pros and cons of the Business Continuity Plan listed below?

Purpose

The purpose of this business continuity and disaster recovery plan is to prepare NewOptMarketing Corporation in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame. All NewOptMarketing Corporation sites are expected to implement preventive measures whenever possible to minimize operational disruptions and to recover as rapidly as possible when an incident occurs. This includes disaster recovery processes to recover and protect NewOptMarketing Corporation in the event of a disaster.

The plan identifies vulnerabilities and recommends necessary measures to prevent a catastrophic disaster that could create business failure which would result in shutdown of crucial business processes. It is a plan that encompasses all NewOptMarketing Corporation system sites and operations facilities.

2.Scope

The scope of this plan is limited to all levels of disasters; minor, medium and major impact levels. With all levels of impact studied and analyzed it will allow NewOptMarketing Corporation to determine the impact of each disaster to each business process and establish appropriate contingency measures. This is a business continuity and disaster recovery plan, not a daily problem resolution procedures document.

3.Plan objectives

Serves as a guide for the NewOptMarketing Corporation recovery teams.

References and points to the location of critical data.

Provides procedures and resources needed to assist in recovery.

Identifies vendors and customers that must be notified in the event of adisaster.

Assists in avoiding confusion experienced during a crisis by documenting, testing and reviewing recovery procedures.

Identifies alternate sources for supplies, resources and locations.

Documents storage, safeguarding and retrieval procedures for vital records

4.Assumptions

Key people (team leaders or alternates) will be available following a disaster.

A national disaster such as nuclear war is beyond the scope of this plan. Each support organization will have its own plan consisting of unique recovery procedures, critical resource information and procedures.

Data is backed daily to cloud based storage

5.Disaster definition

Any loss of utility service (power, water), connectivity (system sites), or catastrophic event (weather, natural disaster, vandalism) that causes an interruption in the service provided by NewOptMarketing Corporation operations. The plan identifies vulnerabilities and recommends measures to prevent extended service outages.

5.1 Business Continuity definition

Business continuity is the advance planning and preparation undertaken to ensure that an organization will have the capability to operate its critical business functions during emergency events. NewOptMarketing Corporation will establish procedures in order to continue to conduct day to day operations in the event a disruption occurs.

6.Recovery teams

Emergency management team (EMT)

Disaster recovery team (DRT)

IT technical services (IT)

6.1 Team member responsibilities

Each team member will designate an alternate

All of the members should keep an updated calling list of their work team members' work, home, and cell phone numbers both at home and at work.

All team members should keep this plan for reference at home in case the disaster happens after normal work hours. All team members should familiarize themselves with the contents of this plan.

6.2 Instructions for using the business continuity pl

7.Invoking the plan

The NewOptMarketing Corporation Business Continuity Plan (BCP) and disaster recovery plan becomes effective when the Business Recovery Process (BRP) is initiated after any disaster occurs. The senior management team provides the guidelines and procedures for the BCP to take effect during a disaster and restore the organization's business functions. After management sets up guidelines, senior leadership can use that to implement the BCP and regain operational stability.

8.Disaster declaration

The senior management team, with input from the EMT, DRT and IT, is responsible for declaring a disaster and activating the various recovery teams as outlined in this plan.

In a major disaster situation affecting multiple business units, the decision to declare a disaster will be determined by NewOptMarketing senior management. The EMT and DRT will respond based on the directives specified by senior management.

The response teams are trained to provide dedicated, focused support in the functional areas of their expertise to complete the BRP for specific response, resumption and recovery tasks, responsibilities and objectives. The plan to restore the critical business processes within the stated disaster recovery goals will be determined by senior leadership pending the final decision regarding the disaster declaration.

9.Notification and Justification

Regardless of the disaster circumstances, or the identity of the person(s) first made aware of the disaster, the EMT and DRT must be activated immediately in the following cases:

1 or more systems and/or sites are down concurrently for 8 or more hours

2 or more systems and/or sites are down concurrently for 4 or more hours

Web servers are down for more than 1 hour

Should an individual system or site be down for 8 hours there are backups in place to keep operations flowing while waiting for system restoration. There are 6 locations across the northeast region that houses operational data. Should two or more systems be down this could affect data management infrastructure and further delay operational functions.

