Case Studies Support Departments and Operational Groups Operational Groups - capsule summary of responsibilities Asset Allocation Services research and analysis of asset allocations, reports, customer service and investor contact. Custom Research research and analysis, custom research projects, reports, customer service and investor contact. Equity Selection Services research and analysis of equity investments, reports, customer service and investor contact. Fixed Income Selection Services research and analysis of fixed income investments, reports, customer service and investor contact. Percent of Revenue Percent of Profits 15% 15% Operational Group Asset Allocation Services Custom Research Equity Selection Services Fixed Income Selection Services 40% 50% 30% 25% 15% 10% Suhhort Dan Support Departments - capsule summary of responsibilities Data Operations - data acquisition, data verification and data analysis. Facilities - maintenance of buildings, maintenance of building systems, environmental controls and utility services. Finance and Accounting - accounting, financial reporting, insurance services, external communi- cations and crisis communications, hardcopy publishing operations, legal issues and account management. Human Resources (HR) payroll, benefits and general workforce issues. Information Technology (IT) - support of technology services including data center operations, data center recovery, alternate site operations, communication technologies, critical data management of electronic information, information security, applications and communications systems. Sales and Marketing - management of the marketing program and direct sales. Security - building protection and threat monitoring. Interdependencies and Supply Chain Nearly all operational groups of AIS are completely dependent on computer systems and communication access. The goal of AIS is to provide quality service on a very timely basis and failure in the supply chain and process flow will quickly lengthen processing time to unacceptable levels. The following figure illustrates the supply chain: Building Environment Both buildings are two story buildings equipped with an automatic fire suppression system, fire alarms, security systems and adequate exits. Both buildings are of recent construction and meet all building codes. There is a dual conduit supplying electricity to both buildings and there is a generator to provide electricity during an extended electrical outage for the Main Building but not the Auxiliary Building. Power outages will shutdown virtually all activities in the Auxiliary Building but critical operations can be relocated to conference rooms in the Main Building. Most critical operations including IT are already supported from the Main Building. Building and Building Systems AIS essentially requires general office space that can support 125 people. Each operational group can function independently of one another. Building Contents and Equipment For the most part, there are no unusual building contents required for operations. The print shop has some expensive equipment but this equipment is insured and would not be that difficult to replace. Moreover, hardcopy reports are no longer considered to be critical to overall operations. Community Infrastructure Fire and Police Departments are located a short distance from Grand Office Park. All utility services such as wire communications, electric, natural gas, sewer and water are underground, relatively new and in good condition. External Dependencies Several other businesses provide important subcontractor services for facility operations. Most of these services can be secured from multiple providers. Regional Threats Man-made: There are no Major Airports, Dams or Nuclear Power Plants in the general area. Seismic: There are no significant seismic threats in the general area. Weather: Grand Office Park floods approximately once every 50 years. A significant snowfall of six to seven inches occurs approximately every other year. Ice storm events are very rare. Public services are well equipped to clear roadways resulting from typical snowfall events. Grand Office Park receives approximately 55 thunderstorms per year. The buildings are designed to withstand severe thunderstorm wind, rain and lightning strikes. lowa experiences approximately 31 tornadoes in an average year and a few of these tornadoes are of tornado force EF3, EF4 or EF5. EF3, EF4 and EF5 tornadoes will damage or destroy modern buildings. Security A very good security system is in place that includes perimeter sensors, cameras, access controls, swipe cards and a sophisticated security monitoring system. There is a security control room in the Main Building. Special security controls are in place for critical areas of each building. Unarmed security guards are present during working hours. During non-working hours, the buildings are monitored and periodic drive-bys are conducted by an outside security subcontractor. The entrance to Grand Office Park is gated and guarded 24/7/365. Supplies and Raw Materials Error Data Center Controls The data center is well located in an interior section of the Main Building. The data center is equipped with raised floors, fortified walls, a pre-action water based fire suppressant system along with other modern alarms and controls. The data center is monitored 24/7/365 and access to the data