Disaster Recovery and Business Continuity Plan

Updated annually

Index

Purpose
Scope
Plan objectives
Disaster definition
Recovery Teams
Team member responsibilities
Instructions for using the business continuity plan
External communications
Emergency management standards
Plan review and maintenance
Alert/Verification/Declaration phase
Business recovery phase

Purpose

The purpose of this business continuity plan is to prepare the Company in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame. All Company sites are expected to implement preventive measures whenever possible to minimize operational disruptions and to recover as rapidly as possible when an incident occurs. The plan identifies vulnerabilities and recommends necessary measures to prevent extended voice communications service outages. It is a plan that encompasses all Company system sites and operations facilities.

Scope

The scope of this plan is limited to Production Information Systems and Company Offices. This is a business continuity plan, not a daily problem resolution procedures document.

Plan Objectives

Serves as a guide for the Company recovery teams.
References and points to the location of critical data.
Provides procedures and resources needed to assist in recovery.
Identifies vendors and customers that must be notified in the event of a disaster.
Assists in avoiding confusion experienced during a crisis.
Identifies alternate sources for supplies, resources and locations.
Documents storage, safeguarding and retrieval procedures for vital records.

Assumptions

Key people (team leaders or alternates) will be available following a disaster.
A national disaster such as nuclear war is beyond the scope of this plan.
This document and all vital records survive the disaster and are accessible.
Each team will have its own documented recovery procedures.

Disaster definition

Any loss of utility service (power, water), connectivity (system sites), or catastrophic event (weather, natural disaster, vandalism) that causes an interruption in the service provided by Company operations. The plan identifies vulnerabilities and recommends measures to prevent extended service outages.

Recovery teams

  • Emergency management team (EMT)
  • Disaster recovery team (DRT)
  • IT technical services (IT)

Team member responsibilities

Each team member will designate an alternate.
All members should keep an updated calling list and contact info of their team.
All members should keep a copy of this plan for reference at home and at work.
All team members should familiarize themselves with the contents of this plan.

Instructions for using this plan

Invoking the plan

This plan becomes effective when a disaster occurs and remains in effect until operations are resumed at the original location or a replacement location and control is returned to the appropriate management.

Disaster declaration

The senior management team, with input from the EMT, DRT and IT, is responsible for declaring a disaster and activating the various recovery teams as outlined in this plan. The EMT and DRT will respond based on the directives specified by senior management.

Notification

Regardless of the disaster circumstances, or the identity of the person(s) first made aware of the disaster, the EMT and DRT must be activated immediately if any problem at any system or facility would cause the production systems to go down or there is a certain indication that they are about to go down.

External communications

Senior management will designate public relations personnel to be the principal contacts with the media (radio, television, and print), regulatory agencies, government agencies, and other external organizations following a formal disaster declaration. No other personnel are to discuss the situation with the media without consulting public relations in each instance.

Emergency management standards

The following procedures are to be followed by system operations personnel and other designated Company personnel in the event of an emergency.

A. Data backup policy

Full and incremental backups should be taken to preserve corporate information assets and should be performed Backups should be stored in a secure, geographically separate location from the original.

B. Emergency Locations

In the event of any situation where access to a building is denied, personnel should report to alternate locations. Primary and secondary locations are listed below.

Primary location

Boston Office
397 Moody St. #202 Waltham, MA 02453, USA

C. In the event of a natural disaster

In the event of a major catastrophe affecting a Company facility or data center, immediately notify senior management.

Procedure

Step 1: Notify EMT and DRT of pending event, if time permits.

Step 2: If the impending natural disaster can be tracked, begin preparation of site within 48 hours as follows:

Deploy portable power supplies
Deploy support personnel
Deploy replacement modems and phones
Acquire basic necessities such as:
  • Cash for one week
  • Food and water for one week
  • Supplies, including batteries, flashlights, medical supplies, etc.

Step 3: 24 hours prior to event:

Create an image of the system and files
Backup critical system elements
Verify backup power supplies
Create backups of e-mail, file servers, etc.
Notify senior management

D. In the event of a fire

If fire or smoke is present in the facility, evaluate the situation, determine the severity, categorize the fire as major or minor and take the appropriate action as defined in this section. Call 9-1-1 as soon as possible if the situation warrants it.

Attempt to extinguish minor fires using hand-held fire extinguishers.
Call 9-1-1 in the event of a major fire and immediately evacuate the area.
A supervisor should remain nearby until the fire department arrives.
In the event of a major catastrophe, notify senior management.

