ntw440 Finalbcdrplan Team1 Peaksec

Peak Security BC/DR Plan 1
Peak Security
___________________
Business Continuity and Disaster Recovery Plan
Prepared by:
Nikolas Seropian
Austin Wellman
Michael Lucas
Jonathan Fuentes
Aaron Phillips
Version 1.0
Table of Contents
Phases 1-3…………………………………. 3
Phases 4-6………………………………... 30
Phases 7-9………………………………... 42
Phases 10-11…………………………..…. 66
Citations………………………………….. 90
BC/DR Phase 1-3
Phases 1-3 of the BC/DR plan will identify all types of potential threats and mission
critical functions as well as assess the impacts that threats or loss of mission critical functions
will have on Peak Security.
Natural Threats
Businesses face different types of threats to their existence including economic,
political, physical, and natural threats to their existence and operational abilities. With regards to
natural threats, some of the ones that impact on businesses include earthquakes, floods, strong
winds, tsunamis, avalanches, mudslides, and blizzards among
others (Onyshchenko, Maslii & Ivanyuk, 2019). The following paragraphs evaluate the sources
of the threats, likelihood of occurrences which shall be followed by prioritization and impacts of
the priority threats.
With regards to the sources of the threats, blizzards originate from strong winds with
snowstorms, earthquakes are caused by the shaking of the earth’s tectonic plates, floods happen
due to lots of rains while tsunamis are caused by high sea waves usually due to the
earthquakes. The avalanches are more like mudslides. While they both fall rapidly from high
areas, avalanches erupt from high mountains die to the melting of ice or snow while mudslides
occur due to wet soil from higher grounds.
In terms of the likelihood of occurrence, the shaking of the earth can occur at
any time, melting of snow and wet soil can emerge rampantly depending on earth temperatures
and the level of water in the soil, respectively. Using an upstream loss analysis, the earthquakes,
blizzards, mudslides and avalanches may destroy the roads so that suppliers cannot access the
distributors. Similar impacts could happen in the seas where strong winds and tsunamis can
prevent ships from ferrying business goods.
Companies are therefore vulnerable to the sources of threats described above in various
ways. For instance, earthquakes destroy buildings, warehouses and products stored in the
industries (Botzen, Deschenes & Sanders, 2019). Mudslides may harm the equipment of
production. Floods, avalanches and blizzards could affect people’s access to the business places
while tsunamis may affect the ease of movement of goods through the seas and oceans.
The prioritization of the list of threats to a company depends on the frequency of the
natural threat. For example, in cold regions, the businesses should prioritize avalanches,
blizzards and flooding while in earthquake-prone areas, the same target should be
mitigated (Monllor & Murphy, 2017). Each of these threats has differing
impacts on business operations. As described above, when infrastructure like roads and
warehouses are demolished by earthquakes, the goods are also crashed. When blizzards,
mudslides, strong winds and avalanches block roads, the movement of people to conduct their
businesses are impeded. Similarly, during tsunamis, transportation of heavy goods through the
seas are affected.

Man-made Threats
Human error. Human errors often cause systems to become logically corrupt or unusable.
An accident as simple as an employee tripping on a cord can bring down an entire storage
system. Predicting the types of human errors that are most likely to occur and having protocols in
place to resolve them quickly is key to avoiding lost productivity.
Manmade threats are the more common threats to businesses and their networks and
data. These can come in the form of a direct attack on a system in the form of hackers, spam,
viruses, and worms. They can also show themselves in the form of credit card fraud and identity
theft from data stolen from company’s systems. Also, terrorism is a constant threat to
businesses.
Spamming
Spamming is defined as the abuse of electronic messaging systems to send unsolicited,
undesired bulk messages. While the costs of spamming are not easily determined, the general
costs of spam for a company refer to the overhead of preventing spam, including spam blockers,
and loss of productivity due to having someone dedicated to trying to stop the spam mail or the
employees having to sort through what is real and what is not.
Phishing
Phishing is a criminal activity using social engineering techniques. Phishers attempt to
fraudulently acquire sensitive information, such as passwords and credit card details, by
masquerading as a trustworthy person or business in an electronic communication. This scam
attempts to get people to pass on personal information for the recipient to use it in nefarious
ways. This is a very common threat and would rate this one 8 out 10.
Virus/Worms
A virus is a self-replicating computer program written to alter the way a computer
operates, without the permission or knowledge of the user. Worm is a self-replicating computer
program uses a network to send copies of itself to other nodes (computer terminals on the
network) and it may do so without any user intervention. Unlike a virus, it does not need to
attach itself to an existing program. Worms always harm the network (if only by consuming
bandwidth), whereas viruses always infect or corrupt files on a targeted computer. This attack
would be somewhere in the middle of the scale. 5 out of 10.
Steganography
Steganography is the art and science of writing hidden messages in such a way that no
one apart from the intended recipient knows of the existence of the message. This attack is not a
common threat and takes some skills so I would give this one a 3 out of 10.
Insider Threat
An insider threat occurs when individuals close to an organization who have authorized
access to its network intentionally or unintentionally misuse that access to negatively affect the
organization's critical data or systems. Do not take this one lightly because this one happens
more than we would like to believe. 6 out of 10.

Drive-by download attacks.
In a drive-by download attack, malicious code is downloaded from a website via a
browser, application or integrated operating system without a user's permission or knowledge. A
user does not have to click on anything to activate the download. Just accessing or browsing
a website can start a download. Cybercriminals can use drive-by downloads to inject banking
Trojans, steal and collect personal information as well as introduce exploit kits or other malware
to endpoints (Rosencrance, 2019).
Distributed denial-of-service (DDoS) attacks
In a distributed denial-of-service (DDoS) attack, multiple compromised machines attack
a target, such as a server, website, or other network resource, making the target totally
inoperable. The flood of connection requests, incoming messages or malformed packets forces
the target system to slow down or to crash and shut down, denying service to legitimate users or
systems. 7 out of 10 is where I would rate this as a risk to the company.
Ransomware
Ransomware is a form of malware that encrypts a victim's files. The attacker then
demands a ransom from the victim to restore access to the data upon payment. Users are shown
instructions for how to pay a fee to get the decryption key. The costs can range from a few
hundred dollars to thousands, payable to cybercriminals in Bitcoin. 9 out 10 because of how
often these occur, and they are very difficult, almost always lose data if not paid.
IT and Technology based threats
1. Humans are the biggest threats to IT security. These vulnerabilities come from employees,
vendors, and anyone else who has access to a business’s network or IT-related systems.
On one hand, a cyber-attack or data breach can occur simply because of human error or a
lack of cyber security awareness, using easy to guess passwords or employees falling for
phishing scams. They may simply have a moment of forgetfulness or may be tricked by hackers
via social engineering. Attackers frequently use social engineering because they use other tactics
to get information in order to get their victims to either provide the information they want or to
get them to engage with malicious content (such as malicious URLs).
Employees, and even former employees, can be very high cyber security threats. They
may want to profit by selling or using data, or they could maybe want revenge against a current
or former employer, leading them to install malware, download data, or change system settings.
Employees are not the only threat employees of vendors can also pose a threat, however.
Capital One recently made headlines when 100 million customers’ accounts were
compromised in a data breach. It wasn’t caused by a random hacker or even a CO employee. As
it turns out, Capital One used Amazon Web Services for their hosting. The hacker, a former
Amazon employee, decided to exploit a misconfigured firewall to gain access to:
“140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and
80,000 bank account numbers, in addition to an undisclosed number of people’s names,
addresses, credit scores, credit limits, balances, and other information, according to the bank and
the US Department of Justice.”

Capital One expects to face $150 million in costs related to the hack, including customer
notifications, credit monitoring, tech costs, and legal support. This is not taking the potential
stock losses into account.
Malware can be an insidious threat. It can be distributed via multiple delivery methods,
and in some cases, even disguise itself. Some types of malware are adaptive such as
metamorphic or polymorphic malware, they can change their code to adapt to the system under
attack. Malware is a more prevalent danger as it accounts for about 11% of cybersecurity
breaches and can cost upwards of millions to secure, contain and protect systems after they have
been breached.
The Top 10 Types of Malware:
1. Emotet
2. Kovter
3. ZeuS
4. NanoCore
5. Cerber
6. Gh0st
7. CoinMiner
8. Trickbot
9. WannaCry
10. Xtrat
2. Phishing is a cyber security threat to business small and large. $17,000 is lost every minute
due to phishing attacks. That is nine billion per year.
Phishing is an attempt to elicit information from a victim in order to gain access to a network
or accounts, gain access to data, get the victim to perform an action such as a wire transfer,
etc. Phishing comes in many forms:
 General phishing
 Spear phishing
 CEO fraud
 Smishing
 Vishing 
 Clone phishing
 Domain spoofing
 URL phishing
 Watering hole phishing
 Evil twin phishing

Phishing frequently involves the use of social engineering tactics. They can use domain
spoofing or phone number spoofing to make their communications appear legitimate.
Examples of Major Successful Phishing Attacks
Phishing as a cybersecurity threat is in abundance and can be very costly. Google and
Facebook together lost more than $100 million to a phishing attack. Crelan Bank in Belgium lost
more than $70 million.
3. Formjacking is a type of cyber security threat that involves taking over forms on a website
by abusing their security vulnerabilities. hackers use lines of malicious code on the checkout
page forms of eCommerce sites to steal their customers’ financial and payment information. The
goal is to scan and harvest any valuable data that users submit via forms.
Symantec released a report in 2019 that shows form jacking was on the rise in 2018. The
internet security company reported an average of 5,000 websites were compromised with form
jacking each month.
For examples of recent successful formjacking attacks, look no
further than British Airways and Ticketmaster attacks that were thought to be committed by
malicious actors known as Magecart. The British Airways attack resulted in more
than 400,000 credit cards being stolen at a projected loss of $17 million. This is in addition to the
record £183 million fine that was imposed against the company due to its lack of General Data
Protection Regulation compliance. GDPR allows fines of up to 4% of a company’s annual
turnover for noncompliance.

4. Inadequate Patch Management, Manufacturers release patches to correct weaknesses in
their operating systems and software. They are vital to the protection of your business but often,
patching largely gets overlooked both by users and IT security teams merely because IT staff has
so many tasks and responsibilities. which leaves huge holes in security infrastructure. Preferably,
patching should be applied as soon as a weakness is discovered because they:
 leave your organization in peril of cyberattacks
 lead to needing remediation
 might result in downtime
 cause reputational harm
 make you non-compliant with industry and regulatory cyber security standards.
Companies are not patching like they need to be. This could be because not all businesses
have the resources to rush that process in house, so they roll out patches when they can, or they
may need the services of a third-party service provider, a lot of technology remains unpatched,
which leaves companies and their data susceptible to even the simplest cyber security
threats. research from Avast shows that of five hundred thousand devices that
they examined only three hundred were properly patched.
An example of this was Eternal Blue an exploit that was purportedly developed by
the NSA, an exploit of a Microsoft weakness and has led to numerous security breaches and
helped the spread of WannaCry ransom ware, that cost the Nation Health Service in the UK 100
million Euros. Although Microsoft had released patches for Eternal Blue well beyond the 2017
WannaCry attacks began, many organizations remained susceptible because they did not patch
their systems, or they were operating old systems that no longer had the ability to be patched.
Infrastructural Threats
Businesses and life have a few connections that can make or break a business on a high to
low level. Depending on the threat being an internal or external threat. Today there are more
threats than ever but with the way of the world most of those threats have solutions or policies
and directions to contain or eliminate the threat itself. The threats and information given below
are examples of threats, policies, and a few solutions that most if not all businesses face today.
Starting with Critical Infrastructure Threats ranging from security and government are
concerned about the vulnerabilities. In a recent Reuters article, Dan Coats, Director of National
Intelligence, said: “The system was blinking red. Here we are nearly two decades later and I’m
here to say the warning lights are blinking red again,” Coats specifically marked Russia, China,
Iran and North Korea as “daily” attackers of America’s computer networks, at federal, state and
local government agencies level, in addition to U.S. corporations, and academic institutions.
There are three classes of threats to critical infrastructures:
 Natural - earthquakes, tsunamis, land shifting, volcanic eruptions, extreme weather
(hurricanes, floods, draught), fires.
 Human-Caused - terrorism, rioting, product tampering, explosions and bombing, theft,
financial crimes, economic espionage.
 Accidental or Technical - infrastructure and hazardous material failures and accidents,
power-grid failures, water-treatment facilities failures, water-mains ruptures, safety-
systems failures and a host of other disasters of omission and/or commission.

