Professional Documents
Culture Documents
Peak Security
___________________
Business Continuity and Disaster Recovery Plan
Prepared by:
Nikolas Seropian
Austin Wellman
Michael Lucas
Jonathan Fuentes
Aaron Phillips
Version 1.0
Peak Security BC/DR Plan 2
Table of Contents
Phases 1-3…………………………………. 3
Phases 4-6………………………………... 30
Phases 7-9………………………………... 42
Phases 10-11…………………………..…. 66
Citations………………………………….. 90
Peak Security BC/DR Plan 3
Phases 1-3 of the BC/DR plan will identify all types of potential threats and mission
critical functions as well as assess the impacts that threats or loss of mission critical functions
Natural Threats
political, physical, and natural threats to their existence and operational abilities. With regards to
natural threats, some of the ones that impact on businesses include earthquakes, floods, strong
With regards to the sources of the threats, blizzards originate from strong winds with
snowstorms, earthquakes are caused by the shaking of the earth’s tectonic plates, floods happen
due to lots of rains while tsunamis are caused by high sea waves usually due to the
earthquakes. The avalanches are more like mudslides. While they both fall rapidly from high
areas, avalanches erupt from high mountains die to the melting of ice or snow while mudslides
In terms of the likelihood of occurrence, the shaking of the earth can occur at
any time, melting of snow and wet soil can emerge rampantly depending on earth temperatures
and the level of water in the soil, respectively. Using an upstream loss analysis, the earthquakes,
Peak Security BC/DR Plan 4
blizzards, mudslides and avalanches may destroy the roads so that suppliers cannot access the
distributors. Similar impacts could happen in the seas where strong winds and tsunamis can
Companies are therefore vulnerable to the sources of threats described above in various
ways. For instance, earthquakes destroy buildings, warehouses and products stored in the
production. Floods, avalanches and blizzards could affect people’s access to the business places
while tsunamis may affect the ease of movement of goods through the seas and oceans.
natural threat. For example, in cold regions, the businesses should prioritize avalanches,
blizzards and flooding while in earthquake-prone areas, the same target should be
warehouses are demolished by earthquakes, the goods are also crashed. When blizzards,
mudslides, strong winds and avalanches block roads, the movement of people to conduct their
businesses are impeded. Similarly, during tsunamis, transportation of heavy goods through the
Man-made Threats
Human error. Human errors often cause systems to become logically corrupt or unusable.
An accident as simple as an employee tripping on a cord can bring down an entire storage
system. Predicting the types of human errors that are most likely to occur and having protocols in
Manmade threats are the more common threats to businesses and their networks and
data. These can come in the form of a direct attack on a system in the form of hackers, spam,
viruses, and worms. They can also show themselves in the form of credit card fraud and identity
theft from data stolen from company’s systems. Also, terrorism is a constant threat to
businesses.
Spamming
undesired bulk messages. While the costs of spamming are not easily determined, the general
costs of spam for a company refer to the overhead of preventing spam, including spam blockers,
and loss of productivity due to having someone dedicated to trying to stop the spam mail or the
Phishing
fraudulently acquire sensitive information, such as passwords and credit card details, by
attempts to get people to pass on personal information for the recipient to use it in nefarious
ways. This is a very common threat and would rate this one 8 out 10.
Peak Security BC/DR Plan 6
Virus/Worms
program uses a network to send copies of itself to other nodes (computer terminals on the
network) and it may do so without any user intervention. Unlike a virus, it does not need to
attach itself to an existing program. Worms always harm the network (if only by consuming
bandwidth), whereas viruses always infect or corrupt files on a targeted computer. This attack
Steganography
Steganography is the art and science of writing hidden messages in such a way that no
one apart from the intended recipient knows of the existence of the message. This attack is not a
common threat and takes some skills so I would give this one a 3 out of 10.
Insider Threat
An insider threat occurs when individuals close to an organization who have authorized
access to its network intentionally or unintentionally misuse that access to negatively affect the
organization's critical data or systems. Do not take this one lightly because this one happens
user does not have to click on anything to activate the download. Just accessing or browsing
a website can start a download. Cybercriminals can use drive-by downloads to inject banking
Trojans, steal and collect personal information as well as introduce exploit kits or other malware
to endpoints (Rosencrance, 2019).
a target, such as a server, website, or other network resource, making the target totally
inoperable. The flood of connection requests, incoming messages or malformed packets forces
the target system to slow down or to crash and shut down, denying service to legitimate users or
Ransomware
Ransomware is a form of malware that encrypts a victim's files. The attacker then
demands a ransom from the victim to restore access to the data upon payment. Users are shown
instructions for how to pay a fee to get the decryption key. The costs can range from a few
often these occur, and they are very difficult, almost always lose data if not paid.
Peak Security BC/DR Plan 8
1. Humans are the biggest threats to IT security. These vulnerabilities come from employees,
vendors, and anyone else who has access to a business’s network or IT-related systems.
On one hand, a cyber-attack or data breach can occur simply because of human error or a
lack of cyber security awareness, using easy to guess passwords or employees falling for
phishing scams. They may simply have a moment of forgetfulness or may be tricked by hackers
via social engineering. Attackers frequently use social engineering because they use other tactics
to get information in order to get their victims to either provide the information they want or to
Employees, and even former employees, can be very high cyber security threats. They
may want to profit by selling or using data, or they could maybe want revenge against a current
or former employer, leading them to install malware, download data, or change system settings.
Employees are not the only threat employees of vendors can also pose a threat, however.
Capital One recently made headlines when 100 million customers’ accounts were
it turns out, Capital One used Amazon Web Services for their hosting. The hacker, a former
“140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and
addresses, credit scores, credit limits, balances, and other information, according to the bank and
Capital One expects to face $150 million in costs related to the hack, including customer
notifications, credit monitoring, tech costs, and legal support. This is not taking the potential
and in some cases, even disguise itself. Some types of malware are adaptive such as
metamorphic or polymorphic malware, they can change their code to adapt to the system under
breaches and can cost upwards of millions to secure, contain and protect systems after they have
been breached.
1. Emotet
2. Kovter
3. ZeuS
4. NanoCore
5. Cerber
6. Gh0st
7. CoinMiner
8. Trickbot
9. WannaCry
10. Xtrat
Peak Security BC/DR Plan 10
2. Phishing is a cyber security threat to business small and large. $17,000 is lost every minute
or accounts, gain access to data, get the victim to perform an action such as a wire transfer,
General phishing
Spear phishing
CEO fraud
Smishing
Vishing
Clone phishing
Domain spoofing
URL phishing
Phishing frequently involves the use of social engineering tactics. They can use domain
Facebook together lost more than $100 million to a phishing attack. Crelan Bank in Belgium lost
page forms of eCommerce sites to steal their customers’ financial and payment information. The
jacking each month.
malicious actors known as Magecart. The British Airways attack resulted in more
than 400,000 credit cards being stolen at a projected loss of $17 million. This is in addition to the
record £183 million fine that was imposed against the company due to its lack of General Data
make you non-compliant with industry and regulatory cyber security standards.
have the resources to rush that process in house, so they roll out patches when they can, or they
may need the services of a third-party service provider, a lot of technology remains unpatched,
they examined only three hundred were properly patched.
Peak Security BC/DR Plan 13
helped the spread of WannaCry ransom ware, that cost the Nation Health Service in the UK 100
million Euros. Although Microsoft had released patches for Eternal Blue well beyond the 2017
their systems, or they were operating old systems that no longer had the ability to be patched.
Peak Security BC/DR Plan 14
Infrastructural Threats
Businesses and life have a few connections that can make or break a business on a high to
low level. Depending on the threat being an internal or external threat. Today there are more
threats than ever but with the way of the world most of those threats have solutions or policies
and directions to contain or eliminate the threat itself. The threats and information given below
are examples of threats, policies, and a few solutions that most if not all businesses face today.
