
Any Bank Disaster Recovery and Business Continuity Plan May 2009


DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN

Emergency Plans Disaster Recovery Contingency Planning

DATE LAST CHANGED

BOARD OF DIRECTORS APPROVAL


Any Bank DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN

Month Year

OVERVIEW
DRBCP PLANNING AND REVIEW
CHAIN OF COMMAND
DISASTER DR TEAM
ACTIVATION
NOTIFICATION
INTERDEPENDENCIES AND GEOGRAPHICAL CONCERNS
DRBCP RECOVERY OUTLINE
PANDEMIC FLU
BUSINESS IMPACT ANALYSIS
CORE SERVICES
  Core Data Services
  Item Processing
  ACH
  Fedline Advantage and Fed for the Web
REGULATORY NOTIFICATION:
TECHNICAL DISASTERS
  Computer Virus, Disk crash, etc
EMERGENCY TRAINING
SECURITY ARRANGEMENTS
REDUCED WORK FORCE AND WORK FORCE SUCCESSION CONSIDERATIONS
INSURANCE COVERAGE
DISTRIBUTION RECORD
TESTING
  Testing Procedures
  Security System
Appendix A: Emergency Telephone Numbers
Appendix B: Master Vendor Listing
Appendix C: List of Employees
Appendix E: Board of Directors
Appendix F: Contingency agreements with processing providers
Appendix G: Management Succession
Appendix H: Attachments
Appendix I: Key & Combination List
Appendix J: Emergency Evacuation Procedures
Appendix K: Disaster Telephone Answering Script
Appendix L: Any Bank Incoming Line Numbers
Appendix M: Startup, Shutdown, and End of Day Procedures
Appendix N: Detailed Directions to the Sungard Disaster Recovery Hot Site:
Appendix O: Risk Assessment:
Appendix P: Floor Plan Drawings with Utility Shutoff Locations for each Bank:
Appendix Q: Specific Task Requirements of this Policy


OVERVIEW

The objective of Any Bank Disaster Recovery and Business Continuity Plan (DRBCP) is to minimize financial loss to the Bank and to continue to provide service to our customers, remain in compliance with applicable laws and regulations, and reduce damage to the Bank. Additionally, an overall objective of this plan will be to maintain, resume, and recover the business, not just recover the technology.

Business continuity planning is the process for Any Bank to ensure the maintenance and recovery of operations and customer services when confronted with adverse events. Events include natural disasters, technological failures, human error or terrorism. New business practices, technological changes, and increased terrorism concerns have created greater awareness and increased the need for an effective DRBCP. The DRBCP will also include a business impact analysis and risk assessment.

This DRBCP will address interdependencies, both market and geography based, the potential for wide-area disasters impacting an entire region, the loss or inaccessibility of staff, and recovery times. We anticipate that the amount of requested services will not decrease during a disruption, and in fact, service requests will probably increase. This plan is the basic structure of a disaster recovery effort. The procedures outlined will serve as starting points and are subject to modification to suit the need or situation.

DRBCP PLANNING AND REVIEW

Any Bank Senior Management and Board of Directors have the overall responsibility for identifying, assessing, prioritizing, managing, and controlling risks. Disaster Recovery and Business Continuity planning responsibilities are fulfilled by setting policy, prioritizing critical business functions, allocating sufficient resources and personnel, reviewing DRBCP test results, and ensuring maintenance of a current plan.

Any Bank’s Information Technology Committee is responsible for the development and coordination of the DRBCP. While the Committee may recommend prioritization, it is ultimately the responsibility of Any Bank’s Board of Directors and Senior Management to prioritize critical business processes and establish plans to meet business requirements.

This DRBCP and its associated annual test will be subjected to an independent audit and will be reviewed by the Information Technology Steering Committee and Board of Directors on an annual basis. The DRBCP will be tested to the maximum extent possible. The annual review is a minimum requirement. The DRBCP should be a "living document" as new technology changes the Bank’s recovery needs.


1. Any, Chairman - DR Team Leader/Spokesperson
2. Any, Secretary - Disaster Recovery Coordinator

on a continual basis

The responsibilities of the DR Team are as follows:

1. Make sure the Bank is secure
2. Evaluate the disaster situation
3. Implement the recovery plan
4. Inform Any Bank Board of Directors
5. Authorize special assignments
6. Approve expenditures


1. The activation of the DRBCP is determined by the amount of time estimated to effect normal day-to-day operations. This plan will normally be activated not later than 12 hours after the contingency or emergency.