Cyber Threats are becoming one of the bigger threats of today. Focusing on anything from
the old money move to data in the spectrum of corporations and personal information. In
continuing to read the article (Tal, 2018), you see more into the thoughts, process and execution
of such a threat. The list of cyber threats increases rapidly. The following list represents a partial
set of typical threats:
 Terrorists and other non-state actors seeking to destroy, incapacitate, or exploit critical
infrastructures to threaten national security, cause mass casualties, weaken the economy,
and damage public morale and confidence.
 Criminal groups, attacking systems, using spam, phishing, and spyware/malware, identity
theft, online fraud, and computer extortion for monetary gain.
 Business intelligence operators, including criminal organizations, conducting voluntary
and on-demand industrial espionage.
 Individuals and groups “grazing” the cyber world in search of victims, for a combination
of thrill, monetary and “training” purposes.
 Bot-network operators, using networks, or botnets, of compromised, remotely controlled
systems to coordinate attacks and to distribute phishing schemes, spam, and malware
attacks.
 Disgruntled insiders, poorly trained employees, incompetent contractors – all creating the
opportunities for outsiders to penetrate networks.

 National intelligence and psychological operations organizations, using cyber tools for
information gathering, regime destabilization and as another arm furthering strategic
goals.
 Spammers using the above methods to distribute unsolicited e-mail with hidden or false
information to sell products, conduct phishing schemes, distribute spyware or malware,
or attack organizations (e.g., a denial of service).
 National and/or commercial organization specializing in deploying spyware or malware
against organizations or individuals, for political and commercial purposes.
Being passed by Cyber style threats but with the evolution of technology with the inclusion
of more online banking and e-commerce. Financial threats are still one of the higher threats to a
business and people past, present and will most likely continue into the future. There are many
ways to categorize a company's financial risks. Those being listed from the article (Maverick,
2019), being market risk, credit risk, liquidity risk, and operational risk.
 There are four broad categories of financial risk that most companies must contend with.
 Market risk is what happens when there is a substantial change in the particular
marketplace in which a company competes.
 Credit risk is when companies give their customers a line of credit; also, a company's risk
of not having enough funds to pay its bills.
 Liquidity risk refers to how easily a company can convert its assets into cash if it needs
funds; it also refers to its daily cash flow.

 Operational risks emerge as a result of a company's regular business activities and
include fraud, lawsuits, and personnel issues.
SWOT (strengths, weaknesses, opportunities and threats) to the company and industry are
really you break down of what could slow or stop progression of a businesses future. Reading
into the article (Business Blogs, 2019) elaborating more, of how again certain threats can be
influential to a business.
Top four biggest threats to businesses today:
1 – Technology
The impact of new technologies can be a gamechanger or require minor adjustments. For
example, ‘going digital’ or taking your business online will please many customers but not those
adverse to change. These people are typically in the ‘laggards’ group of the technology adoption
curve and they are the last to change to newer technologies.
Many industries struggle directly or indirectly with the speed of technological change,
and sometimes they can be replaced by startups providing a product or service which is far
superior. For example, Uber and ridesharing, has disrupted the taxi industry, and some may say
it’s forced many taxi firms to go out of business.
One of the biggest dangers a business faces is in believing that they are invincible to
these forces and one area which is also as worrying today as it was yesterday is cybercrime. No
website is safe or protected entirely from hackers and they are using innovative ways to get to
your systems including AI assisted ransomware.

On a positive note, technology has bought companies closer to their customers. Software
and apps have increased efficiencies within the business and opened up the global economy
insofar as the clothes are likely to have been made in more than one country.
Technology can provide opportunities, as well as threats.
2 – Globalization
Each business is now competing in every market in the world. This, again, is a product of
technology but has also become a point for concern in and of itself. It is easier than ever to send
work overseas, find products from other parts of the world, and communicate with potential
partners in other countries. This all creates new challenges for businesses.
Due to international laws, a company may be limited in what they can do about some of
these challenges, but that only means they need to be more creative in how they combat them.
For example, if your company’s product or service can be outsourced overseas at a much lower
cost, you need to think about another way to make yourself more appealing at a higher price
point. This is a challenge in a cost obsessed environment, but not impossible.
3 – The Shifting Face of Labor
This is also influenced by the development of technology but is much more a matter of
people. Job seekers are becoming more and more able to find work they can perform from the
comfort of their own home. Not only that, but the most youthful members of the labor force
spent their entire lives in a world of massive connectivity.
If a company does not adjust to the needs and demands of the new labor market, they can
expect potential employees will seek work elsewhere.

4 – The Speed of Change
We touched on this topic earlier, and now we’re in the 5th industrial revolution changes
are happening faster and on a much larger scale than they have ever occurred before. This means
that a business could make a shift in strategy today that is the right decision, but in a short time,
they may need to shift away from that strategy.
The level of flexibility that companies need is something relatively new. While it is
essential to display a level of consistency so that consumers know what to expect, if a company
allows that consistency to turn into stubborn continuity, there will be a price to pay.
Most threats are external to a business. In an article from the Hartford’s Business owners
Playbook (The Hartford, 2021) Finding weaknesses, which are hard to self-identify objectively,
are normally seen when you look around your world and communicate with peers and customers
to recognize your threats.
They can include:
 Weather. These affect seasonal businesses that depend on good conditions.
 The economy. If you sell something consumers need in any economy, you will fare better
than others.
 Material shortage. Tensions in an oil-producing country result in big price hikes, raising
production costs for plastics manufacturers, trucking firms and others.
 Your computer system is hacked. This can knock your website out for days during a
crucial selling period.

 Employment in your industry is strong. This can make it hard to find skilled workers.
 Market demand dries up. Think Blockbuster falling behind Netflix because of its late start
streaming content.
Like said earlier in this document, threats create opportunities by making a person or
organization think outside of the normality of a situation or applying past experiences with a
newer adaptation.
When combating or overcoming any threats in a business, you find that the same information
from an article on how to cope with threats, we are relatively experienced in maintaining a level
of composure and tenacity to tackle the threat head on with a game plan. That can make anyone
in the organization feel confident. Later in the same article it continues to show how having a
plan and good belief in a set plan can pay off. (Blanks, 2013) Keep your focus the truth is,
focusing on these threats could become an obsession, it might even become a full-time job! Our
secret is not to let it bother us. Of course, we keep our fingers on the pulse, but we find looking
at new threats pointless, we focus on what we’re doing right and improve each of them bit by
bit.
Timetable your targets-
We keep on target with synchronized plans and make our overall targets very clear. We
sat down and planned out the next five years for our business and that’s broken down further into
a one-year plan and quarterly targets we need to strive for to make the five-year plan happen.
Each of the directors sticks to this and our departmental managers stick to their plans, focusing
on what we do and how we can do it better.

Don’t waste time worrying-
Worrying gets you nowhere; I remember how anxious we were over Amazon’s expansion plans
into office supplies. We need not have been, we have continued to grow every year, even with
Amazon’s buying power and economies of scale. There was nothing we could do, and as it turns
out, nothing that needed to be done.
To sum up, with business it is your own success that you need to focus on, not the strengths of
other operators in the marketplace. Drown out the noise created by your competitors and instead
keep focused on the objectives you can achieve from within. It’s those, and those alone, you
have the power to influence.

Prioritizing Mission-critical Functions (IT/non-IT)
“A mission-critical task, service, or system is one whose failure or disruption would cause an
entire operation or business to grind to a halt. It is indispensable to continuing operations.”
The term mission-critical is a description used for any essential service that is necessary
in order for normal operations to continue. These are operations within a business that cannot be
interrupted under any circumstances if the business is to continue production of their services.
Some examples of mission-critical functions are databases and process control software which
are crucial to companies that run on mainframes and workstations. There are also functions like
emergency call centers, computerized patient records, data storage centers and communication
systems that are mission critical. If these services were to fail to continue, they could cause
severe disruption of services, heavy financial losses, and even loss of life.
With so many different functions that can seem so critical, it can seem difficult to decide
which functions are the most important to focus on protecting. Different parts of a company may
rely on different things, such as HR needing their payroll application to function, marketing
needing their CRM system to sell products, or manufacturing needing its automated inventory
management system to even make anything. But while all of those may be true, there must be an
order to which critical systems are addressed.

Within the IT department, there are functions critical to the company in order to keep a
business going after a disaster, for example, creating, managing and storing backups of all data
before a disaster. If a failure occurs, the moment systems return online, a backup of everything
will need to be ready to go that very day in order to ensure a quick return to functionality. It is
also important ensure the confidentiality, integrity and availability of critical business data. A
balance between both security and operational needs must be found.
For Peak Security, the two requirements to keep the business functional are internet and
email access as well as being able to travel to customer sites. If a loss of internet or email access
were to occur, it would have to be brought back up within 48 hours in order to keep business
lines moving and to maintain access to SH mail servers, customer servers, and SH web servers.
As there is a 48-hour window, this luckily means that minor outages should not pose an
immediate threat to the company, however, other forms of longer lasting disasters could
potentially cause a network outage to last longer than that amount of time. As Peak Security is
responsible for establishing strategic relationships with their clients and partners as well as
providing them with services spanning the entire service chain and security solutions, being
unable to successfully perform these due to a long outage or inability to travel could have dire
effects on the company’s reputation, partnership’s and income that come from them, as well as
potentially require additional costs to fix any necessary hardware (in the event outages are
caused from broken hardware, or transportation needs to be repaired). While the max tolerable
downtime is two days, the recovery time and cost of such disasters will depend on the cause of
the disasters as well as how much the damage the disasters have caused, as outages or loss of
transportation could range between blackouts, hardware failure, or network attacks.

It would be best for the company to have some forms of backups to help keep forms of
transportation ready as well as secondary forms of internet connectivity. These can be in the
forms of secondary vehicles as well as hotspots.
Risk Mitigation Strategies
Contacting an insurance provider
General Liability Insurance: Every business, even if home-based, needs to have liability
insurance. The policy provides both defense and damages if you, your employees or your
products or services cause or are alleged to have caused Bodily Injury or Property Damage to a
third party. Contacting the insurance company is relatively easy in today’s workplace. You are
going to be dealing with a specific agent from the company chosen.
Property Insurance: If you own your building or have business personal property,
including office equipment, computers, inventory, or tools you should consider purchasing a
policy that will protect you if you have a fire, vandalism, theft, smoke damage etc. You may
also want to consider business interruption/loss of earning insurance as part of the policy to
protect your earnings if the business is unable to operate.
Business owner’s policy (BOP): A business owner policy packages all required coverage
a business owner would need. Often, BOP’s will include business interruption insurance,
property insurance, vehicle coverage, liability insurance, and crime insurance. Based on your
company’s specific needs, you can alter what is included in a BOP. Typically, a business owner
will save money by choosing a BOP because the bundle of services often costs less than the total
cost of all the individual coverages.