Starting with Critical Infrastructure Threats ranging from security and government are
concerned about the vulnerabilities. In a recent Reuters article, Dan Coats, Director of National
Intelligence, said: “The system was blinking red. Here we are nearly two decades later and I’m
here to say the warning lights are blinking red again,” Coats specifically marked Russia, China,
Iran and North Korea as “daily” attackers of America’s computer networks, at federal, state and
local government agencies level, in addition to U.S. corporations, and academic institutions.
Cyber Threats are becoming one of the bigger threats of today. Focusing on anything from
the old money move to data in the spectrum of corporations and personal information. In
continuing to read the article (Tal, 2018), you see more into the thoughts, process and execution
of such a threat. The list of cyber threats increases rapidly. The following list represents a partial
Terrorists and other non-state actors seeking to destroy, incapacitate, or exploit critical
infrastructures to threaten national security, cause mass casualties, weaken the economy,
Criminal groups, attacking systems, using spam, phishing, and spyware/malware, identity
Individuals and groups “grazing” the cyber world in search of victims, for a combination
systems to coordinate attacks and to distribute phishing schemes, spam, and malware
attacks.
Disgruntled insiders, poorly trained employees, incompetent contractors – all creating the
National intelligence and psychological operations organizations, using cyber tools for
goals.
Spammers using the above methods to distribute unsolicited e-mail with hidden or false
Being passed by Cyber style threats but with the evolution of technology with the inclusion
of more online banking and e-commerce. Financial threats are still one of the higher threats to a
business and people past, present and will most likely continue into the future. There are many
ways to categorize a company's financial risks. Those being listed from the article (Maverick,
2019), being market risk, credit risk, liquidity risk, and operational risk.
There are four broad categories of financial risk that most companies must contend with.
Market risk is what happens when there is a substantial change in the particular
Credit risk is when companies give their customers a line of credit; also, a company's risk
Liquidity risk refers to how easily a company can convert its assets into cash if it needs
SWOT (strengths, weaknesses, opportunities and threats) to the company and industry are
really you break down of what could slow or stop progression of a businesses future. Reading
into the article (Business Blogs, 2019) elaborating more, of how again certain threats can be
influential to a business.
1 – Technology
example, ‘going digital’ or taking your business online will please many customers but not those
adverse to change. These people are typically in the ‘laggards’ group of the technology adoption
Many industries struggle directly or indirectly with the speed of technological change,
and sometimes they can be replaced by startups providing a product or service which is far
superior. For example, Uber and ridesharing, has disrupted the taxi industry, and some may say
One of the biggest dangers a business faces is in believing that they are invincible to
these forces and one area which is also as worrying today as it was yesterday is cybercrime. No
website is safe or protected entirely from hackers and they are using innovative ways to get to
On a positive note, technology has bought companies closer to their customers. Software
and apps have increased efficiencies within the business and opened up the global economy
insofar as the clothes are likely to have been made in more than one country.
2 – Globalization
Each business is now competing in every market in the world. This, again, is a product of
technology but has also become a point for concern in and of itself. It is easier than ever to send
work overseas, find products from other parts of the world, and communicate with potential
partners in other countries. This all creates new challenges for businesses.
Due to international laws, a company may be limited in what they can do about some of
these challenges, but that only means they need to be more creative in how they combat them.
For example, if your company’s product or service can be outsourced overseas at a much lower
cost, you need to think about another way to make yourself more appealing at a higher price
This is also influenced by the development of technology but is much more a matter of
people. Job seekers are becoming more and more able to find work they can perform from the
comfort of their own home. Not only that, but the most youthful members of the labor force
If a company does not adjust to the needs and demands of the new labor market, they can
We touched on this topic earlier, and now we’re in the 5th industrial revolution changes
are happening faster and on a much larger scale than they have ever occurred before. This means
that a business could make a shift in strategy today that is the right decision, but in a short time,
The level of flexibility that companies need is something relatively new. While it is
essential to display a level of consistency so that consumers know what to expect, if a company
allows that consistency to turn into stubborn continuity, there will be a price to pay.
Most threats are external to a business. In an article from the Hartford’s Business owners
Playbook (The Hartford, 2021) Finding weaknesses, which are hard to self-identify objectively,
are normally seen when you look around your world and communicate with peers and customers
The economy. If you sell something consumers need in any economy, you will fare better
than others.
Material shortage. Tensions in an oil-producing country result in big price hikes, raising
Your computer system is hacked. This can knock your website out for days during a
Employment in your industry is strong. This can make it hard to find skilled workers.
Market demand dries up. Think Blockbuster falling behind Netflix because of its late start
streaming content.
Like said earlier in this document, threats create opportunities by making a person or
newer adaptation.
When combating or overcoming any threats in a business, you find that the same information
from an article on how to cope with threats, we are relatively experienced in maintaining a level
of composure and tenacity to tackle the threat head on with a game plan. That can make anyone
in the organization feel confident. Later in the same article it continues to show how having a
plan and good belief in a set plan can pay off. (Blanks, 2013) Keep your focus the truth is,
focusing on these threats could become an obsession, it might even become a full-time job! Our
secret is not to let it bother us. Of course, we keep our fingers on the pulse, but we find looking
at new threats pointless, we focus on what we’re doing right and improve each of them bit by
bit.
We keep on target with synchronized plans and make our overall targets very clear. We
sat down and planned out the next five years for our business and that’s broken down further into
a one-year plan and quarterly targets we need to strive for to make the five-year plan happen.
Each of the directors sticks to this and our departmental managers stick to their plans, focusing
Worrying gets you nowhere; I remember how anxious we were over Amazon’s expansion plans
into office supplies. We need not have been, we have continued to grow every year, even with
Amazon’s buying power and economies of scale. There was nothing we could do, and as it turns
To sum up, with business it is your own success that you need to focus on, not the strengths of
other operators in the marketplace. Drown out the noise created by your competitors and instead
keep focused on the objectives you can achieve from within. It’s those, and those alone, you
“A mission-critical task, service, or system is one whose failure or disruption would cause an
The term mission-critical is a description used for any essential service that is necessary
in order for normal operations to continue. These are operations within a business that cannot be
interrupted under any circumstances if the business is to continue production of their services.
Some examples of mission-critical functions are databases and process control software which
are crucial to companies that run on mainframes and workstations. There are also functions like
emergency call centers, computerized patient records, data storage centers and communication
systems that are mission critical. If these services were to fail to continue, they could cause
severe disruption of services, heavy financial losses, and even loss of life.
With so many different functions that can seem so critical, it can seem difficult to decide
which functions are the most important to focus on protecting. Different parts of a company may
rely on different things, such as HR needing their payroll application to function, marketing
needing their CRM system to sell products, or manufacturing needing its automated inventory
management system to even make anything. But while all of those may be true, there must be an
Within the IT department, there are functions critical to the company in order to keep a
business going after a disaster, for example, creating, managing and storing backups of all data
before a disaster. If a failure occurs, the moment systems return online, a backup of everything
will need to be ready to go that very day in order to ensure a quick return to functionality. It is
also important ensure the confidentiality, integrity and availability of critical business data. A
For Peak Security, the two requirements to keep the business functional are internet and
email access as well as being able to travel to customer sites. If a loss of internet or email access
were to occur, it would have to be brought back up within 48 hours in order to keep business
lines moving and to maintain access to SH mail servers, customer servers, and SH web servers.