2. The DR Team must consider immediately a need to activate the plan if normal operations cannot be resumed in a timely manner.

3. Once a disaster has occurred and affected normal operations, the DR Team will be assembled and a decision to implement the DRBCP will be considered.

4. If for any reason the Bank President cannot be contacted, the decision will be shifted to the next available person listed in the Chain of Command.

5. The DR Team may terminate this procedure when normal operations return.

3. Where the damage assessment proves so severe that recovery within 12 hours appears to be a remote possibility, the call for employee assembly is justified. The Bank’s emergency notification list (not comprehensive but a guideline) is outlined below. Contact numbers are contained in the appendices of this document.
   a. Notify Regulatory Authorities
   b. Notify Sungard Disaster Recovery Services
   c. Notify ATT (data communications)
   d. Notify Network Support Contractor

4. The person responsible for Overall Command of Any Bank Disaster Recovery Team (normally the bank president) will be the spokesperson and notify the media as to the situation and begin the process of handling the press and media requests. It should be stressed to all personnel that ONLY the spokesperson will give information and interviews to the media.

5. If local law enforcement and fire departments are not on the scene, the need for notifications is pertinent. Call the local police at once to secure the area.

6. Following the disaster, the media can be used effectively to convey important messages to our customers, and extreme care should be taken in responding to reporters’ questions.

7. The information provided should be honest, factual, and presented in a positive manner to alleviate customer fears. The spokesperson should make notes before talking with the media.

8. The Bank President (or the next available person in the chain of command) will notify all regulatory agencies within 12 hours of declaring the emergency or contingency.

9. The following are some concerns of the processed banks and customers following a disaster and should be included in remarks to the media:
   a. State when the Bank will re-open (if known)
   b. Give locations of alternate sites
   c. Give hours Any Bank will be in operation during the emergency period
   d. Use discretion when reporting on personal injuries, deferring these reports to medical and law enforcement officials for that information


Persons in charge of handling the media or customer requests will need definite guidelines as to the media being allowed in the off-site or reciprocal locations. Personnel in these locations will be under a certain amount of stress and should not be subjected to visitors in the area who may disrupt their work.


INTERDEPENDENCIES AND GEOGRAPHICAL CONCERNS

Any Bank’s management understands that the current regional economic environment requires dependency on many vendors. The effects of a major disaster or contingency at a key vendor site may have widespread effects for Any, Arkansas. A copy of the DRBCP, Emergency Supply List and 3 days’ worth of materials will be kept at Any Bank’s alternate processing site located at the North Branch in Any, Arkansas.

Vendor | Primary Location | Major Contingency Procedure

Provide Hot Site for Information Technology Inc Banking System Data & Item Processing

This agreement should be tested annually with the results documented in the Information Technology Committee and Board of Director’s minutes

Core Banking System

be made a part of the vendor’s file for the Bank’s annual vendor review

ATMs & Debit Cards

Federal Reserve | Little Rock, AR | Arrangements for moving cash orders and receipt as well as cash letter to the Federal Reserve Bank in Dallas, TX | Agreement with FRB and ABB | Cash Letter, Cash Ordering

DRBCP RECOVERY OUTLINE

STEP 1: Key management learns of a contingency or disaster.

STEP 2: The DR Team is formed. The leader of the DR Team will decide the location(s) where the team will be formed, taking into consideration the current disaster. Team notification will be accomplished via home telephone, cell phone, or runner. The course of action will be decided and implemented.

STEP 3: Contingency Plan has been invoked. The person responsible for Overall Command (or the next person in the chain of command) will handle media, regulatory notifications and communications. Key areas for media notification include local radio, television, and newspaper. Initial restoration of the core services (see below) is covered with an agreement with Name of your Data Processor Software to provide emergency data processing at their hot site in city, State. One Any Bank employee will go to City, State with backup media to restore the system. Proof work will also be sent electronically or carried to item processing company’s hot site for item processing. Remote deposit capture items will be retrieved electronically and processed at the hot site.

STEP 4: Any Bank data processing personnel are concurrently working to move operations to the branch Bank building in or gain delivery of a temporary building from MPA Systems, procure and install data lines, get telephone communications installed, etc. Additionally, data processing personnel will handle bank PC setup (telnet, etc) and communications between the Data Processing Company emergency sites. Primary disaster locations for each Bank location are listed below.