Worker’s Compensation: Worker’s compensation provides insurance to employees who
are injured on the job. This type of insurance provides wage replacement and medical benefits to
those who are injured while working. In exchange for these benefits, the employee gives up his
rights to sue his employer for the incident. As a business owner, it is very important to have
worker’s compensation insurance because it protects yourself and your company from legal
complications. State laws will vary, but all require you to have workers compensation if you
have W2 employees. Penalties for non-compliance can be very stiff.
Data Breach: If the business stores sensitive or non-public information about employees
or clients on their computers, servers or in paper files they are responsible for protecting that
information. If a breach occurs either electronically or from a paper file a Data Breach policy
will provide protection against the loss.
Simply put, the cost of your insurance will depend on what your business does and how
much of it you do. Depending on the type of operation you run, you may need to purchase
several different types of additional coverage (i.e., if your business has delivery vehicles, you
will need to get commercial auto coverage). But for starters, here are a couple of examples:
A tiny shoe repair cobbler nestled on the corner of a quiet downtown street would need a
combination of property and liability coverage, which might run at about $1,200/year. If they
had additional employees and needed workers' compensation, that aspect of the coverage might
add another grand on top of that.
A large gas company based in Louisiana that owns wells and trucks and has several
locations as well as tons of employees might pay more than $10 million/year for coverage.
Research to discover possible risks to the company as reported by FEMA
FEMA, the Federal Emergency Management Agency identifies current disasters to be
aware of as well as potential risks and hazards that could affect either an individual person,
community, or organization. Current risks to a company may be obvious: COVID-19
and changes in weather patterns in recent years affecting climate enough to cause various
hurricanes each year. While many organizations have found ways to mitigate the spread of
COVID-19, like mask wearing, maintaining social distancing guidelines, and requiring vaccines
for all employees, it is still a huge risk to productivity should an outbreak occur.
Additionally, hurricanes and changes in weather patterns can lead to floods and other natural
disasters which can affect the physical location of many companies, as well as potentially affect
the data for employees and clients because an outage may occur and without a proper recovery
plan in place, data could be compromised if that were to happen.
FEMA also helps to identify potential risks and hazards. Of those, earthquakes, windstorms,
hurricanes, nuclear or radioactive emergencies, dam risks, and building science are important to
be mindful of for an information technology company, all because of the potential impact that
these disasters could have on the data being protected or secured. Disasters such as these,
especially building science and security in place- such as safe rooms- are crucial to ensure that
the necessary rooms are protected. With most of the data securing private information of clients
for the organization, it is imperative that it be locked down not only digitally but
also physically to ensure the safety of the privacy of everyone involved.

 Include a detailed analysis of the services that FEMA provides.
o Then using this information, write a memo to the Task Coordinator detailing your
findings.
In order to mitigate fallout from any of these potential disasters, FEMA has developed many
services that can be taken advantage of by companies, communities or people in particular. Some
of the services include:
IPAWS: The Integrated Public Alert & Warning System provides local alerts, but is a national
system providing mobile notifications and alerts regarding any type of emergency that may pose
a threat.
Public Assistance Grants: This program provides funding opportunities to public organizations
and non-profit companies that qualify and have been affected by natural disasters
or emergencies. There is an application process and a review prior to acceptance.
Preparedness Grant: A particular funding option for non-emergency situations. This type of
grant can be provided to first responders or individual citizens as well as organizations.
Hazard Mitigation: This funding option is put in place prior to a disaster in an effort to avoid
possible emergency situation from occurring. It can help with pre-planning and managing
building plans to ensure safety in advance.

Threat and Hazard Identification & Risk Assessment: THIRA is a FEMA service that offers
preliminary assessment of risk and threats to an organization or community in an effort to
prepare for potential hazards or emergencies. FEMA offers a community level and a national
level of this type of assessment depending on the nature of the risk or community. The
assessment service allows a community to determine the capabilities that need to be in place to
mitigate potential risk.
National Disaster Recovery Framework: This service offers effective disaster
recovery management in a way that is collaborative and efficient. The framework itself
provides roles, responsibilities, principles and a structure that coordinates communication and
collaboration.
Community Recovery Management Toolkit: Provides a three-step process for communities to
manage and have long-term support following an emergency. Resources are also provided as a
part of this toolkit.
Environmental Planning and Historic Preservation: An environmental assessment is
completed in order to determine what type of resources/support are necessary in case of possible
disaster affecting historic landmarks or specific protected environments.
Chemical Stockpile Emergency Preparedness: A collection of resources held near chemical
warfare agent stockpiles for residents in case of hazardous emergency.

Memo to Task Coordinator:
To: Task Coordinator
From: Disaster Recovery Specialist
Date: January 24th, 2021
Subject: FEMA Resources for Disaster Relief
As we prepare our resources to recover from the recent data breach, it is worth considering some
of the services offered by FEMA, the Federal Emergency Management Agency. Because the
nature of our data focuses on cyber security, a Preparedness Grant from FEMA is a potential
option for financial support. The Homeland Security Preparedness Grant can offer financial
assistance to help us mitigate potential risk from domestic, cyber security attacks which can
create vulnerabilities in our own system.
Preparing an application for this grant will mean that we are proactive in securing our networks
to the utmost ability, affording our customers with peace of mind and security in their data. The
recent attack shows that even when we attempt to think of everything that could theoretically
breach our system, surprises may occur and having a plan in place allows us to recovery quickly
should this happen.
Please consider this grant and review the application process found on FEMA’s website
directly. Should I be able to offer support in this application, please do let me know as I believe
this is the best route for the organization to go moving forward and from a financial stability and
security standpoint.
https://www.fema.gov/
BC/DR Phases 4-6
Phases 4-6 will create plans for different types of backup sites, develop a procedure to
notify and activate an alternate worksite and create an inexpensive and feasible backup solution
for the VMware infrastructure.
Cold Site
Executive Summary
A cold backup site for business continuity and disaster recovery (BCDR) has little in it.
Unlike a hot site that is fully set up and ready to go, allowing for easy relocation and minimal
downtime. The cold site, therefore, only contains the essentials. Relocating to a cold site requires
setting up equipment, making the necessary installations, and loading the necessary software to
continue with operations.
Pros of a Cold Backup Site
The first major advantage a cold back-up site is the cost component. A cold back-up site
contains the least number of essentials that are needed in case relocation is needed. This includes
connection to power, internet, water, and adequate space adequate for relocation. For example, a
cold site does not require maintenance costs, any equipment, or I.T personnel, since the site is
barely functional. In comparison to hot or ware back-up sites, a cold site is the least capital
intensive.
Cons of a Cold Back-up Site
A significant disadvantage of a cold backup site is the time component. In the case of a
disaster, the business needs to relocate to the back-up site and resume operations with
expediency. With a cold back-up site, the recovery time is much longer considering that
everything must be set-up afresh. Businesses such as Peak security may not have high tolerance
to down-time, making cold-sites unappealing (Reed, 2021). In comparison, hot backup sites are
already operational, and resuming normal functioning is cheap and convenient.
Costs
While costs incurred are minimal in the short term, any incidences that mandates the
company to relocate to the backup site may result in the company incurring significant
expenses. First, in the case of a disaster recovery event, a company with only a cold back-up site
will lose all its data, and recovery may be impossible or expensive (Redhat, 2021). Businesses
with hot sites safeguard the protection of their data. Secondly, a recovery event to a cold site
could result in significant costs because of down-time. The time that the business halts
operations can be costly because it is not engaged in money making operations, but still has
expenses. Getting operations back to a state of full operations may cost more than running a hot
back-up site.
Back-Up Plan for Peak Security
Location
The backup location will be in Portland, Oregon. This is because Portland is ranked as
the safest place to live to avoid natural disasters. To avoid a disaster recovery event, Portland is a
metropolis that would allow for expedient resumption of operations, with the least likely hood of
recurring disasters.
Equipment
Equipment needed to run the cold back-up facility includes an office space, electricity,
internet access, cooling system, and air conditioning, communication equipment, and water.
Additional Resources
There should be security detail to safeguard the premises and minimal equipment from
theft and vandalism.
Conclusion
Cold sites for disaster recovery are sites that have minimal equipment in them. A
significant advantage of cold back-up sites is that in the short term, they are cost effective.
They have little equipment to maintain, therefore the company can save funds. Eventually, cold
back-up sites are unappealing because they take longer to set up, making the business suffer
longer down-times, and costs the business more if a disaster recovery event occurs. It is therefore
advisable to compare the short term and long-term benefits of back-up site varieties before
committing to a specific one.

Warm site
A warm site is considered the middle ground between the cold site and the hot site. A
warm site is a backup facility that has the network connectivity and the necessary hardware
equipment already pre-installed. However, a warm site cannot perform on the same level as the
production center because they are not equipped in the same way. Therefore, a warm site has less
operational capacity than the primary site. Moreover, data synchronization between the primary
and the secondary sites is performed daily or weekly, which can result in minor data loss. A
warm site is perfect for organizations which operate with less critical data and can tolerate a
short period of downtime. This type of a DR site is the second most expensive option.
Location
The choice of location is primarily dictated by how sensitive and critical the data is, how
big the allocated budget is, and what types of disaster the area is most subjected to. If you want
to ensure near real-time data synchronization between the primary and the secondary sites, both
sites should be located relatively close to each other. However, in this case, a disaster might
affect both locations at the same time, leaving you with no chance for system recovery. On the
other hand, if the sites are situated too far away from each other, issues with data synchronization
might occur. Moreover, it would then be necessary to hire new IT personnel responsible for
maintaining a remote DR site, which would eventually result in additional costs.

Hot Site
Developing multiple levels of back up options is a crucial part of disaster recovery and
ensuring future business continuity. Whereas a cold site backup location requires a customer to
have their own materials, equipment and management themselves, a hot site backup location
essentially replicates what was already created elsewhere- equipment included. Both options
allow for solid disaster recovery of any lost materials and ultimately, the best way to determine
the ideal option for any organization will be to consider the usage and role of the client
themselves as well as allowing them to determine which option is best for their specific data.
A hot site location can be the best option for an organization if reducing downtime and
loss of productivity are crucial for the company. While this sounds ideal in theory, it can mean
an increase in expenses overall and therefore, will not be viable for smaller organizations.
Additionally, if a hot site location is created, data is fully replicated so the chances of losing
anything crucial are slim to none. Because the secondary site should be located nearby but not in
the same building, the chances of a single shutdown affecting both locations is also very rare.
Ideally, a hot site is set up directly after the initial or primary location is created so that the
replication can be specific and exact.
Business continuity is the number one benefit to a hot site as the entire organization
could essentially move to the secondary location should a disaster occur, leaving the company
with no need to shut down to restore anything. The biggest con of a hot site is the cost. Because
the secondary site still accrues rent, has electricity costs and even costs to run in general, an
organization must be able to sustain both locations financially. If the benefit of quick recovery
and limited downtime outweighs the costs associated with the secondary location or hot site, it is
still the ideal option for an organization.

Peak Security Hot Site Plan
Peak Security has determined that an ideal recovery plan includes the use of a hot site
location to limit the potential downtime of the organization should a disaster occur. Despite the
potential downsides, a hot site will be the most secure, productive way to maintain business
continuity and since our main site location is already operational, a hot site can now be
created. Ensuring that an exact replication of site, services, and resources is created and available
is essential in safeguarding that there will be no downtime or production loss should a disaster
occur. Because of the costs associated with the creation of this hot site, Peak Security will be
making the same financial investment that we had during the creation of the primary site location
as it is assumed that the loss of production time would have a greater impact on revenue than it
does to create and manage a hot site location.
Of the resources needed to stand up the hot site or secondary location, cloud data
infrastructure is crucial. In the event of a disaster, access to client data will be necessary and
essential. Having data on the cloud can present its own risks; however, the ability to share
between locations will make it a dramatic benefit in the case of a disaster. Additionally, servers
large enough to hold all data stored at the primary location will be just as important for the hot
site so that when the site does become primary, storage limits are not met right away and the
same production time can go into effect at the secondary location (now the primary location,
should the emergency occur).

