Company Members

Project scope statement

Project Title: Improve Network Structure for Lawyers Firm

Date: June 27, 2012

Document prepared by:
Email:

* We will provide our clients with IT solutions that offer practical value today while positioning them to meet the business and technological needs of tomorrow. With our constant focus on improved business results, we will make and build definitive plans for the best and most economical IT hardware and solutions. Our goal is to ensure a solid network as well as a state of the art design and equipment for a Law Firm’s work environment.
Assure that appropriate telecommunications and computing resources are available to support the mission of the firm
Assure that each staff member who uses telecommunications and computing resources in his or her position has a computer of sufficient capability to fulfill their required job responsibilities
Ease resource and financial planning by reducing the effort involved in budgeting and planning for new telephone units, computers, network, classroom equipment and server systems.
Provide for the cost effective and timely purchasing and installation of new equipment while decreasing the deployment time for new equipment; and disposal of old and obsolete equipment.

-------------------------------------------------
Deliverables
Dell Desktops and laptops
Cisco Routers, switches, and Ip phones will be installed and configured
Firewalls will be installed
Blade server holding case will be provided
Internet services will be provided by
Install Cat 6 cable and fiber optic cable
Connector’s trays and cable racks will be installed
Software i.e. Microsoft Server 2008R2, Windows 7, Exchange Server, Citrix Carpe Diem, Anti-Virus , Spam Server, VPN Server, Web Server, Hummingbird will be installed
All servers for the network will be installed

Technical requirements

Hardware and Software must comply with HIPPA regulations

Firewall must be established

Disaster Recovery should be active

Primary and secondary ISP’s should be in place

All training done for the Firm will be documented

Redundancy for the network will be required

Cisco Certification is required to all operatives out in the field or whomever works in there space.

-------------------------------------------------
Limits and Exclusions

Prime connections reserve the right to outsource some or all contracts to a subcontractor

Responsibility of extra unforeseen work or cost because of out of design changes that are not in the original blueprints will be the Firms

Site work will be limited to Monday thru Friday, 4p.m. to 1a.m. After hours

Server rooms may not have the proper cooling system installed. Pre-wiring will be available

Network will be built per the agreed terms by the customer and Prime Connections

Server room will be secured by two locks on their doors

-------------------------------------------------
Milestones
Start of primary project 15 August 2012
Site survey 20 August 2012
Presentation to staff members date 27 August 2012
Permits were obtained on 1 September 2012
Equipment purchase and delivery 5 September 2012
Cable drop completion 12 September 2012
Hardware installation start date 13 September 2012
Software start date 17 September 2012
Initial training for support staff started on 18 September 2012
Internet service started on 18 September 2012
Inspection and testing of all location network dates 25 September 2012
Training for all other staff personnel start date 27 September 2012
Decommission of old network system Start date 5 October 2012
Full activation of new network system 5 October 2012
Final inspection and testing of all location network dates 7 October 2012
Completion of decommissioning old network 8 October 2012
Make update for final training to all staff members 10 October 2012
Issue resolution date 12 October 2012
Project completion date 13 October 2012
Project Charter

1. Purpose
This project involves a complete overhaul of the networking environment for each office. The change is because of their current Network system is outdated including hardware, software and all employees will need to be trained on new systems. The upgrade will occur at each office individually, and will be tied together logically through a domain, set up at the central office with a minimum of three months to complete the project. Doing so will provide better functionality for the employees to use, will create a more reliable filing system, and will enable better customer service through updated technology.
2. Goals and Objectives
Our goal in this project is to fulfill the customer’s needs in regards to a networking system, to identify the current situation and how it may be improved, and provide the best solution to the customer in terms of hardware selection, reliability, affordability and ease of use. We will provide this to the customer at a competitive rate, and with a quality product.
3. Success Criteria
A successful project is one in which goals are defined; the customer will be involved in every step of what we are accomplishing and make sure it is up to their standards. We will complete the project within the ninety day time frame plus or minus four weeks and at or below the eight-hundred thousand dollar budget. To ensure the firm is satisfied with the work that is completed.

4. Project Context
Project will consist of a complete overhaul/upgrade of the current network infrastructure. The project will also consist of replacement of outdated equipment, software, telephone and filing system. This will be done while maintaining the privacy of the customer and the customers data in accordance with HIPPA regulations pertaining to privacy. We will be performing our duties on the project in accordance with the customer’s desires as well as our company goal. In addition, also maintain the integrity of the customer’s reputation as well as our own. We at Prime connections will provide the best level of service to our customers, in a fair and economical way. Any work completed must live up to this goal in order to be considered successful.
5. Project Deliverables
Within the scope of the project, we will deliver certain items. These deliverables will help to give an outline of the work to be performed, but also to provide specific information in regards to prototypes, quality assurance plans, training plans, disaster recovery, network layout& topology, and budgeting.
6. Scope Specifications
-Identifying equipment to be upgraded, and removing this equipment from the site.
-Installing new equipment as listed in the documentation-performing configuration of new equipment to meet client’s security and functional standards
7. Out-of-Scope Specifications
Examples of out-of-scope tasks would include:
-Repairing or replacing equipment
-Removing old cabling in offices
-Installing miscellaneous software not agreed upon beforehand
8. Assumptions
In working on this project, assumptions will be made and documented. We assume the following:
-Partial payments are to be made at milestones by customer when completed.
-Delivery of equipment, such as routers, cabling, computers, monitors, etc, will be on time and undamaged.
-Be given adequate access to the building (including all rooms, stairways, parking spaces, storage areas, etc) in order to perform work.
-High-speed Internet access available.
-Cabling to be contracted out.
9. Constraints
The following constraints will be in place for the project:
-Time available to work by project members
-Budget constraints
-Supplier constraints (for example, we are constrained by the limits – if any – our suppliers face with their stock)
-Unforeseen disasters (i.e. Hurricanes, wildfires, etc).
10. Risks
With any large project, certain risks are inherent in work we intend to do. We will try to identify any risks, the severity of those risks, and any possible action that is to be taken to mitigate those risks.
-Customers will not adapt to the new system quickly, needing more training.
-Team member may be unavailable for their portion of the job.
-Technical issues may delay the project.
-Natural forces, or other unforeseen acts of nature, may delay the project
.-Monetary issues may delay the project.
11. Stakeholders
5 Lawyers Group
12. Recommended Project Approach
For completion of this project, we will analyze the current setup of the five offices. Determine which equipment and methodologies are due to be upgraded or replaced. Then we will create an upgrade plan which suits the customer in terms of technological solution and meets their budget requirements. We recognize that in a law office, stability is a requirement, and so we will be using equipment and technology that is proven to be reliable and up to today’s standards.
COST ANALYSIS Description | Price | Qty. Ordered | Qty. Shipped | Total Price | Cisco ASR 1002 ROUTER | $11,211.99 | 11 | 11 | $123,332.00 | Cisco SGE2010 48-port Gigabit Switch | $979.00 | 13 | 13 | $12,727.00 | Cisco UCS C120 M2 General –Purpose Rack-Mount Server | $873.50 | 1 | 1 | $873.50 | Cisco Systems Cisco Universal Access Server AS5350 | $4,066.00 | 1 | 1 | $4,066.00 | Cisco 7937G unified conference phone | $580.00 | 5 | 5 | $2,900.00 | Cisco unified IP phone 7965G | $240.00 | 77 | 77 | $18,480.00 | Cisco Aironet 1250 Series Access Point | $500.00 | 26 | 26 | 13,000.00 | RIM BlackBerry Bold 9900 | 2yr contract | 75 | 75 | 0 | BlackBerry - PlayBook Tablet with 16GB Memory | $200.00 | 50 | 50 | $10,000 | Dell - 15.6" Inspiron Laptop | $529.99 | 53 | 53 | $28,037.00 | Dell 2155CN Multifunction Printer | $500.00 | 11 | 11 | $5,500.00 | Dell - 23" Inspiron All-In-One Computer | $749.99 | 75 | 75 | $56,250.00 | Power Edge 4220 Rack | $978.33 | 5 | 5 | $4,891.65 | Dell 5535dn multifunction laser printer | $3,169.99 | 5 | 5 | $15,849.95 | Microsoft Windows Small Business Server 2008 | $1,516.49 | license 5 per copy | 5 | $7,582.45 | Sage Carpe Diem Time and Billing Solutions | $50.00 | 130 | 130 | $6,500.00 | EDOCS | $8,000.00 | 1 per. Year | 1 per. Year | $8,000.00 | Cisco ASA 5510 SSL VPN Deployment | $2,200.00 | 5 | 5 | 11,000.00 | AVG Remote Administration 2012 | $100.00 | 5 | 5 | $500.00 | Ghost business ED | $66.00 | 3 yr. service 5 | 5 | $330.00 | Desktop Central 8 | $13 | 126 | 126 | $1,600.00 | Dragon Legal Practice Edition | $750.00 | 5 | 5 | $3,750.00 | Cable 6 | $139.33 | 100 FT | 15,000FT | $20,850.00 | Fiber optics | $215.40 | 1000 FT | 15,000FT | $3,225.00 | RJ-11 100 per pack | $4.00 | 100pk | 2 | $8.00 | RJ-45 100 per pack | $7.00 | 100pk | 2 | $14.00 | 2” J- hooks | $2.60 | 100pk | 2 | $5.20 | Cisco Unified Communications Manager Device License - PC | $3,000.00 | 100Lic | 1 | $3,000.00 | APC Smart-UPS 1500 LCD | $500.00 | 12 | 12 | $6,000.00 | Spam Filter for Exchange Server | $42.00 | 75 | 75 | $3,150.00 | Symantec Backup Exec | $400.00 | 1 | 1 | $400.00 | Emer Building rental | $2,000.00 | 12 months rent | N/A | $24,000.00 | T-Mobile Phone plan | $47,250 | 12 months | 1 year | $47,250 | Backup/ Misc. cost | $100,000.00 | Est. | Est. | $100,000.00 | Windstream | $259.35 | 3 year contract | 1 year | $259.35 | | | | Grand total | $543,331.10 |