As there is a 48-hour window, this luckily means that minor outages should not pose an
immediate threat to the company, however, other forms of longer lasting disasters could
potentially cause a network outage to last longer than that amount of time. As Peak Security is
responsible for establishing strategic relationships with their clients and partners as well as
providing them with services spanning the entire service chain and security solutions, being
unable to successfully perform these due to a long outage or inability to travel could have dire
effects on the company’s reputation, partnership’s and income that come from them, as well as
potentially require additional costs to fix any necessary hardware (in the event outages are
caused from broken hardware, or transportation needs to be repaired). While the max tolerable
downtime is two days, the recovery time and cost of such disasters will depend on the cause of
the disasters as well as how much the damage the disasters have caused, as outages or loss of
It would be best for the company to have some forms of backups to help keep forms of
transportation ready as well as secondary forms of internet connectivity. These can be in the
General Liability Insurance: Every business, even if home-based, needs to have liability
insurance. The policy provides both defense and damages if you, your employees or your
products or services cause or are alleged to have caused Bodily Injury or Property Damage to a
third party. Contacting the insurance company is relatively easy in today’s workplace. You are
Property Insurance: If you own your building or have business personal property,
policy that will protect you if you have a fire, vandalism, theft, smoke damage etc. You may
also want to consider business interruption/loss of earning insurance as part of the policy to
Business owner’s policy (BOP): A business owner policy packages all required coverage
a business owner would need. Often, BOP’s will include business interruption insurance,
company’s specific needs, you can alter what is included in a BOP. Typically, a business owner
will save money by choosing a BOP because the bundle of services often costs less than the total
are injured on the job. This type of insurance provides wage replacement and medical benefits to
those who are injured while working. In exchange for these benefits, the employee gives up his
rights to sue his employer for the incident. As a business owner, it is very important to have
worker’s compensation insurance because it protects yourself and your company from legal
complications. State laws will vary, but all require you to have workers compensation if you
Data Breach: If the business stores sensitive or non-public information about employees
or clients on their computers, servers or in paper files they are responsible for protecting that
information. If a breach occurs either electronically or from a paper file a Data Breach policy
Simply put, the cost of your insurance will depend on what your business does and how
much of it you do. Depending on the type of operation you run, you may need to purchase
several different types of additional coverage (i.e., if your business has delivery vehicles, you
will need to get commercial auto coverage). But for starters, here are a couple of examples:
A tiny shoe repair cobbler nestled on the corner of a quiet downtown street would need a
combination of property and liability coverage, which might run at about $1,200/year. If they
had additional employees and needed workers' compensation, that aspect of the coverage might
A large gas company based in Louisiana that owns wells and trucks and has several
locations as well as tons of employees might pay more than $10 million/year for coverage.
Peak Security BC/DR Plan 26
aware of as well as potential risks and hazards that could affect either an individual person,
and changes in weather patterns in recent years affecting climate enough to cause various
hurricanes each year. While many organizations have found ways to mitigate the spread of
for all employees, it is still a huge risk to productivity should an outbreak occur.
Additionally, hurricanes and changes in weather patterns can lead to floods and other natural
disasters which can affect the physical location of many companies, as well as potentially affect
the data for employees and clients because an outage may occur and without a proper recovery
be mindful of for an information technology company, all because of the potential impact that
these disasters could have on the data being protected or secured. Disasters such as these,
especially building science and security in place- such as safe rooms- are crucial to ensure that
the necessary rooms are protected. With most of the data securing private information of clients
for the organization, it is imperative that it be locked down not only digitally but
o Then using this information, write a memo to the Task Coordinator detailing your
findings.
In order to mitigate fallout from any of these potential disasters, FEMA has developed many
IPAWS: The Integrated Public Alert & Warning System provides local alerts, but is a national
system providing mobile notifications and alerts regarding any type of emergency that may pose
a threat.
and non-profit companies that qualify and have been affected by natural disasters
Preparedness Grant: A particular funding option for non-emergency situations. This type of
Hazard Mitigation: This funding option is put in place prior to a disaster in an effort to avoid
possible emergency situation from occurring. It can help with pre-planning and managing
Threat and Hazard Identification & Risk Assessment: THIRA is a FEMA service that offers
prepare for potential hazards or emergencies. FEMA offers a community level and a national
level of this type of assessment depending on the nature of the risk or community. The
assessment service allows a community to determine the capabilities that need to be in place to
collaboration.
manage and have long-term support following an emergency. Resources are also provided as a
completed in order to determine what type of resources/support are necessary in case of possible
As we prepare our resources to recover from the recent data breach, it is worth considering some
of the services offered by FEMA, the Federal Emergency Management Agency. Because the
nature of our data focuses on cyber security, a Preparedness Grant from FEMA is a potential
option for financial support. The Homeland Security Preparedness Grant can offer financial
assistance to help us mitigate potential risk from domestic, cyber security attacks which can
Preparing an application for this grant will mean that we are proactive in securing our networks
to the utmost ability, affording our customers with peace of mind and security in their data. The
recent attack shows that even when we attempt to think of everything that could theoretically
breach our system, surprises may occur and having a plan in place allows us to recovery quickly
Please consider this grant and review the application process found on FEMA’s website
directly. Should I be able to offer support in this application, please do let me know as I believe
this is the best route for the organization to go moving forward and from a financial stability and
security standpoint.
https://www.fema.gov/
Peak Security BC/DR Plan 30
Phases 4-6 will create plans for different types of backup sites, develop a procedure to
notify and activate an alternate worksite and create an inexpensive and feasible backup solution
Cold Site
Executive Summary
A cold backup site for business continuity and disaster recovery (BCDR) has little in it.
Unlike a hot site that is fully set up and ready to go, allowing for easy relocation and minimal
downtime. The cold site, therefore, only contains the essentials. Relocating to a cold site requires
setting up equipment, making the necessary installations, and loading the necessary software to
The first major advantage a cold back-up site is the cost component. A cold back-up site
contains the least number of essentials that are needed in case relocation is needed. This includes
connection to power, internet, water, and adequate space adequate for relocation. For example, a
cold site does not require maintenance costs, any equipment, or I.T personnel, since the site is
barely functional. In comparison to hot or ware back-up sites, a cold site is the least capital
intensive.
Peak Security BC/DR Plan 31
A significant disadvantage of a cold backup site is the time component. In the case of a
disaster, the business needs to relocate to the back-up site and resume operations with
expediency. With a cold back-up site, the recovery time is much longer considering that
everything must be set-up afresh. Businesses such as Peak security may not have high tolerance
Costs
While costs incurred are minimal in the short term, any incidences that mandates the
company to relocate to the backup site may result in the company incurring significant
expenses. First, in the case of a disaster recovery event, a company with only a cold back-up site
will lose all its data, and recovery may be impossible or expensive (Redhat, 2021). Businesses
with hot sites safeguard the protection of their data. Secondly, a recovery event to a cold site
could result in significant costs because of down-time. The time that the business halts
operations can be costly because it is not engaged in money making operations, but still has
expenses. Getting operations back to a state of full operations may cost more than running a hot
back-up site.
Peak Security BC/DR Plan 32
Location
The backup location will be in Portland, Oregon. This is because Portland is ranked as
the safest place to live to avoid natural disasters. To avoid a disaster recovery event, Portland is a
metropolis that would allow for expedient resumption of operations, with the least likely hood of
recurring disasters.
Equipment
Equipment needed to run the cold back-up facility includes an office space, electricity,
internet access, cooling system, and air conditioning, communication equipment, and water.
Additional Resources
There should be security detail to safeguard the premises and minimal equipment from
Conclusion
Cold sites for disaster recovery are sites that have minimal equipment in them. A
significant advantage of cold back-up sites is that in the short term, they are cost effective.
They have little equipment to maintain, therefore the company can save funds. Eventually, cold
back-up sites are unappealing because they take longer to set up, making the business suffer
longer down-times, and costs the business more if a disaster recovery event occurs. It is therefore
advisable to compare the short term and long-term benefits of back-up site varieties before
Warm site
A warm site is considered the middle ground between the cold site and the hot site. A
warm site is a backup facility that has the network connectivity and the necessary hardware
equipment already pre-installed. However, a warm site cannot perform on the same level as the
production center because they are not equipped in the same way. Therefore, a warm site has less
operational capacity than the primary site. Moreover, data synchronization between the primary
and the secondary sites is performed daily or weekly, which can result in minor data loss. A
warm site is perfect for organizations which operate with less critical data and can tolerate a
short period of downtime. This type of a DR site is the second most expensive option.
Location
The choice of location is primarily dictated by how sensitive and critical the data is, how
big the allocated budget is, and what types of disaster the area is most subjected to. If you want
to ensure near real-time data synchronization between the primary and the secondary sites, both
sites should be located relatively close to each other. However, in this case, a disaster might
affect both locations at the same time, leaving you with no chance for system recovery. On the
other hand, if the sites are situated too far away from each other, issues with data synchronization
might occur. Moreover, it would then be necessary to hire new IT personnel responsible for
Hot Site
Developing multiple levels of back up options is a crucial part of disaster recovery and
ensuring future business continuity. Whereas a cold site backup location requires a customer to
have their own materials, equipment and management themselves, a hot site backup location
essentially replicates what was already created elsewhere- equipment included. Both options
allow for solid disaster recovery of any lost materials and ultimately, the best way to determine
the ideal option for any organization will be to consider the usage and role of the client
themselves as well as allowing them to determine which option is best for their specific data.
