COOP and Contingency Plans

Introduction to Emergency Preparedness Various processes are involved in ensuring business continuity. Listed below are some to give you an idea of how many are: Business continuity plan (BCP) Business recovery (or resumption) plan (BRP) Continuity of operations plan (COOP) Continuity of support plan/IT contingency plan Crisis communications plan Cyber incident response plan Disaster recovery plan (DRP) Occupant emergency plan (OEP)

Introduction to Emergency Preparedness Planning is critical to emergency preparedness. Two types of emergency preparedness plans to look at today: Contingency plans: Geographically specific and protect life safety They help protect the corporate memory of each element They are the gateway to continuity planning Continuity of operations (COOP) plans: Designed to maintain critical functions and operations Together these plans support one another and help organizations prepare for potential disruptions, but need to be supported by an overarching policy framework.

Contingency Planning Policy Statement The contingency planning policy statement should define the organization’s overall contingency objectives and establish the organizational framework and responsibilities for IT contingency planning. Disruption of organizational operations can result in exposing a company to various risks. These risks include Compliance risk, Transaction risk, Reputation risk, and Strategic risk. Organizational leadership and the board of directors are responsible for developing emergency and disaster recovery plans designed to keep disruption of operations at a minimum and the contingency policy and procedures should contain the following key elements: Assigning authority for implementing the emergency disaster recovery plan and identifying who is responsible and their roles Identification of risk Description of data center emergency procedures established to protect personnel and property during emergencies Identification of resource and training requirements Description of backup considerations Standards for testing the disaster recovery plan Guidelines for disaster recovery planning

Policy Development Process Steps The process of creating a sound business continuity and disaster recovery plan can be broken down into several easily understood and accomplished tasks. The policy development process is broken down into the following steps: Consider the potential impacts of disaster and understand the underlying risks. Construct the IT contingency policy. Implement steps to maintain, test, and audit the IT contingency policy. Identify senior management support and ownership. Identify and acquire resources. Define responsibilities. Define project deliverables and timeline and budget.

Policy and Procedure Areas Policies and procedures will address each of the following areas: Statement of need and definitions Example: leadership, management, and directors recognize the need to establish comprehensive emergency and disaster recovery policies and plans to protect employees during emergencies and to provide for the continuity of data processing operations Purpose Example: the purpose of the policy is to protect personnel and property during emergencies and to provide procedures to recover operations should an emergency render any part of the organization’s IT operations or data access unusable or unavailable Specific goals.

Goals Samples of these goals would include: Establish authority and responsibility in the development, implementation, and maintenance of an emergency and disaster recovery policy and plan especially considering the IT department. Provide documentation of any emergency prevention measures that have been implemented. Document backup plans for hardware, programs, and documentation, as well as all data. Document criticality, priority, and dependency of one system on another or applications on specific systems. Establish recovery timeline. Outline strategies for disaster recovery. Establish requirements to periodically test the adequacy of the backups and ability to restore following the recovery plans.

Policy Elements The following are elements to include: Authority Risk management Compliance risk Transaction risk Strategic risk Reputation risk Definitions Emergency procedures Emergency phone numbers Disaster recovery planning User involvement in disaster recovery strategies Standards for testing disaster recovery plan Services Regulatory compliance checklist (if appropriate)

The COOP The purpose of a local continuity of operations plan (COOP) is to establish priorities and procedures to restore operations in the event of a disruption. Plans should cover the restoration of operations as quickly and completely as possible and provide for alternate methods and locations of operations during the disruption.

Getting Started In your overall Continuity of Operations plan, try to address these broad issues: Have you established the organization’s priorities and identified a priority of “people first”? Is authority and responsibility specifically addressed? Who will activate the plan, and how will they do this? When building the content of your COOP plan, a matrix may be the most appropriate format, for example: Function/ System Priority # Rationale for Dependencies and Interdependencies Recovery Goal Minimum Requirements Alternate Method/Location Steps

8 Steps for Continuity of Operations Planning a) Identify Critical Operations and Functions b) Minimum Requirements to perform critical functions Identify Internal and External Dependencies and Interdependencies Determine Alternative Methods and Redundancies of critical functions a) Identify the steps for Recovery and Restoration b) Establish Recovery Goals/Timelines Examine Assumptions Examine Communication methods Examine Financial Issues Implement (Maintain, Review, and Exercise) the Plan

1. Identify Critical Operations and Functions During the initial stage of continuity planning, you should list all the operations and functions for which your area is responsible. Remember to include those tasks or events which take place on a seasonal or quarterly basis. Include descriptions of how these tasks are completed, breaking them down to the most basic level. Hint: It may be useful to ask your people to list what they do during the day in order to identify all tasks.