Business Continuity Planning
Plan for the Law Firm

TABLE OF CONTENTS Business Continuity Planning (BCP) 11 Plan for Law Firm 11 Introduction 12 1.0 Overview 13 1.1 Policy Statement 13 1.2 Introduction 13 1.3 Confidentiality Statement 13 1.4 Manual Distribution 13 1.5 Manual Reclamation 14 1.6 Plan Revision Date 14 1.7 Defined Scenario 14 1.8 Recovery Objectives 14 1.9 Plan Exclusions 15 1.10 Plan Assumptions 15 1.11 Declaration Initiatives 15 1.12 Recovery Strategies 15 1.14 Team Charters 17 2.0 Recovery Strategies 18 2.1 Emergency Phone Numbers 20 2.3 Threat Profile 22 2.4 Recovery Strategy Overview 25 2.5 Plan Participants 27 2.6 Alternate Site Setup 29 3.0 Recovery Ranking 30 4.0 Recovery Team Checklists 31 5.0 Emergency Contacts 32 6.0 Emergency Procedures Introduction

1.0 Overview

1.1 Policy Statement

It is the Policy of the Law Firm to maintain a large scope Business Continuity Plan for all important organization functions. Each department lead is responsible for compliance with this policy and is tested no less than annually. Disaster Recovery efforts exercise reasonable measures to protect employees, safeguard assets, and client accounts.

1.2 Introduction

This document is the Business Continuity Plan for the Law Firm
This plan is designed to guide the firm through a recovery for identified organization functions. At the instance of an emergency condition, firm employees and resources will respond quickly to any condition, which could impact the firm’s ability to perform its important functions. The procedures have been designed to provide clear, brief and essential directions to recover from different degrees of interruptions and disasters.

1.3 Confidentiality Statement

This manual is classified as the confidential property of firm. Due to the sensitive nature of the information contained,, this manual is available only to those persons who have been authorized as plan participants and is, assigned to one of the firm’s recovery teams, or play a direct role in the recovery process. This manual remains the property of the firm and may be repossessed at any time. Unauthorized use or duplication of this manual is strictly prohibited and may result in disciplinary action and/or prosecution.

1.4 Manual Distribution

Each plan receiver will be given and maintain two copies of the disaster recovery manual; one copy will be kept in the receiver’s work area; the second copy will be kept at the receiver’s home. Each manual has a control number to track its distribution. Replacement manuals and additional copies may be obtained from firm’s Disaster Recovery Manager. Backup copies of all recovery documentation are maintained at On and Offsite location.

1.5 Manual Reclamation

Individuals who become active member of a disaster recovery team or an employee of the firm’s must surrender both copies of their disaster recovery manual to the Disaster Recovery Manager. The firm reserves any and all rights to follow up on the return of these manuals.

1.6 Plan Revision Date

The latest manual revision date appears in the lower right hand corner of each page. This date indicates the latest date of the plan section.

1.7 Defined Scenario

A disaster is defined as a disruption of normal organization functions where the expected time for returning to normal operations would seriously impact the firm’s ability to maintain customer commitments and legal compliance. The firm’s recovery and restoration program is designed to support a recovery effort where the firm would not have access to its buildings and data when there is an emergency condition.

1.8 Recovery Objectives

The firm’s plan was written with the following intensions:

* Ensure the life/safety of all employees throughout the emergency condition, and recovery process.

* To reestablish the essential structure related services provided by the firm within their required recovery window as identified in the recovery portfolio in Section 2 at the declaration of disaster.

* To suspend all activities not required until normal and full functions have been restored.

* To lessen the impact to the firm’s customers through the rapid utilization of effective recovery process as defined in the plan.

* To reduce confusion and bad information by providing a clearly defined command and control center.

* To consider relocation of people and facilities as a recovery plans of last resort.

1.9 Plan Exclusions

This Continuity Plan was designed with the following exclusions:

* Filling temporary positions of Management

* Restoration of the Primary Buildings

1.10 Plan Assumptions

The firm’s Business Continuity Plan was developed under certain assumptions in order for the plan to address a large base of disaster scenarios. These assumptions are:

* The firm’s recovery efforts are based on the idea that any resources required for the restoration of critical functions will reside outside of the primary Building.

* Any vital records required for recovery can be either retrieved or recreated from an off-site location and moved to the recovery facility within 24 hours.

1.11 Declaration Initiatives

The firm’s decision process for implementing any of the three levels of recovery strategies to support the restoration of critical organization functions are based on the following declaration initiatives:

* Every reasonable effort has been made to provide critical services to The firm’s customers by first attempting to restore the primary facility or operate using emergency procedures.

* After all reasonable efforts have failed to restore the primary buildings, and using manual procedures severely degrades client support, The firm will implement a recovery outcome that requires the relocation of people and resources to an alternate recovery building.

* If the outage will clearly extended past the acceptable period of time identified in the Recovery Portfolio, (Section 2) a presentation of disaster will be made.