A hot site location can be the best option for an organization if reducing downtime and
loss of productivity are crucial for the company. While this sounds ideal in theory, it can mean
an increase in expenses overall and therefore, will not be viable for smaller organizations.
Additionally, if a hot site location is created, data is fully replicated so the chances of losing
anything crucial are slim to none. Because the secondary site should be located nearby but not in
the same building, the chances of a single shutdown affecting both locations is also very rare.
Ideally, a hot site is set up directly after the initial or primary location is created so that the
Business continuity is the number one benefit to a hot site as the entire organization
could essentially move to the secondary location should a disaster occur, leaving the company
with no need to shut down to restore anything. The biggest con of a hot site is the cost. Because
the secondary site still accrues rent, has electricity costs and even costs to run in general, an
organization must be able to sustain both locations financially. If the benefit of quick recovery
and limited downtime outweighs the costs associated with the secondary location or hot site, it is
Peak Security has determined that an ideal recovery plan includes the use of a hot site
location to limit the potential downtime of the organization should a disaster occur. Despite the
potential downsides, a hot site will be the most secure, productive way to maintain business
continuity and since our main site location is already operational, a hot site can now be
created. Ensuring that an exact replication of site, services, and resources is created and available
is essential in safeguarding that there will be no downtime or production loss should a disaster
occur. Because of the costs associated with the creation of this hot site, Peak Security will be
making the same financial investment that we had during the creation of the primary site location
as it is assumed that the loss of production time would have a greater impact on revenue than it
Of the resources needed to stand up the hot site or secondary location, cloud data
infrastructure is crucial. In the event of a disaster, access to client data will be necessary and
essential. Having data on the cloud can present its own risks; however, the ability to share
between locations will make it a dramatic benefit in the case of a disaster. Additionally, servers
large enough to hold all data stored at the primary location will be just as important for the hot
site so that when the site does become primary, storage limits are not met right away and the
same production time can go into effect at the secondary location (now the primary location,
Because the hot site location will be an exact replica of the primary location, thought
should also go into infrastructure when it comes to upholding a traditional office environment.
While minutia like vending machines, snacks or even office supplies can be determined when
and if the site becomes fully operational, having equipment like working desktop
monitors, computers and even small office products like mice, keyboards and headsets will be
necessary. The goal should be that if need be, the hot site can be fully functional within less than
a day meaning all employees can migrate over to the new location without any delay in having to
The most important resource for the hot site is funding. Because of the extra costs for
upholding the building, buying the equipment and materials and securing all the data, money
becomes the primary resource needed. Without the funding, the hot site location cannot exist in
the way that it needs to in order to reduce downtime and productivity in the event of a
who are aware of the need for the hot site to become functional, in case of disaster event, will be
crucial as well. Without these resources already in place on stand-by, so to speak, there could be
additional delay in the usage of the secondary location which negates the benefits of the hot site.
Ideally, all involved with Peak Security can and will be using the secondary location (hot site) as
their primary location within less than 24 hours of a disaster occurring and affecting the original
primary location.
Peak Security BC/DR Plan 37
Mobile Site
When most people think of starting or running a business, they follow the typical
humdrum idea of everything in one building. Anyone in the IT department can verify that that is
no longer the truth. As times change and business go more high-tech involving e-commerce
ranging from sales, marketing and even customer information. Not only the customer side of
things but also in house, employee records and more are now being saved in different locations
Since the invention of the internet and intranet companies that focus on data security,
backup, and recovery. Moving more personal and professional flies electronically is riskier
nowadays than it was to have the secretary or office worker walk it down the hall or to a
different floor to be added in manually or filed by hand. Below you will find that there is even a
Found on the website of Datastorage Corp. the flat out tells you that doing a mobile style
backup is the new way of the future. The article stated, (Datastoragecorp, 2020)“Gone are the
days when the Fortune 500 companies were the only ones that could afford state-of-the-art data
recovery solutions. Advances in technology and the utility model of computing now enable you
to achieve powerful disaster recovery and business continuity benefits—with the simplicity and
affordability you require.” letting their potential customer know they are up to date and on par
Even the National Records Center or NRC also have options and information for
companies and personal record cloud or mobile data management. The NRC states, (National
Records Center, 2021) “Safeguarding critical business data today means more than having a
backup plan: It means ensuring that every aspect of backup, transmission, storage and recovery
meet stringent privacy and security requirements to protect your confidential customer, patient,
NRC’s E-Backup and Restore data backup, archiving and recovery service utilizes
proven technology previously available only to Fortune 500 companies, but with an interface
designed to be used by any size organization. It is user-friendly, reliable, secure and cost-
effective.”
Companies like Crash Plan make it clear that other programs, (Crash Plan/ Code42
Software, 2020) such as Dropbox or One Drive does not support all for a business yet more for
the consumer on an individual basis. Crash Plan, IDrive and more have set employees and
business mottos that have gained reputations as some of the best companies to assist, manage
and, ease any company into using mobile or off-site data management.
Peak Security BC/DR Plan 39
Mirror Site
A mirror site is created when a set of files within a computer server or drive has been
copied to another server or drive, making it so that the files are available in more than just a
single place. This is done by linking two systems together so that they will continually match
each other. Mirroring can be used with disks (such as in the form of RAID) or on servers. The
mirrored servers can also both be at entirely different locations. If a computer malfunction
In a hot swap, the system signals that a disk failure has occurred and switches to the
mirrored disk. This allows for a quick, seamless transition that the user may not even recognize
without being given a notification that a malfunction had already happened. With a hot standby,
a backup from the active disk is put onto the remaining disk. A new disk is installed, creating a
new backup system, while the malfunctioning one is discarded. Little data is lost during this
There are many pros to a mirror site. It is very efficient in that it can synchronize changes
without any lag or loss, as well as perform backups quickly. It requires less bandwidth than other
data replicating methods while also having no limitations on geography. No special hardware is
required either, meaning a lower cost compared to other methods. Database mirroring also
There are also many cons, however. Mirroring is limited to two servers, so losing both at
once can still cost all data. Real time mirroring also means that incorrect changes on the main
drive also affect the backup as well as increasing wear of drives. It can also lead to a lot less
storage space as everything has to be saved twice and could also require additional cooling if
adding a second disk. Database mirroring can also be difficult to remove from a system.
There are a few options to choose from when looking for back-up solutions for the
VMware infrastructure. Data can be backed up to the cloud, storage area network, tape or
detachable drive. Cloud and SANs are online forms of storage while tapes and drives are
using one of the online options is not a bad idea for day to day needs. VMware has a cloud
option in the form of vSphere Replication’s VMware Site Recovery Manager. With this,
Appliance Management Interface within vSphere can also be used to back up vCenter Server
However, for more important data, such as info on the defensive measures other
companies may send to Peak Security, a drive or tape could be used instead. When compared,
the only real advantage of tape over drive is cost, and it isn’t much of a big difference, so as long
as cost isn’t a major concern, using drives to perform full yet quick backups of vital data can be
helpful, and can prevent issues with backups being sent to the cloud when there are internet
issues.