If the emergency or disaster affects the contingency location, Bank management will procure temporary building space in the nearest unaffected area/region.

STEP 5: Data processing personnel will be using insurance funds to procure a replacement server for Name of Your Banking System software. The replacement server will be placed at the temporary building or other alternate site. Network connectivity and PCs will be ordered and installed using the Bank's service provider.

STEP 6: Employee Internet access and other secondary banking activities will need to be coordinated.

STEP 7: New building construction should be started as soon as practical.


PANDEMIC FLU

The CDC estimates that a "medium-level" pandemic flu may cause up to 207,000 deaths in the United States, with another 725,000 hospitalizations and 20-47 million people being sick, with an economic impact in the range of $71 - $166 billion. A pandemic flu could easily leave 25-30% of the workforce ill for an extended period.

The latest version of the flu believed to have pandemic potential is the avian H5N1 strain. This strain has infected approximately 100 people since 1997, with half of those infected dying. It has also caused the greatest number and most severe outbreaks among poultry in history. Large numbers of wild birds are dying from this extremely deadly strain. Although the strain does not jump easily from avian to human at this time, experts fear that it could evolve into a strain that spreads as easily as the normal flu.

Unlike most disaster scenarios, with pandemic flu, the Bank’s main concern is not the loss of equipment or operations facilities, but instead the people necessary to make it all work. The enclosed items are part of the Bank plan to prepare for a pandemic that could leave the Bank without 30% of the workforce for weeks or months.

• Determine the impact that long-term illnesses will have on operations and update the plan accordingly. This is included in the Business Impact portion of the plan.

• Appoint an emergency response team with defined roles and responsibilities. This is included in the Bank’s disaster response team and emergency chain of command.

• Identify critical functions and essential employees required to continue normal operations by location. This is identified in this plan in the employee succession plan.

• Cross train employees from multiple locations with minimal face-to-face contact to be able to fill these essential roles. This is part of the risk mitigation controls for a potential Pandemic flu outbreak. Cross training exercises will be conducted at least annually and documented.

• Determine what functions could be conducted remotely and provide for secure access in the event of a pandemic. VPN Access is part of our mitigation controls for key employees.

• Review personnel policies for sick leave compensation and guidelines for when employees are allowed to return to work after a pandemic illness.

• Have posters and other material available to educate employees on proper hygiene in the event of virus outbreaks.

• Collaborate with local and national authorities to participate in the planning process and to be more aware of potential threats.

• The bank will notify the (city) Department of Health, Red Cross, and/or the CDC of suspected pandemic illness. The bank will monitor news sources and sites such as www.who.int and www.cdc.gov to track possible pandemic outbreaks and levels of infection. The CDC information number is 1-800-CDC-INFO.

• Communications with key/critical vendors will be accomplished using the emergency list of phone numbers in the appendix of this policy. Bank employees will continue to update this plan with secondary vendor numbers.

Bank Precautions to Help Maintain the Workforce:

• Review key personnel succession to make sure you have identified critical and non-critical daily duties and replacement personnel.


• Employees should frequently wash their hands with soap and water. Hand washing should last 20 seconds with hot water. Keep an ample supply of anti-bacterial soap in public areas of the Bank.

• Encourage employees to stay home if they are sick.

• Employees should see a physician if illness continues.

Pandemic Outbreak Strategy:

The 6 Phase Levels to the WHO Pandemic Alert System:

Level 1: 'Inter-Pandemic Phase'

- There is Low Risk of Human Cases

No bank action is required at this phase.

Level 2: 'Inter-Pandemic Phase'

- There is Higher Risk of Human Cases

The bank will continue with regular normal monitoring of WHO and CDC sites.

Level 3: 'Pandemic Alert'

- No or Very Limited Human-to-Human Transmission

The bank will remind employees of steps to take to reduce pandemic risk such as hand washing, symptoms of the pandemic, etc.

Level 4: 'Pandemic Alert'

- Evidence of Increased Human-to-Human Transmission

The bank will continue to remind employees of steps to take to maintain the workforce. Supply levels of soap, tissues, masks, etc are verified. Cross training and succession charts are reviewed and personnel are briefed on alternate responsibilities. Alternative methods to work from home or other locations (VPN) are reviewed to ensure operability.