1.12 Recovery Strategies

In order to expedite a recovery regardless of the type or duration of disaster, the firm will work multiple recovery procedures. These procedures will be in three levels. Each level will provide an effective recovery solution equally matched to the duration of the emergency.

* LEVEL 1: SHORT-TERM OUTAGE (RIDE-OUT) – INTRA-DAY

A short-term outage is defined as a period of time the firm does not require computerized network, or where an outage window of the same day or less would not allow adequate time to restore a computerized recovery operations.

* LEVEL 2: MEDIUM-TERM OUTAGE (TEMPORARY) – UPTO SIX WEEKS

A medium-term outage is defined as the time that the firm will execute its disaster recovery process, which includes a real declaration of a disaster. A disaster may either be declared firm wide or only for the effected department or building. The decision to declare a disaster will be based on the amount of time / expense that is required to start the formal recovery and the anticipated impact to the firm’s organization over this period of time.

* LEVEL 3: LONG-TERM OUTAGE (RELOCATION) – 6 WEEKS OR MORE

A long-term outage is defined, as the period of time that the firm will exceed the allowed period time of its primary recovery process. During this phase of recovery the firm will start a physical move of people and resources.
1.13 Team Overview
During an emergency each team member uses the skills that they have for everyday work to the overall response.

1.14 Team Charters

Crisis Management Team - The CMT will included senior firm management and is responsible for authorizing announcements of a disaster, emergencies investment process, approving public release of information, and ensuring donors are informed.

Emergency Response Team - The ERT is first on scene to assess the damage caused by the disaster or ensure precautionary measures are taken in any impending disaster Once the ERT determines the extent of the disaster, they will either order an evacuation of the building or work with building to minimize the effects to the firm.

Recovery Site Team - The RST Team provides enterprise-level support for both the physical site and technology issues. The members of this team will ensure that the alternate site is ready, and adequate for arriving recovery individuals. The RST will be the first at a meeting point or alternate site in order to register arriving individuals.

Business Restoration Team – The BRT’S consist of people from each firm’s area found critical to the continuation of the firm. The supervisors of the BRT get updated status from the ERT and the RST to pass on to their team members to ensure short recovery of each department.

2.0 Recovery Procedure

The following are the identified recovery procedures for the organization:

Recovery Area: | Primary process: | Backup process: | Office Space | Mobilization Time: ( ) | Mobilization Time: ( ) | Phone System | Mobilization Time: ( ) | Mobilization Time: ( ) | Network Recovery | Mobilization Time: ( ) | Mobilization Time: ( ) | Server Recovery | Mobilization Time: ( ) | Mobilization Time: ( ) | Recovery Area: | Primary process: | Backup process: | Office Equipment | Mobilization Time: ( ) | Mobilization Time: ( ) | Applications | Mobilization Time: ( ) | Mobilization Time: ( ) | Databases | Mobilization Time: ( ) | Mobilization Time: ( ) | Service Providers | Mobilization Time: ( ) | Mobilization Time: ( ) |
2.1 Emergency Phone Numbers

Complete the following to ensure that you have identified all the

Emergency services

1. Police: (____) ____ - ______

2. Fire: (____) ____ - ______

3. Alarm Company: (____) ____ - ______

4. Ambulance: (____) ____ - ______

Communications

1. Local Telco: (____) ____ - ______

2. Long distance carrier: (____) ____ - ______

3. Direct dial numbers: (____) ____ - ______
Weather information

1. NOAA: (____) ____ - ______

2. Radio station:

3. Weather channel:

Maintenance & repair

1. Janitorial: (____) ____ - ______ 2. HVAC: (____) ____ - ______ 3. Electrical: (____) ____ - ______ 4. Glazer: (____) ____ - ______ 5. Carpentry: (____) ____ - ______ 6. Plumbing: (____) ____ - ______ Logistics 1. Travel agent: (____) ____ - ______ 2. Express shipping: (____) ____ - ______

3. Taxi/limo service: (____) ____ - ______ 4. Charter air service: (____) ____ - ______ IT services 1. Hardware VAR: (____) ____ - ______ 2. Software VAR: (____) ____ - ______ 2.3 Threat Profile

Hazard: | Profile of Hazard: | First Response: | Freezing Rain | Freezing rain is rain occurring when surface temperatures are below freezing. The moisture falls in liquid form, but freezes upon impact, resulting in a coating of ice glaze on exposed objects. This occurrence may be called an ice storm when a substantial glaze layer accumulates. Ice forming on exposed objects generally ranges from a thin glaze to coatings about an inch thick. A heavy accumulation of ice, especially when accompanied by high winds devastates trees and transmission lines. Sidewalks, streets and highways become extremely hazardous to pedestrians and motorists. During the winter citizens should be prepared to shelter themselves at home for several days possibly without power. Local shelters can be opened in areas where power is not affected but transportation to a shelter may be difficult. | Step 1: Monitor weather advisoriesStep 2: Notify on-site employeesStep 3: Call local radio and TV stations to broadcast weather closing information for employees at homeStep 4: Place closing sign on all firm doorsStep 5: Arrange for snow and ice removal | Tornadoes | Tornadoes are violent rotating columns of air, which descend from severe thunderstorm cloud systems. They are normally short-lived local storms containing high-speed winds usually rotating in a counter-clockwise direction. These are often observable as a funnel-shaped appendage to a thunderstorm cloud. The funnel is initially composed to nothing more than condensed water vapor. It usually picks up dust and debris, which eventually darkens the entire funnel. A tornado can cause damage even though the funnel does not appear to touch the ground. | Step 1: Monitor weather conditionsStep 2: Notify employees of potential of severe weather Step 3: Power off equipment Step 4: Shut off utilities (power and gas) Step 5: Instruct employees to assume protective posture Step 6: Assess damage once storm passes Step 7: Assist affected employees | Floods | Unusually heavy rains may cause “flash” floods. Small creeks, gullies, dry streambeds, ravines, culverts or even low lying round frequently flood quickly. In such situations, people are endangered before any warning can be given. | Step 1: Monitor flood advisoriesStep 2: Determine flood potential to your locationStep 3: Determine employees at riskStep 4: Pre-stage emergency power generating equipment Step 5: Assess damage |

Hazard: | Profile of Hazard: | First Response: | Hurricanes | Hurricanes have the possibility to affect our area. | Step 1: Power-off all equipmentStep 2: Listen to Hurricane advisories Step 3: Evacuate area, if flooding is possibleStep 4: Check gas, water and electrical lines for damageStep 5: Do not use telephones, in the event of severe lightningStep 6: Assess damage | Earthquakes | An earthquake is the shaking, or trembling, of the earth’s crust, caused by underground volcanic forces of breaking and shifting rock beneath the earth’s surface. | Step 1: Shut off utilitiesStep 2: Evacuate building if necessaryStep 3: Account for all personnelStep 4: Determine impact of organization disruption | PowerFailures | Power failures occur in many parts of the area throughout the year. They can be caused by winter storms, lightning or construction equipment digging in the wrong location. For whatever the reason, power outages in a major metropolitan area can severely impact the entire community. | Step 1: Wait 5-10 minutesStep 2: Power-off all Servers after soft shut down procedureStep 3: Shut down main circuit located on the bottom floorStep 4: Use emergency phone line to make outgoing phone callsStep 5: Call power company for assessmentStep 6: Locate sources of mobile powerStep 7: Contact electrical companyStep 8: Re-energize buildingStep 9: Power-on equipment | Urban Fires | In metropolitan areas, urban fires can, and do, cause hundreds of deaths each year .Even with strict building codes and exceptions, citizens still parish needlessly in fires. | Step 1: Attempt to suppress fire in early stagesStep 2: Evacuate personnel on alarm, as necessaryStep 3: Notify fire departmentStep 4: Shut off utilitiesStep 5: Account for all personnelStep 6: Search for missing personnelStep 7: Asses damage |

2.4 Recovery Procedure Overview

The firm’s Business Continuity Recovery is based on the organization surviving the loss of facilities and/or key personnel and systems during a disaster.