Peak Security BC/DR Plan 41
Alternate Worksite
Email – nikserop@uat.edu
Phases 7-9 will develop a communication template as well as create a disaster declaration
essential supplies, BC/DR activation steps, an assessment for determining structural damage, and
checklists for contacting disaster recovery specialists as well as working suppliers. It will also
identify addresses of appropriate emergency response organizations, policies for locations and
Crisis Communication
Peak Security, Inc is a technology security-based firm established by leading minds in the
security sector. It has a high-quality security industry experience, providing a variety of services
aimed at helping their clients to achieve their security goals. These services include software
development, security consulting, security assessment, penetration testing (Peak Security, Inc,
2021). Like other organizations, especially in a highly sensitive security industry, Peak Security,
Inc often face crisis situations. One of the most common forms of crisis that Peak Security can
encounter financial where it can experience difficulties to meet its financial obligations, thus
causing reputational damage. The second common type of crisis it can face is personnel-related,
such as employee turnover, which would affect its performance and reputation (Sheehan and
wrongdoings due to organizational malpractices. Another form of crisis the company can face is
2017). The final type of crisis that Peak Security can face is natural, such as flooding or current
health crisis caused by Covid-19 pandemic. Depending on the type of crisis that Peak Security
Peak Security BC/DR Plan 43
situations. The following communication template will assist to serve that purpose.
Communication Template
Spokesperson Response
When Peak Security finds itself in a crisis, it would be important to have an assigned
spokesperson to speak on its behalf. This person can be the company executive, or the CEO, or
the Chairman, or someone who the company feel is best suited to represent the
as his or her actions would influence how key stakeholders will respond to the crisis situation.
Regardless of how smooth operations are running at Peak Security at the moment, the
company should always prepare for a crisis to occur. Proactive damage control serves this
purpose as it helps to prevent or reduce the effects of a crisis before it starts (Sheehan and Quinn-
Allan, 2017). Having a proactive damage control will facilitate a more credible and
compelling communication during a crisis as the firm can refer to it (Coombs, 2017). For
example, it can refer to different security protocols that were employed before, during and after
Case Escalation
resolved on the individual level before they reach an unmanageable level. It is critical to create
an escalation system within Peak Security to help in diffusing the issue before it gets to a viral
Peak Security BC/DR Plan 44
tipping point. Often, the escalation system is created within a management team and/or customer
service team where they work on time-sensitive or complex cases (Ndlela, 2018). Case
escalation system is vital in managing complex crisis situations and ensuring that they are
Distribution Channels
situations. They include face-to-face meetings with employees, emails, printed communique, and
social media. Due to extensive digitalization around the world, social media has become a nearly
Frequency of Communication
Some items regarding the crisis can change frequently and should be updated regularly. While
there could be standard frequency of the communication, such as twice a day, the frequency can
Communication Log
Peak Security, Inc can confirm that a fire broke out on February 2, 2020 at 8 PM at our
premises causing severe disruption to our services. No fatalities or injuries have been reported.
An investigation is taking place into the cause of the fire. Our chief investigation officer is
liaising with the local police department to establish what could have led to the fire, including if
Peak Security, Inc would like to express our commitment to restore the services as soon as
possible and to assure our clients, employees and the entire public that we are taking this matter
very seriously and we are moving at speed to establish the full details.
We have set up a call center to respond to all inquiries regarding the incident and any other
information regarding the company and our services. We will provide further updates as soon as
While access to our physical office has currently been affected, we continue to provide services
remotely. We would also like to provide an assurance to all our clients that no data or
information has been compromised by the fire incident. All stakeholders, including employees,
vendors, contractors, and customers can still access our online portal for various services.
Role Assignments
Peak Security BC/DR Plan 47
effectiveness of your communication and role assignments helps Recovery Time Objectives,
within projected time. (Yantz, 2019) Workstations, procuring equipment that was damaged,
redirecting phone services, assessing damages, and updating clients, as well as assessing data
loss. With clear assignments and expectations in place, your team can work more efficiently to
bring systems back online and minimize negative impacts following a disaster.
Kinds of disasters that you would need to prepare for listed in the same article would be:
(Yantz, 2019) User Error: This includes accidental deletions, shadow IT, and other issues that
permissions were to suddenly be away from the office due to some accident, personal
Equipment Failure: Most modern businesses rely heavily on technology of some sort, and that
Malware: Malware is a constant threat to businesses, and it has evolved over the years to
Natural Disasters: Most businesses fear natural disasters of certain types, and it’s largely due to
There are many steps to preparing for a disaster and there are even more issues with each
person involved with the article in Akita Box there could be 10 main steps. Listed below are just
(Kelly, 2019)
Step 9: Train and educate internal personnel on your emergency response plan.
Key Employees
Key employees are a little better pointed out in the article from the Hearst newspaper
written to take some of the hard work out of trying to find out who your own business would
identifies key employees who must be able to resume work after a disaster. These include senior
executives, customer service staff, sales representatives, and production planners. These are the
employees responsible for making important decisions about the business or keeping customers
informed during the recovery period. In a related article by Greenwald and Dorherty LLC even
having your employee’s emergency contact information can make them key employees as well
is just that – the identity of the person to call in case of emergency. Unfortunately, emergencies
Vendor Directories need to be more like the one presented by Media Brain shown
Expense Reporting
Financial Services
Liability Insurance
Marketing Communications
Tax Services
Peak Security BC/DR Plan 50
After establishing all of that for the business, addressing and identifying the organizations or
at https://www.fema.gov/emergency-managers/risk-management.
trained personnel, along with the physical and cyber resources, that provide a wide range of
prevention, preparedness, response, and recovery services during both day-to-day operations and
incident response.
Peak Security BC/DR Plan 51
Exit Route
Make exit route design permanent. Ensure that the number of exit routes is adequate
based on the number of employees, the size of the building, its occupancy, and the arrangement
of the workplace. Separate an exit route from other workplace areas with materials that have the
proper fire resistance-rating for the number of stories the route connects. Ensure that exit routes
meet width and height requirements. The width of exit routes must be sufficient to accommodate
the maximum permitted occupant load of each floor served by the exit route. Ensure that doors
used to access exit routes have side hinges and swing in the direction of travel (depending on
occupancy and hazard areas). Design exit routes that lead to an outside area with enough space
for all occupants. An outdoor exit route is permitted but may have additional site-specific
requirements.
First Aid
Ensure that medical personnel are ready and available for advice and consultation on the
overall employee safety and health condition in the workplace. Provide trained personnel and
adequate first aid supplies to render first aid when a medical facility is not in near proximity to
the workplace. Provide suitable facilities for immediate emergency use if exposure to injurious
Structure
is safe to occupy. An experienced structural engineer will arrive on site to assess the damage and
assist the property owner in understanding the next steps for re-construction. Based on the
Peak Security BC/DR Plan 52
engineer’s findings, a summary memo will be provided with recommendations for needed
repairs. Project time frames can vary widely and are subject to many external factors. The major
factors involved in determining the timeline for design of a project are the size of project and the
1. Unlikely
An unlikely hazard is extremely rare, there is a less than 10 per cent chance that it will happen.
2. Seldom
Seldom hazards are those that happen about 10 to 35 per cent of the time.
3. Occasional
An occasional hazard will happen between 35 and 65 per cent of the time.
4. Likely
5. Definite
These hazards will occur 90 to 100 per cent of the time. You can be nearly certain it will
manifest.
Calculate Consequences
Peak Security BC/DR Plan 54
1. Insignificant (A)
The consequences are insignificant and may cause a near negligible amount of damage. This
hazard poses no real threat. Examples: loss of $1K, no media coverage and/or no bodily harm.
2. Marginal (B)
The consequences are marginal and may cause only minor damage. This hazard is unlikely to
have a huge impact. Examples: loss of $10K, local media coverage and/or minor bodily harm.
3. Moderate (C)
The consequences are moderate and may cause a sizeable amount of damage. This hazard cannot
be overlooked. Examples: loss of $100K, regional media coverage and/or minor bodily harm.
4. Critical (D)
The consequences are critical and may cause a great deal of damage. This hazard must be
addressed quickly. Examples: loss of $1M, national media coverage, major bodily harm and/or
police involvement.
5. Catastrophic (E)
The consequences are catastrophic and may cause an unbearable amount of damage. This hazard
is a top priority. Examples: loss of $10M+, international media coverage, extreme bodily harm
1. Low
Low risks can be ignored or overlooked as they usually are not a significant threat. A definite
hazard with insignificant consequences, such as stubbing your toe, may be low risk.
