Sample BCP Template s2

Description & Inventory: <department name>

Department Description & Inventory

University of Connecticut

<department name>

Prepared by: , Director

June 28, 2005

Date of Last Review: June 28, 2005

Storage Location:

Primary:

Alternate:

TABLE OF CONTENTS:

Overview 3

Purpose: 3

Scope: 3

Assumptions: 3

Description of <department name> 4

Location 4

Main Function 4

Physical Security Access 4

Number of Staff at this Location. 4

Business Processes 5

Systems Required: 5

Unique Assets: 6

Data on Stand-alone PC’s: 6

Hardcopy Files: 7

Files used but Owned by Other Organizations: 8

Offsite File Storage Locations: 8

Dependencies Impacted: 8

Recovery Requirements 10

Outage Impacts: 10

Increased Risk Times 10

Staff Space 11

Office Equipment 11

Co-Location Requirements 11

Service Level Agreements or Regulatory Requirements: 12

Recovery Tier: 12

Document Maintenance Procedures: 13

Review and Update Process: 13

Distribution Procedures: 13

Validation Requirements: 13

Document Verification History: 13

Additional Documentation: 14

Location of Other Documentation: 14

Location of Supporting Documentation: 14

Update History: 14

Sign Off 15

Overview

Purpose:

This description and inventory will be updated in response to changes in the business environment. The <department name> will review the document at least annually to verify that it is current.

This document records the background information that provides the basis for the security risk assessment (RA) business continuity planning (BCP) activities that are required by security policies instituted by the University of Connecticut. Typically, the information recorded in this document will be collected or reviewed before starting RA or BCP activities.

Scope:

This document describes the <department name> of the University of Connecticut and records the inventory of business functions and computing resources used by the <department name>.

Assumptions:

The description and inventory information reflect the department as of the date of the document update.

·  Any changes that might impact results of a security risk assessment will be recorded in an update to this document and trigger a review of the RA documentation.

·  Any changes that might impact results of a business continuity plan will be recorded in an update to this document and trigger a review of the BCP documentation.

Description of <department name>

Location

University of Connecticut

…

…, Storrs, CT 06269

Main Function

Provide a brief description of the business functions performed at this location.

Physical Security Access

Provide a brief description of the physical security at this location.

Number of Staff at this Location.

Provide a summary of the numbers and type of staff working at this location.

Business Processes

List the key processes performed at this location.

Processes / Description / Frequency
(daily / weekly/ monthly) / Person Performing Task

Systems Required:

Provide a brief description of the computer applications and databases used at this location.

System Name / Description / Criticality / Application Type
(desktop / server / mainframe) / # Desktops Installed / Owner / Technical Contact

Criticality Ratings: 1 – The Organization/Department cannot function without the system.

2 – The Organization/Department can function partially without the system.

3 – The Organization/Department can function fully without the system.

Unique Assets:

Provide a brief description of unique equipment or other major assets used at this location.

Asset Description / Qty / Vendor / Details (model #s etc.) / Criticality / Location of Asset
(Campus / Building / Floor) /

Criticality Ratings: 1 – The Organization/Department cannot function without the asset.

2 – The Organization/Department can function partially without the asset.

3 – The Organization/Department can function fully without the asset.

Data on Stand-alone PC’s:

Provide a brief description of significant data files that are kept on stand-alone PC’s at this location.

Data Description / File Name / Backup Frequency / Backup Storage Location / University Data Classification / Criticality / PC Owner /

The University Data Classifications are defined in the University’s Data Classification Policy:

Registered Confidential

Confidential

For Internal Use

Public / Unclassified

Criticality Ratings: 1 – The Organization/Department cannot function without the data.

2 – The Organization/Department can function partially without the data.

3 – The Organization/Department can function fully without the data.

Hardcopy Files:

List files that are retained on paper, microfiche, or microfilm.

Description/Name / Qty / Loc / Bldg/ Floor / Description of Contents / Criticality / Dup. Stored
Offsite
(yes or no) / Offsite
Location / Retention
Policy / Candidate for Imaging
(yes or no) /

Criticality Ratings: 1 – The Organization/Department cannot function without the files.

2 – The Organization/Department can function partially without the files.

3 – The Organization/Department can function fully without the files.

Files used but Owned by Other Organizations:

List any files that are used at this location, but are stored at another location and owned/maintained by a separate organization.

Description / Criticality / Location / Contact Name /

Criticality Ratings: 1 – The Organization/Department cannot function without the files.

2 – The Organization/Department can function partially without the files.

3 – The Organization/Department can function fully without the files.

Offsite File Storage Locations:

List files that are used at this location but stored at another location.

Description / Location / Contact Name / Who has Access? /

Dependencies Impacted:

List organizations that provide information or services to the Department.

Organization / Description / Criticality / Location / Contact Name

Criticality Ratings: 1 – The Organization/Department cannot function without support.

2 – The Organization/Department can function partially without support.

3 – The Organization/Department can function fully without support.

Identify any organizations that require information or services from the Department.

Organization / Description / Location / Contact Name / Frequency of Report or Service?
(daily / weekly / monthly) / What mechanism is required for delivery?

Recovery Requirements

Outage Impacts:

Describe the impact to this location that would result from an extended unplanned interruption.

Increased Risk Times

Indicate times when this location could be subject to greater risk of impact from an extended unplanned interruption.

The checked time frames indicate increased risk for <department name> functions.

Month / Day / Time /
Jan / ¨ / Mon / ¨ / þ
Feb / ¨ / Tues / ¨ / þ
Mar / ¨ / Wed / ¨ / þ
Apr / ¨ / Thur / ¨ / þ
May / ¨ / Fri / ¨ / þ
June / ¨ / Sat / ¨
July / ¨ / Sun / ¨
Aug / ¨
Sep / ¨
Oct / ¨
Nov / þ
Dec / þ

Staff Space

Describe the space that would be needed for staff working at this location to perform their functions at another location.

Specify the number of associates that require resources over time.

Number of People in the Department / Day 1 / Day 5 / 2 – 4 months /

Office Equipment

List the general office equipment that would be needed to support staff functions at another location.

Description / Day
1 / Week 1 / Week 2 /

Co-Location Requirements

Describe requirements regarding sharing space with other organizations or resources.

Service Level Agreements or Regulatory Requirements:

Describe any service level agreements or regulatory requirements that affect the services that would be provided during an interruption to normal activity.

Recovery Tier:

Describe any recovery tier definitions (e.g. functions that should be recovered before or after others) that affect the services that would be provided during an interruption to normal activity.

Document Maintenance Procedures:

Review and Update Process:

Describe the process for keeping the document current.

This document is reviewed and maintained using the process described in the <department name> …… procedures.

Distribution Procedures:

Describe the process for distributing the document and/or training people to use its content.

Additional copies will be distributed to crisis management team members and a copy will be offsite with the Director.

Training will be provided as described in the <department name> …. procedures.

Validation Requirements:

Identify frequency and method for verifying the information recorded in this document.

Document Verification History:

Record the history of review/verification activities for the document.

Date: / Results:

Additional Documentation:

Location of Other Documentation:

Application / Document Name / Location

Location of Supporting Documentation:

Document Name / Location

Update History:

Date / Update Session Details / Revised By

Sign Off

This document accurately describes targeted organizations and presents a current view of the assets and resources used to perform normal work functions.

______

Director/Assoc.Vice President/Dean/Department Head Date

Page 15 of 15