Once The firm’s ERT has determined that a declaration of disaster is required, the following sequence of events will occur:

Steps: | Instruction: | 1: Evacuate affected facility. | If the emergency requires an evacuation of employees, execute evacuation plans contained in the Emergency Procedures section. | 2: Go to staging area. | Follow building evacuation instructions. | 3: Determine length of outage. | Review written and verbal damage assessment reports from facilities and civil authorities and then estimate the amount of time the facility will be uninhabitable. | 4: Select disaster level. | Based on the estimated duration of the outage, declare the disaster event as either a L1 (Less than 48hrs.), L2 (48hrs. to 6 weeks), or L3 (6 weeks or longer). | 5: Activate alternate facilities. | Contact alternate facilities identified in the Facilities section. Confirm their availability and alert them of estimated arrival time. | 6: Release personnel from the staging area. | Once the disaster level has been selected, release all personnel from the staging area to their assigned recovery location. * Non-essential personnel – Home * Recovery Site Team – Alternate Facility * End Users – Alternate Facility * Command Center Staff – Alternate Facility * Crisis Management Team – Alternate Facility | 7: RST establish Command Center. | RST personnel are the first to arrive at the alternate facility to setup and organize the command center prior to the arrival of the CMT and support personnel. The following representatives are required at the Command Center within 1-3 hours: * Crisis Management Team * Emergency Response Team Lead * Business Restoration Team Lead * Recovery Site Team Lead | 8: Establish situation desk. | At the command center, establish a dedicated line with operator to field all incoming calls. Announce command center phone number to all recovery participants. | 9: Review recovery matrix. | Review the Recovery Matrix Section on a department by department basis to determine who is most effected by the disaster. Group departments by recovery resource requirements, time frames, and co-location requirements. | 10: Create technology shopping list. | Once the technology requirements of the effected department(s) are known, create a requirements list for the IT support staff. | Steps: | Instruction: | 11: Contact quick ship vendors. | Using the vendor quick-ship contacts or local sources located in the LAN Restoration section order replacement technology indicated on requirements list. | 12: Retrieve electronic/hardcopy vital records, | Retrieve vital records from Iron Mountain or other locations as indicated in the Vital Records section. Have vital records shipped and staged at the alternate facility. | 13: Setup replacement LAN. | The priority of the firm’s Server restoration to support all other firm Business functions is: * Core technology * End-user servers | 14: Activate short-term recovery strategies. | Instruct each department to initiate their short-term recovery strategies. These strategies will be used while the replacement LAN/WAN circuits are implemented. | 15: Populate alternate facility. | Once the replacement LAN/WAN is functional, notify the BRT that departments can now begin executing their L2 recovery strategies. |

2.5 Plan Participants

The following presents the firm’s plan participants and their recovery function. At the time of a disaster, these individuals will be among the first to be contacted.

Recovery Role: | Primary: | Alternate: | Recovery Manager | Name: _____________________________Title: ______________________________Office: _____________________________Cell: _______________________________Home: _____________________________E-mail: _____________________________Pager/other: ________________________ | Name: _____________________________Title: ______________________________Office: _____________________________Cell: _______________________________Home: _____________________________E-mail: _____________________________Pager/other: ________________________ |

Recovery Role: | Primary: | Alternate: | Network Recovery | Name: _____________________________Title: ______________________________Office: _____________________________Cell: _______________________________Home: _____________________________E-mail: _____________________________Pager/other: ________________________ | Name: _____________________________Title: ______________________________Office: _____________________________Cell: _______________________________Home: _____________________________E-mail: _____________________________Pager/other: ________________________ | Administrative Support | Name: _____________________________Title: ______________________________Office: _____________________________Cell: _______________________________Home: _____________________________E-mail: _____________________________Pager/other: ________________________ | Name: _____________________________Title: ______________________________Office: _____________________________Cell: _______________________________Home: _____________________________E-mail: _____________________________Pager/other: ________________________ |

2.6 Alternate Site Setup

Once the alternate site has been secured, the RST’s will work with the staff to configure appropriate command enter and recovery space.

The following provides the firm’s configurations for general work areas and the command center.

Recovery Area: | Configuration: | Command Center | * Occupancy – 15 * Room – private, 750-sq. ft. * Conference table * Phones – 15 * Facsimile – 2 * Office Equipment – copier, typewriter, PC, printer, folding tables * Office supplies – flip charts, stationary, writing supplies * Communications – Walkie-talkies, tape recorder, cellular phones | Work Area Recovery | * Occupancy – 50 * Room – 5000- sq. ft. * Folding Tables- each workstation needs to be 3ft apart * Phones – 50 * Facsimile – 3 * Office Equipment – copier, typewriter, tape recorder, 15 pre-configured laptops * Office supplies – flip charts, stationary, writing supplies * Communications – 3 fax lines, 10 modem lines, 50 voice lines | Mail Room | * Occupancy – 2 * Room – 250-sq.ft. * Phone – 1 * Office Equipment – scale, postage meter * Supplies – Mailing/shipping supplies | Vital Records Staging | * Occupancy – 2 * Room – private, 300 sq. ft. * Office Equipment – folding tables, metal racks |

3.0 Recovery Ranking

The following organization processes will be recovered within the sequence specified below:

PriorityRank: | Organization Process: | Potential Impact: | Allowable Downtime: | 1 | | | | 2 | | | | 3 | | | | 4 | | | | 5 | | | |
4.0 Recovery Team Checklists

Develop checklist for each recovery function:

Recovery Function: | Administration | Primary: | Jane Doe | | | Alternate: | John Doe | Alternate Locations: | Primary Staging Area: | Alternate Staging Area: | | Primary Work Area: | Alternate Work Area: | Charter: | Responsible for all of the administrative aspects of the recovery effort. This includes maintaining the plan currency, activating the command center and providing logistics and employee assistance support during the recovery effort. | Recovery Resources: | In order to perform your recovery efforts, you will need access to the following resources: | | -------------------------------------------------
-------------------------------------------------
Phone:------------------------------------------------- | -------------------------------------------------
-------------------------------------------------
PC:------------------------------------------------- | -------------------------------------------------
-------------------------------------------------
Network------------------------------------------------- | -------------------------------------------------
-------------------------------------------------
Internet------------------------------------------------- | -------------------------------------------------
-------------------------------------------------
Fax------------------------------------------------- |

5.0 Emergency Contacts

5.1 Vendor Dependencies

All plans require a proper listing of external contacts:

Provider: | Contact: | Purpose: | APC Corp. | 888.289.APCC | Power protection systems | Agility Recovery Solutions | 800.567.5001 | Mobile recovery resources | Belfor, Inc. | 800.856.3333 | Electronics restorations | BMS Catastrophic | 800.433.2940 | Damage restoration (fire & water) | Crisis Care Network | 888.736.0911 | Crisis management | Data Protection | 800.267.1664 | Online data backup | Electronic Restoration Services | 888.248.3148 | Data restoration services | Emergency Lifeline Corp. | 800.826.2201 | Disaster response kits | FedEx Custom Critical | 800.762.3787 | Expedited shipping | Generac Power Systems | 262.544.4811 | Emergency power supply | IMAC | 800.554.IMAC | Crisis management | Iron Mountain | 800.899-IRON | Off-site data storage | Kohler Rental Power | 888.769.3794 | Diesel generators. | Mail-Gard Continuity & Recovery Services | 215.957.1007 | Mail processing recovery | Media Recovery, Inc. | 800.527.9497 | Damaged media recovery | Network Services, Inc. | 800.392.3299 | Satellite linked command center | Renew Data Corp. | 888.811.3789 | Data recovery and forensics | Rentsys Recovery Services | 800.955.5171 | Emergency technology recovery | Service Master | 800-RESPOND | Fire, smoke & water restoration |