2. Medium
Medium risks require reasonable steps for prevention but they’re not a priority. A likely hazard
3. High
High risks call for immediate action. An occasional hazard with critical consequences, such as a
4. Extreme
Extreme risks may cause significant damage, will occur, or a mix of both. They are a high
extreme risk.
Your risk action plan will outline steps to address a hazard, reduce its likelihood, reduce its
A risk assessment matrix simplifies the information from the risk assessment form, making it
easier to pinpoint major threats in a single glance. This convenience makes it a key tool in the
risk management process. Every risk assessment matrix has two axes: one that measures the
consequence impact and the other measures likelihood. To use a risk matrix, extract the data
In the event of an emergency requiring the need to evacuate the office environment, Peak
Security has outlined a strategic and specific evacuation plan. Please see below for a copy of
the map of the building, and the specific route that has been designated to follow in the case of
Peak Security BC/DR Plan 58
an emergency which requires the need for evacuation. Before following the evacuation plan, it is
decided that each person is responsible for a total shut down of their system as well as turning off
and unplugging their towers and anything in their workspace connected to a plug. Servers are set
up for automatic shut down in the event of a power outage or emergency and cloud back ups will
be put in place to secure the information and allow for external access if need be.
areas within the building are not required. In the event of an emergency that blocks doors or
prohibits evacuation, a specific shelter in place plan will be created; however. If a specific alarm
is sounded, all employees will begin to follow through with the next steps of the evacuation
plan. The evacuation plan specifies that the front doors will be used in an emergency. The reason
for this is because of the features provided by the doors, and the option for more people to exit
swiftly given that they are double doors versus a single door frame. Employees will follow a
primary exit route using the map below and due to the size of the building, only one route will be
required. Once the building has been evacuated, employees will gather at a designated location
outside of the building where vehicles will be provided in the form of vans and/or busses from a
specific organization that will be designated and contacted at the first sign of any emergency. As
most employees will likely live locally or at least in state, lodging for the night will not be
provided unless the emergency itself requires it (compromised data or specific, immediate threat
from a volatile individual or group of individuals). Depending on the secure nature of the data,
In case of emergency causing the need for evacuation, it will be important to determine
who is responsible for ensuring that all employees are accounted for. Using employee manifests
any missing persons through verification with the human resources department will provide
accuracy and the least amount of room for error. The organization has a limited number of
employees so the hope is that accounting for all people and ensuring that proper communication
be necessary due to the size of the organization. Instead, the use of cell phones, text messages
and the use of colored cards held up to reiterate safety of a group or set of people. Because the
office is in Arizona, the important weather protection to have will be water and sunscreen in the
case of the need to spend long periods of time outside. The water and sun protection will
be stored in a closet in the front office nearest to the door. Employees will be evaluated multiple
Peak Security BC/DR Plan 60
times during the evacuation to ensure that their mental and physical well-being is intact
In an office as small as the one for Peak Security, establishing safe areas in case of a
Shelter-in- Place situation can be a challenge. What becomes most important is security of the
safe area and assurance that an intruder is not able to clearly identify the area. A panic room, of
sorts, is created in the event of a need for a shelter in place plan. This will not only keep staff
safe from any intruders who may come into the office but will also act as a safe space should an
external threat be located outside of the building affecting the staff’s ability to vacate. The panic
room will be in a small space just off of the main conference room but will not be designated on
the map in an effort to keep the room a secret from outsiders who may view the map.
Inside of the room, supplies will be kept lasting a team of up to 10 employees for 3-4
months. This will include excess water, non-perishable foods, as well as nutrient rich vitamins to
ensure that the health of the employees is key. Generic clothes of various sizes will be provided
along with blankets and other comfort supplies; however, these will be kept in limited quantity,
prioritizing other supplies like food and water as those are deemed more essential. There are
shelves set up within the panic room and boxes storing all of the supplies; however, space is
Lead employees will be briefed on locations of importance such as circuit breakers, water
lines and utility closets. Only those in these positions will be made aware of the shelter in place
Peak Security BC/DR Plan 61
plan to reduce the number of people informed of where the resources may be. In case of this type
of emergency, the lead will prepare the room and ensure that employees are accounted for in the
room and briefed on the situation. From there, the lead employee will be the only person to leave
the room until the all-clear has been given by emergency personnel. This person will locate the
gas and power line should they need to do so and will have blueprints indicating areas of
importance should they need to be accessed at any time during the shelter in place process.
Peak Security BC/DR Plan 62
providers
Contact information and locations of disaster
providers
How facilities and locations should be
Items to include in procedures for working Status (e.g., Completed, Pending, or N/A)
investors
A list of executives assigned to stockholder
efforts
A process to provide stockholders and
complete
Items to include in procedure for working Status (e.g., Completed. Pending, or N/A)
providers
Contact information and locations of suppliers
service providers.
What to tell suppliers and service providers
about disasters
What to tell them about recovery of
operations
What suppliers and service providers should
Items to include in procedures for working Status (e.g., Completed, Pending, or N/A)
providers
Contact information and locations suppliers
about disasters
Peak Security BC/DR Plan 65
operations
What suppliers and service providers should
Phases 10-11 will create assessments for determining inventory, develop a set of policies
and procedures for employees to follow, and inspect hazardous materials as well as vital records.
Test scenarios will also be made along with a tabletop test. There is also a memo to the CEO on
The management of businesses uses inventory to facilitate the regular supply of goods
and services at customers' convenience. The cost of making and managing inventory remains
significantly high. However, business managers take the risk of running stocks to facilitate the
effective running of the business. Some of the areas of concern for running an inventory at a
damaged site include financial loss, salvage and restoration, operations disruption, and salvage
operation.
The provision of quality goods and services that enable clients to realize their goals and
objectives helps enterprises build a large and strong customer base. However, damages in the
Peak Security BC/DR Plan 66
operation site expose goods to potential destruction; thus, it lowers the value and increases loss
to the firm (Peltz et al., 2014). Site damage interferes with the business operation since it deflects
concentration to efforts to salvage and restoration efforts to limit the extent of loss that the
business may suffer. The practice of attracting and retaining customers relies on the
Financial Loss
Damages to the property lead to financial loss for the business since it limits the potential
to sell the goods profitably. The analysis should consider the extent of destruction of the goods
and the rate of destruction to determine the potential for selling the goods at relatively reduced
prices (Peltz et al., 2014). Again, the assessment should consider the actual prices for purchasing
the goods and the operating cost, such as refrigeration cost. Businesses incur losses when
The price of goods drops significantly because of the reduction in value after damage. It
exposes the business to potential loss because of the difficulty to fetch the purchasing value. The
assessment should consider the cost of salvaging goods after destruction. It should also consider
the possible cost of restoring the goods to ensure that they attain a relatively good quality that
fetches significant selling value (Peltz et al., 2014). Determining the cost of salvaging and
restoring damaged goods helps the management understand the fall in prices and plan
accordingly.
minimize the business's negative impacts. The assessment should consider the technological
requirement and related costs to ensure that the organization continues with function.
Furthermore, identifying the timeline of salvage operation helps the management prepare
accordingly with the human and capital resources to promote the salvage operation's
new operating strategies after suffering losses. Continued operations help the firm mitigate high
The practical business operation involves investment in goods, services, and utilities that
provide an enabling environment for the interaction between business operators and consumers.
The attainment of smooth operations relies on the management's ability to determine the
Lo Brano, Galatioto, & Bonomolo, 2017). The assessment should consider the cost of installing
and maintaining buildings and available utilities and the potential disruption of operations due to
the damages on buildings and other utilities. It facilitates the actualization of mitigation
measures.
Building and utilities face regular changes in prices due to the political and economic
atmosphere. The business management should consider potential changes in the cost of buying
the utilities to ensure that proper arrangements exist to mitigate potential inaccessibility in the
consider arrangements for the regular supply of authentic utilities to ensure the protection of
machines and resources that may suffer damages due to the use of low-quality utilities.