10.External communications

Corporate public relations personnel are designated as the principal contacts with the media (radio, television, and print), clients, FEMA, OSHA, FTC and other external organizations following a formal disaster declaration.

11.Emergency management standards

Data backup policy

Full and incremental backups preserve corporate information assets and should be performed daily for audit logs and files that are irreplaceable, have a high replacement cost, or are considered critical. Backup media should be stored in a secure, geographically separate location from the original and isolated from environmental hazards.

Department-specific data and document retention policies specify what records must be retained and for how long. All organizations are accountable for carrying out the provisions of the instruction for records in their organization.

IT follows these standards for its data backup and archiving:

Data retention policy

Backup media is stored at locations that are secure, isolated from environmental hazards, and geographically separate from the location housing the system.

Financial Data

Records greater than seven years old are destroyed every six months.

Records less than three years old must be stored locally off-site.

The system supervisor is responsible for coordinating the transition cycle of financial data with the Accounting and Payroll team.

System image tapes

A copy of the most current image files must be made at least weekly.

This backup must be stored offsite.

The system supervisor is responsible for this activity.

Off-site storage procedures

Tapes and disks, and other suitable media are stored in the respective environmentally secure datacenter facility.

Servers should be backed up to the cloud storage medium on a regular schedule coordinated with the storage vendor.

Access to backup databases and other operational data is tested annually.

Emergency management procedures

The following procedures are to be followed by system operations personnel and other designated NewOptMarketing personnel in the event of an emergency. Where uncertainty exists, the more reactive action should be followed to provide maximum protection and personnel safety.

Note: Anyone not recognized by the operational staff within the IT, HR, Marketing and Accounting divisions as normally having business in the area, must be challenged by the staff who should then notify security personnel to protect organizational data and assets.

These procedures are furnished to all NewOptMarketing management personnel to take home for reference. An employee roster has been included to supply emergency contacts.

In the event of any situation where access to a building housing a system is denied, personnel should report to alternate locations. Primary and secondary locations are listed below.

Alternate Locations

Remote Offices: Pennsylvania

Personnel at the three facilities in this state should attempt to contact the immediate supervisor or direct management via telephone to identify if relocation has been deemed necessary. Voicemail and text messages are acceptable. Home and cell phone numbers are listed in the employee roster within this document. Please access the next closest location to resume operations. Should the incident affect the entire state/region teleworking options such as working from home may be acceptable.

Remote Offices: Maryland

Personnel at the two facilities in this state should attempt to contact the immediate supervisor or direct management via telephone to identify if relocation has been deemed necessary. Voicemail and text messages are acceptable. Home and cell phone numbers are listed in the employee roster within this document. Please access the next closest location to resume operations. Should the incident affect the entire state/region teleworking options such as working from home may be acceptable.

Remote Offices: Ohio

Personnel at the two facilities in this state should attempt to contact the immediate supervisor or direct management via telephone to identify if relocation has been deemed necessary. Voicemail and text messages are acceptable. Home and cell phone numbers are listed in the employee roster within this document. Please access the next closest location to resume operations. Should the incident affect the entire state/region teleworking options such as working from home may be acceptable.

Remote Office: Teleworking

If no facility is available, essential personnel should attempt to contact the immediate supervisor or direct management via telephone to report an instance of relocation and confirm teleworking location. Voicemail and text messages are acceptable. Home and cell phone numbers are listed in the employee roster within this document.

12.Response Scenarios

In the event of a tornado

In the event of a major catastrophe affecting NewOpt facility, immediately notify the OSHA Safety Officer.

Procedure

STEP

ACTION

1

Pull alarm immediately

2

Employees should all go to identify shelter of the workplace

3

Follow proper instructions given by emergency officials and wait for clearance

4

Notify All DRT personnel

In the event of a ransomware to any location, the guidelines and procedures in this section are to be followed

In the event of a power outage

In the event of a flood of a power outage within any computing facilities, the guidelines and procedures in this section are to be followed.