Because the hot site location will be an exact replica of the primary location, thought
should also go into infrastructure when it comes to upholding a traditional office environment.
While minutia like vending machines, snacks or even office supplies can be determined when
and if the site becomes fully operational, having equipment like working desktop
monitors, computers and even small office products like mice, keyboards and headsets will be
necessary. The goal should be that if need be, the hot site can be fully functional within less than
a day meaning all employees can migrate over to the new location without any delay in having to
order desk chairs or other required equipment to operate a functional office.
The most important resource for the hot site is funding. Because of the extra costs for
upholding the building, buying the equipment and materials and securing all the data, money
becomes the primary resource needed. Without the funding, the hot site location cannot exist in
the way that it needs to in order to reduce downtime and productivity in the event of a
disaster. Additionally, having an internet service provider already in place, as well as vendors
who are aware of the need for the hot site to become functional, in case of disaster event, will be
crucial as well. Without these resources already in place on stand-by, so to speak, there could be
additional delay in the usage of the secondary location which negates the benefits of the hot site.
Ideally, all involved with Peak Security can and will be using the secondary location (hot site) as
their primary location within less than 24 hours of a disaster occurring and affecting the original
primary location.
Mobile Site
When most people think of starting or running a business, they follow the typical
humdrum idea of everything in one building. Anyone in the IT department can verify that that is
no longer the truth. As times change and business go more high-tech involving e-commerce
ranging from sales, marketing and even customer information. Not only the customer side of
things but also in house, employee records and more are now being saved in different locations
besides the business itself.
Since the invention of the internet and intranet companies that focus on data security,
backup, and recovery. Moving more personal and professional flies electronically is riskier
nowadays than it was to have the secretary or office worker walk it down the hall or to a
different floor to be added in manually or filed by hand. Below you will find that there is even a
better, more widely adapted version of this and it is Icloud business backup.
Found on the website of Datastorage Corp. the flat out tells you that doing a mobile style
backup is the new way of the future. The article stated, (Datastoragecorp, 2020)“Gone are the
days when the Fortune 500 companies were the only ones that could afford state-of-the-art data
recovery solutions. Advances in technology and the utility model of computing now enable you
to achieve powerful disaster recovery and business continuity benefits—with the simplicity and
affordability you require.” letting their potential customer know they are up to date and on par
with the current standards of the company's data and more.

Even the National Records Center or NRC also have options and information for
companies and personal record cloud or mobile data management. The NRC states, (National
Records Center, 2021) “Safeguarding critical business data today means more than having a
backup plan: It means ensuring that every aspect of backup, transmission, storage and recovery
meet stringent privacy and security requirements to protect your confidential customer, patient,
client, employee and business data.
NRC’s E-Backup and Restore data backup, archiving and recovery service utilizes
proven technology previously available only to Fortune 500 companies, but with an interface
designed to be used by any size organization. It is user-friendly, reliable, secure and cost-
effective.”
Companies like Crash Plan make it clear that other programs, (Crash Plan/ Code42
Software, 2020) such as Dropbox or One Drive does not support all for a business yet more for
the consumer on an individual basis. Crash Plan, IDrive and more have set employees and
business mottos that have gained reputations as some of the best companies to assist, manage
and, ease any company into using mobile or off-site data management.
Mirror Site
A mirror site is created when a set of files within a computer server or drive has been
copied to another server or drive, making it so that the files are available in more than just a
single place. This is done by linking two systems together so that they will continually match
each other. Mirroring can be used with disks (such as in the form of RAID) or on servers. The
mirrored servers can also both be at entirely different locations. If a computer malfunction
occurs, a hot swap or hot standby will kick in to save data.
In a hot swap, the system signals that a disk failure has occurred and switches to the
mirrored disk. This allows for a quick, seamless transition that the user may not even recognize
without being given a notification that a malfunction had already happened. With a hot standby,
a backup from the active disk is put onto the remaining disk. A new disk is installed, creating a
new backup system, while the malfunctioning one is discarded. Little data is lost during this
process and data recovery is swift, meaning minimal disruption.
There are many pros to a mirror site. It is very efficient in that it can synchronize changes
without any lag or loss, as well as perform backups quickly. It requires less bandwidth than other
data replicating methods while also having no limitations on geography. No special hardware is
required either, meaning a lower cost compared to other methods. Database mirroring also
allows for real time data security.

There are also many cons, however. Mirroring is limited to two servers, so losing both at
once can still cost all data. Real time mirroring also means that incorrect changes on the main
drive also affect the backup as well as increasing wear of drives. It can also lead to a lot less
storage space as everything has to be saved twice and could also require additional cooling if
adding a second disk. Database mirroring can also be difficult to remove from a system.
VMware backup solution
There are a few options to choose from when looking for back-up solutions for the
VMware infrastructure. Data can be backed up to the cloud, storage area network, tape or
detachable drive. Cloud and SANs are online forms of storage while tapes and drives are
physical hardware. As maintaining a connection to the internet is integral to company’s work,
using one of the online options is not a bad idea for day to day needs. VMware has a cloud
option in the form of vSphere Replication’s VMware Site Recovery Manager. With this,
incremental backups could be sent to a remote location. The vCenter Server
Appliance Management Interface within vSphere can also be used to back up vCenter Server
Appliances as long as a proper server is set up with sufficient disk space.
However, for more important data, such as info on the defensive measures other
companies may send to Peak Security, a drive or tape could be used instead. When compared,
the only real advantage of tape over drive is cost, and it isn’t much of a big difference, so as long
as cost isn’t a major concern, using drives to perform full yet quick backups of vital data can be
helpful, and can prevent issues with backups being sent to the cloud when there are internet
issues.
Alternate Worksite
Nikolas Seropian – Lead on BC/DR team, located in Chicago, Illinois.
Phone Number – 1-773-251-3515
Email – nikserop@uat.edu
Other members include:
Austin Wellman – AustinWellman3@gmail.com
Jonathan Fuentes – jonfuent@uat.edu
Michael Lucas – Michaellucas30581@gmail.com
Aaron Phillips – aarphill@uat.edu

BC/DR Phases 7-9
Phases 7-9 will develop a communication template as well as create a disaster declaration
statement, organizational chart of key employees, a vendor list of companies to purchase
essential supplies, BC/DR activation steps, an assessment for determining structural damage, and
checklists for contacting disaster recovery specialists as well as working suppliers. It will also
identify addresses of appropriate emergency response organizations, policies for locations and
testing of alarms, evacuation procedures, and policies for shelter-in-place procedures.
Crisis Communication
Peak Security, Inc is a technology security-based firm established by leading minds in the
security sector. It has a high-quality security industry experience, providing a variety of services
aimed at helping their clients to achieve their security goals. These services include software
development, security consulting, security assessment, penetration testing (Peak Security, Inc,
2021). Like other organizations, especially in a highly sensitive security industry, Peak Security,
Inc often face crisis situations. One of the most common forms of crisis that Peak Security can
encounter financial where it can experience difficulties to meet its financial obligations, thus
causing reputational damage. The second common type of crisis it can face is personnel-related,
such as employee turnover, which would affect its performance and reputation (Sheehan and
Quinn-Allan, 2017). The third common type of crisis is organizational, characterized by
wrongdoings due to organizational malpractices. Another form of crisis the company can face is
technological, characterized by technology failure that can lead to functionality loss (Coombs,
2017). The final type of crisis that Peak Security can face is natural, such as flooding or current
health crisis caused by Covid-19 pandemic. Depending on the type of crisis that Peak Security
faces, it requires an effective communication strategy to assist in crisis communication
situations. The following communication template will assist to serve that purpose.
Communication Template
Spokesperson Response
When Peak Security finds itself in a crisis, it would be important to have an assigned
spokesperson to speak on its behalf. This person can be the company executive, or the CEO, or
the Chairman, or someone who the company feel is best suited to represent the
company. Ndlela (2018) explains that the assigned spokesperson should be a good communicator
as his or her actions would influence how key stakeholders will respond to the crisis situation.
Proactive Damage Control
Regardless of how smooth operations are running at Peak Security at the moment, the
company should always prepare for a crisis to occur. Proactive damage control serves this
purpose as it helps to prevent or reduce the effects of a crisis before it starts (Sheehan and Quinn-
Allan, 2017). Having a proactive damage control will facilitate a more credible and
compelling communication during a crisis as the firm can refer to it (Coombs, 2017). For
example, it can refer to different security protocols that were employed before, during and after
the crisis occurred.
Case Escalation
According to Sheehan and Quinn-Allan (2017), sometimes crisis situations can be
resolved on the individual level before they reach an unmanageable level. It is critical to create
an escalation system within Peak Security to help in diffusing the issue before it gets to a viral
tipping point. Often, the escalation system is created within a management team and/or customer
service team where they work on time-sensitive or complex cases (Ndlela, 2018). Case
escalation system is vital in managing complex crisis situations and ensuring that they are
resolved amicably and within the shortest time possible.
Distribution Channels
Several distribution channels will be utilized by Peak Security in crisis communication
situations. They include face-to-face meetings with employees, emails, printed communique, and
social media. Due to extensive digitalization around the world, social media has become a nearly
indispensable part of human communication (Ndlela, 2018). It allows firms to reach a wider
audience within the shortest time possible.
Frequency of Communication
Communication on the crisis situation should be communicated on a continual basis.
Some items regarding the crisis can change frequently and should be updated regularly. While
there could be standard frequency of the communication, such as twice a day, the frequency can
be higher when the need for more updates arises.

Communication Log
Disaster declaration statement

Date: February 4, 2021
Time: 11.30 am
Peak Security, Inc can confirm that a fire broke out on February 2, 2020 at 8 PM at our
premises causing severe disruption to our services. No fatalities or injuries have been reported.
However, office equipment has been damaged.
An investigation is taking place into the cause of the fire. Our chief investigation officer is
liaising with the local police department to establish what could have led to the fire, including if
it was as a result of negligence or malicious intentions.
Peak Security, Inc would like to express our commitment to restore the services as soon as
possible and to assure our clients, employees and the entire public that we are taking this matter
very seriously and we are moving at speed to establish the full details.
We have set up a call center to respond to all inquiries regarding the incident and any other
information regarding the company and our services. We will provide further updates as soon as
the information we receive is verified.
While access to our physical office has currently been affected, we continue to provide services
remotely. We would also like to provide an assurance to all our clients that no data or
information has been compromised by the fire incident. All stakeholders, including employees,
vendors, contractors, and customers can still access our online portal for various services.
Our next statement will be issued later today at 4.30 pm.
Role Assignments
Employees have a critical role to play in operations following a disaster. The
effectiveness of your communication and role assignments helps Recovery Time Objectives,
within projected time. (Yantz, 2019) Workstations, procuring equipment that was damaged,
redirecting phone services, assessing damages, and updating clients, as well as assessing data
loss. With clear assignments and expectations in place, your team can work more efficiently to
bring systems back online and minimize negative impacts following a disaster.
Kinds of disasters that you would need to prepare for listed in the same article would be:
(Yantz, 2019) User Error: This includes accidental deletions, shadow IT, and other issues that
could place your business in a bad spot if unprepared for.
Key Staff Unavailability: What would happen if someone with important knowledge or
permissions were to suddenly be away from the office due to some accident, personal
emergency, or other reason?
Equipment Failure: Most modern businesses rely heavily on technology of some sort, and that
technology requires an infrastructure.
Malware: Malware is a constant threat to businesses, and it has evolved over the years to
become a force to be reckoned with.
Natural Disasters: Most businesses fear natural disasters of certain types, and it’s largely due to
their geographic location. Hurricanes, earthquakes, floods, electrical storms, etc.
There are many steps to preparing for a disaster and there are even more issues with each
person involved with the article in Akita Box there could be 10 main steps. Listed below are just
a few of those steps.

