1. Analyze strategic pre-incident changes the company would follow to ensure the well-being of the enterprise.

Pre-incident plan for changes the company should take in advance of a disaster. First, our company needs to develop a team which should consist of someone from each department. The next order of business would be to organize, develop and administer a preparedness program that should include training, procedures, etc. With EPLAN, the main pieces for a disaster program would be around data. This company data is its key. This does not just contain customer data, but each individual’s data and their work needs to be backed up. Also they will need a plan for backing up all human resources filing and information, billing and finance and marketing data. First steps would be for the team to assemble a list of what are some of the hazards and assess the risks of losing this data. Second they would need to conduct an impact analysis plan to see if this will hurt the business. Third examine ways to prevent hazards from happening. With a company such as EPLAN, the team would evaluate all data and where the data is housed. Some servers are currently overseas but most data is stored in the office of Farmington Hills, MI. The server room is not protected by any Fire protection walls. The company data for employees are on their computers and are currently not being backed up onto the server as most of the employees work from home. The only employees that are backed up on the server are out of the Farmington Hills office. This office is where the Finance and human resource departments are located. So all of the electronic documentation is housed on the in house server but there currently they do not have a data warehouse to back up this data. All marketing data is housed on the marketing manager’s computer with no back up. This position works out of the home and has all data on laptop. Now that we know where each data location is stored, we can take it to the next step of what to do in advance of a disaster. First is the concern of the main customer data and any technical support data that is housed on the internal server. There are two things that need to be addressed in this scenario. One – current server room set up and two – data warehouse location for backup. The plan needs to include a fire safe room for all servers so in the case of a fire, the data is protected. Second, routing to a data center. First thing to think about it is where to house the data. If a natural disaster where to hit this area, we do not want all data in the same vicinity. Most likely in a different climate at least 3-4 states over or more. Currently we have a sister company based in Houston and some of the employees work out of this location so it would be a good contender for a data warehouse location. Next is the concern of all employees who are not currently on any server. Each employee should be given a back up drive to house all data. There should be processes that every so many days that the employees are required to back up data on this drive. This isn’t the best solution so the company can look into a possible cloud service for backing up data. 2. Analyze the ethical use and protection of sensitive data.

All customers have the right to have protection of their data whether they consider it to be sensitive or not. As a business, we need to be sure that we are ethical with their data and protect it at all costs. Not only do we need to protect our customer’s data but also our employees. Our employees trust that any information given to the company in confidence will be protected such as social security numbers, payroll information, any reviews, write ups, complaints filed and much more.
First let’s discuss our strategy on protection of sensitive data and the ethical use of this data for our customers and what this data entails. This data needs to be protected and comply with laws, regulations, policies within the country and company. We have legal and ethical responsibilities to protect the privacy and confidentiality of all gathered customer data. We will need to create a privacy and confidential policy for all customer data with guidelines and procedures on how to protect their data. Also since some companies pay with credit card information there needs to be Data Security Standards for all payments made by credit card.
First we need to create degree of data sensitivity levels. Bottom level is public that is defined as not protected and made public to employees. This data could include basic policies of how the company is to use data. What is included publically in their contracts? Middle level is sensitive that is data that is not disclosed without good reason due to private information and is protected by company procedures and have high ethical standards. This data is data that cannot be disclosed without the right clearance level in the company. The next level is confidential. This level is the most highly protected data such as company financial records; credit card information which needs to be protected by security standards and this is anything that is protected by laws, regulations, and our contracts.
Employees also need procedures on how to protect individual privacy and reducing the potential for identity theft. First we need to create degree of sensitivity levels for data for employee too. Bottom level is public that is defined as not protected and made public to anyone in the organization. This data could include basic policies of the company such as dress codes, work hours, employee handbooks. Middle level is sensitive that is data that is not disclosed without good reason due to private information and is protected by company procedures and have high ethical standards. This data includes employment data such as salary data, employee personal information such as race/ethnicity, any special needs, etc. The next level is confidential. This level is the most highly protected data such as employees reviews, any financial data such as 401k, social security numbers, date of birth, drivers license #’s, health records and any banking information.
Now that we know what data levels are assigned, we need to know how to protect the data in case of emergency. One of the simplest strategies is strong passwords. Making sure that employees follow a strong password policy such as capital letters, numerical values, symbols are some examples. This will protect the information for the customers they are working on. Limiting access to all customer data is also important. Just because an employee works with a customer does not mean that they should have access to all data. So clearance levels should be in effect due to job titles. Another factor is a high security data system. Protecting the customer data is first priority. Encryption of all data is necessary and finding the right tools to be effective will be important. Also an anti-phishing software program is another option. It will alert you to any fraudulent activities when detected against your customer’s data.
Having firewalls, anti-phishing, levels of security are important but educating the employees is even more important. Developing policies and regular training for employees on how to handle customer data is extremely important. Regular updating of documentation and policies will go far in protecting all data. This works the same for personal employee information. 3. Analyze the ethical use and protection of customer records.