Level 5: 'Pandemic Alert'

- Evidence of Significant Human-to-Human Transmission

The bank is on high alert to monitor employees and customers for symptoms of the pandemic illness. Employees are taking protective steps to reduce the chance of pandemic spreading in the workforce. A reduced work force may need to be considered. Some branch locations will consider minimizing customer interaction and may only operate drive-up or use surgical masks for person to person contact.

Level 6: 'Pandemic'

- Efficient and Sustained Human-to-Human Transmission

The bank may need to consider closing lower traffic locations and will definitely minimize lobby traffic to the maximum extent possible. Sick employees or those with sick family members are encouraged to work from home using VPNs or other methods.

In summary, our preparation for and response to a pandemic influenza epidemic will be to cross train our personnel so that we will have at least three people qualified for each core Bank function. Secondly, we will use remote employee access such as VPN and surgical masks to minimize employee contact. Finally, we will minimize employee-customer interaction by providing customer service through ATM and drive up instead of in the Bank lobby.


BUSINESS IMPACT ANALYSIS

One of the most important steps in accomplishing a complete DRBCP is the development of a Business Impact Analysis (BIA). The BIA should identify the potential impact of events on business processes and customers. The BIA will cover all departments and business functions and should estimate allowable downtime and levels of acceptable loss in data, operations, and finance.

Business Priority:

3 = Bank must have this resource to conduct bank operations
2 = Bank should have this resource to conduct bank operations
1 = Bank would like to have this resource to conduct bank operations; however, workarounds are available

Business Impact:

3 = Bank can conduct operations without this item for no more than 3 days
2 = Bank can conduct operations without this item for no more than 10 days
1 = Bank can conduct operations without this item for no more than 30 days

The business impact score is obtained by multiplying the business priority times the business impact.

Department or Area | Business Priority | Risk and Recovery | Parameters | Business Impact | Personnel Required | Business Impact Score

Fire, Water, or Electrical Damage; Physical theft or damage

Recovery: Any Bank contingency agreement with Sungard Disaster Recovery will be implemented. Data is restored to the system.

Maximum allowable downtime=3 days

Losses of up to $5,000 per day may occur due to manual posting errors and backlogs

Reputational damage may occur due to the inability to service customers quickly and accurately

3=Non-availability of the host system will prevent current access to customer and management information. Customer service operations will be slower

A minimum of 3 personnel to operate item and data processing operations at alternate and temporary locations

Business Impact Score: 9

be restored

Maximum Downtime=1 Business Day

Loss of customer and business communications

Financial losses could be as much as $1,500 per day per location

3=Loss of communications between banks and Any Bank will effectively shut down data operations

No additional personnel, but coordination and payment of local communication providers may be necessary

to answer information requests

Recovery: Returning electronic systems to operability such as the Information Technology Inc host system

Maximum Downtime=3 days

Extended inability to provide customer information could cause employee and customer issues

Financial losses could exceed $5,000 or more if we are unable to provide customer data during critical customer financial transactions

2=Frustrated customers and employees due to inability to access customer data may cause loss of customer accounts and loss of customer goodwill

No additional personnel required; however, customer service and personnel will have a 10-15% increase of workload due to customer and management inquiries

includes the inability to access the Internet and the Information Technology Inc system

Recovery: The Bank has a SLA with their vendor to have PC systems restored in 3-5 days. PC images are stored on tape backup and can be restored to the new PC

Loss of employee efficiencies and quick response to Bank questions

Financial loss of $500-$800 per day per location in lost time and inefficient operations

2=Loss of PC and server operations will severely limit customer support and efficient data center operations

Budget for additional hours (possible overtime) of contract network administration

Business Impact Score: 4

Internet Access (Business Priority: 2)

Risk: Bank could lose Internet access

Recovery: Use local dial-up for emergency use. Internet equipment is under maintenance contract

Allowable down time: 7 business days

No Internet access for email, Fedline Advantage, Fed for the Web, etc

Financial losses of $200 per day could occur for inaccurate credit reporting, loss of bond sales, e-mail communications missed

2=No e-mail, Fedline Advantage, Fed for the Web, credit reporting, check ordering, etc

No additional personnel required

Business Impact Score: 4

Recovery: The Bank will coordinate with a local bank and the Federal Reserve to find an alternate site until the hardware can be replaced. Procurement of new Fedline Advantage hardware will take one to two days

Allowable down time: 1 business day

Loss of customer confidence as many Bank customers are dependent on ACH payments and accesses. Financial losses could be over $1,500 per day