Procedure

STEP

ACTION

1

Identity the impact of service outage

2

Contact personnel to inform of service outrage

3

Restore back -up system

4

Establish maintenance for restoring power

In the event of a fire

In the event of fire (servers) within any computing facilities, the guidelines and procedures in this section are to be followed.

Procedure

STEP

ACTION

1

Alert individuals by pulling fire alarms and evacuate to safe fire exits

2

Call 911 and contact DRT to inform about fire

3

Data from servers and information can be transported to backup

4

Identify all damages and inform IT members of the damages

13.Plan review and maintenance

This plan must be reviewed semiannually and exercised on an annual basis. The test may be in the form of a walk-through, mock disaster, or component testing. Additionally, with the dynamic environment present within NewOptMarketing it is important to review the listing of personnel and phone numbers contained within the plan regularly.

The hard-copy version of the plan will be stored in a common location where it can be viewed by site personnel and the EMT and DRT. Electronic versions will be available via NewOptMarketing network resources as provided by IT. Each recovery team will have its own directory with change management limited to the recovery plan coordinator.

14.Alert/Verification/Declaration phase (1-2 hours)

Flow Diagrams

Create a workflow diagram for each risk area based on the identified steps in your procedures and based on what needs to be done within the first 1-2 hours, include decision points in the workflow.

Diagram in case of: Tornados

Diagram in case of: Ransomware

Diagram in case of: Power Outage

Diagram in case of: Fires

Plan checklists

Risk or process area: Building safety

Step

Required data, forms, or other tools or information

1

Identify fire hazards

2

Identify sources of ignition, fuel and oxygen

3

Clean and maintain areas so they have minimal dust

4

Check power sockets for overloading

5

Ensure flammable liquids are properly stored

Risk or process area: Personnel safety

Step

Required data, forms, or other tools or information

1

Identify employees

2

Identify visitors/contractors

3

Identify people with disabilities and evaluate individual needs

4

Identify other people in the immediate vicinity

5

Keep a log of visitors and an office diagram

Risk or process area: Facilities security

Step

Required data, forms, or other tools or information

1

Evaluate risk of fire occurring

2

Evaluate people at risk

3

Reduce and remove fire hazards

4

Remove and reduce risks to people

5

Document escape routes on office diagram

6

Ensure lighting, signs and notices for exits are in working order

15.Notification of incident affecting the site

On-duty personnel responsibilities

If in-hours:

Upon observation or notification of a potentially serious situation during working hours at a system/facility, ensure that personnel on site have enacted standard emergency and evacuation procedures if appropriate and notify the EMT and DRT.

OSHA Safety Officer will inspect the jobsite for safety violations and document said violations. Will also conduct weekly safety meetings and safety inspections will report to the Corporate Safety Manager.

If outside hours:

IT personnel should contact the EMT and DRT.

Personnel should contact the local fire station and authorities if there is a fire after hours.

Provide status to EMT and DRT

Contact EMT and/or DRT and provide the following information when any of the following conditions exist:

Any problem at any system or location that would cause the above condition to be present or there is certain indication that the above condition is about to occur.

The EMT will provide the following information:

Location of disaster

Type of disaster (e.g., fire, hurricane, flood)

Summarize the damage (e.g., minimal, heavy, destruction)

Meeting location that is a safe distance from the disaster scene

An estimated timeframe of when a damage assessment group can enter the facility (if possible)

The EMT will contact the respective market team leader and report that a disaster involving voice communications has taken place.

The EMT and/or DRT will contact the respective NewOpt team leader and report that a disaster has taken place.

16.Decide course of action

Based on the information obtained, the EMT and/or DRT need to decide how to respond to the event: mobilize IT, repair/rebuild existing site (s) with location staff or relocate to a new facility.