Cisco ASR 1002 Router

* Integrated route and serial interface processors. It houses three shared adapter slot. * 5 Gbps or 10 Gbps embedded services processor and four built-in gigabit ethernet ports.
It support features such as security, deep packet inspection and firewall

Power Edge 4220 Rack

* Cooling- Front and rear doors with 80% perforation allow air to flow smoothly. * Cable management- Deep design> provide the right space to route cables for every need. * Extremely strong and secure- static load rating of 2,500 lbs., stabilizer feet on both sides, and lockable side panels and front and rear doors. * Power distribution- integrated trays offer tool-free mounting for vertical PDUs.
Cisco SGE2010 48-port Gigabit Switch

Allows you to expand the size of your high-speed, gigabit network securely and reliably. Fully redundant stacking and dual firmware images. Because network uptime loses its worth if your data isn't secure, the integrated security and authorization features of this managed switch prevent unauthorized access to y Included Quality of Service (QoS) functionality supports your video and voice communications our network's critical information * Additional features of the Cisco SGE2010 Ethernet Switch include: * 48 10/100/1000 Ethernet ports, four miniGBIC slots (shared with four Ethernet ports) for network expansion * Secure, encrypted management via SSH and SSL, as well as 802.1x and MAC authentication and filtering * Advanced security - Protect against "man in the middle" (eavesdropping) attacks - ARP Inspection, IP Source Guard, DHCP Snooping, STP Root Guard * Resilient stacking for web-based management of up to four supported switches at once * Limited lifetime warranty with one year of technical support and free software fixes

Cisco ASA 5510 Security Appliance 10
Firewall

Cisco ASA 5510 adaptive security appliance is purpose-built solution that combine best of breed security and VPN services with the innovative Cisco Adaptive Identification and Mitigation (AIM) architecture. Designed as a key component of the Cisco Self-Defending Network, the Cisco ASA 5510 provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a powerful multifunction network security appliance family that provides the security breadth and depth for protecting small and medium-sized business and enterprise networks while reducing the overall deployment and operations costs and complexities associated with providing this new level of security.

Cisco 7937G unified conference phone

* Feature wideband voice and microphone quality, with simplified wiring and administrative cost. * IP-based, hands-free conference station. * Speakerphone * Multiple ring tones * Volume control supports IEEE 803.af PoE classes * Comfort noise generation and voice activity detection * 255x128 high-resolution graphical 32 level grayscale, backlit, pixel display * Mute, hold and redial buttons

Cisco unified IP phone 7965G

* VoIP telephone, including wideband audio support, backlit color display and an integrated gigabit Ethernet port. * Easy access to communication information, timesaving applications, features such as time and date, calling party name, calling party number, digit dialed. * This phone provides direct access to six telephone lines, four interactive soft keys that guide you through call features and functions and an intuitive four-way navigation cluster.

Dell 5535dn multifunction laser printer

* Print up to 275,000 pages with minimal user interface. * Manage the 5535dn printer remotely using a Web browser with Dell printer configurator web tool * Optional wireless LAN capability, standard Ethernet 10/100 base-t networking lets you easily wire the 5535dn for a large workgroup.

Dell 2155CN Multifunction Printer

* Modem Speed 33.60 Kbps * Maximum Memory 768 MB Number of Copies 99
Platform Supported Mac PC Duty Cycle 40000 pages per month Recommended Use Plain Paper Print Standard Warranty 1 Year Standard Memory 512 MB Transmission Speed 3 sec/page
Dell - 15.6" Inspiron Laptop - 6GB Memory - 500GB Hard Drive - Black

* 2.3 GHz processor, features 4-way processing performance for HD quality. * 6 GB DDR3 memory * 500GB serial ATA hard drive, spacious storage and fast read/write times. * 2 USB 3.0 and 2 USB 2.0 ports for fast digital video, audio and data transfer. * Built-in Intel Centrino wireless-N 1030 networking (802.11b/g/n) connects to the internet without wires. * Integrated 10/100 network interface with RJ-45 connector for quick and easy wired web connection.

Dell - 23" Inspiron All-In-One Computer - 6GB Memory - 1TB Hard Drive

* 2nd Gen Intel® Core™ i3-2120 processor * Features a 3MB cache. * 6GB DDR3 SDRAM * For multitasking power, expandable to 8GB. * 1TB Serial ATA hard drive (7200 rpm) * Offers spacious storage and fast read/write times. * 4 USB 3.0 and 2 USB 2.0 ports * For fast digital data transfer and easy peripheral connectivity. * Built-in Dell Wireless 1703 LAN (802.11b/g/n) * Connect to the Internet without wires. * Built-in 10/100/1000 Mbps Ethernet LAN * For quick and easy wired Web connection.
BlackBerry - PlayBook Tablet with 16GB Memory

* This tablet features BlackBerry e-mail, calendar, BBM, tasks, documents and more along with a 7" LCD touch-screen display for easy navigation of features. The 16GB internal memory offers ample space for media storage. * Wi-Fi 802.11a/b/g/n network for Internet capability on the go * Only when connected through your BlackBerry Bridge can you access corporate BIS e-mail via your handheld on Playbook. * All POP e-mail services (Hotmail, Gmail, Ymail, etc.) are available on Playbook through icons/apps on the desktop or directly through the Internet.

Blackberry 9900

Technical Details : 2.8" capacitive touch display Full, wide QWERTY keyboard BlackBerry 7 OS 1.2 GHz Processor 5.0MP camera with flash 720p HD video recording capability 1230 mAH battery 768 MB RAM 8GB on-board memory Micro SD slot supports up to 32GB Dual-band Wi-Fi GPS Tri-band HSPA+, Quad-band GSM/EDGE NFC technology New Augmented Reality enabled with digital compass and accelerometer BlackBerry QWERTY keyboard 24-bit high-resolution touch screen 10.5mm thin design New powerful 1.2GHz processor 8GB onboard memory expandable up to 40GB through uSD card Dual-band (2.4GHz & 5GHz) Wi Enabled for new NFC and Augmented Reality New digital compass Next generation BlackBerry 7 OS Featuring Liquid Graphics Fastest BlackBerry Voice activated universal search Full HD video recording Most pre-Installed apps Iconic BlackBerry QWERTY keyboard 24-bit high-resolution touch screen 10.5mm thin design Fully loaded with the latest technologies New powerful 1.2GHz processor 8GB onboard memory expandable up to 40GB through uSD card Dual-band (2.4GHz & 5GHz) Wi Enabled for new NFC and Augmented Reality New digital compass Next generation BlackBerry 7 OS Featuring Liquid Graphics Fastest BlackBerry Voice activated universal search Full HD video recording Most pre-Installed apps New high resolution touch screen High-res full touch screen - all in the thinnest BlackBerry Bold 6% larger than the BlackBerry Bold 9000 16 million colors Premium materials and finishes Wi-Fi Fastest Browser ever Voice activated on a BlackBerry smartphone ever New BBM New BlackBerry App World Docs to Go BlackBerry Balance BlackBerry Protect Social Feeds BlackBerry Music Storefront BlackBerry PlayBook ready
Cisco Systems Cisco Universal Access Server AS5350