1a. Identify Critical Operations and Functions These functions and operations should now be ranked according to their priority for restoration, considering: Requirements that vary in importance depending on critical dates (e.g. Commencement, end of fiscal year, etc.) Prerequisites for each function and operation as they determine the necessary sequence of restoration (i.e. if one particular function is not restored, you cannot proceed to the next step) Value to normal daily operations For future reference, note your rationale in the appropriate column as you revise or validate your plan. This will also assist others in understanding your priorities.

1b. Identify Minimum Requirements to Perform Critical Functions The minimal requirements for working are the resources (the physical space, equipment and personnel) required to fulfill your most vital critical functions. Assume you may have to operate from a different location, with limited equipment and supplies, and with a shortage of qualified personnel. Basic resources may include: Essential personnel (By title and qualifications; number of support staff) Computers (software/hardware) Telephone, fax, stationery, mail services, etc. Supplies or specialized equipment unique to your function (are there currently spares stored at a separate location, or is transportation of equipment feasible? If you use a specialized database, can this be accessed remotely?) Essential office or classroom space – how many people must this space accommodate?

2. Identify Internal/External Dependencies/Interdependencies Organizations must identify those other partners that they rely upon or to which they provide services. It should clearly identify services that are provided to you by other departments/organizations. Services provided by other organizations/internal departments/vendors Services provided to other organizations/internal departments/vendors Specifically identify contracts with outside partners (including a list of contact information for vendors or other departments during an incident) Can these services realistically be depended upon during an incident? If not, are there alternatives?

3. Determine Alternative Methods & Redundancies In the immediate aftermath of an incident, critical functions may need to be restored by alternative methods. Outline interim procedures and locations that would allow part or all of your critical functions to be performed until full restoration. These alternatives need to be realistic and require minimal cost and time. Estimate the duration for which the department would be able to maintain operations without its usual resources. Aspects to consider include: Personnel requirements, telecommuting/remote access, alternate processes, contracted or external services, built-in redundancies. Address technology recovery: How can essential documents/files be preserved and accessed? Are there hard-copies? Storage on flash drive? Is VPN access in place (if feasible)? For how long can the organization function without technology access (for instance, one hour, one week)?

4a. Identify Recovery Steps List the sequence of steps that are required in order to restore each function; designate those aspects that may be restored in parts Hint: A separate list may be useful instead of incorporating all this information into a matrix The steps may include: Necessary facilities/technology/support resources Important contacts Needed contracts Specific personnel (with back-ups) designated, identified, and appropriately tasked Rough estimate of cost, or outline for procuring necessary resources

4b. Establish Recovery Goals/Timeline Recovery goals should identify how quickly each function or operation would ideally be restored (in both short- and long-term). Considerations for recovery goals include: Time when replaced or restored functions are needed Alternate method if required restoration is later than expected Aspects of the function that can be restored in parts

5. Examine Assumptions Before continuing, identify and examine the assumptions on which your plan is based. Example: “Building access card system will be working during an incident, allowing staff and faculty to enter buildings and offices.” Hint: Assumptions should be listed explicitly and may be included as footnotes Considerations include: Impact of disruption of tasks or functions performed by other departments (ex. information back-up by the Division of Information Technology) Time for return/availability of all personnel and/or space for operations Are the assumptions specific? Are they reasonable and realistic? Are they clearly identified?

6. Examine Communication Methods Effective communication is paramount during an incident. Plan for communication up, down, across, and out. Identify incident communication methods and their requirements Establish alternative communication strategies (personal cell phones, for example) Include specific and detailed instructions for communication methods (phone trees, website updates, list-servs, etc.) Include pertinent communication information, like organizational contact lists and helpful internal and external points of contact (e.g. Human Resources Office, Division of Information Technology, contractors, police, fire, etc.)