17.Inform team members of decision

If a disaster is not declared, the location response team will continue to address and manage the situation through its resolution and provide periodic status updates to the EMT/DRT.

If a disaster is declared, the EMT and/or DRT will notify IT Tech Services immediately for deployment.

Declare a disaster if the situation is not likely to be resolved within predefined time frames.The person who is authorized to declare a disaster must also have at least one backup person who is also authorized to declare a disaster in the event the primary person is unavailable.

Contact general vendors

Local fire station in case of fire

Local police station in case of fire

18.Disaster declared: Mobilize incident response/Technical services teams/Report to command center

Once a disaster is declared, the DRT is mobilized. This team will initiate and coordinate the appropriate recovery actions.Members assemble at the designated location as quickly as possible. The disaster recovery team will communicate to the command center that will be set up at the headquarters which is Philadelphia, Pennsylvania. If the company headquarters are affected or otherwise inhibited the proxy location will be a command center at Baltimore, Maryland.

19.Conduct detailed damage assessment (This may also be performed prior to declaring a disaster.)

1.Under the direction of local authorities and/or EMT/DRT, assess the damage to the affected location and/or assets. Include vendors/providers of installed equipment to ensure that their expert opinion regarding the condition of the equipment is determined ASAP.

A.Participate in a briefing on assessment requirements, reviewing:

(1)Assessment procedures

(2)Gather requirements

(3)Safety and security issues

NOTE:Access to the facility following a fire or potential chemical contamination will likely be denied for 24 hours or longer.

B.Document assessment results using assessment and evaluation forms contained in provided sample forms in an Appendix B

Building access permitting:

Conduct an on-site inspection of affected areas to assess damage to essential hardcopy records (files, manuals, contracts, documentation, etc.) and electronic data.

Obtain information regarding damage to the facility (s) (e.g., environmental conditions, physical structure integrity, furniture, and fixtures) from the DRT.

2.Develop a restoration priority list, identifying facilities, vital records and equipment needed for resumption activities that could be operationally restored and retrieved quickly. Below is a priority list of which locations will be restored in order top down.

Philadelphia

Company Headquarters

Data Center

Baltimore

Data Center

Operations Facility

Cincinnati

Data Center

Operations Facility

3.Recommendations for required resources.

1. Energy source
2. High speed internet connections
3. IT Services
4. Equipment maintenance
5. Data servers
6. Computer systems
7. WIFI access points and access controllers

20.Contact DRT: Decide whether to continue to business recovery phase

The EMT and DRT gather information regarding the event; contacts senior management and provides them with detailed information on status.

Based on the information obtained, senior management decides whether to continue to the business recovery phase of this plan. If the situation does not warrant this action, continue to address the situation at the affected site(s).

21.Business recovery phase (24 hours - full recovery)

This section documents the steps necessary to activate business recovery plans to support full restoration of systems or facility functionality at an alternate/recovery site that would be used for an extended period. Coordinate resources to reconstruct business operations at the temporary/permanent system location, and to deactivate recovery teams upon return to normal business operations.

NewOpt Marketing system and facility operation requirements

The system and facility configurations for each location are important to re-establish normal operations. A list for each location will be included section 11 under Emergency Management Standard.

Notify IT staff/Coordinate relocation to new facility

See Appendix A for IT staff associated with a new location being set up as a permanent location (replacement for site). They will initiate setup of infrastructure and ensure the site is prepared for the supplies to be relocated.

Secure funding for relocation

Decide in advance with suitable backup location resources. Decide in advance with local banks, credit card companies, hotels, office suppliers, food suppliers and others for emergency support. Additionally, the CFO will head up a dedicated group to ensure requirements are met but also budgeted for.

Notify EMT and corporate business units of recovery startup

Notify the appropriate company personnel. Inform them of any changes to processes or procedures, contact information, hours of operation, etc. (This may be used for media information.)

Operations recovered

Assuming all relevant operations have been recovered to an alternate site, and employees are in place to support operations, the company can declare that it is functioning in a normal manner at the recovery location. The stakeholders and DRT leads will be notified as such.