* The Cisco AS535-4E1 Universal Gateway is the only one-rack-unit gateway supporting 2-, 4-, or 8-port T1/7-port E1 configurations that provides universal port data, voice, and fax services on any port at any time. * It offers high performance and high reliability in a compact, modular design. This cost-effective platform is ideally suited for Internet service providers and enterprise companies that require innovative universal services. * Operating System IP+ IOS Installed Memory512 MB
Cisco Aironet 1250 Series Access Point

* Cisco Aironet 1250 Series wireless access points provide reliable and predictable 802.11n WLAN coverage for rugged indoor environments. * These enterprise-class access points offer combined data rates of up to 600 Mbps to provide users with mobile access to high-bandwidth data, voice, and video applications. * WPA2 * 5

APC Smart-UPS 1500 LCD

* UPS, External, 1440 VA power capacity, 7 min battery run time (up to), 980 Watt power provided, AC 120 V, 3 year warranty. * As the most popular UPS in the world for servers, storage and networks. * Trusted to protect critical data and equipment from power problems by supplying clean and reliable network-grade power. * It has the capability to add external battery packs to scale runtime from minutes to hours typically needed for converged voice and data networks.

Software

* Microsoft Windows Small Business Server 2008 is an all-in-one server solution designed to help you keep your data more secure and your company more productive. * It provides many of the features used by larger companies, such as e-mail, Internet connectivity, internal Web sites, remote access, support for mobile devices, file and printer sharing, backup, and restore, all at one affordable price.

Carpe Diem * Sage Carpe Diem Time and Billing Solutions * The billing-oriented professional is presented with a daily challenge when it comes to accurately accounting for time and expenses on behalf of clients. Sage Carpe Diem Electronic Time Sheet addresses this challenge like only an industry leader can. Integration with internal billing or accounting systems, off the shelf, custom, or legacy, makes Sage Carpe Diem the obvious choice to improve the efficiency and accuracy of time collection for billing purposes. Designed to support the most popular client/server database engines, Sage Carpe Diem's scalable system protects the integrity of your most important resource, your time.

Desktop and Laptop OS

Windows 7 Ultimate is the most powerful and versatile edition of Windows 7. It combines the entertainment features of Home Premium and the business capabilities of Professional. It offers the most security with BitLocker, which encrypts everything from your documents to passwords.

EDOC’S
Formerly Hummingbird (DM) * User Access & Mainstream Authoring Tools * Web Servers * Transaction * Servers * DM Repositories * Hummingbird Search Server * Indexes * Hummingbird DM/RM

Cisco ASA 5500 SSL VPN Deployment

AVG Remote Administration 2012

* AVG Email Scanner Ensure a safe and clutter-free inbox by taking advantage of automatically checked email attachments and links AVG Anti-Virus, Resident Shield and Smart Anti-Root kit Keep your workstations, networks, and employees safe from getting or spreading the latest viruses, worms, and Trojans AVG Online Shield™ Enable safe downloads and file shares, as well as risk-free chat and file exchange on ICQ, MSN, Yahoo! Instant Messenger AVG Anti-Spyware Protect your classified business data and communications by identifying and removing tracking software like spyware and adware AVG Threat Labs Access detailed information regarding website security including clear and comprehensive website security reports, as well as information regarding your own site’s safety status. AVG Firewall Block hackers from sabotaging your wired and wireless networks Secure your data with the expert’s choice * AVG File Server Protection Preserve client and supplier confidentiality by protecting all critical business data located on your file servers AVG Identity Protection Shield passwords and credit card numbers and identify all potentially dangerous software, enabling secure transactions between you and your clients / suppliers AVG Link Scanner® Superior Phishing Protection Keep your inbox and online experience free from malware by ensuring all web pages and emails are genuine AVG Protective Cloud Technology Identify current and emerging threats by employing multiple scanning engines and “in the cloud” behavioral detection technology AVG Community Protection Network Profit from fellow AVG users who share information regarding new threats
Spam Filter for Exchange Server

* SPAM fighter Exchange Module (SEM) is an easy-to-use yet highly configurable solution for protecting your business from spam, phishing attempts, and malware * SEM is a unique anti spam and anti malware solution that's powered by a community of over 8,135,189 SPAM fighter users. This means instant and automatic effectiveness against the identification of spam emails and threats and absolutely no work involved with training the spam filter to work for you.
Ghost business ED
Imaging

* Key Features * Deploy Anywhere technology creates hardware-independent imaging. * Create base images from a live system using hot imaging. * Support for Microsoft Windows Vista and 64-Bit OS's. * Single centralized management console for management of all migration tasks. * Built-in Vista inventory filters for identification and targeting of 'Vista ready' machines. * Hardware and software inventory for efficiently managing image and software deployments.
Desktop Central 8 * Uses a hosted Patch Database at Manage Engine site to assess the vulnerability status of the network * Completely automated Patch Management Solution for both physical and virtual assets. * Solution from detecting the missing patches/hotfix to deploying the patches * Patch based deployment - Deploy a patch to all the systems applicable * System based patch deployment - Deploy all the missing patches and hot fixes for a system * Provision to test and approve patches prior to bulk deployment * Automatic handling of patch interdependencies and patch sequencing * Reports on System vulnerabilities, Patches, OS, etc. * Provides an update of the patch deployment status. * Supports both Microsoft and Non-Microsoft Patches.

Dragon Legal Practice Edition

Symantec Backup Exec

Service Level Agreement
The purpose of this agreement is to provide support services available to Firm and its users fo any IT problems that may occur
Prime Connection will provide quality services for end users with the full support of the firm
This agreement will start on the date following the acceptance by both parties and will continue until terminated
This agreement will be reviewed every six months The review will cover services provided, service levels and procedures. Changes to this agreement must be approved by both parties
In the event of any discrepancy between actual and targeted service levels both parties are expected to identify and resolve the reasons.
All complaints relating to the operation of the help service received by either party will be forwarded in writing the intent is to ensure a, timely and open resolution of all problems.
The firm’s IT Help/Support Service will operate daily from 8:00 am· a.m. to 6:00 p.m. except on public holidays where alternative arrangements will be made and publicised
Response Times
Table1 shows the priority assigned to faults according to the importance of the reported problem. The priority assignment is to refer to the initial telephone response to the client as per this document. The support level refers to the firm’s guide for support available. Table 1- Response Priority Support Level | Business Critical | Business Critical | Non- Business Critical | Non- Business Critical | Request For Service | | Fatal | Impaired | Fatal | Impaired | | High | A | B | B | C | R | Medium | A | B | C | C | R | Low | B or C | C or D | C or D | D | R | Fatal | - | Total system inoperability. | Impaired | - | Partial system inoperability. | Business Critical | - | Unable to perform core business functions. | Non-Business Critical | - | Able to perform limited core business functions. |
Priority Level Response Times
Table 2 shows the required initial telephone response times for the individual priority ratings. All times indicated represent telephone response time during specified working hours of 8:00 am to 6:00 pm Monday to Friday, unless otherwise indicated in this document, or otherwise agreed upon by both parties.
The indicated telephone response time represents the maximum delay between a fault/request being reported to the firm IT representative contacting the client by telephone. The purpose of this telephone contact with the individual is to notify the client of the receipt of the fault/request from the firm’s IT and provide the client with details of the action to be taken in respect of the particular fault/request. Table 2- Priority Level Response Times Priority Level | Response Time | A | 15 Minutes | B | 30 Minutes | C | 45 Minutes | D | 60 Minutes | R | 90 Minutes |

The following is an example of what the client should have for the response team in order to facilitate a fast an efficient resolution to their issue:
Request for help List:
Name, section, street/building address and telephone number client contact.
Details of problem equipment - type, make, model and serial number.
Details of package in use - name, version and installer.
Details of operating environment - LAN, WAN, operating system, user interface etc.
Complete description of the fault/request.
If installation requested complete details of hardware/software to be installed.
Purchase/Emergency Order Number (where applicable).