7. Examine Financial Issues During an incident, organizations will likely accrue additional expenses necessary to maintain or restore operations. It is critical to identify a method for tracking incident-related expenses. Has the financial manager for the department been consulted about the specifics for the plans? Does s/he have an alternate? How should expenses accrued during an incident be documented? What alternative methods exist for paying for needed materials (disaster lines of credit, credit card, cash, etc.)? If a cost estimate has been conducted for your organization, has this information been included?

8. Implement the Plan Once your plan is written, decide who will be responsible for its maintenance, review, and dissemination, and how they will do this. Is your plan available in hard copy to the people who must use it in an incident? Is there a schedule for reviewing the plan? Who will be responsible for updating the materials? Who will provide copies of the plan to all departmental employees?

COOP to Contingency Plan Your local COOP will be useful in preparing your local contingency plan, since your functions and priorities are already determined. A local contingency plan provides geographically specific information to support local preparation for, response to, and recovery from an incident, therefore, protecting life-safety. It includes procedures regarding expectations and responsibilities, contact information, and indoor post-evacuation rendezvous points.

Introduction: The Local Contingency Plan Questions answered by the Local Contingency Plan: WHO: Designates individuals and invests them with authority WHAT: Expectations and procedures associated with an incident WHEN: The tasks that need to be performed before, during, and after an incident WHERE: Identifies key locations for incident planning and response, including locations of emergency equipment, escape routes, and indoor post-evacuation rendezvous points WHY: Protects people and serves as a gateway to continuity HOW: Explains the way your department should prepare and respond

Overview of Contingency Planning PREPARATION AND INFORMATION GATHERING This stage focuses on identifying existing procedures, plans, and policies, identifying priorities for planning, and examining your capabilities and vulnerabilities. WRITING AND TESTING THE PLAN Using the information collected during the first stage, a plan is prepared that addresses specific needs and priorities. Once the plan is complete and disseminated, it should be explained and practiced. MAINTAINING AND AUDITING THE PLAN Once the plan is written, it must be reviewed and updated annually (at least) to ensure its efficacy.

Sections of the Local Contingency Plan At a minimum your contingency plan should include the following sections: Introduction Responsibilities Communications and Resources Preparation Response Recovery Implementation

Steps of Local Contingency Planning To successfully write and implement a local contingency plan, the following sequence of steps may be useful: Examine Your Location (Introduction section) Assign Responsibilities Examine Communications and Resources Plan your Preparation Write the Response Section Write the Recovery Section Implement the Plan

1. Examine Your Location Before you begin writing your contingency plan, you must first identify and examine the area your plan covers. Include the actual address/location and departments covered An examination of your location will help you identify alternate routes out of your building and where the nearest emergency equipment and supplies are.

2. Assign Duties and Responsibilities Prior to an incident, it is useful to assign specific roles and responsibilities, such as: Ensuring faculty and staff are aware of and understand the plan Designating those who have authority to make departmental decisions Identifying individual expectations during an incident Providing guidance to faculty and staff regarding their obligation, responsibility, and authority to students Inform your department personnel of their responsibility to protect people, property, and vital interests, even in the absence of communication with direct supervisors or decision-makers. Your plan needs to describe the responsibilities that faculty, students, and staff have regarding people with special needs.

3. Examine Communications and Resources You must ensure that your plan CLEARLY identifies and describes the use of communication tools. Examples: voicemail (what number should be called, and who will update the outgoing message?); e-mail (sent to and from whom?); department list-serv (is the list-serv current? Who has access to send messages?)

4. Write the Preparation Section This section includes critical items and procedures that will be important during an incident: Identify the location of existing emergency equipment and supplies: Fire alarms, fire extinguishers, first aid kits, water, food, flashlights, battery-powered radios, AEDs, etc. (if available) Identify the location of alternate stairwells and routes out of the building Note: Mention any hazardous materials or special equipment stored in or near your offices or classrooms that could become harmful (even if they are safely contained)

4. Write the Preparation Section Identify the location of principal and alternate indoor post-evacuation rendezvous sites. Ensure that these sites are realistic: Within comfortable walking distance and in opposite directions (in case one direction becomes unsafe) Indoors and large enough to accommodate students, faculty, and staff Property that is attended or accessible Develop and include a current list of personnel, including emergency contact information; assign someone the task of keeping it current and with bringing it to the indoor post-evacuation rendezvous point.

