Procedure to contain spread of COVID-19 in workplace settings

1. SUMMARY

  1. Coronavirus Disease 2019 (COVID-19) is a respiratory disease caused by the SARS-CoV-2 virus.
  2. Infection with SARS-CoV-2, the virus that causes COVID-19, can cause illness ranging from mild to severe and, in some cases, can be fatal. Symptoms typically include fever, cough, and shortness of breath. Some people infected with the virus have reported experiencing other non-respiratory symptoms. Other people, referred to as asymptomatic cases, have experienced no symptoms at all.
  3. According to the CDC, symptoms of COVID-19 may appear in as few as 2 days or as long as 14 days after exposure.

2. REVISION AND APPROVAL

Rev. | Date       | Nature of Changes | Approved By
00   | 04/06/2020 | Original issue.   | CEO

3. INTRODUCTION

Offices and other workplaces are relatively closed settings, with shared spaces (corridors, elevators and stairs, parking places, cafeteria, meeting rooms, conference halls, etc.), and thus COVID-19 infection can spread relatively fast among employees, staff and visitors. There is therefore a need to prevent the importation of infection into workplace settings and to respond in a timely and effective manner in case a suspect case of COVID-19 is detected in these settings, so as to limit the spread of infection.

4. SCOPE

This Procedure outlines the preventive and response measures to be observed to contain the spread of COVID-19 in workplace settings. The HR and Admin Manager along with Department Head are responsible for implementation of the Procedure.

5. BASIC PREVENTIVE MEASURES

The basic preventive measures include simple public health measures that are to be followed to reduce the risk of infection with COVID-19. These measures need to be observed by all (employees and visitors) at all times. These include:

  1. Physical distancing of at least one meter to be followed at all times.
  2. Use of face covers/masks to be mandatory.
  3. Practice frequent hand washing (for at least 40-60 seconds), even when hands are not visibly dirty, and use alcohol-based hand sanitizers (for at least 20 seconds).
  4. Respiratory etiquette to be strictly followed: cover one’s mouth and nose with a tissue/handkerchief/flexed elbow while coughing/sneezing and dispose of used tissues properly.
  5. Self-monitoring of health by all and reporting any illness at the earliest.

6. PREVENTIVE MEASURES FOR OFFICES/SITES:

The HOD and HR & Admin Manager will ensure that the guidelines with respect to preventive measures specific to offices that have been/will be issued by the Ministry of Health (MOH), Kuwait are being followed. Any staff reportedly suffering from flu-like illness should not attend office and should seek medical advice from the local health authorities. Such persons, if diagnosed as a suspect/confirmed case of COVID-19, should immediately inform the office authorities. Any staff requesting home quarantine based on the containment zone activities in their residential areas should be permitted to work from home. MOH guidelines with respect to organizing meetings and coordinating visitors shall be scrupulously followed.

All the Departments are advised to take all necessary measures such as:

  1. Install thermal scanners at the entry of buildings and Sites as feasible. Hand sanitizers must be placed at the entry of buildings/Sites. Those found having flu-like symptoms may be advised to take proper treatment/quarantine etc.
  2. Discourage, to the maximum extent, entry of visitors into the office/Sites. Routine issue of visitor/temporary passes should be suspended with immediate effect. Only visitors who have proper permission from the Deputy Director or above whom they want to meet should be allowed in, after being properly screened.
  3. Meetings, as far as feasible, should be held through video conferencing. Meetings involving a large number of people should be minimized or rescheduled unless necessary.
  4. Avoid non-essential official travel.
  5. Undertake essential correspondence on official email and avoid sending files and documents to other offices, to the extent possible.
  6. Facilitate delivery and receipt of Courier at the entry point itself of the office building, as far as practicable.
  7. Ensure proper cleaning and frequent sanitization of the workplace, particularly of the frequently touched surfaces.
  8. Ensure regular supply of hand sanitizers, soap and running water in the washrooms.
  9. All employees may be advised to take care of their own health and look out for respiratory symptoms/fever and, if feeling unwell, should leave the workplace immediately after informing their reporting Managers.
  10. The leave sanctioning authorities are advised to sanction leave whenever any request is made for self-quarantine as a precautionary measure.
  11. Advise all employees who are at higher risk i.e. older employees, pregnant employees and employees who have underlying medical conditions, to take extra precautions. The Departments may take care not to expose such employees to any front-line work requiring direct contact with the public.

7. DO’s AND DON’Ts FOR ALL EMPLOYEES

1) Do’s

  • To maintain personal hygiene and physical distancing.
  • To practice frequent hand washing. Wash hands with soap and water or use alcohol-based hand rub. Wash hands even if they are visibly clean.
  • To cover your nose and mouth with handkerchief/tissue while sneezing and coughing.
  • To throw used tissues into closed bins immediately after use.
  • To maintain a safe distance from persons during interaction, especially with those having flu-like symptoms.
  • To sneeze in the inner side of your elbow and not to cough into the palms of your hands.
  • To take your temperature regularly and check for respiratory symptoms.
  • To see a doctor if you feel unwell (fever, difficulty in breathing and coughing). While visiting doctor, wear a mask/cloth to cover your mouth and nose.

2) Don’ts

  • Shake hands.
  • Have a close contact with anyone, if you’re experiencing cough and fever.
  • Touch your eyes, nose and mouth.
  • Sneeze or cough into palms of your hands.
  • Spit in public.
  • Travel unnecessarily, particularly to any affected region.
  • Participate in large gatherings, including sitting in groups at cafeteria.
  • Visit gyms, clubs and crowded places etc.
  • Spread rumors or panic.

8. MEASURES TO BE TAKEN ON OCCURRENCE OF CASE OF COVID-19:

Despite taking the above measures, the occurrence of cases among the employees working in the office cannot be ruled out. The following measures will be taken in such circumstances:

    1. When one or few person(s) who share a room/close office space is/are found to be suffering from symptoms suggestive of COVID-19:
      1. Place the ill person in a room or area where they are isolated from others at the workplace. Provide a mask/face cover till such time he/she is examined by a doctor.
      2. The concerned health authorities will be informed immediately.
      3. A risk assessment will be undertaken by the departmental Head along with Safety manager and accordingly further advice shall be made regarding management of case, his/her contacts and need for disinfection.
      4. The suspect case, if reporting very mild/mild symptoms on assessment by the health authorities, would be placed under home isolation, subject to fulfillment of the criteria laid down in MOH guidelines.
      5. If the suspect case is assessed by the health authorities as moderate to severe, he/she will follow the MOH guidelines.
      6. The rapid response team, consisting of the HR & Admin Manager, the Safety Manager and the Dept. Head of the concerned department, shall be requisitioned and will undertake the listing of contacts.
      7. The necessary actions for contact tracing and disinfection of work place will start once the report of the patient is received as positive. The report will be expedited for this purpose.
    2. If there are large numbers of contacts from a pre-symptomatic/asymptomatic case, there could be a possibility of a cluster emerging in workplace setting. Due to the close environment in workplace settings this could even be a large cluster (>3 cases). The essential principles of risk assessment, isolation, and quarantine of contacts, case referral and management will remain the same. However, the scale of arrangements will be higher.
    3. Management of contacts:
      The contacts will be categorized into high and low risk contacts by the Safety Manager. The high risk exposure contacts shall be quarantined for 14 days. They will follow the guidelines on home quarantine as given by MOH, Kuwait. These persons shall undergo testing as per MOH, Kuwait protocol. The low risk exposure contacts shall continue to work and closely monitor their health for next 14 days.
    4. Risk profiling of contacts
      Contacts are persons who have been exposed to a confirmed case anytime between 2 days prior to onset of symptoms (in the positive case) and the date of isolation (or maximum 14 days after the symptom onset in the case).

      1. High-risk contact
        • Touched body fluids of the patient (respiratory tract secretions, blood, vomit etc; e.g. being coughed on, touching used paper tissues with a bare hand)
        • Had direct physical contact with the body of the patient including physical examination without PPE
        • Touched or cleaned the linens, clothes, or dishes of the patient.
        • Lives in the same household as the patient.
        • Anyone in close proximity (within 1 meter) of the confirmed case without precautions.
        • Passengers who were in close proximity (within 1 meter) for more than 6 hours in a conveyance with a symptomatic person who later tested positive for COVID-19.
      2. Low-risk contact
        • Shared the same space (worked in same room/similar) but not having a high-risk exposure to confirmed case of COVID-19.
        • Travelled in same environment (bus/train/flight/any mode of transit) but not having a high-risk exposure.

9. CLOSURE OF WORKPLACE

If there are one or two cases reported, the disinfection procedure will be limited to places/areas visited by the patient in past 48 hrs. There is no need to close the entire office building/halt work in other areas of the office and work can be resumed after disinfection as per laid down protocol (see para 10).
However, if there is a larger outbreak, the entire building will have to be closed for 48 hours after thorough disinfection. All the staff will work from home, till the building is adequately disinfected and is declared fit for re-occupation.

10. DISINFECTION PROCEDURES IN OFFICES

1. Indoor areas including office spaces

  • Office spaces, including conference rooms should be cleaned every evening after office hours or early in the morning before the rooms are occupied. If contact surface is visibly dirty, it should be cleaned with soap and water prior to disinfection. Prior to cleaning, the worker should wear disposable rubber boots, gloves (heavy duty), and a triple layer mask.
  • Start cleaning from cleaner areas and proceed towards dirtier areas.
  • All indoor areas such as entrance lobbies, corridors and staircases, escalators, elevators, security guard booths, office rooms, meeting rooms and the cafeteria should be mopped with a disinfectant with 1% sodium hypochlorite or phenolic disinfectants. High contact surfaces such as elevator buttons, handrails/handles and call buttons, escalator handrails, public counters, intercom systems, equipment like telephones, printers/scanners, and other office machines should be cleaned twice daily by mopping with a linen/absorbable cloth soaked in 1% sodium hypochlorite. Frequently touched areas like table tops, chair handles, pens, diary files, keyboards, mouse, mouse pad, tea/coffee dispensing machines etc. should specially be cleaned.
  • For metallic surfaces like door handles, security locks, keys etc. 70% alcohol can be used to wipe down surfaces where the use of bleach is not suitable.
  • Hand sanitizing stations should be installed in office premises (especially at the entry) and near high contact surfaces.
  • In a meeting/conference/office room, if someone is coughing, without following respiratory etiquettes or mask, the areas around his/her seat should be vacated and cleaned with 1% sodium hypochlorite.
  • Carefully clean the equipment used in cleaning at the end of the cleaning process.
  • Remove PPE, discard disposable PPE in a yellow disposable bag, and wash hands with soap and water.
  • In addition, all employees should consider cleaning the work area in front of them with a disinfecting wipe prior to use and sit one seat further away from others, if possible.

2. Outdoor areas

Outdoor areas have less risk than indoor areas due to air currents and exposure to sunlight. These include bus stops, railway platforms, parks, roads, etc. Cleaning and disinfection efforts should be targeted at frequently touched/contaminated surfaces as already detailed above.

3. Public toilets

Sanitary workers must use a separate set of cleaning equipment for toilets (mops, nylon scrubber) and a separate set for the sink and commode. They should always wear disposable protective gloves while cleaning a toilet.

  • 70% alcohol can be used to wipe down surfaces where the use of bleach is not suitable, e.g. metal. (Chloroxylenol (4.5-5.5%) / Benzalkonium Chloride or any other disinfectants found to be effective against coronavirus may be used as per the manufacturer’s instructions.)
  • Always use freshly prepared 1% sodium hypochlorite.
  • Do not use disinfectant sprays on potentially highly contaminated areas (such as the toilet bowl or surrounding surfaces), as they may create splashes which can further spread the virus.
  • To prevent cross contamination, discard cleaning material made of cloth (mop and wiping cloth) in appropriate bags after cleaning and disinfecting. Wear a new pair of gloves and fasten the bag.
  • Disinfect all cleaning equipment after use and before using it in another area.
  • Disinfect buckets by soaking in bleach solution or rinsing in hot water.

4. Personal Protective Equipment (PPE):

Wear appropriate PPE, which would include the following, while carrying out cleaning and disinfection work.

  • Wear disposable rubber boots, gloves (heavy duty), and a triple layer mask.
  • Gloves should be removed and discarded if damaged, and a new pair worn.
  • All disposable PPE should be removed and discarded after cleaning activities are completed.
  • Hands should be washed with soap and water immediately after each piece of PPE is removed, following completion of cleaning.
  • Masks are effective if worn according to instructions and properly fitted. Masks should be discarded and changed if they become physically damaged or soaked.

5. Guidelines for use of mask

The correct procedure for wearing a triple layer surgical mask:

  1. Perform hand hygiene
  2. Unfold the pleats; make sure that they are facing down.
  3. Place over nose, mouth and chin.
  4. Fit flexible nose piece over nose bridge.
  5. Secure with tie strings (upper string to be tied on top of the head above the ears; lower string at the back of the neck).
  6. Ensure there are no gaps on either side of the mask; adjust to fit.
  7. Do not let the mask hang from the neck.
  8. Change the mask after six hours or as soon as it becomes wet.
  9. Disposable masks are never to be reused and should be disposed of.
  10. While removing the mask, great care must be taken not to touch the potentially infected outer surface of the mask.
  11. To remove the mask, first untie the lower string and then the upper string, and handle the mask using the upper strings.
  12. Disposal of used masks: Used mask should be considered as potentially infected medical waste. Discard the mask in a closed bin immediately after use.

10. HAND WASHING TECHNIQUE WITH SOAP AND WATER

11. Management of the cases and Contact


12. Disinfection of workplace

Example of ISO 45001:2018 OHSMS Manual

0.0 Introduction

0.1 The Company

Information about your company

0.2 Products & Services

Your product and services

1.0 Scope:

Scope of the Occupational Health and Safety Management System of XXXX is:

Scope at XXXXX (please add location address)

2.0  Normative References

ISO 45001: 2018 Occupational Health and Safety management systems – Requirements

3.0  Terms & Definitions.

3.1 Abbreviation:

GM: General Manager
QM: Quality Manual
OHSMS: Occupational Health and Safety Management System
MR: Management Representative
WI: Work Instructions

3.2 Definition:

  1. Acceptable risk: risk that has been reduced to a level that can be tolerated by XXXX having regard to legal obligations and the company’s Health and Safety Policy.
  2. Audit: Systematic, independent and documented process for obtaining ‘audit evidence’ and evaluating it objectively to determine the extent to which ‘audit criteria’ are fulfilled.
  3. Continual improvement: year on year improvements in both XXXX’s health and safety performance and the Health and Safety System.
  4. Corrective action: action to eliminate the cause of a nonconformity or other undesirable situation.
  5. Document: hard copy or electronic information in written, diagrammatic or pictorial form.
  6. Hazard: source, situation or act with a potential for harm in terms of injury or ill health.
  7. Hazard identification: the process of recognizing that a hazard exists and defining its characteristics.
  8. Ill health: identifiable, adverse physical or mental condition arising from and/or made worse by a work activity and/or work-related situation.
  9. Incident: work-related event in which an injury or ill health or fatality occurred or could have occurred.
    Note 1: An accident is an incident which has given rise to injury, ill health, or fatality.
    Note 2: An incident where no injury, ill health or fatality occurred is referred to as a near miss.
    Note 3: A dangerous occurrence is a particular type of near miss.
    Note 4: An emergency situation is a particular type of incident.
  10. Interested party: person or group outside the workplace concerned with or affected by the OH&S performance of the company.
  11. Nonconformity: non-fulfillment of a requirement.
  12. Occupational health and safety (OH&S): conditions and factors that affect, or could affect, the health and safety of employees or other workers (including temporary workers and contractor personnel), visitors or any other person in the workplace.
  13. OH&S management system: part of an organization’s management system used to develop and implement its OH&S policy and manage its OH&S risks.
  14. OH&S objective: OH&S goal, in terms of OH&S performance set annually by XXXX in order to achieve one of its Health and Safety Policy commitments.
  15. OH&S performance: measurable results of XXXX’s management of its OH&S risks.
  16. OH&S policy: overall intentions and direction of the company related to OH&S performance as expressed by the Board of Directors.

4.0 Context of the Organization 

4.1 Understanding the Organization and Its Context

Organization contexts related to internal and external issues that are relevant and can affect its ability to achieve the intended results of the OHSMS are identified and documented by the respective departments with proposed actions. Information about these external and internal issues is regularly monitored and reviewed.

Moral – The organization believes in the Principle of ‘All workers have a right to work in places where risks to their health and safety are properly controlled. Health and safety is about stopping workers getting hurt at work or ill through work.’

Legal – There is a wealth of health and safety legislation and codes of practice covering work both within offices and manufacturing sites. Without a formal system in place it is difficult for organizations to ensure that they understand and meet all their legal obligations.

Financial – In many cases there is often no conflict between what is good for business and what is good for health and safety management. Improved health and safety performance leads to increased productivity, reduced insurance premiums, improved morale and increases the company’s chances of winning new business.

The company determines the external and internal issues that are relevant to its purpose and strategic direction and that affect its ability to achieve the intended results of the OHSMS. Consideration is given to the:

  1. Positive and negative factors or conditions.
  2. External context and issues, such as legal, regulatory, technological, competitive, cultural, social, political and economic environments.
  3. Internal context and issues, such as values, culture, organization structure, knowledge and performance of the business.
  4. Determination and requirements of the needs and expectations of interested parties relevant to the OHSMS.
  5. Authority and ability to exercise control and influence.
  6. Activities, products and services relevant to the business.

Documented information is retained as evidence to support that the context of the organization has been taken into account in the OHSMS.

4.2 Understanding the Needs and Expectations of Interested Parties        

The interested parties for XXXX include Clients, Principals/Service Providers, Employees, Higher Management, and Government/Regulatory Bodies. The needs and expectations of interested parties are identified and taken care of by the departments. Management of XXXX is always committed to fulfilling the needs and expectations of all interested parties. All workers have an expectation that neither their health nor their safety will be at risk as a result of their employment with XXXX. The main needs and expectations of the interested parties (by Sl No.) are given below.

  1. Clients/OHSMSs
    1. A simple solution that manages compliance easier.
    2. Implementation of the product in line with OHSMS and regulatory requirements.
    3. Receive responsive support.
    4. Delivery of free content to educate around compliance.
  2. Suppliers / Principals & Service Providers
    1. Good relationship.
    2. On-going and secure workplace.
    3. To be paid on time.
    4. Clear understanding of requirements.
    5. Constructive feedback.
    6. Want to provide services/products to a reliable, reputable and financially viable business.
  3. Employees
    1. Job security.
    2. Salary for work performed.
    3. Flexible work hours.
    4. Clear understanding of their role and responsibilities.
    5. Able to raise issues of concern and provide constructive feedback.
    6. Good, friendly and safe work environment.
    7. To feel valued and appreciated.
    8. Opportunities for personal development.
  4. Top Management / Owners / Shareholders
    1. Have a growing business that provides profit.
    2. Be well governed and well managed.
    3. Want staff to enjoy their work, be challenged, perform their job competently and meet the company, regulatory and OHSMS requirements.
  5. Government & Regulatory Bodies
    1. Follow the rules and regulations laid down by the Government and public authorities and meet the legal requirements.
    2. To submit all tax obligations accurately and on time.
    3. To maintain high standards of corporate governance.
  6. Visitors
    1. Environment friendly workshop design with no emissions.
    2. Good, friendly and safe work environment.
  7. Community, i.e. society at large
    1. Good corporate citizen.
    2. Diversity of employees.

4.3 Scope of the Occupational Health and Safety Management System

The scope of this Health & Safety System covers all work related to XXXX and any associated administration and any XXXX activities on site. The scope of the Occupational Health and Safety Management System is defined in 1.0 Scope and is as follows:

Scope of XXXX.

4.4. Occupational Health and Safety Management System and its Processes 

XXXX’s Health & Safety System has been based on the format of the new International Standard ISO 45001:2018. Processes for XXXX with inputs, outputs and sequences are given in Annexure-II & III. Processes include:
i) Trading of items ( Procurement from Agents / Principals & supply to OHSMSs)
ii) Repair & refurbishment of static & rotating equipment at Workshop
iii) IT department (Maintenance of systems & support of software and hardware for departments)
iv) HR & Administration ( Recruitments & Recording employee attendance, Leaves, Plan for training and renewal of licenses)

Necessary resources for the processes are provided by the management through HR, and their responsibilities and authorities are defined and documented. Risks and opportunities for each process are determined and necessary actions are planned to enhance desirable effects and eliminate/reduce undesired effects. The OHSMS consists of the following levels of documented information:

  1. Policies: documents that demonstrate the overall commitment to improving quality performance; they are authorized by the Management Team.
  2. System procedures: high-level procedures that define the activities to be fulfilled to ensure that the OHSMS complies with the standard.
  3. Module workflows, operational procedures and work instructions. Control and operational procedures:
    • Meet OHSMS requirements.
    • Provide supplementary guidance and instructions to support the intent of the OHSMS.
    • Ensure that the requirements of the OHSMS will be adequately addressed within the organization.
  4. Forms, registers and records: evidence to prove the OHSMS is operational.

5.0  Leadership

5.1 Leadership & Commitment: General

Management of XXXX demonstrates its leadership and commitment with respect to the Occupational Health and Safety Management System (OHSMS) through:

i) Assigning responsibility and accountability for the effectiveness of the OHSMS.
ii) Taking overall responsibility for the prevention of work-related injury and ill health and the provision of safe and healthy workplaces and activities.
iii) Protecting workers from reprisals when reporting incidents, hazards, risks and opportunities.
iv) Ensuring the organization establishes and implements a process for consultation and participation of workers.
v) Supporting the establishment and functioning of a Health and Safety Committee.
vi) Ensuring that the Health and Safety Policy and Health and Safety Objectives are established and are compatible with the strategic direction of the organization.
vii) Ensuring that the resources needed for the OHSMS are available.
viii) Communicating the importance of an effective OHSMS to all concerned. Guiding and supporting personnel to contribute to the effectiveness of the OHSMS.
ix) Promoting the risk-based and process approach.
x) Promoting improvements.
xi) Ensuring that the OHSMS achieves its intended results through periodic review.

5.2 Health and Safety Policy

The top management of XXXX has established, implemented and maintained a Health and Safety Policy, which is appropriate to the purpose and context of the organization. It provides commitment to satisfy applicable requirements and continual improvements of the Occupational Health and Safety Management System. The Health and Safety policy is communicated, understood and applied within the organization and made available to the relevant interested parties.

The policy, which has been approved by the General Manager, is reproduced below.

HEALTH & SAFETY POLICY

  1. Management of health and safety falls within the social category of sustainable development and is of equal importance to the economic success of the business and protection of the environment.
  2. Our aim is to provide safe working environments and hence to prevent injury and ill health to our employees and all other stakeholders: clients, professionals, subcontractors, members of the public and anyone else affected by our activities, projects or services.
  3. We require all directors and managers to demonstrate leadership in health and safety matters in order to develop and maintain a positive health and safety culture.
  4. We will comply fully with all relevant health and safety regulations and codes of practice.
  5. We will implement and maintain a Health and Safety System to help deliver these policy commitments.
  6. We will provide the necessary resources in personnel, finance and time in order to implement and maintain the Health and Safety System.
  7. We will set Health and Safety Objectives annually, which reflect our commitment to continual improvement in health and safety performance and the Health and Safety System.
  8. We recognize that we need the support of all our employees in order to achieve our Health and Safety Objectives.
  9. We will provide relevant health and safety information, training and instruction for our employees.
  10. We will consult with our employees on health and safety matters. 

5.3  Organizational roles, responsibilities and authorities.

Responsibilities and authorities are defined in Job Descriptions. These are communicated to the relevant functions. Organization Chart for XXXX showing the authority and hierarchy of various roles is given in Annexure – I.        

Management Representative

The Safety Manager is the currently appointed Management Representative and has responsibility and authority for:

  1. Ensuring that the:
    • OHSMS is established, implemented and maintained in accordance with the requirements of ISO 45001:2018.
    • OHSMS processes are delivering their intended outputs.
  2. Reporting the performance of the OHSMS and opportunities for improvement to the management.
  3. Ensuring that the integrity of the OHSMS is maintained when changes to the OHSMS are planned and implemented.
  4. Reporting on the performance of the OHSMS to top management for review and as a basis for improvement.

5.4 Consultation and Participation of Workers

Consultation and participation of workers is carried out through the Health & Safety Committee. The following events may be used to facilitate participation:

Toolbox Meeting

  1. The Safety Manager will chair and take minutes of toolbox meetings.
  2. The frequency of toolbox meetings is determined by the:
    • Main Contractor / Principal
    • contract requirements
    • Company directive
  3. All employees and contractors on the site at the time of the meeting MUST attend unless excused by the Safety Manager for an extraordinary reason.
  4. The Safety Manager or his representative will record:
    • Names of all attendees
    • Concerns or hazards raised
    • Accidents reported
    • A brief summary of specific topics covered or instructions given
  5. Completed site safety toolbox meeting records shall be held in the Toolbox record.

Health and Safety Meeting

  1. The Health and Safety Meeting is made up of representatives from all levels within the organization. The meeting can be a committee or it can be a full company meeting.
  2. The meetings will be minuted with action points clearly identifying responsibility and a target date for completion. The following items will be discussed:
    • Previous minutes and actions taken
    • Reviews of policies
    • Correspondence, i.e. new laws and legislative requirements
    • Objectives achieved
    • Hazards/risks
    • New equipment and new work processes (including hazards associated with new equipment or processes)
    • Training undertaken and training for the next period
    • Accidents and incidents
    • Upcoming and overdue events from Mango
    • Changes that affect workplace safety
    • General business excellence

Appointment of Employee Health and Safety Representatives

If required, annual nominations will be sought from employees for representatives to be elected. If more nominations are received than positions available, an election will be held by ballot. Trained representatives have the duties outlined in the responsibilities section.

6.0 Planning

6.1 Addressing Risks and opportunities

6.1.1 GENERAL

The following have been considered in the development of the Health & Safety System:

  1. Hazards.
  2. OH&S risks and other risks.
  3. OH&S opportunities and other opportunities.
  4. Legal and other requirements.

All Department heads have identified risks for individual processes and controls are developed for all the identified risks. The risks and the issues are addressed with a view to

  • enhance desirable effects
  • reduce or prevent undesired effects
  • achieve improvements

The control actions are implemented considering potential impact on the conformity of products and services. Actions taken to address the risks and issues are regularly monitored by MR & Department Heads for strict implementation. The risks, issues and the controls thereof are maintained as Documented Information by the department heads. Opportunities for achieving desired improvements are identified by the Department heads and implemented to the extent possible. The results of such implementations are reviewed and achieved improvements are assessed.

6.1.2 Hazard identification and assessment of risks and opportunities

6.1.2.1 Hazard Identification

The organization has established, implemented and maintains a process for the ongoing, proactive identification of hazards. The process takes into account, but is not limited to:

  1. Routine and non-routine activities and situations, including consideration of Infrastructure, equipment, materials, substances and the physical conditions of the workplace;
  2. Hazards that arise as a result of product design including during research, development, testing, production, assembly, construction, service delivery, maintenance or disposal;
  3. Human factors;
  4. How the work is actually done;
  5. Emergency situations;
  6. People, including consideration of those with access to the workplace and their activities, including workers, contractors, visitors and other persons;
  7. Those in the vicinity of the workplace that can be affected by the activities of the organization;
  8. Workers at a location not under the direct control of the organization;
  9. The design of work areas, processes, installations, machinery/equipment, operating procedures and work organization, including their adaptation to human capabilities;
  10. Situations occurring in the vicinity of the workplace caused by work-related activities under the control of the organization;
  11. Situations not controlled by the organization and occurring in the vicinity of the workplace that can cause work-related injury and ill health to persons in the workplace;
  12. Actual or proposed changes in the organization, its operations, processes, activities and Occupational Health and Safety Management System;
  13. Changes in knowledge of, and information about, hazards;
  14. Past incidents, internal or external to the organization, including emergencies, and their causes;
  15. How work is organized and social factors, including workload, work hours, leadership and the culture in the organization.

6.1.2.2 Assessment Of OH&S Risks And Other Risks To The OH&S Management System

The organization has established, implemented and maintained processes to:

  1. Assess OH&S risks from the identified hazards, taking into account applicable legal requirements and other requirements and the effectiveness of existing controls;
  2. Identify and assess the risks related to the establishment, implementation, operation and maintenance of the OH&S management system that can arise from the issues identified in the organization's context and the needs and expectations of interested parties.
  3. The organization's methodology and criteria for assessment of OH&S risks are defined with respect to scope, nature and timing, to ensure the assessment is proactive rather than reactive and is used in a systematic way. These methodologies and criteria are maintained and retained as documented information.

6.1.2.3 Identification Of OH&S Opportunities And Other Opportunities

The organization has established, implemented and maintained processes to identify:

  1. Opportunities to enhance OH&S performance taking into account planned changes to the organization and its processes or its activities;
  2. Opportunities to eliminate or reduce OH&S risks;
  3. Opportunities to adapt work, work organization and work environment to workers;
  4. Opportunities for improving the OH&S management system.

6.1.3 Determination of Legal and other Requirements

The organization has:

  1. Determined, and has access to, the up-to-date legal requirements and other requirements to which the organization subscribes (compliance obligations) related to its hazards and OH&S risks;
  2. Determined how these legal and other requirements / compliance obligations apply to the organization and what needs to be communicated;
  3. Taken these legal and other requirements / compliance obligations into account when establishing, implementing, maintaining and continually improving its OH&S management system.

The organization maintains documented information on its applicable legal and other requirements / compliance obligations and has ensured that it is updated to reflect any changes.

6.1.4 Planning Action

The organization has planned to take actions to address its:

  1. Significant environmental aspects, and address these risks and opportunities;
  2. Compliance obligations / applicable legal and other requirements;
  3. Risks and opportunities;
  4. Integrate and implement the actions into its OHSMS processes or other business processes;
  5. Evaluate the effectiveness of these actions;

The organization has taken into account the hierarchy of controls and outputs from the OCCUPATIONAL HEALTH AND SAFETY MS when planning to take action. The organization has considered its best practices, technological options and its financial, operational and business requirements.

6.2 Occupational Health and Safety Objectives and planning to achieve them

Occupational Health and Safety objectives for all processes are defined and are available with the respective department heads. These are consistent with the Occupational Health and Safety policy and are measurable. Occupational Health and Safety Objectives are defined with a focus on maintaining and improving OH&S and on achieving continual improvement. Objectives are monitored and communicated. Documented information on Occupational Health and Safety Objectives is maintained. Planning for achievement of the Objectives covers the action plan, resources, responsibility and time period. The Management Representative, in consultation with the Department heads, periodically determines the fulfilment of the Occupational Health and Safety objectives and puts forward the results for Management Review. While planning how to achieve its Occupational Health and Safety objectives, the organization has considered:

  1. What will be done;
  2. What resources will be required;
  3. Who will be responsible;
  4. When it will be completed;
  5. How the results will be evaluated.
  6. How it will be measured through indicator (if practicable) and monitored, including frequency;
  7. How the actions to achieve Occupational Health and Safety objectives will be integrated into the organization’s business processes.

The organization has maintained and retains documented information on OCCUPATIONAL HEALTH AND SAFETY objectives and planning to achieve them.

7.0  Support

7.1 Resources

The organization has determined and provides the resources needed for the establishment, implementation, maintenance and continual improvement of the OCCUPATIONAL HEALTH AND SAFETY MS. Resources needed, which include people, infrastructure, environment, and monitoring & measuring resources, are determined by the respective Department heads and approved by the General Manager. In determining the resources, the capabilities and constraints of internal resources and the required competency are considered. Requirements for personnel and infrastructure are identified by departmental heads for effective operation and control of the OSHMS and are approved by the General Manager. Personnel may be internal or from external providers. Infrastructure includes:

  • Systems used for planning & recording (such as ERP), including hardware and software
  • Processing and testing equipment at the workshop
  • Information and communication technology

7.2  Competence

Management ensures that personnel performing work which affects the performance and effectiveness of the OHSMS and its ability to fulfil its compliance obligations are competent on the basis of education, training, skills and experience. Where necessary, training is provided to personnel to acquire the necessary competence, and its effectiveness is evaluated. Documented information is maintained as evidence of competence.

7.3  Awareness

Personnel of each department are made aware of Health and Safety policy, and objectives for the department and their contribution to effective Occupational Health and Safety Management System. They are also made aware of:

  1. Related actual or potential OH&S hazards and risks that are relevant to them.
  2. The implications of not conforming to the Occupational Health and Safety management system requirements, including not fulfilling the organization's compliance obligations, and the consequences, actual or potential, of their work activities.
  3. Information on, and the outcome of, the investigation of relevant incidents.

7.4 Communication

7.4.1 The mode of internal and external communication is made known to personnel by Department Heads. It covers what to communicate, to whom, and when.

7.4.2 Internally communicate information relevant to the Occupational Health and Safety management system among the various levels and functions of the organization, including changes to the Occupational Health and Safety management system, as appropriate. Ensure the communication process enables persons doing work under the organization's control to contribute to continual improvement.

7.4.3 Externally communicate information relevant to the Occupational Health and Safety management system, as established by the organization's communication process and as required by its compliance obligations.

7.5 Documented Information

Documented information includes the manual, procedures, records, and information received or communicated by e-mail, etc. Documented information is maintained as required by the Occupational Health and Safety Management System and as determined by the organization for effective operations.

Creating & updating documented information

Following are ensured while creating & updating documented information.

  • Identification & description (title, date, reference no.)
  • Format is maintained in the system or as hard copy.
  • Reviewed and approved by an authorized person (department head or MR, as applicable).

Control of documented information

Documented information is controlled so that it is available and suitable for use, and is protected from improper use and loss of confidentiality, as applicable. For control of documented information, the following are ensured:

  • Approval for adequacy prior to issue
  • Distribution to concerned functions.
  • Ensuring accessibility and retrieval when required.
  • Ensuring storage and preservation
  • Version or revision control after changes
  • Defining retention period and disposition methods.
  • Ensuring that documents of external origin are identified and their distribution controlled.

8.0 Operation

8.1 Operation Planning & Control

8.1.1 General

Operational planning is carried out by the individual departments of XXXX so that OHSMS requirements are met. The planning covers:

  1. Health and Safety requirements of the products/services to be provided.
  2. Processes, documents / documented information and resources needed for the products & services.
  3. Verification, inspection and measurement activities, as applicable.
  4. Acceptance criteria for the products.
  5. Adapting work to workers.
  6. On multi-employer workplaces, the organization has implemented a process for coordinating the relevant parts of the OH&S management system with other organizations.

The organization has controlled and planned the changes and reviews the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization has ensured that outsourced processes are controlled or influenced. The type and extent of control or influence to be applied to the process has been defined within the OHSMS management system. The organization has maintained documented information to the extent necessary to have confidence that the processes have been carried out as planned.

8.1.2 Eliminating hazards & Reducing OH&S Risks

Elimination of hazards and reduction of risks is carried out in line with the following hierarchy of controls:

  1. Eliminate the hazard.
  2. Substitute with less hazardous process, operations, materials or equipment.
  3. Use engineering controls (guards) and reorganization of work.
  4. Use administrative controls, including information, instruction and training.
  5. Use adequate PPE.

8.1.3 Management of Change

The organization has established a process for the implementation and control of planned changes that impact OH&S performance:

  1. New products, services and processes will be reviewed and changes made to the Health & Safety System as necessary.
  2. Changes to work processes, procedures, equipment, or organizational structure will be reviewed and changes made to the Health and Safety System as necessary
  3. Changes to legal and other requirements will be reviewed and changes made to the Health & Safety System as necessary.
  4. Changes in knowledge or updated information about hazards and risks will be reviewed and changes made to the Health & Safety System as necessary.
  5. Changes in technology will be reviewed and changes made to the Health & Safety System as necessary.

The organization has controlled temporary and permanent changes to promote OH&S opportunities and to ensure they do not have an adverse impact on OH&S performance. The organization will review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary, including addressing potential opportunities.

8.1.4 Procurement

8.1.4.1 General

Procurement of products and services is carried out in line with the requirements of the company’s Health & Safety System. The organization has established controls to ensure that the procurement of services conform to its OH&S management system requirements.

8.1.4.2 Contractors

The organization has established processes to identify and communicate the hazards and to evaluate and control the OH&S risks, arising from the:

  1. Contractors’ activities and operations to the organization’s workers;
  2. Organization’s activities and operations to the contractors’ workers;
  3. Contractors’ activities and operations to other interested parties in the workplace;
  4. Contractors’ activities and operations to contractors’ workers.

The Organization has established and maintained processes to ensure that the requirements of the organization’s OH&S management system are met by contractors and their workers. These processes shall include the OH&S criteria for selection of contractors. Suppliers and Contractors are to:

  1. Comply with the requirements of the OHSMS and participate in OHSMS promotions.
  2. Promptly report any unsafe working conditions, faulty equipment, hazards/risks, injuries or incidents.

8.1.4.3 Outsourced processes

Calibration of equipment is outsourced to an external calibration agency. Transportation / delivery of products is often outsourced where necessary. The performance of the outsourced agencies is monitored and controlled. Necessary resources for the processes are provided by management through HR, and the agencies' responsibilities & authorities are defined and documented. Risks and opportunities for each process are determined and necessary actions are planned to enhance desirable effects and eliminate/reduce undesired effects. The Safety Manager shall ensure that outsourced processes are consistent with legal and organizational requirements so that OHSMS requirements are met. The Safety Manager will coordinate with the outsource provider to assist XXXX in addressing any impact that outsourcing has on its OHSMS performance.

8.2 Emergency Preparedness And Response

The organization has established, implemented and maintained the process(es) needed to prepare for, identify and respond to potential emergency situations, and maintains a process to prevent or minimize OH&S risks from potential emergencies, including:

  1. Preparing to respond by planning actions to prevent or mitigate adverse OH&S impacts from emergency situations;
  2. Responding to actual emergency situations;
  3. Taking action to prevent or mitigate the consequences of emergency situations, appropriate to the magnitude of the emergency and the potential environmental impact;
  4. Periodically testing the planned response actions, where practicable;
  5. Periodically reviewing and revising the process and planned response actions, in particular after the occurrence of emergency situations or tests;
  6. Providing relevant information and training related to emergency preparedness and response, as appropriate, to relevant interested parties, including persons working under its control.
  7. The establishment of a planned response to emergency situations and including first aid;
  8. The periodic testing and exercise of emergency response capability;
  9. The evaluation and, as necessary, revision of emergency preparedness processes and procedures including after testing and in particular after the occurrence of emergency situations;
  10. The communication and provision of relevant information to all workers and at all levels of the organization on their duties and responsibilities;
  11. The provision of training for emergency prevention, first aid, preparedness and response;
  12. The communication of relevant information to contractors, visitors, emergency response services, government authorities, and, as appropriate, the local community.

The organization has maintained documented information to the extent necessary to have confidence that the processes are carried out as planned. In all stages of the process the organization has taken into account the needs and capabilities of all relevant interested parties and ensures their involvement. The organization has maintained and retains documented information on the process and on the plans for responding to potential emergency situations.

9.0  Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.1.1 General

XXXX has planned and implemented the monitoring, measurement, analysis and evaluation processes needed for:

  • Applicable legal requirements and other requirements;
  • Its activities and operations related to identified hazards and OHSMS risks and opportunities;
  • Continually improving the effectiveness of the Occupational Health and Safety Management System;
  • Operational controls;
  • The organization's OHSMS objectives.

XXXX has determined:

  1. The criteria against which the organization will evaluate its OHSMS performance;
  2. The methods for monitoring, measurement, analysis and evaluation, as applicable, needed to ensure valid results;
  3. When the monitoring and measuring shall be performed;
  4. When the results from monitoring and measurement shall be analyzed and evaluated and communicated.

The organization has evaluated the performance and the effectiveness of the OHSMS. The organization has retained appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results. The organization has ensured, as applicable, that calibrated or verified monitoring and measurement equipment is used and maintained, as appropriate. The organization communicates relevant environmental performance information both internally and externally, as identified in its communication processes and as required by its compliance obligations.

9.1.2 Evaluation of Compliance

Once the application of a particular requirement has been defined, the means of how compliance to the requirement is going to be ensured is to be established by the company, in consultation with appropriate personnel. Various means of ensuring compliance are available and include, but are not limited to the following:

  1. Policies and/or procedures being established, documented and implemented.
  2. Training being provided.
  3. Engineered solutions being implemented.
  4. Instructional signs being displayed.

Details of the means of ensuring compliance are to be entered into the Legal and Other Requirements.

Means of Verifying Compliance

  1. Once the means of ensuring compliance has been determined, the means by which compliance with each requirement is to be verified on a continuous basis is to be established by XXXX, in consultation with appropriate personnel.
  2. Various means of verifying compliance are available and include, but are not limited to, the following:
     • Internal auditing (to verify compliance with the corresponding policies and/or procedures).
     • Periodic workplace inspections.
     • Periodic review of records.

9.2 Internal audit

The organization conducts internal audits at planned intervals to determine whether the Occupational Health and Safety Management System conforms to the planned arrangements, to the requirements of ISO 45001:2018 and to the Occupational Health and Safety Management System requirements, including the OH&S policy and objectives established by the Organization, and whether it is effectively implemented and maintained.

An audit program is planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency, consultation and methods are defined through documented procedures and relevant records. Selection of competent auditors and the conduct of audits ensure the objectivity and impartiality of the audit process. Auditors do not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and retaining documented information are defined in a documented procedure. The management responsible for the area being audited ensures that corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes and continually improve its OHSMS performance. Follow-up activities include the verification of actions taken and the reporting of verification results.

Documented information is retained by the Management Representative as evidence of implementation of audit programs and audit results. Results of internal audits are reported to higher management in review meetings.

9.3 Management Review

Top management of XXXX reviews the Organization's Occupational Health and Safety Management System annually, to ensure its continuing suitability, adequacy, and effectiveness. This review includes assessing opportunities for improvement and the need for changes to the Occupational Health and Safety Management System, including the quality policy and quality objectives.

The inputs to management review shall include information on:

  • Status of actions from previous management review
  • The needs and expectation of interested parties, including compliance obligations / applicable legal requirements and other requirements.
  • External & internal issues and their changes
  • Hazards, OHS Risk and opportunities.
  • Performance & effectiveness of the OSHMS, covering:
    • Extent to which OHS objectives are met
    • Process performance & conformity of products & services
    • Non-conformities and corrective actions
    • Monitoring & measurement results
    • Results of audits (internal & external)
    • Performance of external providers.
  • Adequacy of resources
  • Effectiveness of the actions taken on risks & opportunities
  • Fulfilment of its compliance obligations / results of evaluation of compliance
  • Opportunities for improvement

The output from the management review will include any decisions and actions related to:

  • Opportunities for improvement
  • Any need for changes to the OSHMS
  • Resource needs

Management Review minutes are generated as documented information and distributed to all concerned for review and necessary actions.

10.0 Improvement

10.1 General

Management of XXXX determines opportunities for improvements and implements necessary actions thereof. These include:

  1. Improvement in the products & services for meeting the requirements effectively and also considering future needs and expectations.
  2. Implementing corrective actions and preventive measures to eliminate or reduce undesired effects.
  3. Improving performance and effectiveness of Occupational Health and Safety Management System.

10.2 INCIDENT, NONCONFORMITY AND CORRECTIVE ACTION

The organization has planned, established, implemented and maintained a process to manage incidents and nonconformities, including reporting, investigating and taking action when an incident or a nonconformity occurs. When an incident or nonconformity occurs, including any arising from complaints, the organization shall:

  1. React in a timely manner to the incident or nonconformity and, as applicable:
     • Take action to control and correct it;
     • Deal with the consequences;
  2. Evaluate, with the participation of workers and the involvement of other relevant interested parties, the need for action to eliminate the cause(s) of the incident or nonconformity, in order that it does not recur or occur elsewhere, by:
     • Reviewing and analyzing the incident or nonconformity;
     • Determining the causes of the incident or nonconformity;
     • Determining if similar incidents or nonconformities exist, or could potentially occur;
  3. Review the assessment of OH&S risks, as appropriate;
  4. Determine and implement any action needed, including corrective action, in accordance with the hierarchy of controls and the management of change;
  5. Review the effectiveness of any corrective action taken;
  6. Update risks and opportunities determined during planning, if necessary;
  7. Make changes to the QHSE management system, if necessary.

Corrective actions shall be appropriate to the significance of the effects or potential effects of the incidents or nonconformities encountered, including environmental impact(s).

The organization has retained documented information as evidence of:

  1. The nature of the incidents or nonconformities and any subsequent actions taken.
  2. The results of any corrective action, including the effectiveness of the actions taken.

The organization will communicate this documented information to relevant workers, and where they exist, workers’ representatives, and relevant interested parties.

10.3 CONTINUAL IMPROVEMENT

The organization has continually improved the suitability, adequacy and effectiveness of the QHSE management system to:

  1. Prevent occurrence of incidents and nonconformities;
  2. Promote a positive occupational health and safety culture;
  3. Enhance QHSE performance.

The organization has ensured the participation of workers, as appropriate, in the implementation of its continual improvement objectives. The organization has considered the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement.

Example of Disaster Recovery Process

Section 1: Disaster Preparedness

A. Preparedness

Disasters—natural and man-made—and weather patterns all have the potential to damage or destroy records. Basic precautions and the formation of a disaster plan will help prevent the unnecessary loss of valuable records in the instance of a disaster. Following these guidelines will minimize potential risks and reduce the loss of records.

B. Disaster Prevention

Disaster Prevention refers to steps to protect your building and collections before a disaster occurs.

  • Establish security routines, including an annual building inspection and seasonal maintenance.
  • Inspect wiring regularly.
  • Inspect roofs and drains regularly.
  • Follow local and state fire codes. The presence of fire alarms, smoke detectors, fire extinguishers, and a sprinkler system are strongly recommended for personal safety and collection preservation. Map their locations.
  • Select a storage space least vulnerable to fire, flood, and harsh weather patterns.
  • Establish and practice fire evacuation and tornado response procedures. Map evacuation routes and designated tornado shelters.
  • Install water detectors and alarms. Map their locations.
  • Locate water pipes and water shut-off valves. Map their locations.
  • Install alarms to prevent intrusion, deliberate, or random violence.
  • Install emergency lighting.
  • Store records at least 6 inches off the ground.
  • Prohibit smoking in storage areas.
  • Limit small appliances in the collection storage area.
  • Limit unauthorized access to the storage area.
  • Limit the number of records a patron may view at one time.
  • Consider microfilming records that receive high use, and limit access to the originals that may be stored off-site.
  • Check your insurance coverage regularly.
  • Determine how you will have access to emergency funds: a supply of purchase orders to be used only during an emergency, or a disaster emergency fund.
  • Purchase emergency supplies to keep on hand, inventory them regularly, and map their locations.
  • Train staff in salvage techniques.
  • Label vital and historical records, and create an inventory or locator map that will allow you quick access to these records when needed. Regularly update your finding aids and keep copies off-site.
  • Buildings and collections are particularly vulnerable during periods of construction, so increase security during these times.
  • Improving collection storage areas, when possible, will help prevent disasters and security problems.
  • Keep duplicates of your disaster plan, policies, lists, and record inventories off-site.

C. Disaster Plan

A Disaster Plan guides your organization through the proper responses to various types of disasters. This section highlights some of the elements of a disaster plan.

  • Create a written disaster preparedness plan or policy, which includes disaster recovery, damage assessment, and post disaster evaluation procedures.
  • Identify and prioritize the most important records. This includes records needed to resume business, historical records, and collections. Determine which record media and collections are more vulnerable or valuable than others.
  • Analyze your building, site, and collection storage areas. Include building and site maps in your disaster plan.
  • Establish responses to all potential geographic and climatic hazards, and other risks which could jeopardize your employees, building, and collections: tornadoes; floods; fires, which will include water damage from fire-hoses; pest infestation; mold; vandalism; and accidents.
  • Contact local civil defense offices to understand their disaster response procedures.
  • Identify sources of assistance, and develop contacts with appropriate consultants, suppliers, and vendors beforehand. Check your local Yellow Pages for contacts in your area, and make a list including names and telephone numbers. Update the list annually.
  • Establish contact with a freezer service; verify contact annually.
  • Special conservation efforts may be necessary with water- or fire-damaged records; have phone numbers and addresses available of people or agencies to contact.
  • Include a copy of your collection inventory and vital records locator map in your disaster plan.
  • Include a supply list and locations in your disaster plan.
  • Create a telephone tree of staff and volunteers to help in the event of a disaster.
  • Establish a chain of command among staff members. All staff should know who they report to, and who they notify in case of disaster.
  • Know what your insurance carrier will require as evidence of damage: photographs, written documentation.
  • Establish salvage procedures for all collections, records, paper, and record media.
  • The following section outlines the roles and responsibilities for a two-pronged approach to disaster response: damage assessment and damage recovery. When establishing assessment and recovery teams for your disaster plan, it is important to detail specific responsibilities, outline clear lines of authority, and remember that a person may have more than one role.
  • Facilities Manager: responsible for seeing that the building is safe, damage to the building is evaluated, and measures formulated and implemented to remedy or correct problems. Upon notification of a problem, establishes that no threat exists to personnel safety, secures the affected area and/or building, and alerts the Assessment Director. Establishes priorities for facility repairs, and follows the progress of repairs once begun.
  • Assessment Manager: organizes and manages the process by which damage is evaluated. Responsible for notifying and instructing Assessment Team Leaders, and enlisting the assistance of in-house or outside experts/resource people as required. Evaluates findings and recommendations, and contacts the Recovery Director with recovery recommendations.
  • Assessment Team Leader: selects and assembles the team members, and directs their operations. Instructs the team on what to do and how to do it, including methods of inspection and sampling, assessing damaged material, and documenting the process. Monitors the damage investigation, reporting recommendations to the Assessment Director.
  • Assessment Team: consists of people most knowledgeable about the collection or material involved. Responsibilities include recording observations and decisions made by the team; photographing damage; investigating where damage exists, the type of damage, and the importance and significance of the affected material; estimating the extent of damage to the collection; and establishing initial priorities for recovery of damaged items.
  • Recovery Manager: organizes and manages the recovery process. Sets priorities based on information received from the Assessment Director, assigns recovery teams, reports on progress, actions taken, problems encountered, and future risks. In many cases, the Assessment Director and Recovery Director may be the same person.
  • Recovery Team Leader: appoints team members, instructs the team on what they will be doing and how they will do it. Monitors the recovery process, and updates the Recovery Director.
  • Recovery Team: may include all staff members. Responsible for separating collections and other material to be salvaged, moving material to be recovered from affected areas to work or other storage spaces, drying materials, and packing materials that will require shipment to another facility. Other responsibilities include maintaining records and photographs of the recovery effort, including inventories and dates when items are sent out of the building to off-site storage or other facilities; what items have been frozen, treated or dried; where items have been relocated; and items in need of additional attention. The Recovery Team may also label items that have lost inventory numbers, label or re-label boxes with locator information, and label boxes ready for shipment.

D. Disaster Recovery

Disaster Recovery refers to the response and actions your organization takes after a disaster occurs.

  • Always place human safety first.
  • In the event of an emergency, prevent staff and volunteers from entering the building until city officials (fire or police department) or a building inspector determine that the building is safe to enter.
  • Allow only authorized staff and volunteers into the damaged area; use check-in/out sheets to monitor access.
  • Contact your insurance carrier.
  • Stabilize temperature and relative humidity.
  • In the instance of a disaster, a recovery plan may include the following steps:
    1. locate and establish a recovery site.
    2. establish a designated storage area for removed material.
    3. retrieve vital records.
    4. maintain building security.
    5. set up systems necessary to continue operations, such as workspace for employees, telephones, financial services, clerical support, office supplies, equipment, food, drink, and restrooms.
    6. plan for building repair, and the replacement of equipment and furnishings.
    7. determine what has been lost and what records and collections are salvageable.
  • The goal is to stabilize the collection until further conservation measures can be taken. This includes, when possible, removing collections from the damaged area, prioritizing the recovery effort, and beginning initial stabilization measures.
  • Prioritize which records to conserve first, taking into consideration media type, duplication, and value to the organization.
  • Conservation of record media may require special processes; please contact preservation personnel before acting.
  • Quick reaction is a must. Mold can grow on records within 48 hours of damage. Immediately air dry or freeze wet records to prevent further damage and growth.
  • Minimize damage to collection materials and records on the floor by re-routing traffic, or by creating a bridge over the items with boards and chairs.
  • Assess the disaster response. Ask such questions as:
    1. Could I limit or avoid the damage if a similar disaster struck again?
    2. Do I need better insurance coverage?
    3. Do I need to revise my records management program to minimize future losses?
    4. Do I have the information and supplies I need to deal with future emergencies?
    5. What aspects of the Disaster Plan need to be modified?
    6. What additional training do I or my staff need?

Section 2: Disaster Recovery Process

A. Abbreviations / Acronyms / Glossary

Acronym | Explanation
DRP | Disaster Recovery Plan
ERT | Emergency Response Team
Infosec | Information Security
BCP | Business Continuity Planning
UOM | Unit of Measure
NA | Not Applicable

B. Roles & Responsibilities

Role | Responsibilities
Head – BCP | Assess disaster situation and execute necessary action
Head – InfoSec | Coordinate with other stakeholders
ERT | Ensure safety of people

C. Entry Criteria

Any Disaster

D. Inputs

# | Description / Work Product Name
1. | Information about any disaster

E. Activities Performed

1 Assess Disaster Situation

Activities | Resp. | Related Documents / Processes / Notes
Assess Disaster Situation | Head – BCP | Disaster Assessment Guidelines
Evaluate whether to invoke Disaster Recovery Process | Head – BCP |
Invoke Disaster Recovery Process, if needed | Head – BCP |
Communicate invocation of Disaster Recovery Process to Emergency Response Team | Head – BCP |

2 Ensure Employee Safety

Activities | Resp. | Related Documents / Processes / Notes
Evacuate Buildings | ERT |
Ensure Employee Safety | ERT |
Provide First-Aid | ERT | First Aid Guidelines
Inform nearby hospital | ERT |
Inform Ambulance Service | ERT | Emergency Contact List
Send injured personnel to Hospital | ERT | Emergency Contact List
Inform nearby Police Station | ERT |
Inform nearby Fire station | ERT |

3 Communicate to Stakeholders

Activities | Resp. | Related Documents / Processes / Notes
Inform employee relatives about Disaster | ERT | Employee Details
Inform Clients about Disaster | ERT | Client Details
Set-up Help Desk | ERT |

4 Switch to alternative modes of operations

Activities | Resp. | Related Documents / Processes / Notes
Make essential services operational in the alternative premises/modes of operations | Head – BCP | Business Continuity Plan
Communicate to employees to switch to alternative premises / modes of operations | Head – BCP | Services List; Employee Details

5 Recover essential Facilities services

Activities | Resp. | Related Documents / Processes / Notes
Recover essential Facilities | Facilities |
Recover essential Facilities services | Facilities | Services List

6 Recover essential IT services

Activities | Resp. | Related Documents / Processes / Notes
Inform Vendors for Support, if required | IT | Services List
Restore Essential Servers | IT | Services List
Restore Essential Networks | IT | Services List

7 Recover Facilities services

Activities | Resp. | Related Documents / Processes / Notes
Recover Facilities | Facilities | Services List
Recover Facilities services | Facilities | Services List

8 Recover IT services

Activities | Resp. | Related Documents / Processes / Notes
Inform Vendors for Support, if required | IT | Services List
Restore Servers | IT | Services List
Restore Networks | IT | Services List

9 Return to normal operations

Activities | Resp. | Related Documents / Processes / Notes
Assess if the operations have returned to normalcy | Head – BCP |
Inform employees about Normal Operations | ERT | Employee Details
Inform Clients about Normal Operations | ERT | Client Details

10 Analyze Disaster Recovery Effectiveness

Activities | Resp. | Related Documents / Processes / Notes
Analyze Disaster Recovery Effectiveness | Head – BCP |
Identify improvements in Disaster Recovery Process | ERT | Process Change Tracker Template

F. Outputs

# | Description / Work Product Name
1. | Facilities Recovered
2. | Systems Recovered
3. | Process Change Tracker
4. | Executed DRP

G. Measurement and Analysis

# | Metric | Definition / Formulae | Data to be captured | Source | Owner | Frequency
1. | Recovery time | Time taken to recover | Time of Disaster and Recovery | Head – Infosec | Head – Infosec | NA

H. Related Processes / Artifacts

# | Description / Work Product Name
1. | Emergency Contact List
2. | Client Details
3. | Employee Details
4. | Services List
5. | Approved Vendor Contact List
6. | Disaster Assessment Guidelines
7. | First Aid Guidelines
8. | Disaster Communication Guidelines

7. Standards Compliance

Standard / Model | Clause No & Name | Control description
ISO 27001 | A.14 | Business Continuity Management

Section 3: Disaster Assessment Guidelines

A. Assessment Goals

  • To provide timely and comprehensive information on the scope and impacts of a disaster
  • To support effective emergency decision making
  • To keep the staff and other stakeholders accurately informed
  • To develop and support requests for disaster resources and recovery assistance

B. The Basics

  • First and always, assessment must focus on immediate emergency needs for life, safety, protection of property and essential services.
  • Assessment resources and activity must be assigned to address human needs as well as property.
  • Forms and structure are important to good assessment, but the keys to success are leadership, organization and management.

C. The Essentials

1 Leadership

  • Assign an assessment leader or coordinator
  • Activate leader early as the response begins
  • The leader’s only task is to manage the assessment
  • The leader supports, but cannot be the emergency manager

2 Organization

  • The leader needs help – a partner or team
  • People must be reassigned from routine work, regular jobs and other departments to support the assessment effort
  • Divide the tasks – establish a human needs group and a public services group
  • Organization and work early in the response will ease the demands of recovery assessment later

3 Immediate and Continuous

  • Activate assessment staff immediately as the response unfolds, or even when a threat is imminent
  • Early information is crucial and the reporting process is continuous
  • Capturing an early overview and quickly targeting life/safety issues is vital – details and dollars come later
  • Resist the urge to hold and wait for better, more complete information – parts of a report at intervals are often more helpful than waiting for a complete report
  • Reporting at regular, frequent intervals is good, but pass along important information immediately

D. Assessment – Steps and Stages

  • Early impact assessment
  • Assessment of needs and resource priorities
  • Preparing for the preliminary damage assessment

E. Informed Estimates

  • Decision-making in a crisis cannot always wait for complete data and detailed reports – good estimating is the key.
  • Estimating is not guesswork – an informed estimate means contacting knowledgeable officials for their evaluation and judgment of local conditions and impacts.
  • Informed estimates by knowledgeable local leaders – supervisors, highway/public works, engineers, fire officers, and the Red Cross – typically provide reliable assessments useful to emergency operations.
  • Informed estimates are a credible tool that helps meet the pace and urgent demands of providing emergency services.

F. Flexible and Adaptable

  • Assessment demands and priorities can differ from disaster to disaster.
  • Timing cannot be predicted – the process usually moves more quickly than expected.
  • Information needed is not always reflected in the forms – special requests are common.
  • In some instances, data requested on a form may be crucial, at other times the same data may not be needed.
  • Requests for more detail are common, but sometimes a step may be skipped.

G. The Local Government Coordination

The local government is generally responsible for consolidating and coordinating the collection of assessment data provided by government departments, municipalities, community organizations, other agencies and services.


Example of Business Continuity Plan

Section I: Introduction

A. How to Use This Plan

In the event of a disaster which interferes with <ORGANIZATION NAME>’s ability to conduct business from one of its offices, this plan is to be used by the responsible individuals to coordinate the business recovery of their respective areas and/or departments.  The plan is designed to contain, or provide reference to, all of the information that might be needed at the time of a business recovery.
This plan is not intended to cover the operations of <ORGANIZATION NAME>’s separately structured Emergency Response Team.
Index of Acronyms: (EOC) Emergency Operations Center – (EMT) Emergency Management Team – (ERT) Emergency Response Team – (BCP) Business Continuity Plan – (IT) Information Technology
Section I, Introduction, contains general statements about the organization of the plan.  It also establishes responsibilities for the testing (exercising), training, and maintenance activities that are necessary to guarantee the ongoing viability of the plan.
Section II, Business Continuity Strategy, describes the strategy that the <Department Name> Department will control/implement to maintain business continuity in the event of a facility disruption. These decisions determine the content of the action plans, and if they change at any time, the plans should be changed accordingly.
Section III, Recovery Teams, lists the Recovery Team functions, those individuals who are assigned specific responsibilities, and procedures on how each of the team members is to be notified.
Section IV, Team Procedures, determines what activities and tasks are to be taken, in what order, and by whom in order to effect the recovery.
Section V, Appendices, contains all of the other information needed to carry out the plan.  Other sections refer the reader to one or more Appendices to locate the information needed to carry out the Team Procedures steps.

B. Objectives

The objective of the Business Continuity Plan is to coordinate recovery of critical business functions in managing and supporting the business recovery in the event of a facilities (office building) disruption or disaster.  This can include short or long-term disasters or other disruptions, such as fires, floods, earthquakes, explosions, terrorism, tornadoes, extended power interruptions, hazardous chemical spills, and other natural or man-made disasters.
A disaster is defined as any event that renders a business facility inoperable or unusable so that it interferes with the organization’s ability to deliver essential business services.
The priorities in a disaster situation are to:

  1. Ensure the safety of employees and visitors in the office buildings. (Responsibility of the ERT)
  2. Mitigate threats or limit the damage that threats can cause. (Responsibility of the ERT)
  3. Have advanced preparations to ensure that critical business functions can continue.
  4. Have documented plans and procedures to ensure the quick, effective execution of recovery strategies for critical business functions.

The <Department Name> Business Continuity Plan includes procedures for all phases of recovery as defined in the Business Continuity Strategy section of this document.

C. Scope

The Business Continuity Plan is limited in scope to recovery and business continuance from a serious disruption in activities due to non-availability of <ORGANIZATION NAME>’s facilities. The Business Continuity Plan includes procedures for all phases of recovery as defined in the Business Continuity Strategy of this document. This plan is separate from <ORGANIZATION NAME>’s Disaster Recovery Plan, which focuses on the recovery of technology facilities and platforms, such as critical applications, databases, servers or other required technology infrastructure (see Assumption #1 below). Unless otherwise modified, this plan does not address temporary interruptions of duration less than the time frames determined to be critical to business operations. The scope of this plan is focused on localized disasters such as fires, floods, and other localized natural or man-made disasters. This plan is not intended to cover major regional or national disasters such as regional earthquakes, war, or nuclear holocaust. However, it can provide some guidance in the event of such a large scale disaster.

D. Assumptions

The viability of this Business Continuity Plan is based on the following assumptions:

  1. That a viable and tested IT Disaster Recovery Plan exists and will be put into operation to restore data center service at a backup site within five to seven days.
  2. That the Organization’s facilities management department has identified available space for relocation of departments which can be occupied and used normally within two to five days of a facilities emergency.
  3. That this plan has been properly maintained and updated as required.
  4. That each department has their own Business Continuity Plan.
  5. The functions and roles referenced in this plan do not have to previously exist within an organization; they can be assigned to one or more individuals as new responsibilities, or delegated to an external third party if funding for such services can be arranged and allocated.

E. Changes to the Plan/Maintenance Responsibilities

Maintenance of the <Department Name> Business Continuity Plan is the joint responsibility of the <Department Name> management, the Facilities Management Department, and the Business Continuity Coordinator.
<Department Name> management is responsible for:

  1. Periodically reviewing the adequacy and appropriateness of its Business Continuity strategy.
  2. Assessing the impact on the <Department Name> Business Continuity Plan of additions or changes to existing business functions, <Department Name> procedures, equipment, and facilities requirements.
  3. Keeping recovery team personnel assignments current, taking into account promotions, transfers, and terminations.
  4. Communicating all plan changes to the Business Continuity Coordinator so that the organization’s IT master Disaster Recovery Plan can be updated.

Facilities Management Department management is responsible for:

  1. Maintaining and/or monitoring offsite office space sufficient for critical <Department Name> functions and to meet the <Department Name> facility recovery time frames.
  2. Communicating changes in the “Organization IT Disaster Recovery Plan” that would affect groups/departments to those groups/departments in a timely manner so they can make any necessary changes in their plan.
  3. Communicating all plan changes to the Business Continuity Coordinator so that the master plan can be updated.

The Business Continuity Coordinator is responsible for:

  1. Keeping the organization’s IT Recovery Plan updated with changes made to <Department Name> facilities plans.
  2. Coordinating changes among plans and communicating to <Department Name> management when other changes require them to update their plans.

F. Plan Testing Procedures and Responsibilities

<Department Name> management is responsible for ensuring the workability of their Business Continuity Plan.  This should be periodically verified by active or passive testing.

G. Plan Training Procedures and Responsibilities

<Department Name> management is responsible for ensuring that the personnel who would carry out the Business Continuity Plan are sufficiently aware of the plan’s details. This may be accomplished in a number of ways, including practice exercises, participation in tests, and awareness programs conducted by the Business Continuity Coordinator.

H. Plan Distribution List

The <Department Name> Business Continuity Plan will be distributed to the following departments and/or individuals, and will be numbered in the following manner:

Plan ID No | Location | Person Responsible

Section II: Business Continuity Strategy

A. Introduction

This section of the <Department Name> Business Continuity Plan describes the strategy devised to maintain business continuity in the event of a facilities disruption. This strategy would be invoked should the <ORGANIZATION NAME> <Department Name> primary facility somehow be damaged or inaccessible. It is assumed that each critical business function at your location also has their own group/department Business Continuity Plan, which is similar to this plan except the recovery procedures and appendices have been customized for each respective group/department based on size, and complexity.

B. Business Function Recovery Priorities

The strategy is to recover critical <Department Name> business functions at the alternate site location. This is possible if an offsite strategy has been put into effect by Office Services and the Disaster Recovery/IT Teams to provide the recovery service. Information Systems will recover IT functions based on the critical departmental business functions and defined strategies. Business Functions by Location are listed in Appendix B (Recovery Priorities for Critical Business Functions). “Time Critical Business Functions,” i.e., those which are the most critical for immediate recovery at the secondary location, are:
Reference: Appendix B – Recovery Priorities for Critical Business Functions

C. Relocation Strategy and Alternate Business Site

In the event of a disaster or disruption to the office facilities, the strategy is to recover operations by relocating to an alternate business site.  The short-term strategies (for disruptions lasting two weeks or less), which have been selected, include:

Primary Location | Alternate Business Site
<Office Address> | TBD

For all locations, if a long-term disruption occurs (i.e. major building destruction, etc.), the above strategies will be used in the short term (less than two weeks). The long-term strategies will be to acquire/lease and equip new office space in another building in the same metropolitan area.

D. Recovery Plan Phases

The activities necessary to recover from a <ORGANIZATION NAME> facilities disaster or disruption will be divided into four phases.  These phases will follow each other sequentially in time.

1. Disaster Occurrence

This phase begins with the occurrence of the disaster event and continues until a decision is made to activate the recovery plans. The major activities that take place in this phase include: emergency response measures, notification of management, damage assessment activities, and declaration of the disaster.

2. Plan Activation

In this phase, the Business Continuity Plans are put into effect. This phase continues until the alternate facility is occupied, critical business functions are reestablished, and computer system service is restored to <ORGANIZATION NAME>’s Departments. The major activities in this phase include: notification and assembly of the recovery teams, implementation of interim procedures, relocation to the secondary facility/backup site, and re-establishment of data communications.

3. Alternate Site Operations

This phase begins after secondary facility operations are established and continues until the primary facility is restored.  The primary recovery activities during this phase are backlog reduction and alternate facility processing procedures.

4. Transition to Primary Site

This phase consists of any and all activities necessary to make the transition back to a primary facility location.

E. Vital Records Backup

All vital records for <Department Name> that would be affected by a facilities disruption are maintained and controlled by either <Department Name> or Disaster Recovery/IT. Some of these files are periodically backed up and stored at an offsite location as part of normal <Department Name> operations. When <Department Name> requires on-site file rooms, scanning, and organizational offsite storage locations, best practice is to use one nearby Records Warehouse and another secure site for vital records and data backup. All vital documents are typically located in files within the office complex, and the most current backup copies are in a secure off-site storage facility.

F. Restoration of Hardcopy Files, Forms, and Supplies

In the event of a facilities disruption, critical records located in the <Department Name> Department may be destroyed or inaccessible. In this case, the last backup of critical records in the secure warehouse would be transported to the secondary facility. The amount of critical records which would have to be reconstructed will depend on when the last shipment of critical records to the offsite storage location occurred. <Department Name> management will arrange the frequency of rotation of critical records to the offsite storage site. The following categories of information can be exposed to loss:

  1. Any files stored on-site in file cabinets and control file rooms.
  2. Information stored on local PC hard drives.
  3. Any work in progress.
  4. Received and un-opened mail.
  5. Documents in offices, work cubes and files.
  6. Off-site records stored in the Records Warehouse (if this is not a secure, hardened facility).

G. On-line Access to <ORGANIZATION NAME> Computer Systems

In the event of a facilities disruption, the IT Disaster Recovery Plan strategy should be to assist in re-establishing connectivity to the <ORGANIZATION NAME> departments and to establish remote communications to any alternate business site location. If the data center is affected by a disaster or disruption, the IT Disaster Recovery Plan should include recovering processing at a pre-determined alternate site. Services covered would include: phones, cellular phones, pagers, communications, and all other services required for restoring limited emergency service to the organization. In this case, data communications will be rerouted from the data processing hot or cold site to the respective alternate business site locations.

BCP Representatives – It will be necessary to contact your respective Information Technology department in order to complete this section. You should understand, and enter here, what the recovery timeframe is for systems recovery (i.e. will have critical systems restored within hours or days) and what the strategy is for acquisition, installation, and connection of PC’s/terminals.  Acquisition and recovery of critical standalone personal computer capabilities should also be considered here.  You should also understand the Information Technology strategy for recovery of applications, either AS/400 based and/or those on desktop systems, which <Department Name> relies on.

H. Mail and Report Distribution

During the time that <ORGANIZATION NAME> department operations are run from the secondary facilities, output reports and forms will have to be delivered to that location.  The data center may or may not have the same print capability if the disruption affected the data center as well, so it may be necessary to prioritize printing of output. The EOC Administration Team in conjunction with designated delivery/courier services will distribute mail to all <ORGANIZATION NAME> alternate business sites.  Due to the possibility of multiple alternate business sites and the additional travel time required for mail service activities, the number of mail pickups and deliveries could possibly be decreased from the normal daily routine to once daily.  Mail pickup and delivery schedules, including overnight mail, will be established and communicated to each alternate business site.  Overnight mail/package delivery carriers should be contacted directly by a business function for items requiring pickup after the last scheduled pickup by the EOC Administration Team.  All overnight mail service vendors will be notified by the EOC Administration Team of appropriate alternate office addresses to redirect deliverables to <ORGANIZATION NAME> personnel or provide for pick up at the post office by a Team member.

Section III: Recovery Teams

A. Purpose and Objective

This section of the plan identifies who will participate in the recovery process for the <Department Name> Business Continuity Plan. The participants are organized into one or more teams.  Each team has a designated team leader and an alternate for that person.  Other team members are assigned either to specific responsibilities or as team members to carry out tasks as needed.

The information in this section is organized into several subsections.

B. Recovery Team Descriptions

This section lists the team definitions for the <Department Name> Team and gives a short explanation of the function of each team or function.

<Department Name> Recovery Team:

Responsible for oversight of the <Department Name> recovery functions.

C. Recovery Team Assignments

This section identifies the team roles and the specific responsibilities that have been assigned to the team.

Team Leader – Overall coordination of the <Department Name> Recovery Team.

Backup Team Leader – Duties to be assigned based on Recovery Team areas of responsibility.

Team Member – Duties to be assigned based on Recovery Team areas of responsibility.

D. Personnel Notification

This section specifies how the team members are to be notified if the plan is to be put into effect by identifying who calls whom, and in what order. Notification can also be made by using tools such as reverse 911 or other notification systems.

References:  Appendix A – Employee Telephone Lists

E. Team Contacts

This section identifies other people or organizations outside of the <Department Name> Team who might need to be contacted during the recovery process.  Their names and telephone numbers are provided.

Reference:  Appendix A – Employee Telephone Lists

F. Team Responsibilities

Departmental Recovery Teams

Name | Department/Position | Floor | Comments

Business Continuity Coordinator – <Insert Name>

In the event of a disaster, the Business Continuity Coordinator is responsible for ensuring that the following activities are successfully completed:

  • Work with the <ORGANIZATION NAME> Emergency Management Team to officially declare a disaster, and start the Disaster Recovery/Business Continuation process to recover <ORGANIZATION NAME>’s business functions at an alternate site.
  • Alert <ORGANIZATION NAME>’s Senior Management that a disaster has been declared.
  • Assist in the development of an official public statement concerning the disaster. The <ORGANIZATION NAME>’s EOC Communications Team Leader is the only individual authorized to make public statements about organization affairs.
  • Monitor the progress of all Business Continuity and Disaster Recovery teams daily.
  • Present Business Continuity Plan recovery status reports to Senior Management on a daily basis.
  • Interface with appropriate work management personnel throughout the recovery process.
  • Communicate directions received from <ORGANIZATION NAME>’s Senior Management to the EOC and Departmental Business Continuity Team Leaders.
  • Provide on-going support and guidance to the Business Continuity teams and personnel.
  • Review staff availability and recommend alternate assignments, if necessary.
  • Work with <ORGANIZATION NAME>’s Senior Management to authorize the use of the alternate recovery site selected for re-deploying critical <ORGANIZATION NAME> resources.
  • Review and report critical processing schedules and backlog work progress, daily.
  • Ensure that a record of all Business Continuity and Disaster Recovery activity and expenses incurred by <ORGANIZATION NAME> is being maintained.

EOC Communications Team –

This team is responsible for providing information regarding the disaster and recovery efforts to:

  • <ORGANIZATION NAME> and organization offices Senior Management
  • Customers
  • Vendors/Contracts
  • Media
  • Regulatory Agencies
  • Other Stakeholders

This team is also responsible for coordinating, submitting, and tracking any and all claims for insurance.

EOC Human Resources Team –

This team is responsible for:

  • Providing information regarding the disaster and recovery efforts to employees and families.
  • Assisting in arranging cash advances if out of area travel is required.
  • Notifying employee’s emergency contact of employee injury or fatality.
  • Ensuring the processing of all life, health, and accident insurance claims as required.
  • Coordinating temporary organization employee requests.

EOC Administration Team –

This team is responsible for:

  • Ensuring that recovery/restoration personnel have assistance with clerical tasks, errands, and other administrative activities.
  • Arranging for the availability of necessary office support services and equipment.
  • Providing a channel for authorization of expenditures for all recovery personnel.
  • Arranging travel for employees.
  • Tracking all costs related to the recovery and restoration effort.
  • Identifying and documenting when repairs can begin and obtaining cost estimates.
  • Determining where forms and supplies should be delivered, based on damage to the normal storage areas for the materials.
  • Contacting vendors to schedule specific start dates for the repairs.
  • Taking appropriate actions to safeguard equipment from further damage or deterioration.
  • Coordinating the removal, shipment, and safe storage of all furniture, documentation, supplies, and other materials as necessary.
  • Supervising all salvage and cleanup activities.
  • Coordinating required departmental relocations to the recovery sites.
  • Coordinating relocation to the permanent site after repairs are made.
  • Assuring that arrangements are made for meals and temporary housing facilities, when required, for all recovery personnel.
  • Assuring order placement for consumable materials (forms, supplies, etc.) for processing based upon input from the other teams.
  • Notifying the United States Postal Service of delivery disruption.
  • Establishing internal mail delivery procedures and process.
  • Assuring that mail and reports are redirected to the proper location as required.

Emergency Response Team –

This team is responsible for:

  • The safety of all employees.
  • Inspecting the physical structure and identifying areas that may have sustained damage.
  • Expanding on and/or revising the findings of the Preliminary Damage Assessment.
  • Providing management with damage assessment reports and recommendations.

Information Technology Recovery Team (See also Disaster Recovery Plan) –

This team is responsible for:

  • Activating the IT Technology Recovery Plan (See also Disaster Recovery Plan).
  • Managing the IT disaster response and recovery procedures.
  • Mobilizing and managing IT resources.
  • Coordinating all communications related activities, as required, with telephone & data communications, PC, LAN support personnel, and other IT related vendors.
  • Assisting, as required, in the acquisition and installation of equipment at the recovery site.
  • Ensuring that cellular telephones, and other special order equipment and supplies are delivered to teams as requested.
  • Participating in testing equipment and facilities.
  • Participating in the transfer of operations from the alternate site as required.
  • Coordinating telephone setup at the EOC and recovery site.
  • Coordinating and performing restoration or replacement of all desktop PCs, LANs, telephones, and telecommunications access at the damaged site.
  • Coordinating Disaster Recovery/IT efforts between different departments in the same or remote locations.
  • Training Disaster Recovery/IT Team Members.
  • Keeping Senior Management and the EOC Business Continuity Coordinator apprised of recovery status.

Section IV: Recovery Procedures

A. Purpose and Objective

This section of the plan describes the specific activities and tasks that are to be carried out in the recovery process for <Department Name>. Given the Business Continuity Strategy outlined in Section II, this section transforms those strategies into a very specific set of action activities and tasks according to recovery phase.

The Recovery Procedures are organized in the following order: recovery phase, activity within the phase, and task within the activity.

The recovery phases are described in Section II.D of the Plan.  In the Recovery Procedures document, the phases are listed in the order in which they will occur.  The description for each recovery phase begins on a new page.

Each activity is assigned to one of the recovery teams.  Each activity has a designated team member who has the primary assignment to complete the activity.  Most activities also have an alternate team member assigned.  The activities will generally, but not always, be performed in the sequence listed.

The finest level of detail in the Recovery Procedures is the task.  All plan activities are completed by performing one or more tasks. The tasks are numbered sequentially within each activity, and this is generally the order in which they would be performed.

B. Recovery Activities and Tasks

PHASE I:  Disaster Occurrence

ACTIVITY:  Emergency Response and Emergency Operations Center Designation

ACTIVITY IS PERFORMED AT LOCATION:  Main Office or Emergency Operations Center

ACTIVITY IS THE RESPONSIBILITY OF THIS TEAM:  All Employees

TASKS:

  1. After a disaster occurs, quickly assess the situation to determine whether to immediately evacuate the building or not, depending upon the nature of the disaster, the extent of damage, and the potential for additional danger.

Note: If the main office is a total loss, not accessible, or not suitable for occupancy, the remaining activities can be performed from the Emergency Operations Center (EOC), after ensuring that all remaining tasks in each activity have been addressed.  This applies to all activities where the Main Office is the location impacted by the disaster.  The location(s) of the EOC are designated in Appendix D – Emergency Operations Center (EOC) Locations.  The EOC may be temporarily set up at any one of several optional locations, depending on the situation and accessibility of each one.  Once the Alternate site is ready for occupancy, the EOC can be moved to that location.

  2. Quickly assess whether any personnel in your surrounding area are injured and need medical attention. If you are able to assist them without causing further injury to them or putting yourself in further danger, provide what assistance you can and also call for help.  If further danger is imminent, immediately evacuate the building.
  3. If appropriate, evacuate the building in accordance with your building’s emergency evacuation procedures. Use the nearest stairwells.  Do not use elevators.
  4. Outside of the building, meet at (XXXXXXXX XXXXXXXXXX). Do not wander around or leave the area until instructed to do so.
  5. Check in with your department manager for roll call. This is important to ensure that all employees are accounted for.

ACTIVITY:  Notification of Management

ACTIVITY IS PERFORMED AT LOCATION:  At Any Available Phone

ACTIVITY IS THE RESPONSIBILITY OF: <Department Name> Management Team
PRIMARY:  <INSERT NAME>
ALTERNATE:  <INSERT NAME>

TASKS:

  1. Team leader informs the members of the <Department Name> management team and notifies the <Department Name> senior management if they have not been informed.
  2. <Department Name> personnel are notified of the disaster by following procedures as included in Section III. D. – Recovery Personnel Notification.
  3. Depending upon the time of the disaster, personnel are instructed what to do (e.g., stay at home and wait to be notified again).

ACTIVITY:  Preliminary Damage Assessment

ACTIVITY IS PERFORMED AT LOCATION:  Main Office Location

ACTIVITY IS THE RESPONSIBILITY OF:  <Department Name> Management Team

TASKS:

  1. Contact the Organization Emergency Response Team Leader to determine responsibilities and tasks to be performed by the <Department Name> Management Team or employees.
  2. If the Organization Emergency Response Team requests assistance in performing the Preliminary Damage Assessment, caution all personnel to avoid safety risks as follows:
  • Enter only those areas the authorities give permission to enter.
  • Ensure that all electrical power supplies are cut to any area or equipment that could pose a threat to personal safety.
  • Ensure that under no circumstances is power to be restored to computer equipment until the comprehensive damage assessment has been conducted and reviewed, and authority to restore power has been expressly given by the Emergency Management Team.
  3. Inform all team members that no alteration of facilities or equipment can take place until the Risk Management representatives (this is a function provided through the Department of Central Services as a statewide service) have made a thorough assessment of the damage and given their written agreement that repairs may begin.
  4. Instruct the Organization Emergency Response Team Leader to deliver the preliminary damage assessment status report immediately upon completion.
  5. Facilitate retrieval of items (contents of file cabinets — petty cash box, security codes, network backup tapes, control books, etc.) needed to conduct the preliminary damage assessment.
  6. Ensure that administrative support is available, as required.
  7. Arrange a meeting with the Emergency Management Team and the Management Teams from other GROUPS/DEPARTMENTS in your facility (location) to review the disaster declaration recommendation that results from the preliminary damage assessment and to determine the course of action to be taken. With this group, determine the strategy to recommend to Senior Management (the Emergency Management Team Leader will be responsible for communicating this to Senior Management).

ACTIVITY: Declaration of a Disaster

ACTIVITY IS PERFORMED AT LOCATION: Main Office Location or Alternate Site/Emergency Operations Center

ACTIVITY IS THE RESPONSIBILITY OF:  <Department Name> Management Team

TASKS:

  1. Actual declaration of a disaster is to be made by the Emergency Management Team, after consulting with senior management. The <Department Name> Management Team should wait for notification from the Emergency Management Team that a disaster has been declared and that groups/departments are to start executing their Business Continuity Plans and relocate to their Alternate Business Site Location.
  2. The person contacted verifies that the caller is someone who is authorized to do the notification.
  3. The person contacted notifies the <Department Name> Senior Management, if they have not yet been contacted.
  4. In the event the Emergency Management Team cannot be assembled or reached, the Team Leaders from each <Department Name> Management Team at the location should assemble, gather appropriate information, consult with senior management, and make the decision whether to declare the disaster.
  5. Because of the significance, disruption, and cost of declaring a disaster, appropriate facts should be gathered and considered before making the decision to declare a disaster. Individual groups/department personnel or the respective <Department Name> Management Teams should not unilaterally make a decision to declare a disaster.  This is the responsibility of the Emergency Management Team.

PHASE II: Plan Activation

ACTIVITY:  Notification and Assembly of Recovery Teams and Employees

ACTIVITY IS PERFORMED AT LOCATION:  Alternate Site/Emergency Operations Center

ACTIVITY IS THE RESPONSIBILITY OF:  <Department Name> Management Team

TASKS:

  1. The team leader calls each member of the management team, instructs them of the time frame in which to assemble at the <Department Name> Emergency Operations Center (to be decided at the time), and asks them to bring their copies of the Plan. The location(s) of the EOC are designated in Appendix D – Emergency Operations Center (EOC) Locations.  The EOC may be temporarily set up at any one of several optional locations, depending on the situation and accessibility of each one.  Once the Alternate site is ready for occupancy, the EOC can move to that location, if preferred.
  2. Review the recovery strategy and action plan with the assembled team.
  3. If necessary, adjust the management team assignments based on which members are available.
  4. The Management Team contacts critical employees and tells them to assemble at the alternate site. If the alternate site is a long distance from the primary site (i.e. out-of-state), then individuals should make their own travel arrangements to the alternate site.  Non-critical employees should be instructed to stay at home, doing what work is possible from home, until notified otherwise.
  5. In the event of a disaster that affects telecommunications service regionally, the Management Team should instruct critical employees to proceed to the alternate site even if they have not been contacted directly. Delays in waiting for direct communications can have a negative impact on <ORGANIZATION NAME>’s ability to recover vital services.

ACTIVITY:  Relocation to Alternate Site

ACTIVITY IS PERFORMED AT LOCATION:  Alternate Site

ACTIVITY IS THE RESPONSIBILITY OF:  All Critical Personnel

TASKS:

  1. When instructed by the <Department Name> Management Team, make arrangements to commute or travel to the alternate site. Reference item #5 under Notification and Assembly Procedures for exception to this step.
  2. The <Department Name> Management Team needs to consult with the Emergency Management Team and the Organization Emergency Response Team to determine if access can be gained to the primary (damaged) site to retrieve vital records and other materials. The Organization Emergency Response Team will only allow access to the primary site if the authorities grant access.  This will be dependent upon the nature of the disaster and the extent of damage.
  3. If allowed access to the primary site to retrieve vital records and other materials, perform some pre-planning to determine what is most important to retrieve. This may be necessary since the time you may be allowed access to the primary site may be minimal.
  4. Depending on the amount of vital records and other materials you are able to retrieve from the primary site, make arrangements to transport this material to the alternate site. If the material is not too great, this could be accomplished by giving to employees to carry along with them.  If the material is a large amount, then make arrangements for transport services and/or overnight courier services.
  5. Management and critical employees travel to alternate site.

ACTIVITY:  Implementation of Interim Procedures

ACTIVITY IS PERFORMED AT LOCATION:  Alternate Site

ACTIVITY IS THE RESPONSIBILITY OF:  <Department Name> Management Team

TASKS:

  1. After arrival at the alternate site, map out locations that can be used for workspace. This should include unused offices and cubicles, conference rooms, training rooms, lunch/break areas, and open space in hallways or in other areas.
  2. Obtain additional tables and chairs, either from the office or from outside rental agencies to provide additional workspace. Place in any available open areas, but be cautious of not blocking exits for fire evacuation purposes.
  3. Determine flexible working schedules for staff to ensure that client and business needs are met, but also to enable effective use of space. This may require that some employees work staggered shifts or evening or night shifts.
  4. Gather vital records and other materials that were retrieved from the primary site and determine appropriate storage locations, keeping in mind effectiveness of workgroups.
  5. Determine which vital records, forms, and supplies are missing. Obtain from off-site storage location or from other sources, as needed, per Appendices E & F.
  6. Develop prioritized work activities, especially if not all staff members are available.

ACTIVITY:  Establishment of Telephone Communications

ACTIVITY IS PERFORMED AT LOCATION:  Alternate Site

ACTIVITY IS THE RESPONSIBILITY OF:  IT Liaison

TASKS:

  1. Contact the Organization Disaster Recovery/IT Team to determine what activities they are taking to reroute telephone communications to the alternate site. Do not directly contact the telephone company – this will be handled by the Organization Disaster Recovery/IT Team.
  2. If your alternate site is at another <ORGANIZATION NAME> office, prepare a list of phone extensions which your staff will be temporarily using and provide this list to the alternate site switchboard attendant.
  3. If your primary office phones will not be switched to the alternate site, let the Organization Disaster Recovery/IT Team know that the phones need to be transferred to the phone numbers you will be using at the alternate site.
  4. Coordinate with the Organization Communications Team regarding contacting customers to notify them of the disaster situation, how <ORGANIZATION NAME> is responding, and how you can be reached. Do not contact customers until the Organization Communications Team has given you directions.

Organization Communications will provide you with scripts and guidance on how to discuss the disaster with customers to provide assurance that their confidence in <ORGANIZATION NAME> will be maintained.

ACTIVITY:  Restoring Data Processing and Data Communications with Primary or Secondary Backup Data Center

ACTIVITY IS PERFORMED AT LOCATION:  Alternate Site

ACTIVITY IS THE RESPONSIBILITY OF THIS TEAM:  IT Liaison

TASKS:

  1. Contact the Organization Disaster Recovery/IT Team to determine when the data center is to be recovered, if affected by the disaster. Also, discuss when data communications will be established between the primary or secondary backup data center and your alternate site.
  2. If your alternate site is another <ORGANIZATION NAME> office, determine if that site has access to the computer systems that <Department Name> uses. If so, work with local office management to determine how workstations can be shared between personnel from their groups/departments and <Department Name>.  This may involve using flexible hours or multiple shifts for your personnel.
  3. Discuss with the Organization Disaster Recovery/IT Team when and how replacement PCs and/or terminals will be provided to you at the alternate site and when they will be connected.
  4. Discuss with the Organization Disaster Recovery/IT Team when the files from your normal PC/LAN servers and applications will be restored and how you can access those files. Also, work with other <ORGANIZATION NAME> management at your alternate site to discuss using their LAN servers.
  5. Discuss with the Organization Disaster Recovery/IT Team your normal application report distributions, such as when you can expect to receive standard computer reports and how they will be distributed to your alternate site.
  6. Communicate the IT recovery status to all <Department Name> personnel who regularly use the systems.

PHASE III: Alternate Site Operations

ACTIVITY:  Alternate Site Processing Procedures

ACTIVITY IS PERFORMED AT LOCATION: Alternate Site

ACTIVITY IS THE RESPONSIBILITY OF: Alternate Site Operations Team

TASKS:

  1. Communicate with customers regarding the disaster and re-solicit phone contacts (in conjunction with the Organization Communications Team).
  2. Acquire needed vital documents.
  3. Access missing documents and files and reconstruct them, if necessary.
  4. Set up operations.

ACTIVITY:  Managing Work Backlog Reduction

ACTIVITY IS PERFORMED AT LOCATION:  Alternate Site

ACTIVITY IS THE RESPONSIBILITY OF:  Alternate Site Operations Team

TASKS:

  1. Determine priorities for work backlogs to ensure the most important backlogged tasks are resolved first.
  2. Set an overtime schedule, if required, based on staff and system availability.
  3. Set backlog priorities, establish backlog status reports if necessary, and communicate this to the <Department Name> supervisor.
  4. Report the backlog status to <Department Name> management on a regular basis.
  5. If backlogs appear to be very large or will take a significant time to recover, determine if temporaries could be used for certain tasks to help eliminate the backlogs. If justified, arrange for temporaries to come in.

PHASE IV: Transition to Primary Operations

ACTIVITY:  Changing Telephone and Data Communications Back to Primary Site

ACTIVITY IS PERFORMED AT LOCATION:  Alternate Site

ACTIVITY IS THE RESPONSIBILITY OF:  IT Liaison

TASKS:

  1. Coordinate with the Organization Disaster Recovery/IT Team to determine when <Department Name> will be relocating back to the primary site. Verify that they have a schedule to ensure that telephone and data communications are rerouted accordingly.
  2. Discuss when and how PCs, terminals, and printers, if brought into the alternate site, will be de-installed, moved back to the primary site, and re-installed.

ACTIVITY:  Terminating Alternate Site Procedures

ACTIVITY IS PERFORMED AT LOCATION:  Alternate Site and Primary Site

ACTIVITY IS THE RESPONSIBILITY OF:  <Department Name> Team

TASKS:

  1. Determine which alternate site operating procedures will be suspended or discontinued and when.
  2. Communicate the changes in procedures to all affected staff.
  3. Determine if additional procedures are needed upon return to the primary site, such as to continue resolving work backlogs.

ACTIVITY: Relocating Personnel, Records, and Equipment Back to Primary (Original) Site

ACTIVITY IS PERFORMED AT LOCATION:  Alternate Site and Primary Site

ACTIVITY IS THE RESPONSIBILITY OF:  <Department Name> Management Team

TASKS:

  1. In conjunction with the Emergency Management Team and the Organization Emergency Response Team, determine when <Department Name> will be scheduled for relocating back to the primary site.
  2. Communicate this schedule to all <Department Name> personnel.
  3. Inventory vital records, equipment, supplies, and other materials, which need to be transported from the alternate site to the primary site.
  4. Pack, box, and identify all materials to be transported back to the primary site.
  5. In conjunction with the Organization Administration Team, make arrangements for a moving company or courier service to transport the boxes back to the primary site.

Section V: Appendices

Appendix A – Employee Telephone Lists

Employee | Title/Function | Office Phone # | Home Phone # | Cellular/Pager # | EMAIL | Time Called | Arrival Time | Comment
*
**
**
Fire, Police, Emergency

*   Indicates Team Leader
**  Indicates Alternate Team Leader

Appendix B – Recovery Priorities for Critical Business Functions

Department: <Department Name>

Business Function | Priority | Maximum Allowable Downtime (1-2 Days / 3-5 days / 1-2 weeks / > 2 weeks)
Contracts | Critical | X

Appendix C – Alternate Site Recovery Resource Requirements

General Requirements

# | Description | Current Number | BCP Number | Comments
1. | Number of people | | |
2. | Square footage needed | | |
3. | Power Outlets 110V | | | Can use power strips
4. | Power Outlets 220V | | |
5. | Telephones | | |
6. | Telephone lines | | |
7. | Desks | | |
8. | Chairs | | |
9. | Tables | | |
10. | Typewriters | | |
11. | Photocopiers | | |
12. | Calculators | | |
13. | Microfiche Viewers | | |
14. | File Cabinets (specify type) | | | 4 drawer lateral file cabinets
15. | Other – Please attach list | | |

Technical Requirements

# | Description | Current Number | BCP Number | Comments
1. | Telephone Lines (regular) | | |
2. | Telephone Lines (800 or special) | | |
3. | Single Line Telephone Sets | | |
4. | Other Type Telephone Sets | | | TWO LINE
5. | Stand-alone FAX Machines | | |
6. | PCs | | |
7. | LAN/WAN Connections | | |
8. | Printers – LAN | | |
9. | Printers – Direct attach to PC | | |
10. | PC Connectivity outside <ORGANIZATION NAME>* (Internet) | | |
11. | Other Computers | | |
12. | Fax – Stand alone | | |
13. | Other – Please attach list | | |

Appendix D – Emergency Operations Center (EOC) Locations

Disaster Affecting Which Area/Building | EOC Location
<ORGANIZATION NAME> Home Community | City

Recovery Locations and Travel Directions

Alternate Sites

Critical Function | Alternate Site
Desktop and Personnel |
EOC | Emergency Management Team

NOTE – Provide directions to all alternate sites. Include address and phone number of site.  Include Maps and Floor Plans.

Appendix E – Vital Records

Description | Primary Location of Records | Alternate (Backup) Location of Records | Other Sources to Obtain Records
Settlement Agreements | Department File Cabinets | Vault | Scanned images on Network drive / Other Parties
Litigation Files | Department File Room | Scanned Images of pleadings on Network drive | Outside Counsel / Courts

Appendix F – Forms and Supplies

Form/Supply Name/Description | Primary Locations Where Stored | Alternate Sources to Obtain Form/Supply | Vendor’s Name/Phone
No special forms or supplies other than standard office supplies.

Appendix G – Vendor Lists

Vendor Name | Goods/Service Provided | Contact Name | Address | Phone #
Master Service Agreements and other contractors – lists available on network Master Service Agreement and Insurance databases

Appendix H – Desktop Computer Configurations

Description of Desktop:  Dell, etc.

Used By: All <Department Name> Employees

Business Activity Supported:

Connected to Which LAN’s:

Used for Host Access (Which Applications): network printing

Special Features, Boards, Memory Size, Etc.: over 20 Gigs HD, over 128MB Memory _____

Over 850 MHz Processor(s)

Ethernet Net Cards, Fax/Modems

Proprietary Software required (indicate release number, version and/or level, as applicable):

The IT Department maintains records on all desktop systems.

Appendix I – Computer System Reports

Report Name | Report Description | System Produced From | Alternate Sources of Report or Information
No special computer reports required.

Appendix J – Critical Software Resources

Software Application | Publisher or Vendor | Platform | Recovery Criticality

Appendix K – Alternate Site Transportation Information

Employees will be notified (by team members), if a disaster is declared, as to the location and when to report.  Since the recovery site is local, transportation to the work location is up to the employee unless directed otherwise.  Directions will be supplied at the time of notification, if necessary.

Appendix L – Alternate Site Accommodations Information

Should alternate site accommodations be required, team members will be notified.  Employees will be contacted (by team members), if a disaster is declared, as to the location and where to go.  Since accommodations are local, transportation to the work location is up to the employee unless directed otherwise.  Directions will be supplied at the time of notification, if necessary.

Appendix M – Severity Impact Assessments

<Department Name>

Impact Area | Severity of Impact (Least 1 2 3 4 5 Greatest) | Comments
1 Cash Flow Interruption
2 Inoperative Billing Systems
3 Inoperative Financial Controls
4 Loss of Customers
5 Financial Reporting (Banks, IRS, etc.)
6 Increases in Liability
7 Loss of Public Image
8 <Department Name> and Regulatory Violations
9 Contractual Violations
10 Vendor Liabilities & Relations
11 Customer Liability & Relations
12 Effect on Employee Morale
13 Staff Resignations

Appendix N – <ORGANIZATION NAME> Business Impact Assessment

Department or Function: <ORGANIZATION NAME>
Number of Employees in HOME COMMUNITY :
Primary Business Function:
Executive:    BCP Representative:
What’s at Stake:  $ Millions Plus
STRENGTHS
Example
Able to work from home if access to e-mail and system is available through dial-up access. Will need records and files as well.
WEAKNESSES
Example
Unable to work remotely if access to records and files is restricted.
Loss Impact
Example
Our department would not be able to perform >95% of its work without access to our computers or work areas. It would take time and effort to recreate the contracts and other information (to the extent they can be recreated) before we could work on them.
Maximum Allowable Downtime: > 24 – 48 Hours

Appendix O – Recovery Tasks List

Recovery Activation Date: ________

Task No. | Task Description | Estimated Time | Actual Time | Assigned To | Assigned Time | Completed Time | Comments
10 | Receive communication on emergency situation
20 | Identify recovery site
30 | Retrieve Business Continuity Plans
40 | Notify department members identified in Appendix A
50 | Retrieve department Vital Records
60 | Oversee delivery and placement of office equipment
70 | Oversee delivery and placement of office supplies
80 |

Back to Trace International

If you need assistance or have any doubt and need to ask any question contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

Example of Technical Vulnerability Management Policy

1 Policy Statement

To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures to ensure that all technical vulnerabilities that exist in its IT systems are identified and managed. IT systems contain inherent weaknesses, termed vulnerabilities, and threats exploit vulnerabilities to cause harm to IT systems. It is therefore imperative to identify and close those vulnerabilities regularly and so prevent security incidents.

2 Purpose

The purpose of the Technical Vulnerability Management Policy is to establish rules and principles for identifying and managing vulnerabilities in IT systems.

3 Scope

3.1 IT Assets

This policy applies to all hardware, software, and network assets.

3.2 Documentation

The documentation shall consist of the Technical Vulnerability Management Policy and related procedures and guidelines. The Technical Vulnerability Management Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document; the previous version shall be retained only for a period of two years, for legal and knowledge preservation purposes.

3.3 Records

Records being generated as part of the Technical Vulnerability Management Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.4 Distribution and Maintenance

The Technical Vulnerability Management Policy document shall be made available to all the employees covered in the scope. All changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility for the document shall rest with the CISO and the system administrators.

4 Privacy

The Technical Vulnerability Management Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5 Responsibility

The CISO / designated personnel and system administrator are responsible for proper implementation of the Technical Vulnerability Management Policy.

6 Policy

It is the stated goal of XXX to provide secure IT systems and services in order to protect organizational information assets, as well as the privacy of employees, contractors and third party employees. The timely and consistent application of vendor-supplied security patches, or mitigation of a reported vulnerability where no patch is available, is a critical component in protecting the network, systems and data from damage or loss due to threats such as worms, viruses, data loss, or other types of external or internal attack. XXX shall conduct routine scans of its website, servers (including those hosted at ABC) and devices connected to its networks to identify operating system and application vulnerabilities on those devices. XXX requires its system administrators to routinely review the results of vulnerability scans and to evaluate, test and mitigate operating system and application vulnerabilities appropriately; a finding shall be treated as mitigated only once a subsequent scan confirms the fix. Should an administrator consider a reported vulnerability to be a potential false positive, the CISO shall be notified immediately, and the finding shall remain open until the CISO accepts it as a false positive.
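The review loop the policy describes (scan, review the results, mitigate within an agreed time, escalate suspected false positives to the CISO) is easier to audit when the scan output is triaged mechanically. The following Python script is an added example, not part of this policy or of any scanner product: it applies assumed per-severity remediation deadlines to a constructed set of findings and separates overdue items, items still inside their window, and false-positive claims that must be sent to the CISO. The SLA_DAYS table, the Finding record layout and the sample findings are all assumptions made for illustration.

```python
"""Triage of vulnerability-scan findings against remediation deadlines.

Added example, not part of the policy text. The severity-to-deadline table,
the record layout and the sample findings are assumptions made for
illustration; real scanner exports and SLAs will differ.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows in days per severity; the policy sets none.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    host: str
    title: str
    severity: str            # one of the SLA_DAYS keys
    first_seen: date         # date the scanner first reported it
    status: str = "open"     # open | mitigated | false_positive_claimed


def deadline(f: Finding) -> date:
    """Date by which the finding must be mitigated under the assumed SLA."""
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity.lower()])


def triage(findings, today: date):
    """Split findings into three lists: overdue open items (most urgent first),
    false-positive claims that the policy requires to be escalated to the CISO,
    and open items still inside their window. Mitigated items are dropped."""
    overdue, escalate, on_track = [], [], []
    for f in findings:
        if f.status == "mitigated":
            continue
        if f.status == "false_positive_claimed":
            escalate.append(f)   # stays open until the CISO accepts the claim
            continue
        (overdue if deadline(f) < today else on_track).append(f)
    rank = {s: i for i, s in enumerate(SLA_DAYS)}   # critical sorts first
    overdue.sort(key=lambda f: (rank[f.severity.lower()], deadline(f)))
    return overdue, escalate, on_track


# Constructed sample scan results (not real findings).
SAMPLE = [
    Finding("web-01", "Outdated TLS library", "high", date(2020, 1, 10)),
    Finding("db-02", "Unpatched database service", "critical", date(2020, 3, 1)),
    Finding("web-01", "Verbose server banner", "low", date(2020, 3, 20)),
    Finding("app-03", "Vulnerable version string reported", "medium",
            date(2020, 3, 25), status="false_positive_claimed"),
    Finding("app-03", "Weak cipher suite", "medium", date(2019, 12, 1),
            status="mitigated"),
]


def report(today: date = date(2020, 4, 6)) -> dict:
    """Review summary for the sample scan as of `today`."""
    overdue, escalate, on_track = triage(SAMPLE, today)
    key = lambda f: (f.host, f.title)
    return {"overdue": [key(f) for f in overdue],
            "escalate_to_ciso": [key(f) for f in escalate],
            "on_track": [key(f) for f in on_track]}


if __name__ == "__main__":
    for section, items in report().items():
        print(section)
        for host, title in items:
            print(f"  {host}: {title}")
```

Sorting the overdue list by severity rank before deadline means the critical finding on db-02 is presented ahead of the older high finding on web-01, which is the order an administrator should work them; the false-positive claim is kept out of both the overdue and the on-track lists so it cannot silently age out of the review.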

7 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.


Example of Website Security Policy

1 Policy Statement

To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures to ensure the integrity, availability and authenticity of its website and of all information contained within it. An organization's website is its interface with the external world, and information published on it is taken as an authentic statement from the organization's management. It is therefore imperative to publish only authenticated content on the website and to maintain its integrity and availability.

2 Purpose

The purpose of the Website Security Policy is to establish rules for preserving the integrity, availability, and authenticity of XXX’s website.

3 Scope

3.1 Employees

This policy applies to all permanent employees, contractual employees, trainees, privileged customers and all other visitors.

3.2 Documentation

The Website Security Policy documentation shall consist of Website Security Policy and related procedures & guidelines.

3.3 Document Control

The Website Security Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document; the previous version shall be retained only for a period of two years, for legal and knowledge preservation purposes.

3.4 Records

Records being generated as part of the Website Security Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.5 Distribution and Maintenance

The Website Security Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the Website Security Policy document shall be with the CISO and website administrator.

4 Privacy

The Website Security Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5 Responsibility

The CISO / designated personnel and website administrator are responsible for proper implementation of the Website Security Policy.

6 Policy

Following are the policies defined for maintaining Security of the website:

  1. The website shall be developed and maintained as per the relevant guidelines of the Govt. of Kuwait.
  2. User registration for secured access to the website shall be required when i) a web application or internal link requires user identification before processing, or ii) the data accessed has been classified as “sensitive” and requires further authorization.
  3. To facilitate site management, information shall be collected for statistical purposes. XXX shall employ software programs to compile summary usage statistics, which may be used for assessing what information is relevant to users. The data so accumulated may be used to help determine technical design specifications, identify system performance, or pinpoint problem areas.
  4. Except for authorized security investigations and data collection, no attempts shall be made to identify individual users or their usage habits. Accumulated data logs will be scheduled for regular deletion in accordance with schedules set by the web administrators.
  5. Unauthorized attempts to upload information or change website information are strictly prohibited, and may be punishable under relevant cyber laws.
  6. Access to sensitive or proprietary business information on the website shall be limited to employees, customers, clients and vendors who have been determined to have an appropriate business reason for access to such data. All registered website users who are granted security access will be identified by a user name (the User ID). All actions performed with a User ID are the responsibility of the ID’s registered owner.
  7. Individuals who are granted password access to restricted information on the website are prohibited from sharing or divulging those passwords to any third party. Users shall notify XXX immediately if a User ID or password is lost or stolen, or if they believe that an unauthorized individual has discovered the User ID or password.
  8. XXX’s records shall be final and conclusive in all questions concerning whether or not a specific User ID or password was used in connection with a particular action.
  9. Any data or document uploaded to social networking sites shall be duly authorized by the competent authority and shall be uploaded only by designated persons authorized to do so.

7 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.


Example of System Monitoring Policy

1 Policy Statement

To ensure that organizational IT systems are not open to abuse, XXX reserves the right to monitor individual staff usage but only where authorized by senior HR staff and where, in the circumstances, it is fair and appropriate to do so. A range of monitoring activities need to be established to ensure that the IT systems are operating efficiently and effectively. This includes the monitoring of information entering, leaving or stored on organizational IT systems. Such monitoring is not, in general, person specific, but employee’s personal data may be accessed as part of this policy.

2 Purpose

This policy offers guidance regarding monitoring of system use and related user activities. It is intended to guide and inform personnel and help them understand the importance of maintaining logs of all user activities on the system.

3 Scope

3.1 IT Assets

This policy applies to all organizational information systems and to all Employees, Contractors and Third Party Employees who have access to IT assets and may be bound by contractual agreements.

3.2 Documentation

The System Monitoring Policy documentation shall consist of System Monitoring Policy, related procedures & guidelines.

3.3 Document Control

The System Monitoring Policy document and all other referenced documents shall be controlled. The version control shall be used to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purpose.

3.4 Records

Records being generated as part of the System Monitoring Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.5 Distribution and Maintenance

The System Monitoring Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the System Monitoring Policy document will be with the CISO and system administrators.

4 Privacy

The System Monitoring Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5 Responsibility

The CISO / designated personnel is responsible for proper implementation of the System Monitoring Policy.

6 Policy

Systems shall be monitored to ensure all information security events are recorded. The organization shall comply with all relevant legal requirements applicable to the monitoring and logging activities. System monitoring shall be used as a means to check the effectiveness of controls adopted and also to verify the conformance to the organizational access control and acceptable use policies.
System monitoring shall consider the following aspects:
a. compliance with regulatory and statutory obligations;
b. effective maintenance of IT systems;
c. prevention or detection of unauthorized use of, or other threats to, organizational IT systems, or criminal activities;
d. compliance with organizational policies and procedures; and
e. review of usage and staff training.
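Aspect (c) above is the one that turns recorded events into action. As an added example (not part of the policy), the Python below runs a simple detection over constructed OpenSSH authentication log lines: it counts failed password logons per source address inside a sliding window, raises a "burst" alert when an assumed threshold is reached, and raises a higher-priority alert when the same address subsequently logs on successfully. The threshold, the window and the sample log lines are assumptions made for illustration.

```python
"""Brute-force logon detection over SSH authentication log lines.

Added example of the "detection of unauthorized use" monitoring the policy
calls for; it is not part of the policy text. The log lines are constructed
samples, and the failure threshold and time window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH-style password events, e.g.
# "Apr  6 10:00:27 bastion sshd[2105]: Failed password for root from 203.0.113.5 port 40141 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse(line: str, year: int = 2020):
    """Return a dict for password events; None for lines we do not monitor.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=2)):
    """Return alerts as (ip, kind, detail) tuples.

    'burst': at least `threshold` failed logons from one source address inside
    a sliding `window`; raised once per address.
    'success_after_burst': a successful logon from an address already flagged,
    which is the case that needs immediate follow-up."""
    events = [e for e in (parse(l) for l in lines) if e]
    recent = defaultdict(list)    # ip -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = e["ip"]
        if e["result"] == "Failed":
            recent[ip] = [t for t in recent[ip] if e["ts"] - t <= window]
            recent[ip].append(e["ts"])
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "burst",
                               f"{len(recent[ip])} failures within {window}"))
        elif ip in flagged:
            alerts.append((ip, "success_after_burst",
                           f"user {e['user']} at {e['ts']:%H:%M:%S}"))
    return alerts


# Constructed sample log (addresses taken from documentation ranges).
SAMPLE_LOG = """\
Apr  6 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Apr  6 10:00:14 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Apr  6 10:00:27 bastion sshd[2105]: Failed password for root from 203.0.113.5 port 40141 ssh2
Apr  6 10:00:40 bastion sshd[2107]: Failed password for root from 203.0.113.5 port 40155 ssh2
Apr  6 10:00:52 bastion sshd[2109]: Failed password for deploy from 203.0.113.5 port 40163 ssh2
Apr  6 10:01:05 bastion sshd[2111]: Failed password for deploy from 203.0.113.5 port 40170 ssh2
Apr  6 10:01:20 bastion sshd[2113]: Accepted password for deploy from 203.0.113.5 port 40181 ssh2
Apr  6 10:01:33 bastion sshd[2115]: Failed password for jsmith from 198.51.100.7 port 51002 ssh2
Apr  6 10:01:34 bastion sshd[2115]: pam_unix(sshd:session): session opened for user jsmith
""".splitlines()


def sample_alerts():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, kind, detail in sample_alerts():
        print(f"{kind:22} {ip:15} {detail}")
```

The single failure from 198.51.100.7 and the session-opened line produce nothing, which is the point of a threshold: the monitoring the policy describes should record every event but alert only on the pattern that indicates misuse, and the success-after-burst case is the one worth paging on.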

7 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.


Example of Anti-Spam and Unsolicited Commercial Email (UCE) Policy

1.  Purpose

This policy describes the permitted and prohibited uses of corporate email systems for bulk emailing. Its purpose is to:
1. protect organizational reputation,
2. preserve the effectiveness of email as a business communication medium,
3. prevent potential breach of the US CAN-SPAM Act by employees, and
4. generally encourage adherence to e-mailing best practices.

2. Overview

The practice of sending unsolicited commercial mass e-mails represents a potential threat to organizational reputation and may violate the US CAN-SPAM Act, which defines the quantity and characteristics of bulk commercial e-mails that may legally be sent. All communications with customers, prospects and other professionals reflect on XXX. In light of increasing antipathy to unsolicited email promotions of any kind, it is generally in the best interest of XXX to limit electronic mailings to legitimate communications with individuals who have indicated a willingness to receive them.

3. Scope

This policy covers all individuals who use XXX e-mail systems and addresses to send bulk e-mails to customers, prospects or other types of recipients.

3.1 Employees

This policy applies to all  Employees, Contractors, and Third Party Employees, who use, process, and manage information and business processes of XXX.

3.2 Documentation

The documentation shall consist of the Anti-Spam and Unsolicited Commercial Email Policy and related procedures and guidelines. This Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document; the previous version shall be retained only for a period of two years, for legal and knowledge preservation purposes.

3.3 Records

Records being generated as part of this Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.4 Distribution and Maintenance

This Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and system administrators.

4. Privacy

This Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5. Responsibility

This Policy shall be implemented by the CISO and designated personnel (if any). This policy has the full support of the executive steering committee and human resources. It is a living document and may be modified at any time by the IT Manager, human resources or the executive steering committee.

6 Policy

  • All mass emails must be approved by the IT Manager.
  • Individuals may send mass emails for the purpose of marketing or sales of products, services, or programs only to:
    • Recipients who specifically consented to receive marketing or sales emails
    • Recipients who have not explicitly opted out of receiving marketing or sales emails
  • Mass emails sent from XXX computers or email addresses may not:
    • Contain false or misleading information in the subject line, headers, or email body
    • In any way misrepresent or disguise the sender, point of origin, or transmission path
  • Individuals may not send any emails to addresses that have been illicitly harvested, mined, or skimmed from one or more third-party Web sites. Employees may not build e-mail addresses or lists by guessing or by using software to generate character strings that are likely to be associated with live email accounts.

Anti-spam restrictions also apply to other forms of electronic messaging:

  • Individuals may not post promotions or advertisements for products, services, or programs in newsgroups, message boards, chat rooms, or other online services in violation of the terms of participation of those online services.
  • Individuals may not post promotions or advertisements for products, services, or programs in newsgroups, message boards, chat rooms, or other online services that do not explicitly permit advertisements.
  • Individuals may not use vendors, software, or service providers to circumvent the intent of this policy.

7 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy. Such action may include performance sanctions; termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to restriction or suspension of email privileges, as well as civil and criminal prosecution.


Example of Risk Management Policy

1 Policy Statement

To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures to ensure timely management of organizational risks. The policy and the respective procedures, guidelines and forms shall be available to the CISO and members of senior management.

2 Definitions

Entity: Any business unit, department, group or third party, internal or external to XXX, responsible for maintaining assets.

Risk: Those factors that could affect the confidentiality, availability and integrity of XXX’s key information assets and systems.

Risk Assessment Team: Responsible for ensuring the integrity, confidentiality and availability of critical information and computing assets on XXX’s networks, while minimizing the impact of security procedures and policies upon business missions.

3 Purpose

The purpose of this policy is to identify areas of risk in a timely manner and manage them to ensure continuity of business processes.

4 Scope

4.1 IT Assets

This policy applies to the entire IT Infrastructure.

4.2 Documentation

The Policy documentation shall consist of Risk Management Policy, Risk Assessment and Treatment Procedure, and related guidelines.

4.3 Document Control

The Risk Management Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document; the previous version shall be retained only for a period of two years, for legal and knowledge preservation purposes.

4.4 Records

Records being generated as part of the Risk Management Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

4.5 Distribution and Maintenance

The Risk Management Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the Risk Management Policy document will be with the CISO and system administrators.

5 Privacy

The Risk Management Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

6 Responsibility

The CISO / designated personnel is responsible for proper implementation of the policy.

7 Policy

A Risk Management Plan shall be drawn up by management and shall identify the people within XXX who will perform risk assessment operations. For this purpose, the events (or series of events) that could disrupt business processes shall be identified. The risk assessment shall consider the probability and impact of such disruptions in terms of time, scale of damage and recovery period. It shall identify, quantify and prioritize risks against criteria and objectives relevant to the organization, including critical resources, impacts of disruptions, allowable outage times and recovery priorities. Based on the results of the assessment, a business continuity strategy shall be outlined to determine XXX’s overall approach to business continuity. The execution, development and implementation of remediation programs are the joint responsibility of the IT Infrastructure management team and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any risk assessment (RA) being conducted on systems for which they are held accountable, and to work with the Risk Assessment Team in the development of a remediation plan.

8 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.


Example of Third Party Access Policy

1.  Purpose

This document describes the policy under which third party persons or organizations connect to or access network resources on XXX networks for the purpose of transacting business related to KDCC or other approved business transactions.

3. Scope

All connections and network resources access between third parties that require access to non-public resources fall under this policy, regardless of what technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for XXX or to the Public Switched Telephone Network does NOT fall under this policy.

3.1 Employees

This policy applies to all  Employees, Contractors, and Third Party Employees, who use, process, and manage information and business processes of XXX.

3.2 Documentation

The documentation shall consist of the Third Party Access Policy and related procedures and guidelines. The Third Party Access Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document; the previous version shall be retained only for a period of two years, for legal and knowledge preservation purposes.

3.3 Records

Records being generated as part of this Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.4 Distribution and Maintenance

This Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and system administrators.

4. Privacy

This Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5. Responsibility

This Policy shall be implemented by the CISO and designated personnel (if any). This policy has the full support of the executive steering committee and human resources. It is a living document and may be modified at any time by the IT Manager, human resources or the executive steering committee.

6 Policy

6.1 Pre-Requisites Security Review

All new extranet connectivity will go through a security review with the Office of the IT Manager. The review ensures that the access granted matches the approved business requirement as closely as possible and that the principle of least access is followed.

6.2 Third Party Connection Agreement

All new connection requests between third parties and XXX require that the third party and XXX representatives agree to and sign the Third Party Agreement. The agreement must be signed by the IT Manager and by a representative of the third party who is legally empowered to sign on its behalf. By signing the agreement the third party agrees to abide by all referenced policies. The signed document is to be kept on file with the relevant extranet group. All non-publicly accessible information is the sole property of XXX.

 6.3 Business Case

All extranet connections or network resource access must be accompanied by a valid business justification, in writing, that is approved by both the third party and the corresponding KDCC contracting authority or rightful designee. Typically this function is handled as part of the Third Party Agreement.

6.4 Point Of Contact

The KDCC contracting authority must designate a person to be the Point of Contact (POC) for the third party connection. The POC acts on behalf of the KDCC contracting authority, and is responsible for those portions of this policy and the “Third Party Agreement” that pertain to it. In the event that the POC changes, the relevant third party person or organization, must be informed promptly.

6.5 Establishing Connectivity

All contracting authorities within XXX that wish to establish connectivity or network resource access to a third party shall file an extranet connectivity request with the IT Manager, accompanied by a Third Party Agreement signed by the third party person, organization or rightful designee. The IT Manager will then engage the third party to address the security issues inherent in the project. The sponsoring contracting authority must provide full and complete information on the nature of the proposed access to the IT Manager, as requested. All connectivity established must follow the least-access principle, in accordance with the approved business requirements and the security review, and every connectivity request will have a specific beginning and ending date. In no case will XXX rely upon the third party to protect XXX’s network or resources. The IT Manager will grant access to the approved resources and reserves the right to refuse access on the basis of a legitimate security concern, as decided by the CISO.

6.6 Modifying or Changing Connectivity and Access

All changes in access must be accompanied by a valid business justification, and are subject to security review.  The sponsoring contracting authority is responsible for notifying the third party person or organization and IT Manager when there is a material change in their originally provided information so that security and connectivity evolve accordingly.  Extensions will be granted on a case by case basis and must be requested in writing by the sponsoring contracting authority.

6.7 Terminating Access

When access is no longer required, the sponsoring contracting authority within XXX must notify the IT Manager, who will then terminate the access. This may range from a modification of existing permissions up to termination of the circuit, as appropriate. IT security teams must audit their respective connections annually to confirm that each existing connection is still needed and that the access provided matches the needs of the connection. Connections found to be deprecated, or no longer used to conduct business or other approved business transactions, will be terminated immediately. Where a security incident, or a finding that a circuit is deprecated and no longer used for approved business, necessitates a modification of existing permissions or termination of connectivity, the IT Manager will notify the POC of the sponsoring contracting authority of the change before taking action.
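The termination and annual audit rules above can be applied mechanically to a register of third-party connections, which is how the annual audit is usually run in practice. The Python below is an added example, not part of the policy: it checks each constructed register entry for a signed Third Party Agreement, an approved business case, a passed end date, prolonged non-use and an overdue annual audit, and returns the action the IT Manager should raise with the sponsoring contracting authority's POC. The Connection record layout, the 90-day idle threshold and the sample register entries are assumptions made for illustration.

```python
"""Periodic review of a third-party connection register.

Added example, not part of the policy text: it applies the policy's rules
(signed Third Party Agreement, written business case, fixed end date, annual
audit, termination of unused circuits) to a constructed register. The record
layout, the idle threshold and the sample entries are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

IDLE_DAYS = 90      # assumed: unused this long counts as deprecated
REVIEW_DAYS = 365   # policy: connections are audited annually


@dataclass
class Connection:
    third_party: str
    poc: str                     # sponsoring contracting authority's POC
    agreement_signed: bool       # Third Party Agreement on file
    business_case: bool          # written justification approved
    start: date
    end: date                    # every connection has a fixed end date
    last_used: Optional[date]
    last_review: Optional[date]


def assess(c: Connection, today: date):
    """Return (action, reasons) for one connection.
    Actions in order of severity: terminate > suspend > audit_due > keep."""
    reasons = []
    if today > c.end:
        reasons.append("end date passed")
    if c.last_used is None or (today - c.last_used).days > IDLE_DAYS:
        reasons.append(f"unused for more than {IDLE_DAYS} days")
    if not c.agreement_signed:
        reasons.append("no signed Third Party Agreement on file")
    if not c.business_case:
        reasons.append("no approved written business justification")
    if c.last_review is None or (today - c.last_review).days > REVIEW_DAYS:
        reasons.append("annual audit overdue")

    if any(r.startswith(("end date", "unused")) for r in reasons):
        action = "terminate"        # deprecated circuit: terminate immediately
    elif any(r.startswith("no ") for r in reasons):
        action = "suspend"          # prerequisites missing: no access until fixed
    elif "annual audit overdue" in reasons:
        action = "audit_due"
    else:
        action = "keep"
    return action, reasons


def review(register, today: date) -> dict:
    """Map third-party name -> action, for notification of each POC."""
    return {c.third_party: assess(c, today)[0] for c in register}


# Constructed sample register (not real third parties).
REGISTER = [
    Connection("Payroll vendor", "A. Khan", True, True,
               date(2019, 5, 1), date(2020, 12, 31), date(2020, 4, 1), date(2019, 3, 1)),
    Connection("Logistics partner", "B. Lee", True, True,
               date(2019, 3, 1), date(2020, 2, 29), date(2020, 2, 20), date(2020, 1, 10)),
    Connection("Marketing agency", "C. Diaz", False, True,
               date(2020, 3, 1), date(2020, 9, 30), date(2020, 4, 3), date(2020, 1, 15)),
    Connection("External auditor", "D. Rao", True, True,
               date(2019, 9, 1), date(2020, 6, 30), date(2019, 11, 30), date(2020, 1, 10)),
    Connection("Bank data feed", "E. Novak", True, True,
               date(2019, 1, 1), date(2020, 12, 31), date(2020, 4, 5), date(2020, 1, 10)),
]


def review_sample(today: date = date(2020, 4, 6)) -> dict:
    return review(REGISTER, today)


if __name__ == "__main__":
    for name, action in review_sample().items():
        print(f"{action:10} {name}")
```

Running the sample register as of 6 April 2020 terminates the logistics link (end date passed) and the auditor link (idle well past the threshold), suspends the agency whose agreement was never signed, and flags the payroll vendor whose last review is more than a year old; only the bank feed is left as is. The reasons list is what goes in the notification to the POC, as section 6.7 requires, before the change is made.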

7 Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.