(Kelly, 2019)
 Step 1: Understand the importance of emergency response planning.
 Step 2: Brainstorm a list of potential risks, hazards and threat scenarios.
 Step 3: Collect contact information from local emergency personnel.
 Step 8: Disperse responsibilities following the disaster event.
 Step 9: Train and educate internal personnel on your emergency response plan.
 Step 10: Test and revise your emergency response plan.
Key Employees
Key employees are a little better pointed out in the article from the Hearst newspaper
written to take some of the hard work out of trying to find out who your own business would
need to appoint in case of a disaster. (Hearst Newspapers,LLC & Linton, 2021)The plan
identifies key employees who must be able to resume work after a disaster. These include senior
executives, customer service staff, sales representatives, and production planners. These are the
employees responsible for making important decisions about the business or keeping customers
informed during the recovery period. In a related article by Greenwald and Dorherty LLC even
having your employee’s emergency contact information can make them key employees as well
in case of a disaster. (Greenwald Doherty,LLP., 2017)Employee emergency contact information
is just that – the identity of the person to call in case of emergency. Unfortunately, emergencies
happen at work more than companies would like.

Vendor Directories need to be more like the one presented by Media Brain shown
below. In case your business has a disaster.
(MediaBrains Inc. & SHRM, 2021) Business Services:
 Conference Call Services
 Employee Shuttle Services
 Expense Reporting
 Financial Services
 Food and Beverage Services
 Identification Badges (Employee and Conferences)
 Liability Insurance
 Marketing Communications
 Meetings / Events / Speakers
 Property & Casualty Insurance
 Research Statistical and Economic
 Tax Services
 Translation & Interpretation Services

After establishing all of that for the business, addressing and identifying the organizations or
companies that will help can be found on the FEMA.Gov riskmanagemnet section
at https://www.fema.gov/emergency-managers/risk-management.
At the Cybersecurity and Infrastructure Security Agency. Emergency Services Sector (US
Gov, 2021)The Emergency Services Sector (ESS) is a community of millions of highly-skilled,
trained personnel, along with the physical and cyber resources, that provide a wide range of
prevention, preparedness, response, and recovery services during both day-to-day operations and
incident response.
Exit Route
Make exit route design permanent. Ensure that the number of exit routes is adequate
based on the number of employees, the size of the building, its occupancy, and the arrangement
of the workplace. Separate an exit route from other workplace areas with materials that have the
proper fire resistance-rating for the number of stories the route connects. Ensure that exit routes
meet width and height requirements. The width of exit routes must be sufficient to accommodate
the maximum permitted occupant load of each floor served by the exit route. Ensure that doors
used to access exit routes have side hinges and swing in the direction of travel (depending on
occupancy and hazard areas). Design exit routes that lead to an outside area with enough space
for all occupants. An outdoor exit route is permitted but may have additional site-specific
requirements.
First Aid
Ensure that medical personnel are ready and available for advice and consultation on the
overall employee safety and health condition in the workplace. Provide trained personnel and
adequate first aid supplies to render first aid when a medical facility is not in near proximity to
the workplace. Provide suitable facilities for immediate emergency use if exposure to injurious
or corrosive materials is possible.
Structure
If your structure has been compromised by windfall, fire, flood, vehicle
impact, earthquake, or other disaster, it is important to have a structural engineer determine if it
is safe to occupy. An experienced structural engineer will arrive on site to assess the damage and
assist the property owner in understanding the next steps for re-construction. Based on the
engineer’s findings, a summary memo will be provided with recommendations for needed
repairs. Project time frames can vary widely and are subject to many external factors. The major
factors involved in determining the timeline for design of a project are the size of project and the
involvement of other design professionals.
Figure 1 Risk Assessment Chart
Identify Hazards & Calculate Likelihood

1. Unlikely
An unlikely hazard is extremely rare, there is a less than 10 per cent chance that it will happen.
2. Seldom
Seldom hazards are those that happen about 10 to 35 per cent of the time.
3. Occasional
An occasional hazard will happen between 35 and 65 per cent of the time.
4. Likely
A likely hazard has a 65 to 90 per cent probability of occurring.
5. Definite
These hazards will occur 90 to 100 per cent of the time. You can be nearly certain it will
manifest.
Calculate Consequences
1. Insignificant (A)
The consequences are insignificant and may cause a near negligible amount of damage. This
hazard poses no real threat. Examples: loss of $1K, no media coverage and/or no bodily harm.
2. Marginal (B)
The consequences are marginal and may cause only minor damage. This hazard is unlikely to
have a huge impact. Examples: loss of $10K, local media coverage and/or minor bodily harm.
3. Moderate (C)
The consequences are moderate and may cause a sizeable amount of damage. This hazard cannot
be overlooked. Examples: loss of $100K, regional media coverage and/or minor bodily harm.
4. Critical (D)
The consequences are critical and may cause a great deal of damage. This hazard must be
addressed quickly. Examples: loss of $1M, national media coverage, major bodily harm and/or
police involvement.
5. Catastrophic (E)
The consequences are catastrophic and may cause an unbearable amount of damage. This hazard
is a top priority. Examples: loss of $10M+, international media coverage, extreme bodily harm
and/or police involvement.
Calculate Risk Rating

1. Low
Low risks can be ignored or overlooked as they usually are not a significant threat. A definite
hazard with insignificant consequences, such as stubbing your toe, may be low risk.
2. Medium
Medium risks require reasonable steps for prevention but they’re not a priority. A likely hazard
with marginal consequences, such as a small fall, may be medium risk.
3. High
High risks call for immediate action. An occasional hazard with critical consequences, such as a
major car accident, may be high risk.
4. Extreme
Extreme risks may cause significant damage, will occur, or a mix of both. They are a high
priority. An unlikely hazard with catastrophic consequences, such as an aircraft crash, is an
extreme risk.
Create an Action Plan

Your risk action plan will outline steps to address a hazard, reduce its likelihood, reduce its
impact and how to respond if it occurs.
Figure 2 Risk Assessment Form
Plug Data into Matrix
A risk assessment matrix simplifies the information from the risk assessment form, making it
easier to pinpoint major threats in a single glance. This convenience makes it a key tool in the
risk management process. Every risk assessment matrix has two axes: one that measures the
consequence impact and the other measures likelihood. To use a risk matrix, extract the data
from the risk assessment form and plug it int
o the matrix accordingly.

Figure Risk Assessment Matrix
Peak Security Evacuation Procedures
In the event of an emergency requiring the need to evacuate the office environment, Peak
Security has outlined a strategic and specific evacuation plan. Please see below for a copy of
the map of the building, and the specific route that has been designated to follow in the case of
an emergency which requires the need for evacuation. Before following the evacuation plan, it is
decided that each person is responsible for a total shut down of their system as well as turning off
and unplugging their towers and anything in their workspace connected to a plug. Servers are set
up for automatic shut down in the event of a power outage or emergency and cloud back ups will
be put in place to secure the information and allow for external access if need be.
From a physical location perspective, the company building is small enough that safe
areas within the building are not required. In the event of an emergency that blocks doors or
prohibits evacuation, a specific shelter in place plan will be created; however. If a specific alarm
is sounded, all employees will begin to follow through with the next steps of the evacuation
plan. The evacuation plan specifies that the front doors will be used in an emergency. The reason
for this is because of the features provided by the doors, and the option for more people to exit
swiftly given that they are double doors versus a single door frame. Employees will follow a
primary exit route using the map below and due to the size of the building, only one route will be
required. Once the building has been evacuated, employees will gather at a designated location
outside of the building where vehicles will be provided in the form of vans and/or busses from a
specific organization that will be designated and contacted at the first sign of any emergency. As
most employees will likely live locally or at least in state, lodging for the night will not be
provided unless the emergency itself requires it (compromised data or specific, immediate threat
from a volatile individual or group of individuals). Depending on the secure nature of the data,
this type of plan would be used specifically in extreme cases only.

In case of emergency causing the need for evacuation, it will be important to determine
who is responsible for ensuring that all employees are accounted for. Using employee manifests
will be the starting point and registering day-to-day attendance along with accounting for
any missing persons through verification with the human resources department will provide
accuracy and the least amount of room for error. The organization has a limited number of
employees so the hope is that accounting for all people and ensuring that proper communication
is in place should be manageable. Emergency communication devices like walkie-talkies will not
be necessary due to the size of the organization. Instead, the use of cell phones, text messages
and the use of colored cards held up to reiterate safety of a group or set of people. Because the
office is in Arizona, the important weather protection to have will be water and sunscreen in the
case of the need to spend long periods of time outside. The water and sun protection will
be stored in a closet in the front office nearest to the door. Employees will be evaluated multiple
times during the evacuation to ensure that their mental and physical well-being is intact
and appropriately impacted by the severity of the situation.
Peak Security Shelter-in-Place Procedures
In an office as small as the one for Peak Security, establishing safe areas in case of a
Shelter-in- Place situation can be a challenge. What becomes most important is security of the
safe area and assurance that an intruder is not able to clearly identify the area. A panic room, of
sorts, is created in the event of a need for a shelter in place plan. This will not only keep staff
safe from any intruders who may come into the office but will also act as a safe space should an
external threat be located outside of the building affecting the staff’s ability to vacate. The panic
room will be in a small space just off of the main conference room but will not be designated on
the map in an effort to keep the room a secret from outsiders who may view the map.
Inside of the room, supplies will be kept lasting a team of up to 10 employees for 3-4
months. This will include excess water, non-perishable foods, as well as nutrient rich vitamins to
ensure that the health of the employees is key. Generic clothes of various sizes will be provided
along with blankets and other comfort supplies; however, these will be kept in limited quantity,
prioritizing other supplies like food and water as those are deemed more essential. There are
shelves set up within the panic room and boxes storing all of the supplies; however, space is
limited overall due to the nature of the room.
Lead employees will be briefed on locations of importance such as circuit breakers, water
lines and utility closets. Only those in these positions will be made aware of the shelter in place
plan to reduce the number of people informed of where the resources may be. In case of this type
of emergency, the lead will prepare the room and ensure that employees are accounted for in the
room and briefed on the situation. From there, the lead employee will be the only person to leave
the room until the all-clear has been given by emergency personnel. This person will locate the
gas and power line should they need to do so and will have blueprints indicating areas of
importance should they need to be accessed at any time during the shelter in place process.
Checklists for contacting and interviewing a disaster recovery specialist
Items to include in procedures for Status (e.g., Completed, Pending, or N/A)
contacting disaster recovery providers

Names and titles of employees who are
authorized to contact disaster recovery service
providers
Contact information and locations of disaster
recovery service providers

How to describe needs to these service
providers
How facilities and locations should be
identified for these service providers

Information on negotiated contracts with
these service providers

Information on paying these service providers
if there are no negotiated contracts

How to access emergency funds to pay
disaster recovery providers
Checklist for contacting and informing stakeholders
Items to include in procedures for working Status (e.g., Completed, Pending, or N/A)
with stockholders and investors

authorized to talk with stockholders and

investors
A list of executives assigned to stockholder
and investor relations

Contact information and locations of large
stockholders and investors

How to establish a stockholder
A process to update stockholders and
investors on the status of disaster recovery
efforts
A process to provide stockholders and
investors with a final report when recovery is
complete
Checklist for contacting and working with suppliers
Items to include in procedure for working Status (e.g., Completed. Pending, or N/A)
with suppliers and service providers

authorized to work with suppliers and service
providers
Contact information and locations of suppliers
and service providers

How product lines or services should be
identified when contacting suppliers and
service providers.
What to tell suppliers and service providers
about disasters
What to tell them about recovery of
operations
What suppliers and service providers should
do if they need to contact the organization
during the disaster
Checklist for contacting and working with customers
Items to include in procedures for working Status (e.g., Completed, Pending, or N/A)
with suppliers and service providers

authorized to work with suppliers and service
providers
Contact information and locations suppliers
and service providers