Security Policy
A. It will be the policy of the firm that information, as defined in all its forms--written, spoken, recorded electronically or printed will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes any appropriate security over the equipment and software used to process, store, and transmit that information.
B. All policies and procedures must be documented and made available to individuals responsible for enforcement and use of this document. All activities identified by the policies and procedures must also be documented. All the documentation, which may be in electronic form, must be retained for at least 6 (six) years after initial creation, or, pertaining to policies and procedures, after changes are made. All documentation must be periodically reviewed for currency, a period of time to be determined by each entity within the firm.
C. At each department level, additional policies, standards and procedures will be developed detailing the for enforcement and use of this document and set of standards, and addressing any additional information systems functionality in such department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the conditions of this policy where possible. Existing systems are expected to be brought into compliance where possible and as soon as practical.

SCOPE
The scope of information security includes the protection of the confidentiality, integrity and availability of information.
INFORMATION SECURITY DEFINITIONS

Covered properties: Legally separate, but affiliated, covered properties which choose to designate themselves as a single covered entity for purposes of HIPAA.
Availability: Data or information is accessible and usable upon demand by an authorized person.
Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.
HIPAA: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards.
Integrity: Data or information has not been altered or destroyed in an unauthorized manner.
Involved Persons: Every worker at the firm no matter what their status. This includes physicians, residents, students, employees, contractors, consultants, temporaries, volunteers, interns, etc.
Involved Systems: All computer equipment and network systems that are operated within the firm environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.
Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.
INFORMATION SECURITY RESPONSIBILITIES

A. Information Security Officer: The Information Security Officer for each property is responsible for working with management, owners, custodians, and users to develop and implement security policies, procedures, and controls, subject to the approval of the firms IT head. Specific responsibilities include:
1. Ensuring security policies, procedures, and standards are in place.
2. Providing basic security support for all systems and users.
3. Advising owners in the identification and classification of computer resources.
4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production use.
5. Educating custodian and management with comprehensive information about security controls affecting system users and application systems.
6. Providing on-going employee security education.
7. Performing security audits.
8. Reporting regularly the status of firm’s information security.
9. Specifying controls and communicating the control requirements to the custodian and users of the information.
10. Reporting promptly the loss or misuse of firm information.
11. Initiating corrective actions when problems are identified
Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner
1. Provide and recommend physical safeguards.
2. Provide and recommend procedural safeguards.
3. Administering access to information.
4. Releasing information as authorized by the Information Owner and the Information Privacy/ Security Officer for use and disclosure using procedures that protect the privacy of the information.
5. Evaluating the cost effectiveness of controls.
6. Maintaining information security policies, procedures and standards as appropriate
7. Promote employee education and awareness by using programs where appropriate.
User Management:. User management is responsible for overseeing their employees' use of information.
1. Reviewing and approving all requests for their employee’s access authorizations.
2. Start security change requests to keep employees' security record current with their positions and job functions.
3. Informing the appropriate employer of employee terminations and transfers, in accordance with termination procedures.
4. Prohibit physical access to terminated employees, i.e., confiscating keys, changing combination locks, etc.
5. Provide employees with the opportunity for training needed to properly use the computer systems.
6. Report the loss or misuse of firm information.
7. Start corrective actions when problems are identified.
8. Following existing approval processes for the selection, budgeting, purchase, and start of any computer system/software to manage information.
User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:
1. Access information only in support of their authorized job responsibilities.
2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
3. Keep personal authentication devices (e.g. passwords, Secure Cards, PINs, etc.) confidential.
4. Start corrective actions when problems are identified.

INFORMATION CLASSIFICATION
Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification the integrity and accuracy of all classifications of information must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats must have the same classification regardless of format. The following levels are to be used when classifying information:
Confidential Information
1. Confidential Information is very important and highly sensitive material that is not classified. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access.
2. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for the firm, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner.
Internal Information
1. Internal Information is intended for unrestricted use within the firm, and in some cases within affiliated organizations such as other business partners.
2. Any information not explicitly classified confidential or public will by default, be classified as Internal Information.
3. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal reasons.
Public Information
1. Public Information has been specifically approved for public release by a designated authority the firms IT. Examples of Public Information may include marketing brochures and material posted on the firm’s internet web pages.

COMPUTER AND INFORMATION CONTROL
All involved systems and information are assets of the firm and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.
Ownership of Software: All computer software used must not be copied for use at home or any other location, unless otherwise specified by the license agreement.
Installed Software: All software packages that reside on computers and networks within the firm must comply with applicable licensing agreements and restrictions and must comply with firm acquisition of software policies.
Virus Protection: Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.
Access Controls: Physical and electronic access to Confidential and Internal information and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be started as recommended by the Information Security Officer and approved by firm’s IT. Mechanisms to control access to Confidential and Internal information include (the following methods:
Authorization:
Access will be granted on a “need to know” basis and must be authorized by the immediate supervisor and application owner with the assistance of firm IT. Any of the following methods are acceptable for providing access under this policy:
a. Context-based access: Access control based on the context of a transaction. The “external” factors might include time of day, location of the user, strength of user authentication, etc.
b. Role-based access: An alternative to traditional access control models that permits the specification and enforcement of specific security policies in a way that fits more naturally to an organization’s business. Each person is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
c. User-based access: A security mechanism used to grant users of a system access based upon the identity of the person.
Identification/Authentication:
Unique user identification and authentication is required for all systems that maintain or access Confidential and Internal Information. employees will be held accountable for all actions performed on the system with their user id.
a. At least one of the following authentication methods must be implemented:
1. Strictly controlled passwords
b. The user must secure his/her authentication control such that it is known only to that person and a security manager.
c. An automatic timeout re-authentication must be required after a certain period of no activity.
d. The user must log off or secure the system when leaving it.
Data Integrity:
The firm must be able to provide proper examples that Confidential, and Internal Information has not been altered or destroyed in an unauthorized manner. Listed below are some methods that support data integrity:
a. transaction audit
b. disk redundancy (RAID)
c. ECC (Error Correcting Memory)
d. checksums (file integrity)
e. encryption of data in storage
f. digital signatures
Transmission Security:
Technical security rules must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features must be implemented:
a. integrity controls and
b. encryption, where appropriate

