to business sustainability. These
critical systems should take top priority for recovery.

To minimize overall impact on XYZ Company, acting quickly and collaborating
with employees, vendors, insurance companies and financial institutions are key
(Chubb Group of Insurance Companies). Recovery from a risk event such as a
natural disaster should include the following steps:

· Make sure anyone in the building is safe. Get an accurate headcount of
employees and visitors and notify emergency personnel of injuries or missing
persons.

· Validate the structural integrity of the building. Allow access only to areas
that are well-lit and free of debris and spills. Make sure the electrical
systems are not exposed and check water supplies for contamination.

· Determine if a temporary facility is needed to limit business interruption.

· Implement security procedures.

· Activate communication plan to internal stakeholders.

· Contact emergency restoration partners.

· Confirm accounting and purchasing systems are online.

· Confirm committed, uninterrupted supply chain vendors.

· Contact insurance broker.

· Activate communication plan to external stakeholders.

 

D. BCP Implementation Plan

 

D1.
Implementation of the BCP

In order for XYZ Company to successfully
implement a BCP, the business model must be fully understood. Information;
metrics; products and services; policies; rules and regulations; stakeholders;
vision and strategy are all key elements of this architecture. Know daily
business routines and who is responsible for them. Plan disaster recovery teams
in advance. Reflect any changes to business context and automation systems in
the BCP. Develop straightforward instructions to help people overcome stress in
a disaster. Considerations must be made for the cost and complexity of the BCP
as well as strategies for securing buy-in from all staff and stakeholders.

 

D2.
Communication of the BCP

The BCP should be first shared internally
with key internal stakeholders such as the Board of Directors and top
management staff. A presentation on the plan, including a Q&A session
should be conducted to provide the opportunity for a transparent roll-out of
the plan. Managers can then take the BCP to their teams, stressing the
importance of personal responsibility for the plan and the future of the
company should a disaster strike. The plant manager should share the plan with
the client and answer any questions that are asked.

 

D3.
Monitoring and Testing of the BCP

Review the BCP quarterly.  XYZ Company should gather those who helped
create the plan, as well as any other key staff who hold responsibilities
outlined within the plan.  The overall
plan should be discussed, with special attention given to possible gaps in the
plan.  New staff and board members should
be trained on the BCP. 

Disaster role-playing sessions should be held to
help key players gain familiarity with their duties.  A dry-run training can be conducted to help identify
any errors and improvements that can be made to the plan.

A simulation of the disaster can be conducted,
starting at the immediate response to a disaster and running through getting
operations back up to full capacity. 
Data recovery, staff safety, asset management, relocation, and
communication should all be tested.  This
simulation should be scheduled on an annual basis.

Prevent the stoppage of full XYZ Company
operations during simulation testing by scheduling these activities outside of
regular business hours.  Regular review
sessions can be held to a few hours at a time during the work week.

 

D4.
Adjustment of the BCP

Once the plan has
been developed, it is critical to test the effectiveness of the plan as well as
staff response to an emergency and their responsibilities within the BCP, and
to monitor and adjust the plan as necessary. (Sharrieff, n.d.)
As testing and review occur, changes will become apparent. Likewise, as XYZ
Company and its client change, the plan will also need to be adjusted. Changes
such as adding new equipment, renovations to the building, or changes in
staff positions that play a key role in the plan will force a review of the
plan. The BCP should become an integral part of the overall business operations
of XYZ Company.

After testing and
identifying possible gaps in the plan, adjustments should be made in order to
ensure full efficacy.  Team members
should make note of known problems with the portion(s) of the plan with which
they are involved, and bring these back to the team for review and
discussion.  Adjustments should be made
to the written document, and re-testing should begin to confirm that these
changes do indeed correct problems. 
Additionally, as the organization changes over time, and needs change,
the plan should be revisited and revised on a regularly scheduled basis.  Rewriting the BCP can be time consuming,
which means reprints should only be done on an agreed schedule. (Hiles, 2007)  As the version of the document changes, so
should the version number.  Each section
can be given a whole number, with the decimal increasing by .1 with each
revised version.  For example, the
section outlining communication can be assigned the number 3.0.  After two edits to this particular section,
the number is adjusted to 3.2.

 

D4a.
Communication of Changes

As changes are made to the plan, updates
should be sent to key stakeholders in a timely manner. An intranet announcement
to management and an email to the Board Chair and client will alert them to the
changes.

Communicate the importance of the plan and
testing to all levels of the company. 
Knowing XYZ Company has taken steps to devise and implement such a plan
will help drive trust with those making financial investments in the company,
including its client, stockholders and staff.
References

Chubb Group of Insurance Companies. (n.d.). Tips for Resuming Business in the Wake of a Disaster. Warren, NJ.

Head, G. (2005, February). Why Link Risk Management and Ethics? Retrieved from irmi.com.

Hiles, A. (2007). BC Plan Testing. In The Definitive Handbook of Business Continuity Management (2nd ed., p. 5). John Wiley & Sons.

International Association of Privacy Professionals. (n.d.). Sample Data Protection Policy. Retrieved from https://iapp.org/resources/article/sample-data-protection-policy-template-2/#

Nieto, T. (2009, November 16). How to Implement a Disaster Recovery, Business Continuity Plan. Retrieved from eWeek: http://www.eweek.com/database/How-to-Implement-a-Disaster-Recovery-Business-Continuity-Plan/

Scalet, S. (2015, March 31). How to build physical security into a data center. Retrieved from CSO.com: www.csoonline.com/article/2112402/physical-security/physical-security-19-ways-to-build-physical-security-into-a-data-center.html

Sharrieff, M. (n.d.). How to Conduct Testing of a Business Continuity Plan. Retrieved from Houston Chronicle: http://smallbusiness.chron.com/conduct-testing-business-continuity-plan-4526.html