How product lines or services should be
identified when contacting suppliers and
service providers about disasters

What to tell suppliers and service providers
about disasters
What to tell them about recovery of
operations
What suppliers and service providers should
do if they need to contact the organization
during the disaster
BC/DR Phases 10-11
Phases 10-11 will create assessments for determining inventory, develop a set of policies
and procedures for employees to follow, and inspect hazardous materials as well as vital records.
Test scenarios will also be made along with a tabletop test. There is also a memo to the CEO on
how testing will be performed.
Assessments for inventory
The management of businesses uses inventory to facilitate the regular supply of goods
and services at customers' convenience. The cost of making and managing inventory remains
significantly high. However, business managers take the risk of running stocks to facilitate the
effective running of the business. Some of the areas of concern for running an inventory at a
damaged site include financial loss, salvage and restoration, operations disruption, and salvage
operation.
The Extent and Severity of Operations Disruption
The provision of quality goods and services that enable clients to realize their goals and
objectives helps enterprises build a large and strong customer base. However, damages in the
operation site expose goods to potential destruction; thus, it lowers the value and increases loss
to the firm (Peltz et al., 2014). Site damage interferes with the business operation since it deflects
concentration to efforts to salvage and restoration efforts to limit the extent of loss that the
business may suffer. The practice of attracting and retaining customers relies on the
organization's ability to provide quality goods and services.
Financial Loss
Damages to the property lead to financial loss for the business since it limits the potential
to sell the goods profitably. The analysis should consider the extent of destruction of the goods
and the rate of destruction to determine the potential for selling the goods at relatively reduced
prices (Peltz et al., 2014). Again, the assessment should consider the actual prices for purchasing
the goods and the operating cost, such as refrigeration cost. Businesses incur losses when
damages lead to the reduction of goods' value at the point of sale.
Salvage and Restoration
The price of goods drops significantly because of the reduction in value after damage. It
exposes the business to potential loss because of the difficulty to fetch the purchasing value. The
assessment should consider the cost of salvaging goods after destruction. It should also consider
the possible cost of restoring the goods to ensure that they attain a relatively good quality that
fetches significant selling value (Peltz et al., 2014). Determining the cost of salvaging and
restoring damaged goods helps the management understand the fall in prices and plan
accordingly.
Timelines to Salvage Operation

Interventions to cases of damage to sites involve ensuring that operations continue to
minimize the business's negative impacts. The assessment should consider the technological
requirement and related costs to ensure that the organization continues with function.
Furthermore, identifying the timeline of salvage operation helps the management prepare
accordingly with the human and capital resources to promote the salvage operation's
effectiveness (Peltz et al., 2014). It should consider government regulations on the adoption of
new operating strategies after suffering losses. Continued operations help the firm mitigate high
rates of losses after damage to the site.
The Extent and Severity of Disruption to Operations
The practical business operation involves investment in goods, services, and utilities that
provide an enabling environment for the interaction between business operators and consumers.
The attainment of smooth operations relies on the management's ability to determine the
inventory of buildings and utilities such as gas, electricity, and water (Beccali, Ciulla,
Lo Brano, Galatioto, & Bonomolo, 2017). The assessment should consider the cost of installing
and maintaining buildings and available utilities and the potential disruption of operations due to
the damages on buildings and other utilities. It facilitates the actualization of mitigation
measures.
Potential Financial Loss
Building and utilities face regular changes in prices due to the political and economic
atmosphere. The business management should consider potential changes in the cost of buying
the utilities to ensure that proper arrangements exist to mitigate potential inaccessibility in the
future (Beccali, Ciulla, Lo Brano, Galatioto, & Bonomolo, 2017). The assessment should also

consider arrangements for the regular supply of authentic utilities to ensure the protection of
machines and resources that may suffer damages due to the use of low-quality utilities.
Consideration of the change in prices of building and utilities ensure the management prepares
for unforeseen circumstances.
Salvage and Restoration
Damaged buildings and utilities may not contribute to realizing identified goals and
objectives because of the reduction in their effectiveness to respond to stated needs. However,
salvage and restoration may limit the potential for suffering high losses. The analysis of salvage
and restoration efforts should consider related costs and the tools needed to enhance the
process (Beccali, Ciulla, Lo Brano, Galatioto, & Bonomolo, 2017). The examination should also
consider government regulation on the quality of salvaged and restored utilities applied in the
running of enterprise operations.
Timelines
The operations of businesses rely heavily on the accessibility to proper structures and
utilities since they create an enabling environment for producing quality goods. The analysis
should consider the timeline for the potential purchase and construction of new utilities
and resources. It should also consider the potential for restoration and related costs to enable the
management to put a necessary execution arrangement. The analysis should also consider the
extent of damage to utilities such as gas, electricity, and water and the potential for accessibility
in the future to sustain business operations (Beccali, Ciulla, Lo Brano, Galatioto, & Bonomolo,
2017). It enables the management to respond decisively and lower potential future risks.
Conclusion
The focus of inventory includes financial loss, salvage and restoration, operations
disruption, and salvage operation as strategies to appropriately respond to the destruction of the
enterprise's utilities and buildings. The management's role includes the determination of
measures that facilitate the regular supply of goods and services that meet the needs of
customers. Running an inventory contributes to the need to run operations effectively.
Hazardous materials/Vital records
Inspection for hazardous material:
(Zak) When to Inspect for Hazardous Materials
The best time to determine the presence of hazardous materials is before the contract is
written. Specifications that accurately reflect current conditions benefit and protect all
stakeholders.
When hazards are unexpectedly found post-contract, the work schedule gets thrown off,
expenses mount, and failure to properly address the danger may even result in legal action.
The party who wins most from the situation is the contractor, who can justifiably charge a
premium rate for emergency response services. Safety comes first — but at a high cost when the
hazardous material survey is omitted from pre-construction planning and specifications.
Resource Records:
(OmniSecu)What are resource records?
Resource Records are usually a name to IP Address (IPv4 or IPv6) mapping (or vice
versa). DNS Resource Records are used to answer DNS client queries. Resource Records are
added to the DNS server for the portion of the DNS namespace which the DNS Server is
hosting. (NS1)3 types of DNS queries—recursive, iterative, and non-recursive 3 types of DNS
servers—DNS Resolver, DNS Root Server and Authoritative Name Server
Common DNS records—including A, AAAA, CNAME, MX and NS
Vital Records:
(Iron Mountain) What Is A Vital Record?
Vital records are fundamental to an organization’s ability to function.

Certain vital records contain information critical to the continued operation or survival of
an organization during or immediately following a crisis. Such records are necessary to continue
operations without delay under abnormal conditions. They contain information necessary to
recreate an organization’s legal and financial status and preserve the rights and obligations of
stakeholders, including employees, customers, investors, and citizens.
(VRC Vital Records Control)5 Steps to an Effective Records Management Program
Step 1: Set-up a Records Retention Schedule
To determine the retention period for your records, it’s important to: Perform a record
inventory of all physical and electronic records, establish a standardized record classification
system, and conduct research on all federal, state, and local requirements.
Step 2: Policies and Procedures
Your records management program should support policies and procedures both legally
and operationally. Policies and procedures set the standard for a compliant records management
system. They should include the management of all records and media types. A well-strategized
manner, your policies and procedures will work simultaneously with your business continuity
plan and disaster recovery program.
Step 3: Accessibility, Indexing, and StorageA contributing factor of a successful records
management program is the ability to access your information when it’s needed. Companies need
to obtain information quickly for everyday business operations and compliance requirements.
Indexing parameters, including date, subject matter, creator, and location of the record, are
essential to retrieving information promptly and efficiently.
Step 4: Compliance Auditing Components of a records management audit should include:
Retention schedule complies with up-to-date laws and regulations.
Indexing accuracy and accessibility of documents
Training and communication among staff and departments
Protection and preservation of records
Timely and consistent destruction of inactive files

Employee Policies/Man-made test scenario
MEMO
Peak Security
To: Peak Security Disaster Recovery Test Team

From: Jonathan Fuentes
CC: Peak Security Leadership
Date: 2/10/2021
Re: Disaster Evaluation
Comments: Hello Test Team,
Due to the recent power outage, a test must be conducted to evaluate the
usage potential of the electricity and ensure the safety of company materials
on the current power grid. During this evaluation period, many Peak Security
employees will be working remotely to reduce downtime and limit an impact
to productivity. Additionally, as the evaluations are completed, updates must

be provided to the Peak Security leadership team as to a resolution timeline.
In order to best evaluate the impact of the recent outage, all circuit breakers
and fuses should be checked. Also, all systems will require a file system
integrity check upon rebooting to ensure that data was not lost as a result of
the outage. No major updates were scheduled to be in play during the time of
the outage so with any luck all data will be intact upon rebooting.
As a reminder, a backup power generator is an option should the evaluation
reveal more concerns or long-term downtime. Once evaluation and notes are
completed and reviewed, a return to office plan will be implemented for any
employees still working remotely.
Safety Action Plan-
Objectives:
1. Increase awareness to safety and response procedures.
2. Minimize risk and implement disaster recovery plans in an efficient and timely manner.
Team Peak Security will have the following key team members:

Nikolas Seropian
Safety Consultant Lead
He is responsible for developing and implementing safety procedures and program.
Jonathan Fuentes
Hazard Control Specialist
He is responsible for risk assessment and mitigation.

Safety Policies
1. It is the responsibility of each employee to conduct themselves appropriately, following
state and local laws. All employees will sign safety contact agreeing to follow the safety
guidelines put in place by Peak Security.
2. In the event of emergency, any employees affected and/or a part of the emergency will
be expected to provide a write up of the event, outlining the details as it affected them
directly.
3. Use of specific policy/manual depending on the circumstances of the event must be
properly adhered to. Failure to do so could result in termination of employment.

4. Peak Security agrees to uphold a safe, functional working environment at all times.
Nature based test scenario/Tabletop
Memorandum
To: Peak Security Leadership
From: Michael Lucas
Date: 2/11/21
Topic: Natural disasters
Planning A Mock Disaster Scenario