3=Inability to receive ACH transactions, wires, returns, and payments

1 Fedline Advantage operator (can be a person with other duties)

relationships with communication representatives will help in re-establishment of data circuits

High degree of risk regarding fraud and inaccurate balancing

Financial loss could be as much as $700-$1,000 per day at each location

3=Inaccurate or non-existent daily statements, reports, and customer transaction files. Slow transaction processing as employees adapt to manual procedures

Customer service will require at least a 25% increase in workload

Business Impact Score: 9

Facilities (Business Priority: 3)

Risk: Loss of major infrastructures

Recovery: Initially, use the alternate operating site with possible support from alternate item processing locations. Move to North Main Branch or consider the use of a temporary facility from MPA contract

Maximum allowable down time=1 business day

Loss of visible structure may cause loss of customer confidence and increase the chances of customer panic

Financial losses could be as high as $4,000 per day

3=Inability to service customers effectively

3-4 people to help move data center operations to North Main Branch or coordinate delivery and setup of temporary building. Media spokesperson to let public know where banking services are being offered

Interim item processing work will be done at location, city, state

Maximum allowable down time=2 business days

Inaccurate processing due to manual procedures and manual bookkeeping

Financial losses could be $1,000-$1,500 per day

2=Slow customer service and inaccurate statements and ledgers

Increase of 10% in data service personnel work requirements

Business Impact Score: 4

Bank Employees (Business Priority: 3)

The Bank could have as much as 40% of the workforce out for 2-3 months during a Flu Pandemic

Maximum allowable downtime=3 days

Losses of up to $3,000 per day may occur due to manual posting errors, employee unfamiliarity with tasks, and backlogs

Reputational damage may occur due to the inability to service customers quickly and accurately

2=The Bank must have personnel cross-trained to provide core banking functions for deposit and ACH transactions available within 24 hours

Minimum of 5 per main branch that operates as the data center. This is the minimum number of people required to accomplish teller, drive-up, processing, and ACH activities at each open location

Business Impact Score: 6

While this list compiles many of the main possibilities that could face Data processing personnel, it is not intended to be all inclusive of the types of disasters that we anticipate.


CORE SERVICES

The main concern in a disaster should be to resume the core data processing and customer service operations as soon as possible. This section will document the activities that are considered core activities.

Core Data Services

The number one core service for Any Bank is Sungard Disaster Recovery services. Should a major disaster strike the center and disable the data services department, Any Bank personnel should immediately determine the nature of the disaster, expected interruption of service and possible causes of future

accomplished at the Sungard Hot Site. The DR Team will direct the staff to their alternate duty assignments at the alternate data processing location.

Network Recovery

Bank operations will be dependent on employees being able to access network resources. Key areas of network recovery and the Bank plan are outlined below:

CRITICAL NETWORK RESOURCE | RECOVERY METHOD/PLAN

Data Center Building | Sungard DR Trailer at or near the main Bank site. Use of BRANCHNAME branch to house tellers, CSR, and drive up. Utilization of branch offices as alternate customer service

Premier Server | Replacement Premier server hardware comes with Sungard trailer, data restored from tape backups stored off site from main Bank

Item Processing | Replacement Premier item processing scanner comes with Sungard DR trailer and interfaces with Premier server

Image and Report Server (Director) | Replacement server comes with Sungard DR trailer and interfaces with Premier server. Data is restored from Bank tape backups

Data Communications from branch locations to the

Data Equipment (Routers, Firewalls, Switches, etc.) | All network equipment will be under service contract or insurance agreement, which will allow for replacement within 72 hours. Manual processing will be in effect until equipment is in place.

Personal Computers | Bank contract network support provider (COMPANYNAME) has agreed to provide the initial stock of PCs 15-20, and then restock more computers as needed within the next 5-7 days

Item Processing

Item processing will be done at the hot site location, Sungard Disaster Recovery Services in

Management will schedule the appropriate work force.

ACH

Fedline Advantage and Fed for the Web

Fedline Advantage is used for the processing of ACH transactions and wire transfer operations. Fedline Advantage uses a VPN device to connect from the Bank network to the Federal Reserve Bank network. If the Fedline Advantage device experiences hardware or software failure, the Bank has an agreement with the FRB for a replacement device. If the device is requested prior to 10:00 am, a replacement will be received on the same business day. If the device is requested after 10:00 am, the replacement will be received within 24 hours. The Bank has a back up analog telephone line to use if the Internet connection is inoperative. Finally, if the Bank building is destroyed, the President will contact the Federal Reserve Bank and change the receiving institution to one of the correspondent partners or a “buddy bank” that is not affected by the disaster.