Consideration of the change in prices of building and utilities ensure the management prepares
Damaged buildings and utilities may not contribute to realizing identified goals and
salvage and restoration may limit the potential for suffering high losses. The analysis of salvage
and restoration efforts should consider related costs and the tools needed to enhance the
consider government regulation on the quality of salvaged and restored utilities applied in the
Timelines
The operations of businesses rely heavily on the accessibility to proper structures and
utilities since they create an enabling environment for producing quality goods. The analysis
should consider the timeline for the potential purchase and construction of new utilities
and resources. It should also consider the potential for restoration and related costs to enable the
management to put a necessary execution arrangement. The analysis should also consider the
extent of damage to utilities such as gas, electricity, and water and the potential for accessibility
Peak Security BC/DR Plan 69
2017). It enables the management to respond decisively and lower potential future risks.
Conclusion
disruption, and salvage operation as strategies to appropriately respond to the destruction of the
enterprise's utilities and buildings. The management's role includes the determination of
measures that facilitate the regular supply of goods and services that meet the needs of
The best time to determine the presence of hazardous materials is before the contract is
written. Specifications that accurately reflect current conditions benefit and protect all
stakeholders.
Peak Security BC/DR Plan 70
When hazards are unexpectedly found post-contract, the work schedule gets thrown off,
expenses mount, and failure to properly address the danger may even result in legal action.
The party who wins most from the situation is the contractor, who can justifiably charge a
premium rate for emergency response services. Safety comes first — but at a high cost when the
Resource Records:
Resource Records are usually a name to IP Address (IPv4 or IPv6) mapping (or vice
versa). DNS Resource Records are used to answer DNS client queries. Resource Records are
added to the DNS server for the portion of the DNS namespace which the DNS Server is
Vital Records:
Certain vital records contain information critical to the continued operation or survival of
an organization during or immediately following a crisis. Such records are necessary to continue
operations without delay under abnormal conditions. They contain information necessary to
recreate an organization’s legal and financial status and preserve the rights and obligations of
To determine the retention period for your records, it’s important to: Perform a record
inventory of all physical and electronic records, establish a standardized record classification
system, and conduct research on all federal, state, and local requirements.
Your records management program should support policies and procedures both legally
and operationally. Policies and procedures set the standard for a compliant records management
system. They should include the management of all records and media types. A well-strategized
manner, your policies and procedures will work simultaneously with your business continuity
management program is the ability to access your information when it’s needed. Companies need
Peak Security BC/DR Plan 72
Indexing parameters, including date, subject matter, creator, and location of the record, are
MEMO
Peak Security
on the current power grid. During this evaluation period, many Peak Security
In order to best evaluate the impact of the recent outage, all circuit breakers
and fuses should be checked. Also, all systems will require a file system
integrity check upon rebooting to ensure that data was not lost as a result of
the outage. No major updates were scheduled to be in play during the time of
the outage so with any luck all data will be intact upon rebooting.
completed and reviewed, a return to office plan will be implemented for any
Objectives:
Peak Security BC/DR Plan 75
Nikolas Seropian
Jonathan Fuentes
Peak Security BC/DR Plan 76
Safety Policies
state and local laws. All employees will sign safety contact agreeing to follow the safety
2. In the event of emergency, any employees affected and/or a part of the emergency will
be expected to provide a write up of the event, outlining the details as it affected them
directly.
4. Peak Security agrees to uphold a safe, functional working environment at all times.
Memorandum
From: Michael Lucas
Date: 2/11/21
Topic: Natural disasters
The following steps can be used as a guideline when developing your own mock
exercise. Keep in mind that you need to tailor this to meet the needs and demands of your
organization.
1. Choose A Scenario
Open your plan and review the results of your business impact assessment - select an
incident that could realistically happen. For example, you could build a scenario around an
2. Communication Strategy
Determine who in the company will know about your mock scenario. You will likely
need to communicate this with one person in your IT department and key team leaders. Be
careful of telling too many people about the mock disaster (some people are not great at keeping
secrets).
3. Outside Assistance
You are going to need some external individuals to help you execute your mock disaster.
Contact your local fire department and emergency personnel - explain to them what it is you
want to do and why you want to do this. Remember this is a good chance for them to test out
Once you have a scenario and have worked out how you will execute the disaster the next
thing to do is to put it into action. For our fire example, this likely means you will be contacting
key team members in the middle of the night to let them know about the fire. This will set the
Peak Security BC/DR Plan 79
mock disaster into action. Now your crisis communication plan and mechanisms will be tested,
and the employee responses can be measured and evaluated. Also, you will be able to test your
off-site working plans, your ability to communicate effectively with media and other third
parties, your disaster recovery strategy, and your business continuity plan. Learn more about the
5. Analyze
Take your time with this - do not rush this step. Once the mock disaster has concluded,
you need to review all the notes, actions, what worked and did not work - use this information to
update your plan. You may need to refine your communication strategy - for example, you may
find that your employees only respond to push notifications and that email failed. You may need
to update the hardware people are using to work from home. Your third-party contact list may
need to be better distributed. These are all good things to know - it is better to discover this
Find out what the experience was like for your employees. These are the people who you
are relying on to run the organization, so it is vital that they are comfortable with the disaster
preparedness plan and how it is implemented. Remember that most employees do not have
confidence in their company’s ability to be prepared for a disaster - you do not want to be such a
company.
Landslide scenario
Peak Security BC/DR Plan 80
Springs, seeps, or saturated ground in areas that have not typically been wet before.
Ancillary structures such as decks and patios tilting and/or moving relative to the main
house.
Rapid increase in creek water levels, possibly accompanied by increased turbidity (soil
content).
Sudden decrease in creek water levels though rain is still falling or just recently stopped.
Sticking doors and windows, and visible open spaces indicating jambs and frames out of
plumb.
A faint rumbling sound that increases in volume is noticeable as the landslide nears.
Unusual sounds, such as trees cracking or boulders knocking together, might indicate
moving debris.
Peak Security BC/DR Plan 81
At the top or along the nose of ridges, set back from the tops of slopes.
Do not build near steep slopes, close to mountain edges, near drainage ways, or natural
erosion valleys.
Contact local officials, state geological surveys or departments of natural resources, and
university departments of geology. Landslides occur where they have before, and in
identifiable hazard locations. Ask for information on landslides in your area, specific
a very detailed site analysis of your property, and corrective measures you can take, if
necessary.
Watch the patterns of storm-water drainage near your home, and note the places where
runoff water converges, increasing flow in channels. These are areas to avoid during a
storm.
Learn about the emergency-response and evacuation plans for your area. Develop your
o Have flexible pipe fittings installed to avoid gas or water leaks, as flexible fittings are
more resistant to breakage (only the gas company or professionals should install gas
fittings).
o In mudflow areas, build channels or deflection walls to direct the flow around
buildings. Remember: If you build walls to divert debris flow and the flow lands on a
Stay alert and awake. Many debris-flow fatalities occur when people are sleeping. Listen
of intense rainfall. Be aware that intense, short bursts of rain may be particularly
dangerous, especially after longer periods of heavy rainfall and damp weather.
If you are in areas susceptible to landslides and debris flows, consider leaving if it is safe
to do so. Remember that driving during an intense storm can be hazardous. If you remain
at home, move to a second story if possible. Staying out of the path of a landslide or
Listen for any unusual sounds that might indicate moving debris, such as trees cracking
or boulders knocking together. A trickle of flowing or falling mud or debris may precede
larger landslides. Moving debris can flow quickly and sometimes without warning.
If you are near a stream or channel, be alert for any sudden increase or decrease in water
flow and for a change from clear to muddy water. Such changes may indicate landslide
activity upstream, so be prepared to move quickly. Do not delay! Save yourself, not your
belongings.
Be especially alert when driving. Bridges may be washed out, and culverts overtopped.
roadsides are particularly susceptible to landslides. Watch the road for collapsed
pavement, mud, fallen rocks, and other indications of possible debris flows.
Be aware that strong shaking from earthquakes can induce or intensify the effects of
landslides.
Contact your local fire, police, or public works department. Local officials are the best
Inform affected neighbors. Your neighbors may not be aware of potential hazards.
Advising them of a potential threat may help save lives. Help neighbors who may need
assistance to evacuate.
Evacuate. Getting out of the path of a landslide or debris flow is your best protection.