The following steps can be used as a guideline when developing your own mock
exercise. Keep in mind that you need to tailor this to meet the needs and demands of your
organization.
1. Choose A Scenario
Open your plan and review the results of your business impact assessment - select an
incident that could realistically happen. For example, you could build a scenario around an
overnight fire occurring at your office.
2. Communication Strategy
Determine who in the company will know about your mock scenario. You will likely
need to communicate this with one person in your IT department and key team leaders. Be
careful of telling too many people about the mock disaster (some people are not great at keeping
secrets).
3. Outside Assistance
You are going to need some external individuals to help you execute your mock disaster.
Contact your local fire department and emergency personnel - explain to them what it is you
want to do and why you want to do this. Remember this is a good chance for them to test out
their action response plan as well.
4. Put It into Action
Once you have a scenario and have worked out how you will execute the disaster the next
thing to do is to put it into action. For our fire example, this likely means you will be contacting
key team members in the middle of the night to let them know about the fire. This will set the
mock disaster into action. Now your crisis communication plan and mechanisms will be tested,
and the employee responses can be measured and evaluated. Also, you will be able to test your
off-site working plans, your ability to communicate effectively with media and other third
parties, your disaster recovery strategy, and your business continuity plan. Learn more about the
difference between business continuity and disaster recovery.
5. Analyze
Take your time with this - do not rush this step. Once the mock disaster has concluded,
you need to review all the notes, actions, what worked and did not work - use this information to
update your plan. You may need to refine your communication strategy - for example, you may
find that your employees only respond to push notifications and that email failed. You may need
to update the hardware people are using to work from home. Your third-party contact list may
need to be better distributed. These are all good things to know - it is better to discover this
during a mock disaster than during a real-life scenario.
6. Talk to Your Employees
Find out what the experience was like for your employees. These are the people who you
are relying on to run the organization, so it is vital that they are comfortable with the disaster
preparedness plan and how it is implemented. Remember that most employees do not have
confidence in their company’s ability to be prepared for a disaster - you do not want to be such a
company.
Landslide scenario
Landslide Warning Signs:
 Springs, seeps, or saturated ground in areas that have not typically been wet before.
 New cracks or unusual bulges in the ground, street pavements or sidewalks.
 Soil moving away from foundations.
 Ancillary structures such as decks and patios tilting and/or moving relative to the main
house.
 Tilting or cracking of concrete floors and foundations.
 Broken water lines and other underground utilities.
 Leaning telephone poles, trees, retaining walls or fences.
 Offset fence lines.
 Sunken or down dropped roadbeds.
 Rapid increase in creek water levels, possibly accompanied by increased turbidity (soil
content).
 Sudden decrease in creek water levels though rain is still falling or just recently stopped.
 Sticking doors and windows, and visible open spaces indicating jambs and frames out of
plumb.
 A faint rumbling sound that increases in volume is noticeable as the landslide nears.
 Unusual sounds, such as trees cracking or boulders knocking together, might indicate
moving debris.
Areas that are generally prone to landslide hazards:
 On existing old landslides.
 On or at the base of slopes.
 In or at the base of minor drainage hollows.
 At the base or top of an old fill slope.
 At the base or top of a steep cut slope.
 Developed hillsides where leach field septic systems are used.
Areas that are typically considered safe from landslides:
 On hard, non-jointed bedrock that has not moved in the past.
 On relatively flat-lying areas away from sudden changes in slope angle.
 At the top or along the nose of ridges, set back from the tops of slopes.
What to Do Before a Landslide:
 Do not build near steep slopes, close to mountain edges, near drainage ways, or natural
erosion valleys.
 Get a ground assessment of your property.

 Contact local officials, state geological surveys or departments of natural resources, and
university departments of geology. Landslides occur where they have before, and in
identifiable hazard locations. Ask for information on landslides in your area, specific
information on areas vulnerable to landslides, and request a professional referral for
a very detailed site analysis of your property, and corrective measures you can take, if
necessary.
 Watch the patterns of storm-water drainage near your home, and note the places where
runoff water converges, increasing flow in channels. These are areas to avoid during a
storm.
 Learn about the emergency-response and evacuation plans for your area. Develop your
own emergency plan for your family or business.
 Minimize home hazards:
o Have flexible pipe fittings installed to avoid gas or water leaks, as flexible fittings are
more resistant to breakage (only the gas company or professionals should install gas
fittings).
o Plant ground cover on slopes and build retaining walls.
o In mudflow areas, build channels or deflection walls to direct the flow around
buildings. Remember: If you build walls to divert debris flow and the flow lands on a
neighbor's property, you may be liable for damages.
What to Do During a Landslide:

 Stay alert and awake. Many debris-flow fatalities occur when people are sleeping. Listen
to a NOAA Weather Radio or portable, battery-powered radio or television for warnings
of intense rainfall. Be aware that intense, short bursts of rain may be particularly
dangerous, especially after longer periods of heavy rainfall and damp weather.
 If you are in areas susceptible to landslides and debris flows, consider leaving if it is safe
to do so. Remember that driving during an intense storm can be hazardous. If you remain
at home, move to a second story if possible. Staying out of the path of a landslide or
debris flow saves lives.
 Listen for any unusual sounds that might indicate moving debris, such as trees cracking
or boulders knocking together. A trickle of flowing or falling mud or debris may precede
larger landslides. Moving debris can flow quickly and sometimes without warning.
 If you are near a stream or channel, be alert for any sudden increase or decrease in water
flow and for a change from clear to muddy water. Such changes may indicate landslide
activity upstream, so be prepared to move quickly. Do not delay! Save yourself, not your
belongings.
 Be especially alert when driving. Bridges may be washed out, and culverts overtopped.
Do not cross flooding streams!! Turn Around, Don't Drown! Embankments along
roadsides are particularly susceptible to landslides. Watch the road for collapsed
pavement, mud, fallen rocks, and other indications of possible debris flows.
 Be aware that strong shaking from earthquakes can induce or intensify the effects of
landslides.
What to Do if You Suspect Imminent Landslide Danger:

 Contact your local fire, police, or public works department. Local officials are the best
persons able to assess potential danger.
 Inform affected neighbors. Your neighbors may not be aware of potential hazards.
Advising them of a potential threat may help save lives. Help neighbors who may need
assistance to evacuate.
 Evacuate. Getting out of the path of a landslide or debris flow is your best protection.
 Curl into a tight ball and protect your head if escape is not possible.
What to Do After a Landslide
 Stay away from the slide area. There may be danger of additional slides.
 Listen to local radio or television stations for the latest emergency information.
 Watch for flooding, which may occur after a landslide or debris flow. Floods sometimes
follow landslides and debris flows because they may both be started by the same event.
 Check for injured and trapped persons near the slide, without entering the direct slide
area. Direct rescuers to their locations.
 Help a neighbor who may require special assistance - infants, elderly people, and people
with disabilities. Elderly people and people with disabilities may require additional
assistance. People who care for them or who have large families may need additional
assistance in emergency situations.

 Look for and report broken utility lines and damaged roadways and railways to
appropriate authorities. Reporting potential hazards will get the utilities turned off as
quickly as possible, preventing further hazard and injury.
 Check the building foundation, chimney, and surrounding land for damage. Damage to
foundations, chimneys, or surrounding land may help you assess the safety of the area.
 Replant damaged ground as soon as possible since erosion caused by loss of ground
cover can lead to flash flooding and additional landslides soon.
 Seek advice from a geotechnical expert for evaluating landslide hazards or designing
corrective techniques to reduce landslide risk. A professional will be able to advise you
of the best ways to prevent or reduce landslide risk, without creating further hazard.
Memo
Peak Security
To: Peak Security CEO, Russ Rogers

From: Nikolas Seropian
Subject: Testing for plan
Date: 2/11/2021
For the CEO, Russ Rogers,
There will be multiple steps in testing the functionally of our BC/DR plan. As
there are many potential threats as well as many ways to prepare for them,
plenty of testing will be required to make sure everything is in order. The
objectives of the tests would be to ensure that no matter what threats may
occur, whether natural or man-made, all important data is protected and that
the company is able to recover and continue business as soon as possible.
It may take weeks to set up and will require hiring employees to install and
test hardware, as well as multiple drills to make sure that everything holds up
in the many possible situations. The BC/DR documentation will go over more
specifics as to how different tests will be run and the roles my team will play
in that. It should be expected for tests to range from simple maintenance
checks to full on drills that will have equipment tested in ways as if an actual
disaster has occurred (i.e., shutting off power to devices to make sure they
protect data properly, performing live drills with Peak Security staff to make
sure they know how to act in immediate emergencies).
It can be important to do constant tests with old and new members of the
planning team. As technology advances, more threats as well as forms of
protection will pop up. Having members already experienced with the new
setup do constant checkups can help make sure everything continues to
function properly, while new members can further evaluate and possibly
brings up new ideas to further advance the safety of the company.
As it is important for to know what the BC/DR plan entails, steps should be
made to help employees in reviewing the plan that will be a long read. Time
should be taken to allow employees to take in the information at a pace that

does not rush them to the point it is too much to take in at once. I would
recommend a meeting take place to allow the plans to be passed out for the
company to review together with multiple breaks to allow questions to be
asked, pages to be reviewed again, and employees to get a drink and take care
of other personal needs to help them retain attention in the next reading.
Intranet Documents Checklist
1. Security and integration –
For an intranet platform to be reliable, it must be secure.
2. Preview documents online –
Needed to quickly review documents before downloading.
3. Recycle bin –
So mistakenly deleted files can be restored.
4. Easy uploads –
So files can be stored within the intranet platform.
5. Check in and check out –

Allows files to be checked out while being edited.
6. Document versioning –
For saving different versions of files.
7. Flagging and reporting –
To bring attention to content that is relevant or must be removed.
8. Tagging and metadata –
Allows users to associate keywords or tags as metadata.
9. Logical folder hierarchy –
For organizing files in a way that makes sense to the users.
10. Commenting and discussions –
For users to give feedback with fellow collaborators.
BC/DR plan change management.
There may be times where the current BC/DR plan must be updated. It is important that that the
changes are made known to everyone as quickly as possible so everyone is prepared if an
incident occurs. If the company or my team believe changes need to be made, once both sides
agree, my team can look at the current state of the company and make revisions based on that.
Once the BC/DR team has come up with possible changes to the plan, stakeholders can be
notified of the intended changes. If the changes are agreed upon, another meeting can be held by
Peak Security to pass out the new versions of the plan and review them the same way as before.
Once everyone is caught up, testing of the new plan can take place if needed to make sure the
plan will succeed in an actual situation.
Citations
Phases 1-3-
Botzen, W. W., Deschenes, O., & Sanders, M. (2019). The economic impacts of natural
disasters: A review of models and empirical studies. Review of Environmental Economics
and Policy, 13(2), 167-188.
Monllor, J., & Murphy, P. J. (2017). Natural disasters, entrepreneurship, and creation after
destruction: A conceptual approach. International Journal of Entrepreneurial Behavior
& Research.
Onyshchenko, S., Maslii, O., & Ivanyuk, B. (2019, October). The Impact of External Threats to
the Economic Security of the Business. In 2019 7th International Conference on
Modeling, Development and Strategic Management of Economic System (MDSMES
2019) (pp. 156-160). Atlantis Press.
Rosencrance, L. (2019, June 28). Top 10 types of information security threats for IT
teams. Retrieved January 22, 2021,
from https://searchsecurity.techtarget.com/feature/Top-10-types-of-information-security-
threats-for-IT-teams
Types of Small Business Insurance. (n.d.). Retrieved January 23, 2021,