5. Write the Response Section Address your organization’s response in the event of a variety of circumstances (e.g. fire, hazardous mail, etc.): Include or direct people to Shelter-in-Place guidance Provide Evacuation guidance Specify who will have authority during an incident to dismiss or redirect customers, contractors, or staff Detail methods of communication both inside and outside the department (including emergency contact information for staff/employees) It is critical that faculty/staff or some other designated person reports post-evacuation attendance to the per your plan Include important Organizational phone numbers Examples: Security, Key Management Personnel, Environmental Health and Safety, Medical, Facilities Management, Facilities Management, etc.

5. Write the Response Section Ensure individuals are aware of the organization’s policy for notification and reporting: All contacts from the media should be referred to the Media Relations Office All contacts from the families of employees should be referred to a central office to ensure consistent service and response to all inquiries All contacts from the families of faculty and staff should be referred to the Office of Media Relations.

6. Write the Recovery Section This section provides guidance in the immediate aftermath of an incident, and is a gateway to your continuity of operations plan: Provide guidance on how and when your staff should contact you to inform you of their status (for example, to a specific voicemail) Establish a procedure for alerting faculty, staff, and other personnel as to when and where work will reconvene (for instance, through email, online bulletin boards, facebook, phone, etc.) Determine procedures for reporting damaged property (for instance, how will an unusable workspace be reported?) and securing alternate locations

7. Implement the Plan A finished plan is useless if it is not kept current or the people it is designed to protect are unaware of its existence. A specific person or position should be made responsible for distributing and updating the plan: All members of the department and frequent visitors must be given a copy and made aware of its critical components Implement a review schedule to keep the plan current Think about providing a plan summary, wallet card, or “cheat sheet” for those individuals this plan protects.

Remember ALL employees Ensure that your plan considers everyone, including facilities management, contractors, interns, part-time employees, and visitors/guests who use the surrounding space and choose a primary and secondary indoor post-evacuation rendezvous point large enough to incorporate them and accessible to all Your plan must provide guidance to employees regarding their obligation, responsibility, and authority to visitors and handicapped persons All plans should contain alternate methods of communication to ensure everyone can be communicated with during a disruption – including persons with physical/mental disabilities

Local Contingency Plan Wallet Card Sample OUR LOCAL CONTINGENCY PLAN: Evac Point is TOKYO HALL 7th FLOOR +Emergency contact number for PD: 4-6111. If this is not working, dial 911. +Check status at caaa.emergency.com or 222-994-5050 +Location of Emergency Supplies: Fire Alarms: elevator lobby and outside office (7011) First Aid Kit: under the microwave Fire Extinguisher: above the copier +In case of a medical emergency, contact Tokyo Police, then send someone to meet the ambulance. Avoid moving the victim unless absolutely necessary, and only perform emergency medical procedures if you are qualified to do so. +For more information, please refer to the complete local plan, available from your supervisor or online at caaa.sadvisories.com in Annex A of the organization Incident Response Manual. + When to Stay Put: In a crisis, Shelter in Place (stay inside in a windowless, interior room) unless the building has received structural damage or you receive directions to do otherwise. + When to Move: Only evacuate to move to a location of greater safety. When evacuating, take your Contingency Card and keys, and use the stairs. If there is smoke or fire, cover your nose and mouth, staying low to the floor. + Our principal post-evacuation rendezvous point is the Abrams Great Hall in the Marvin Center. The Center Lobby is our alternate location. Once there, check in with your supervisor or the Office Manager. + By COB on day of an incident leave a message on the Office voicemail 222-994-6600 indicating safety, location and contact information.

Local Contingency Plans and Guidelines Ensure local contingency plans are posted in at each location/building and in all Incident Manuals A Contingency Planning Guide and a Planning Checklist should be located on internal organization websites