Curl into a tight ball and protect your head if escape is not possible.
Stay away from the slide area. There may be danger of additional slides.
Listen to local radio or television stations for the latest emergency information.
Watch for flooding, which may occur after a landslide or debris flow. Floods sometimes
follow landslides and debris flows because they may both be started by the same event.
Check for injured and trapped persons near the slide, without entering the direct slide
Help a neighbor who may require special assistance - infants, elderly people, and people
with disabilities. Elderly people and people with disabilities may require additional
assistance. People who care for them or who have large families may need additional
Look for and report broken utility lines and damaged roadways and railways to
appropriate authorities. Reporting potential hazards will get the utilities turned off as
Check the building foundation, chimney, and surrounding land for damage. Damage to
foundations, chimneys, or surrounding land may help you assess the safety of the area.
Replant damaged ground as soon as possible since erosion caused by loss of ground
Seek advice from a geotechnical expert for evaluating landslide hazards or designing
corrective techniques to reduce landslide risk. A professional will be able to advise you
of the best ways to prevent or reduce landslide risk, without creating further hazard.
Memo
Peak Security
There will be multiple steps in testing the functionally of our BC/DR plan. As
Peak Security BC/DR Plan 86
there are many potential threats as well as many ways to prepare for them,
objectives of the tests would be to ensure that no matter what threats may
occur, whether natural or man-made, all important data is protected and that
It may take weeks to set up and will require hiring employees to install and
test hardware, as well as multiple drills to make sure that everything holds up
in the many possible situations. The BC/DR documentation will go over more
specifics as to how different tests will be run and the roles my team will play
checks to full on drills that will have equipment tested in ways as if an actual
disaster has occurred (i.e., shutting off power to devices to make sure they
protect data properly, performing live drills with Peak Security staff to make
It can be important to do constant tests with old and new members of the
protection will pop up. Having members already experienced with the new
function properly, while new members can further evaluate and possibly
As it is important for to know what the BC/DR plan entails, steps should be
made to help employees in reviewing the plan that will be a long read. Time
does not rush them to the point it is too much to take in at once. I would
recommend a meeting take place to allow the plans to be passed out for the
asked, pages to be reviewed again, and employees to get a drink and take care
of other personal needs to help them retain attention in the next reading.
3. Recycle bin –
4. Easy uploads –
6. Document versioning –
There may be times where the current BC/DR plan must be updated. It is important that that the
incident occurs. If the company or my team believe changes need to be made, once both sides
agree, my team can look at the current state of the company and make revisions based on that.
Peak Security BC/DR Plan 89
Once the BC/DR team has come up with possible changes to the plan, stakeholders can be
notified of the intended changes. If the changes are agreed upon, another meeting can be held by
Peak Security to pass out the new versions of the plan and review them the same way as before.
Once everyone is caught up, testing of the new plan can take place if needed to make sure the
Citations
Phases 1-3-
Botzen, W. W., Deschenes, O., & Sanders, M. (2019). The economic impacts of natural
disasters: A review of models and empirical studies. Review of Environmental Economics
and Policy, 13(2), 167-188.
Monllor, J., & Murphy, P. J. (2017). Natural disasters, entrepreneurship, and creation after
destruction: A conceptual approach. International Journal of Entrepreneurial Behavior
& Research.
Onyshchenko, S., Maslii, O., & Ivanyuk, B. (2019, October). The Impact of External Threats to
the Economic Security of the Business. In 2019 7th International Conference on
Modeling, Development and Strategic Management of Economic System (MDSMES
2019) (pp. 156-160). Atlantis Press.
Rosencrance, L. (2019, June 28). Top 10 types of information security threats for IT
teams. Retrieved January 22, 2021,
from https://searchsecurity.techtarget.com/feature/Top-10-types-of-information-security-
threats-for-IT-teams
Peak Security BC/DR Plan 90
Phases 4-6-
Peak Security BC/DR Plan 91
Redhat. (2021). 8.3.2. Backup Sites: Cold, Warm, and Hot Red Hat Enterprise Linux 4 | Red Hat
https://access.redhat.com/documentation/en-
us/red_hat_enterprise_linux/4/html/introduction_to_system_administration/s2-disaster-
recovery-sites.
https://www.nakivo.com/blog/overview-disaster-recovery-sites/.
from https://searchdisasterrecovery.techtarget.com/definition/warm-site
Alday, J. (2018, August 29). Disaster recovery: Cold Sites, hot sites, and Why Do I care?
and-why-do-i-care/
us/business/compare/
Datastoragecorp. (2020, 1 1). Protect Your Data Like a Fortune 500 company. Data protection
https://www.datastoragecorp.com/protect-your-data-like-a-fortune-500-company/
National Records Center. (2021, 1 1). E-Backup and Restore Solutions. E-Backup and Restore
Solutions. https://nationalrecordscenters.com/e-backup-and-restore-solutions/
Peak Security BC/DR Plan 92
Sullivan, E. (2016, November 09). What is mirror site? - definition from whatis.com. Retrieved
from https://searchstorage.techtarget.com/definition/mirror
Vmware. (2021, February 05). What is VSPHERE replication & How does it help in disaster
https://www.vmware.com/products/vsphere/replication.html
Ostlund, C. (2014, May 19). Tape backup vs. Disk Backup: Which is right for your business?
right-for-your-business
Collins, T. (n.d.). Full backup vs. incremental backup VS. DIFFERENTIAL Backup: Which is
incremental-backup-vs.-differential-backup-which-is-best
Phases 7-9-
Publishing.
University Press.
Peak Security BC/DR Plan 93
https://www.greenwaldllp.com/law-clips/employers-obtain-employees-emergency-contact-
information/
https://smallbusiness.chron.com/company-disaster-plan-examples-62111.html
to
MediaBrains Inc. & SHRM. (2021). Business Services:. Human Resource Vendor Directory.
https://vendordirectory.shrm.org/category/business-services
https://www.cisa.gov/emergency-services-sector
Yantz, M. (2019, 8 26). Backup and Recovery, Best Practices, Business. Backup and Recovery,
recovery-plan/
that range from fraud, (n.d.). How to use a risk assessment matrix [with template].
Principal emergency response and preparedness. (n.d.). Retrieved February 04, 2021,
from https://www.osha.gov/Publications/osha3122.html
Peak Security BC/DR Plan 94
assessment
https://www.ready.gov/business/implementation/emergency
https://www.fema.gov/sites/default/files/2020-07/planning-considerations-evacuation-
and-shelter-in-place.pdf
Phases 10-11-
network decision support tool for assessing the energy performance and the
Italy. Energy, 137, 1201-1218. doi:10.1016/j.energy.2017.05.200
Peltz, E., Brauner, M. K., Keating, E. G., Saltzman, E., Tremblay, D., & Boren, P. (2014). DoD
https://www.ironmountain.com/resources/whitepapers/i/important-versus-vital-records-
NS1. “DNS: Types of DNS Records, DNS Servers and DNS Query Types.” DNS: Types of DNS
https://www.omnisecu.com/tcpip/what-is-dns-resource- record.php#:~:text=Resource
%20Records%20are%20usually%20a,the%20DNS%20Serv er%20is%20hosting.
Accessed 9 2 2021.
Zak, Julie. “5 Essential Benefits of the Pre-Project Hazardous Materials Inspection and
benefits-of-the-pre-project-hazardous-materials-inspection-and-survey/.
Oman. (2016, March). What is essential to test after a power surge for an unprotected pc?
power-surge-for-an-unprotected-pc
Hout, O. (2019, September 16). 6 scenarios for business continuity PLAN TESTING. Retrieved
from https://www.agilityrecovery.com/article/6-scenarios-business-continuity-
plan-testing
Drake, K. (2020, August 24). Disaster recovery testing scenarios. Retrieved February 11, 2021,
from https://ongoingoperations.com/blog/it-disaster-recovery-scenarios/
Peak Security BC/DR Plan 96
from https://www.nature.com/scitable/topicpage/lesson-8-landslides-hazards-8704578/
Eisenhauer, T. (2014, October 31). 10 most important features in a social document management
most-important-features-in-a-social-document-management-system