from https://www.thehartford.com/small-business-insurance/types-of-small-business-
insurance
McLean, R. (2019, July 30). A Hacker gained access to 100 million Capital one credit card
applications and accounts - CNN BUSINESS. Retrieved from
https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html
CIS. (n.d.). Cybersecurity threats. Retrieved from https://www.cisecurity.org/cybersecurity-
threats/
BBC News. (2019, July 08). British Airways Faces RECORD £183m fine for data breach.
Retrieved from https://www.bbc.com/news/business-48905907
Passeri, P. (2019, June 13). The security nightmare of formjacking. Retrieved from
https://www.infosecurity-magazine.com/opinions/security-formjacking-1-1-1/
Blanks, S. (2013, 2 15). How to Cope With Threats to Your Business. is4profit.com. Retrieved 1
23, 2021, from http://is4profit.com/how-to-cope-with-threats-to-your-business/
Business Blogs. (2019, 9 0). The Top 4 Biggest Threats To Businesses Today.
businessblogshub.com. Retrieved 1 21, 2021, from
https://www.businessblogshub.com/2019/09/the-top-4-biggest-threats-to-businesses-
today/
The Hartford. (2021, 0 0). Threats: Obstacles That Can Trip Up Your Business.
therhartford.com. Retrieved 1 22, 2021, from https://www.thehartford.com/business-
insurance/strategy/swot-analysis/threats
Maverick, J. B. (2019, 7 17). Financial Risk: The Major Kinds That Companies Face.
Investopedia. Retrieved 1 20, 2021, from
https://www.investopedia.com/ask/answers/062415/what-are-major-categories-financial
-risk-company.asp
Tal, J. (2018, 9 20). America’s Critical Infrastructure: Threats, Vulnerabilities and Solutions.
Security info Watch. Retrieved 1 20, 2021, from
https://www.securityinfowatch.com/access-identity/access-
control/article/12427447/americas-critical-infrastructure-threats-vulnerabilities-and-
solutions#:~:text=There%20are%20three%20classes%20of,%2C%20financial%20crimes
%2C%20economic%20espionage.
Phases 4-6-
Redhat. (2021). 8.3.2. Backup Sites: Cold, Warm, and Hot Red Hat Enterprise Linux 4 | Red Hat
Customer Portal. Red Hat Customer Portal. Retrieved from
https://access.redhat.com/documentation/en-
us/red_hat_enterprise_linux/4/html/introduction_to_system_administration/s2-disaster-
recovery-sites.
Reed, J. (2021). Comparison of Disaster Recovery Sites: Which one to Choose? Official
NAKIVO Blog. Retrieved 26 January 2021, from
https://www.nakivo.com/blog/overview-disaster-recovery-sites/.
Contributor, T. (2018, December 30). What is warm site? - Definition from WhatIs.com.
Retrieved January 29, 2021,
from https://searchdisasterrecovery.techtarget.com/definition/warm-site
Alday, J. (2018, August 29). Disaster recovery: Cold Sites, hot sites, and Why Do I care?
Retrieved from https://www.cimasg.com/2017/02/disaster-recovery-cold-sites-hot-sites-
and-why-do-i-care/
Crash Plan/ Code42 Software. (2020, 1 1). Business. Compare. https://www.crashplan.com/en-
us/business/compare/
Datastoragecorp. (2020, 1 1). Protect Your Data Like a Fortune 500 company. Data protection
that fits your growing business is here and now.
https://www.datastoragecorp.com/protect-your-data-like-a-fortune-500-company/
National Records Center. (2021, 1 1). E-Backup and Restore Solutions. E-Backup and Restore
Solutions. https://nationalrecordscenters.com/e-backup-and-restore-solutions/
Sullivan, E. (2016, November 09). What is mirror site? - definition from whatis.com. Retrieved
from https://searchstorage.techtarget.com/definition/mirror
Vmware. (2021, February 05). What is VSPHERE replication & How does it help in disaster
recovery in virtual machines? Retrieved from
https://www.vmware.com/products/vsphere/replication.html
Ostlund, C. (2014, May 19). Tape backup vs. Disk Backup: Which is right for your business?
Retrieved from https://www.marconet.com/blog/tape-backup-vs.-disk-backup-which-is-
right-for-your-business
Collins, T. (n.d.). Full backup vs. incremental backup VS. DIFFERENTIAL Backup: Which is
best? Retrieved February 20, 2020, from https://www.atlantech.net/blog/full-backup-vs.-
incremental-backup-vs.-differential-backup-which-is-best
Phases 7-9-
Coombs, W. T. (2017). Ongoing crisis communication: Planning, managing, and responding.
Los Angeles: SAGE Publications.
Ndlela, M. (2018). Crisis Communication: A Stakeholder Approach. Springer International
Publishing.
Peak Security, Inc. (2021). About Us. Retrieved from https://www.peaksec.com/about-us
Sheehan, M and Quinn-Allan, D. (2017). Crisis Communication in a Digital World. Cambridge
University Press.
Greenwald Doherty,LLP. (2017, 9 22). Topics:Employment Policies and Practices. Why
Employers Should Obtain Their Employees’ Emergency Contact Information.
https://www.greenwaldllp.com/law-clips/employers-obtain-employees-emergency-contact-
information/
Hearst Newspapers,LLC & Linton, i. (2021). Company Disaster Plan Examples. Chron.
https://smallbusiness.chron.com/company-disaster-plan-examples-62111.html
Kelly, M. (2019, 11 19). 10 STEPS TO CREATING AN EMERGENCY RESPONSE PLAN FOR
YOUR BUSINESS. Akita Box. https://home.akitabox.com/blog/emergency-response-plan-how-
to
MediaBrains Inc. & SHRM. (2021). Business Services:. Human Resource Vendor Directory.
https://vendordirectory.shrm.org/category/business-services
US Gov. (2021). CyberSecurity & Infrastructure Security Agency. Emergency Services Sector.
https://www.cisa.gov/emergency-services-sector
Yantz, M. (2019, 8 26). Backup and Recovery, Best Practices, Business. Backup and Recovery,
Best Practices, Business. https://itsupportguys.com/it-blog/key-elements-of-disaster-
recovery-plan/
Katie YahnkeMarketing WriterKatie is a former marketing writer at i-Sight. She writes on topics
that range from fraud, (n.d.). How to use a risk assessment matrix [with template].
Retrieved February 06, 2021, from https://i-sight.com/resources/risk-assessment-matrix/
Principal emergency response and preparedness. (n.d.). Retrieved February 04, 2021,
from https://www.osha.gov/Publications/osha3122.html
Risk assessment (n.d.) Retrieved February 04, 2021, from https://www.ready.gov/risk-
assessment
Ready. (21, February 9). Emergency response plan. Retrieved from
https://www.ready.gov/business/implementation/emergency
FEMA. (2019, July). Planning Considerations. Retrieved from
https://www.fema.gov/sites/default/files/2020-07/planning-considerations-evacuation-
and-shelter-in-place.pdf
Phases 10-11-
Beccali, M., Ciulla, G., Lo Brano, V., Galatioto, A., & Bonomolo, M. (2017). Artificial neural
network decision support tool for assessing the energy performance and the
refurbishment actions for the non-residential building stock in southern
Italy. Energy, 137, 1201-1218. doi:10.1016/j.energy.2017.05.200
Peltz, E., Brauner, M. K., Keating, E. G., Saltzman, E., Tremblay, D., & Boren, P. (2014). DoD
depot-level reparable supply chain management: Process effectiveness and opportunities
for improvement. Rand National Defense Research Inst Santa Monica Ca.
Iron Mountain. “Introduction.” IMPORTANT VERSUS VITAL RECORDS: THE MAGIC 5%
YOU CAN'T LIVE WITHOUT, 2021,
https://www.ironmountain.com/resources/whitepapers/i/important-versus-vital-records-
the-magic-5-you-cant-live-without. Accessed 8 2 2021.

NS1. “DNS: Types of DNS Records, DNS Servers and DNS Query Types.” DNS: Types of DNS
Records, DNS Servers and DNS Query Types, 2021, https://ns1.com/resources/dns-types-
records-servers-and-queries. Accessed 9 2 2021.
OmniSecu. “What is DNS Resource Record.” What is DNS Resource Record, 2021,
https://www.omnisecu.com/tcpip/what-is-dns-resource- record.php#:~:text=Resource
%20Records%20are%20usually%20a,the%20DNS%20Serv er%20is%20hosting.
Accessed 9 2 2021.
VRC Vital Records Control. “5 Essential Records Management Procedures.” 5 Essential
Records Management Procedures, 2021, https://vitalrecordscontrol.com/records-
management-procedures/. Accessed 9 2 2021.
Zak, Julie. “5 Essential Benefits of the Pre-Project Hazardous Materials Inspection and
Survey.” FACS Insider Blog, 2 7 2019, https://forensicanalytical.com/blog/5-essential-
benefits-of-the-pre-project-hazardous-materials-inspection-and-survey/.
Oman. (2016, March). What is essential to test after a power surge for an unprotected pc?
Retrieved from https://superuser.com/questions/1046874/what-is-essential-to-test-after-a-
power-surge-for-an-unprotected-pc
Hout, O. (2019, September 16). 6 scenarios for business continuity PLAN TESTING. Retrieved
from https://www.agilityrecovery.com/article/6-scenarios-business-continuity-
plan-testing
Drake, K. (2020, August 24). Disaster recovery testing scenarios. Retrieved February 11, 2021,
from https://ongoingoperations.com/blog/it-disaster-recovery-scenarios/
Nature news. (n.d.). Retrieved February 11, 2021,
from https://www.nature.com/scitable/topicpage/lesson-8-landslides-hazards-8704578/
Eisenhauer, T. (2014, October 31). 10 most important features in a social document management
system. Retrieved from https://axerosolutions.com/blogs/timeisenhauer/pulse/277/10-
most-important-features-in-a-social-document-management-system

ntw440 Finalbcdrplan Team1 Peaksec

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ntw440 Finalbcdrplan Team1 Peaksec

Uploaded by

Copyright:

Available Formats

Peak Security BC/DR Plan 1

BC/DR Phase 1-3

will have on Peak Security.

Businesses face different types of threats to their existence including economic,

winds, tsunamis, avalanches, mudslides, and blizzards among

others (Onyshchenko, Maslii & Ivanyuk, 2019). The following paragraphs evaluate the sources

of the threats, likelihood of occurrences which shall be followed by prioritization and impacts of

the priority threats.

occur due to wet soil from higher grounds.

prevent ships from ferrying business goods.

industries (Botzen, Deschenes & Sanders, 2019). Mudslides may harm the equipment of

The prioritization of the list of threats to a company depends on the frequency of the

mitigated (Monllor & Murphy, 2017). Each of these threats has differing

impacts on business operations. As described above, when infrastructure like roads and

seas are affected.

place to resolve them quickly is key to avoiding lost productivity.

Spamming is defined as the abuse of electronic messaging systems to send unsolicited,

employees having to sort through what is real and what is not.

Phishing is a criminal activity using social engineering techniques. Phishers attempt to

masquerading as a trustworthy person or business in an electronic communication. This scam

A virus is a self-replicating computer program written to alter the way a computer

operates, without the permission or knowledge of the user. Worm is a self-replicating computer

would be somewhere in the middle of the scale. 5 out of 10.

more than we would like to believe. 6 out of 10.

Drive-by download attacks.

In a drive-by download attack, malicious code is downloaded from a website via a

browser, application or integrated operating system without a user's permission or knowledge. A

Distributed denial-of-service (DDoS) attacks

In a distributed denial-of-service (DDoS) attack, multiple compromised machines attack

systems. 7 out of 10 is where I would rate this as a risk to the company.

hundred dollars to thousands, payable to cybercriminals in Bitcoin. 9 out 10 because of how

IT and Technology based threats

get them to engage with malicious content (such as malicious URLs).

compromised in a data breach. It wasn’t caused by a random hacker or even a CO employee. As

Amazon employee, decided to exploit a misconfigured firewall to gain access to:

80,000 bank account numbers, in addition to an undisclosed number of people’s names,

the US Department of Justice.”

stock losses into account.

Malware can be an insidious threat. It can be distributed via multiple delivery methods,

attack. Malware is a more prevalent danger as it accounts for about 11% of cybersecurity

The Top 10 Types of Malware:

due to phishing attacks. That is nine billion per year.

Phishing is an attempt to elicit information from a victim in order to gain access to a network

etc. Phishing comes in many forms:

 Watering hole phishing

 Evil twin phishing

spoofing or phone number spoofing to make their communications appear legitimate.

Examples of Major Successful Phishing Attacks

Phishing as a cybersecurity threat is in abundance and can be very costly. Google and

more than $70 million.

3. Formjacking is a type of cyber security threat that involves taking over forms on a website

by abusing their security vulnerabilities. hackers use lines of malicious code on the checkout

goal is to scan and harvest any valuable data that users submit via forms.

Symantec released a report in 2019 that shows form jacking was on the rise in 2018. The

internet security company reported an average of 5,000 websites were compromised with form

For examples of recent successful formjacking attacks, look no

further than British Airways and Ticketmaster attacks that were thought to be committed by

Protection Regulation compliance. GDPR allows fines of up to 4% of a company’s annual

turnover for noncompliance.

4. Inadequate Patch Management, Manufacturers release patches to correct weaknesses in

their operating systems and software. They are vital to the protection of your business but often,

patching largely gets overlooked both by users and IT security teams merely because IT staff has

so many tasks and responsibilities. which leaves huge holes in security infrastructure. Preferably,

etc. Phishing comes in many forms:

Symantec released a report in 2019 that shows form jacking was on the rise in 2018. The

further than British Airways and Ticketmaster attacks that were thought to be committed by

threats. research from Avast shows that of five hundred thousand devices that