Remote Access: Access into firm network from outside will be granted using firm approved devices and pathways on an individual user and application basis.
Physical Access:
Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals.
The following physical controls must be in place:
a. Mainframe computer systems must be installed in an access-controlled area. The area in and around the computer facility must afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.
b. File servers containing Confidential and Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
c. Workstations or personal computers must be secured against use by unauthorized individuals. Procedures and standards must be developed on secure and appropriate workstation use and physical safeguards which must include procedures that will: 1. Position workstations to minimize unauthorized viewing of protected health information. 2. Grant workstation access only to those who need it in order to perform their job function. 3. Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to protected information. 4. Employ physical safeguards as determined by risk analysis, such as locating workstations in controlled access areas or installing covers or enclosures to preclude passerby access . 5. Use automatic screen savers with passwords to protect unattended machines. d. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Policies and procedures must be developed to address the following facility access control requirements: 1. Disaster recovery operations –Procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. 2. Facility Security Plan Policies and procedures to safeguard the facility and the equipment from unauthorized physical access, tampering, and theft. 3. Access Control and Validation Procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. 4. Maintenance records Policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).
Emergency Access:
a. Firm IT is required to establish a procedure to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency.
b. Procedures must be able to address: 1. Authorization, 2. Implementation
Equipment and Media Controls: The disposal of information must ensure the continued protection of Confidential and Internal Information. Each section must develop and begin policies and procedures that govern the receipt and removal of hardware and electronic media into and out of a facility, and the movement of these items within the facility:
Information Disposal / Media Re-Use :
a. Hard copy (paper and microfilm/fiche)
b. Magnetic media (floppy disks, hard drives, zip disks, etc.) and
c. CD ROM Disks

Accountability: Each section must maintain a record of the movements of hardware and electronic media and any person responsible therefore.
Data backup and Storage: When needed, create a retrievable, exact copy of electronic information before movement of equipment.
Other Media Controls:
Confidential Information stored on external media (diskettes, cd-roms, portable storage, memory sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as Confidential Information. Further, external media containing Confidential Information must never be left unattended in unsecured areas. Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PC’s, etc.) unless the devices have the following minimum security requirements implemented:
a. Power-on passwords
b. Auto logoff or screen saver with password
c. Encryption of stored data or other acceptable safeguards approved by Information Security Officer
Further, mobile computing devices must never be left unattended in unsecured areas.
If Confidential Information is stored on external medium or mobile computing devices and there is a breach of confidentiality as a result, then the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of firm Information Security Policies and Confidentiality Statement signed as a condition of employment or affiliation with firm.
Data Transfer/Printing:
Electronic Mass Data Transfers:
Downloading and uploading Confidential and Internal Information between systems must be strictly controlled. A request for mass downloads of, individual requests for information for research purposes must be approved through the proper channels. All other mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request.
Other Electronic Data Transfers and Printing: Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals. Confidential information must not be downloaded, copied or printed left unattended and open to compromise.
Oral Communications: Firm staff should be aware of their surroundings when discussing Confidential Information. This includes the use of cellular telephones in public areas. Firm staff should not discuss Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.
Contingency Plan: Controls must ensure that the firm can recover from any damage to computer equipment or files within a reasonable period of time. Each office is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain Confidential, or Internal Information. This will include developing policies and procedures to address the following:

* Data Backup Plan: a. A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information. b. Backup data must be stored in an off-site location and protected from physical damage. c. Backup data must be afforded the same level of protection as the original data. * Disaster Recovery Plan: * A disaster recovery plan must be developed and documented which contains a process enabling the office to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. * Emergency Mode Operation Plan: * A plan must be developed and documented which contains a process enabling offices to continue to operate in the event of fire, vandalism, natural disaster, or system failure.

Miscellaneous
Backup plan will have a testing period of no more than four weeks to evaluate the continuing expense for the year of storage and storage supplies
Prime connection employee will stay on premises for no longer than nine months after initial completion of the project with firm permission in order to help oversee test of backup period and consult/assist with any issue pertaining to the network. After this time the firm will have the option to continue or dismiss such employee at anytime in writing. Continued service will be at firm’s cost.
ISP
Windstream VOIP & Data Bundle (VoxIP) Full Data T1
Network: VOIP & Data Bundle 1.5M x 1.5M Yes 3 Year
Quote Line 9
Email Addresses 30 Email POP3 Accounts
This is the number of POP3 email boxes that come with this package.
IPs IP Address Included
Web Hosting Web Hosting with 1 GB Storage

Building layout

Building wiring layout

Legend: Blue = Copper Yellow=Fiber optic
Risk Management Plan

Purpose
A risk is an event or condition that, if it occurs, could have a positive or negative effect on a project’s objectives. Risk Management is the process of identifying, assessing, responding to, monitoring, and reporting risks. This plan defines how risks associated with the project will be identified, analyzed, and managed. It outlines how risk management activities will be performed, recorded, and monitored throughout the project and provides templates and practices for recording and prioritizing risks.
The Risk Management Plan is created by the project manager in the Planning Phase of the project and is monitored and updated throughout the project.
The intended audience of this document is the project team, project sponsor and management.
Procedure
The project manager working with the project team and project sponsors will ensure that risks are actively identified, analyzed, and managed throughout the life of the project. Risks will be identified as early as possible in the project so as to minimize their impact. The steps for accomplishing this are outlined in the following paragraphs the project manager or other designee will serve as the Risk Manager for this project.

Risk Identification
Risk identification will involve the project team, appropriate stakeholders, and will include an evaluation of environmental factors, culture of the organization and the project management plan including the project scope. Attention will be given to the project deliverables, assumptions, constraints, cost/effort estimates, resource plan, and other key project documents.
A Risk Management Log will be generated and updated as needed and will be stored.
Risk Analysis
All risks identified will be assessed to identify the range of possible project outcomes. An outlined list will be used to determine which risks are the top risks to pursue and respond to and which risks can be ignored.
Risk Analysis
The probability and impact of an issue for each identified risk will be assessed by the project manager, with input from the project team using the following approach:

Probability * High – Greater than 70% probability of occurrence * Medium – Between 30% and 70% probability of occurrence * Low – Below30% probability of occurrence

* Impact * High – Risk that has the potential to greatly impact project cost, project schedule or performance * Medium – Risk that has the potential to slightly impact project cost, project schedule or performance * Low – Risk that has relatively little impact on cost, schedule or performance

Risk Analysis
Analysis of risk events that have been prioritized using risk analysis process on the project activities will be estimated, a numerical rating applied to each risk based on this analysis, and then documented in this section of the risk management plan.
Risk Response Planning
Each major risk will be assigned to a project team member for monitoring purposes to ensure that the risk will not “fall through the cracks”.
For each major risk, one of the following approaches will be selected to address it: * Avoid – eliminate the threat by eliminating the cause * Mitigate – Identify ways to reduce the probability or the impact of the risk * Accept – Nothing will be done * Transfer – Make another party responsible for the risk (buy insurance, outsourcing, etc.)

* For each risk that will be mitigated, the project team will identify ways to prevent the risk from occurring or reduce its impact of occurring. This may include prototyping, adding tasks to the project schedule, adding resources, etc.
For each major risk that is to be mitigated or that is accepted, a course of action will be outlined for the event that the risk does materialize in order to minimize its impact.
Risk Monitoring, Controlling, and Reporting
The level of risk on a project will be tracked, monitored and reported throughout the project cycle.
A “Top 10 Risk List” will be maintained by the project team and will be reported as a component of the project status reporting process for this project.
All project change requests will be studied for their possible impact to the project risks.
Management notification of important changes to risk status
Tools and Practices A Risk Log will be maintained by the project manager and will be reviewed as a standing item for project team meetings. risk management plan approval
The undersigned acknowledge they have reviewed the Risk Management Plan for the firm project. Changes to this Risk Management Plan will be coordinated with and approved by the undersigned or their designated representatives.

Signature: | | Date: | | Print Name: | | | | Title: | | | | Role: | | | |

Signature: | | Date: | | Print Name: | | | | Title: | | | | Role: | | | |

Signature: | | Date: | | Print Name: | | | | Title: | | | | Role: | | | |

Signature: | | Date: | | Print Name: | | | | Title: | | | | Role: | | | |