Procedure

Step 1: Dial 9-1-1 to contact the fire department.
Step 2: Immediately notify all facility personnel of the situation and evacuate.
Step 3: Alert the EMT and DRT.
Step 4: Notify Building Security.
Step 5: Contact appropriate vendor personnel to aid in the decision regarding the protection of equipment.
Step 6: All personnel evacuating the facilities will meet at their assigned outside location.

E. In the event of a network services provider outage

In the event of a network service provider outage to any location, the guidelines and procedures in this section are to be followed.

Procedure

Step 1: Notify senior management of outage.
Step 2: Determine cause of outage and timeframe for its recovery.
Step 3: If the outage will be greater than one hour, route all calls via alternate services like mobile phones and all data via mobile hotspots.

F. In the event of a flood or water damage

In the event of a flood or broken water pipe within any facilities, the guidelines and procedures in this section are to be followed.

Procedure

Step 1: Assess the situation and determine if outside assistance is needed; if this is the case, dial 9-1-1 immediately.
Step 2: Immediately notify all other personnel in the facility of the situation.
Step 3: If water is not endangering equipment, contact repair personnel immediately.
Step 4: If water is of a major quantity, immediately implement power-down procedures. While power-down procedures are in progress, evacuate the area.

Plan review and maintenance

This plan must be reviewed semi-annually and should be exercised on an annual basis. Additionally, it is important to review the listing of personnel and phone numbers contained within the plan regularly. The hard-copy version of the plan will be stored in a common location where it can be viewed by site personnel and the EMT and DRT. Electronic versions will be available via the Company extranet.

Alert/Verification/Declaration phase

A. Notification of incident

If in-hours:
Upon observation or notification of a potentially serious situation during working hours at a system/facility, ensure that personnel on site have enacted standard emergency and evacuation procedures if appropriate and notify the EMT and DRT.

If outside hours:
Upon observation or notification of a potentially serious situation after working hours at a system/facility, contact IT personnel if appropriate and notify the EMT and DRT.

B. Provide status to EMT and DRT

Contact EMT and/or DRT and provide the following information:

Location of disaster
Type of disaster (e.g., fire, hurricane, flood)
Summary of the damage or impact (e.g., minimal, heavy)
Summary of the system or facility that is down
Summary of the steps to discover/reproduce
Time it was discovered

C. Decide course of action

Based on the information obtained, the EMT and/or DRT need to decide how to respond to the event: mobilize IT, repair/rebuild existing site(s) with location staff, or relocate to a new facility.

D. Inform team members of decision

If a disaster is not declared, the location response team will continue to address and manage the situation through its resolution and provide periodic status updates to the EMT/DRT.

If a disaster is declared, the EMT and/or DRT will notify IT Tech Services immediately for deployment.

The EMT or DRT will declare a disaster if the situation is not likely to be resolved within predefined time frames. The person who is authorized to declare a disaster must also have at least one backup person who is also authorized to declare a disaster in the event the primary person is unavailable.

E. Contact general vendors

Once a disaster is declared, the DRT is mobilized. This team will initiate and coordinate the appropriate recovery actions including contacting appropriate vendors.

F. Conduct detailed damage assessment

Under the direction of local authorities and/or EMT/DRT, assess the damage to the affected location and/or assets. Include vendors/providers of installed equipment to ensure that their expert opinion regarding the condition of the equipment is determined ASAP.

Building access permitting:

Conduct an on-site inspection of affected areas to assess damage to essential hard copy records (files, manuals, contracts, documentation, etc.) and electronic data.
Obtain information regarding damage to the facility(ies) (e.g., environmental conditions, physical structure integrity, furniture, and fixtures) from the DRT.

Develop a restoration priority list, identifying facilities, vital records and equipment needed for resumption activities that could be operationally restored and retrieved quickly.

G. Contact DRT: Decide to continue to Business Recovery Phase

The EMT and DRT gather information regarding the event, contact senior management and provide them with detailed information on status. Based on the information obtained, senior management decides whether to continue to the business recovery phase of this plan at an alternate site or to continue to address the situation at the affected site(s).

Business Recovery Phase

This section documents the steps necessary to activate business recovery plans to support full restoration of systems or facility functionality at an alternate/recovery site that would be used for an extended period of time.

A. Gather system and facility operation requirements

B. Notify IT staff/Coordinate relocation to new facility

C. Secure funding for relocation

Make arrangements in advance with local banks, credit card companies, hotels, office suppliers, food suppliers, etc.

D. Notify EMT and corporate business units of recovery startup

Notify the appropriate company personnel. Inform them of any changes to processes or procedures, contact information, hours of operation, etc.

E. Operations recovered

Assuming all relevant operations have been recovered to an alternate site, and employees are in place to support operations, the company can declare that it is functioning in a normal manner at the recovery location.