Fed for the Web is the FRB processing program that can be used to transfer the Bank’s cash letter, make cash orders, purchase bonds, and make TTL transactions. This program is dependent upon a digital certificate that identifies each user. The Bank backs up the digital certificate to removable media (floppy, USB drive, etc.) and the media is stored with the Bank’s disaster supplies. This allows the Bank to reload the certificate on any PC with Internet access.

Should there be a major catastrophe affecting the Bank's ability to receive this type of activity (ACH and wire transfer), the President will contact the Federal Reserve Bank and change the receiving institution to one of the correspondent partners or a “buddy bank” that is not affected by the disaster. Should there not be an unaffected correspondent or buddy bank, the President should consider contacting the nearest large bank to open an account that can handle these types of activity.

Electronic Banking

Electronic banking is a much higher priority during certain disaster scenarios. Any Bank Internet banking services are provided by Fiserv. Employees will be able to access Internet banking accounts and services through alternate Internet access points as described below. Check Free bill payment services should be unaffected and current bill pay customers will continue to be able to pay bills online.

Internet Access

In the event of a disaster, the Internet access capabilities of the Bank are considered to be a core activity. An alternate Internet access point will be established at one of the Bank branches or processed banks to service needs such as ACH, Fed for the Web, Credit Reports, Internet banking etc.

Alternate Bank Location

An alternate Bank location or backup site has been established at the North Branch in Any, Arkansas. This location is owned and maintained by Any Bank.

NATURAL DISASTERS

Fire

All personnel should evacuate the building immediately unless conditions permit employees to:

1. Contact the Vice President of Operations who will investigate smoke or fire and contact fire department.

2. Secure all cash teller drawers placing cash money bin in vault. Each teller will be responsible for securing his/her area.

3. The VP Loans and Teller supervisor will be responsible for locking the vault and giving each teller his/her responsibilities for securing the teller area.

4. All employees are to secure their area by placing all documents in their filing cabinets. They should secure their area before leaving.

5. The loan department should secure all loan documents before leaving.

6. The data services department should secure their area by placing all checks and confidential information in the vault. The department supervisor should make sure that the department is secure prior to leaving. In addition, if time allows, the data service department shall properly power down the computer equipment and shut off power to the data processing equipment.

7. All other personnel will secure their work areas prior to leaving the building.

8. The drive-in locations will secure their cash drawers and vault as if close of day.

9. A list of emergency numbers is listed in Appendix A.

Severe Storm, Tornado or Power Outage

1. Vice President of Operations will notify all work personnel.

2. Secure work area and work station as if close of workday. All monies should be placed in vault and all filing cabinets secured and locked. If unable to leave, the vault area is the most secure area of the Bank. All personnel on the top floor should descend to the lower floor.

3. In case of severe storm, turn computers off and leave off until Vice President of Operations gives the all clear.

4. If there is a power outage, all officers will secure their work area and immediately proceed to the lobby area to remain until the office closes or power is restored.

5. A list of emergency numbers is listed in the appendix.

Earthquake

1. Move immediately to a safe area (i.e., support archway, against an inside wall, under heavy furniture, such as a desk or table). Move away from windows.

2. Sweaters, jackets, or coats should be pulled over the head to protect the face, or protect the face by interlocking fingers behind the head and pulling the elbows down to side of the face.

3. Remain calm; do not panic.

4. When the ground stops shaking:

a. Secure the teller area.

b. Check for injuries and help those in need.

c. Do not use telephone unless there is a severe injury.

d. Do not smoke until it has been determined that there are no gas leaks.

e. Fires should be extinguished with fire extinguishers or smothered.

f. Turn off main gas valve, water valve, and electricity.

g. A head count will be conducted and search teams organized if necessary.

h. Evacuate building making sure all monies are secure before leaving. All files, cabinets, and desks should also be locked and secure.

i. A list of emergency numbers is listed in appendix.

REGULATORY NOTIFICATION:

The CEO or Bank President will make notification of all regulatory agencies within 12 hours of declaring the emergency or contingency.

TECHNICAL DISASTERS

Computer Virus, Disk crash, etc.

In the event of a computer virus, Any Bank will implement the response plan listed in the Information Technology Operations Policy (ITOP) and Customer Information Security Policy (CISP). Should it be deemed necessary to implement the full DRBCP because of a virus, the balance of the unaffected systems should be shut down in order to minimize further virus damage.