First we need to analyze the ethical use and protection of our customer’s records. This is a common threat to any organizations information systems. It comes from inadequate protection of company information and data. There are many risks that go with unauthorized activity of customer data. The impacts are negative and not always considered during the risks assessments of their data.
Through the business impact analysis/risk assessment phase, the organization will evaluate its security process for all of its internal and external data and how well their security system holds up to external viruses and usage. The loss, destruction and/or disclosure of company data and information may have far more significant consequences and should be included for consideration in the continuity process (The Definitive Handbook of Business Continuity Management, ch. 16 ).
This first stage involves the analysis and decision-making that will feed into planning and strategy to ensure overall business continuity for the organization as well as to understand which approaches are needed throughout the organization in order to deliver a workable information availability strategy. Often this process will involve an external consultant and/or one or more individuals in the organization in order to understand the internal and external pieces of the business which involve both the business and IT operations. By prioritizing their importance and time criticality companies can begin to determine the directions the information availability strategy will lead as well as which individuals within the company should run it. Once plans have been formulated, keeping them in line with the organization is very important to the ongoing success of the company, this shows the need for business continuity provision to incorporate ongoing plan maintenance and testing, which will highlight any changes required as the business moves.
After the organization decides which data is sensitive and which data needs to be protected, they have formulated their strategy to protect the data. Now how do they know this strategy will work? They need to test it with a pilot group that has certain rights depending on their clearance level. By testing to make sure the employees cannot access the sensitive data will ensure that the policies are in effect.

4. Discuss the communication plan to be used during and following the disruption.

Our communication plan includes a brief background of the plan, who it involves (stakeholder analysis), clear objectives, strategy for communicating the plan, and potential issues and risks of the plan. This plan is to address any customer and employee communication, safety and security of their protected information, recovery of information due to a disaster and how to communicate this plan to all stakeholders. Our stakeholders include customers, employees and executives. Everyone it may affect. The customers are affected by the data they provide to the company. During the disruption, all customers will be informed that their data is protected by the security measures that have been put into place by IT with an expected timeline for resolution. They should already have copies of all policies on risk management by the company. Next they need to be informed on the strategies that have been put into place to recover the data. It is extremely important that the customer be involved through all the steps so that they are secure with the company. Next the need to communicate to them after the data has been recovered and depending on the situation of data loss, how they will be able to access their data. If it was a facility fire, the location of the back up facility and the server information that will be encoded for their specific company needs to be communicated. Next, the employees will need the same assurance that their personal data will not be leaked out. So again through the company policies and efforts, the company will need to communicate the security measures that were taken to keep their data safe. The encryption, servers, etc. Lastly, the executives need to be briefed on all moving parts. This communication is essential to the business as they are the ones that will be face to face with all people involved.
Communication Plan for Customers
Customers require accurate, timely and apologetic communications, usually via email including: * What products or services you won’t be able to provide at the usual times * What alternate accommodations they can make * Any compensation we plan to make depending on the disaster * Timeframe of the expected resolution
Communication Plan for Employees * HR to keep open communication with Employees and ensure that their personal information has not been compromised * Follow up with them on the risk management strategies that have been put into place * Keep communication open to resolve any concerns employees have about the recovery

5. Discuss restoring operations after the disruption has occurred (post-incident).

Restoring operations after a disruption is one of the most common pieces to any disaster plan. The most common and most effective plan is data backup which EPLAN uses. This recovery is done by retrieving the data from their data warehouse that is in compliance with all regulations. This warehouse can be accessed externally through a cloud server. This is important to keep backups done daily with a backup tape system. This way historical data is not compromised.
Now, there is the concern of restoring actual operations if a disaster occurs. The Information technology team would work with the data warehouse to make sure the data for our customers and internal employees has been restored but being an international company, most of our data is housed on our German server so operations will not be affected. All employees will be able to access the same data through their own portable laptops and Germany’s server. Germany and other countries will be able to back up our technicians for support calls if needed. This is part of our recovery policy for all countries. The customer’s should not feel any downtime due to our recovery time. The main part will be making sure everything is secure and that the employee records are secure. The team will have to follow our recovery plan and checklist to ensure that everything is safe and accessible to the right teams.