Additionally, all other types of disasters such as a denial of service attack, system compromise by hackers, data storm, etc., are covered in the e-banking section of the ITOP.

EMERGENCY TRAINING

The employees that are trained for the operations functions of the Bank should be kept in constant contact in the event of a natural disaster. Should management deem it necessary, these employees should be available for extended periods of work and potential travel to off-site processing centers. For this reason, the management of the Bank should consider having these employees refined to a group of personnel that can be mobilized quickly and efficiently.

SECURITY ARRANGEMENTS

With the destruction of the Bank, a complete security analysis will have to be done on the proposed alternate site. The Security Officer and Any Bank senior management should act proactively in their assessment of the security features in considering which alternate site to choose.

REDUCED WORK FORCE AND WORK FORCE SUCCESSION CONSIDERATIONS

While it is considered absolutely necessary to have a completely competent workforce to run the Bank and data center in the case of a disaster, Any Bank management considers it appropriate to consider which positions could be eliminated in the case of a disaster. If necessary, employees that hold peripheral positions would be used to replace employees that might be missing due to the anticipated disaster.

Current Positions Essential Eliminate in Disaster Successor

Executive Assistant/Audit & Information Security Manager

Bank Compliance Officer

VP/Head of Bookkeeping/Security

Vice President/Head of Consumer

Assistant Vice President/Finance Officer

Proof Operator/Assistant Systems Operator

X Branch Proof Operator

This listing of reductions denotes the positions that can be eliminated in the case of a major disaster. It is anticipated that under no circumstances should the listed positions be vacated, unless it is impossible to keep them filled and not cover the functions that are considered to be vital to the operation of the Bank.

Should it be determined that this reduction in workforce be in place longer than three days, the Board of Directors’ approval should be obtained before the end of the third working day. This approval should be documented in writing if at all possible.

INSURANCE COVERAGE

Any Bank management has purchased and maintains adequate insurance coverage for the facilities, operations and the equipment of the Bank. All insurance contact information is contained in the appendices.

Senior Vice President - Operations

VP/Head of Consumer Lending

AVP/Finance Officer

Systems Operator/EDP Assistant

These managers are directed to maintain a copy of this Plan both at the Bank and in a safe place in their homes. This will help ensure that at least one copy of this plan will survive a disaster.

Management will decide what functions, systems, or processes are going to be tested. Management will also decide what constitutes a successful test. The objective of the test should be to ensure that the DRBCP is accurate, relevant, and operable under adverse conditions. A good testing plan should not jeopardize normal business operations and should gradually increase in complexity, level of participation, functions, and physical locations involved. The test should also demonstrate a variety of management and response under simulated crisis conditions. It should uncover DRBCP inadequacies.

The test should also include the validation of critical services, evaluate transaction volume, evaluate interrelationships among different business functions, and ensure strategies are properly related to use of facilities and other outages.

The test of the plan will vary according to Any Bank employees’ experience level. As a minimum, the annual test will consist of an orientation/walk-through to ensure critical personnel are familiar with the DRBCP. Subsequent tests will involve a tabletop test. This test should be more involved than the walk-through and should evaluate specific response capabilities. The test may include some mobilization, scripts, and simulations and should focus on decision-making and demonstration of knowledge and skills. At least annually, each Bank location will test and document the ability of teller and CSR personnel to process and balance transactions manually.

The maximum number of personnel involved in the implementation of the DRBCP should participate in the test. Personnel rotation during the test will help Any Bank prepare for the loss of key personnel.

Management should report test results and problem resolutions to the Bank Board. The test report should include an assessment that test objectives were completed, corrective action plans to address problems, proposed DRBCP modifications, and recommendations for future tests.

Lastly, the audit department or other independent party will directly observe the test of the DRBCP.

Testing Procedures

The Bank will test all of its vital core systems on the off-site system at least once each year. Operations personnel will perform the test using the backup information from the day before and process the information directly on the mainframe at the SunGuard Disaster Recovery site in Scottsdale, AZ.

Should the system not perform as it should, the test routine should be investigated and re-run as many times as it takes to get the routine correct.

Security System

The Bank should test periodically (at least annually) the readiness of the security system. The Security Officer should retain the appropriate documentation of this test in a permanent file.

Date posted: 20/10/2022, 08:51