center is controlled by a swipe-card security system. Electrical surge protection and UPS units are provided for all critical computer and communication equipment. Most importantly, the data center has a backup electrical generator capable of running the entire data center and the dedicated air conditioning, heating and ventilation system. Data Center Recovery Data center hardware and hardware configuration is well documented. There is a contract with an outside service provider to rapidly replace damaged or destroyed equipment. Information Technology also utilizes the services of an outside consultant who can assist with the data center recovery. Information Management - Electronic Data All data files are backed-up daily and secured offsite weekly with quarterly backup files retained indefinitely. Data files are stored at a local bank vault located within the Grand Office Park. Software disks are stored inside the data center in a fire-resistant safe. Information Management - Hardcopy Data For AIS, nearly all hardcopy data has backup electronic data. For hardcopy data that are not created or otherwise secured by Information Technology, special precautions are taken. Critical hardcopy data are duplicated and secured with one copy located at each building. Information Security Security includes User ID numbers and complex passwords that must be changed regularly. Programs, data and files are all password protected. Firewalls are in place to prevent the introduction of outside viruses, intruders and hackers. Alpha Investment Services Case Study 24 Several years ago, written administrative controls were developed and approved by the Director of Information Technology. Among many other responsibilities, the Director of Information Technology is also responsible for information security. Revised Recovery Time Objectives AIS senior management wants to be fully prepared for major crisis events such as a flood and for other crisis events that only temporarily disrupt operations such as a severe winter storm. Senior management is in basic agreement with the analysis and goals presented in the RA and the BIA. However, senior management wants to ensure that data acquisition plus communications between senior management and with investors can be maintained without interruption. Senior management also believes that recovering all critical operations at 100% capability within one hour would require an extremely expensive BCM that is not realistic or cost-justified. The following Recovery Time Objectives have been established by senior management: Operations that must be maintained at all times: Data Operations - data acquisition. Information Technology - communication infrastructure. Facilities - environmental controls and utility services in the Main Building. Finance and Accounting - crisis communication. Security - facility protection and threat monitoring. We've updated our read aloud feature! Operations that must be recovered within one hour: All critical operations not listed above at 50% of normal capability. Operations that must be recovered within one day: All critical operations. All non-critical operations at 50% of normal capability. Operations that must be recovered within five days: All non-critical operations. The prior Recovery Time Objectives was one hour for critical operations and two days for non-critical operations. Crisis Communication Communication Infrastructure at Grand Office Park Both buildings are serviced by dual underground voice and data communication lines. Crisis communication hardware is modern and includes an intercom system in each building. Grand Office Park has a siren system to alert businesses of a tornado, hazardous release or other general threat. 250 Section V Case Studies Communication Equipment and Technologies Emergency team members can be alerted to a crisis simultaneously via cell phone. A voice mail system is in place for disseminating information to employees during non-working hours. The voice mail system hardware is safely located out-of-the-area and can be accessed and updated remotely. The voice mail system is handled by a subcontractor and the system is capable of handling a high volume of calls and there are many redundancies in place. Email can also be used for emergency communications and email servers are located at the data center with redundant email servers at the IT alternate site. AIS has an emergency webpage link on the home page of the company's website. Information here is acces- sible to all employees, investors and anyone who accesses the website. AIS also has a special website specifically dedicated to providing crisis information to employees. This special website provides detailed and sometimes confidential information about a crisis situation. Employees may also post information to the special website. All key management personnel have a PDA and there are six satellite phones that are secured in the data center in the Main Building and available for distribution in a crisis situation. AIS can also text message and instant message crisis information. Case Studies Case Study A-11: Alpha Investment Services (AIS) Crisis Communication Based on the Crisis Communication and other information previously provided in Case Study A, consider the following: A-11.1 Identify the major controls in place and rate as Excellent, Good, Fair or Poor the ability of AIS to conduct crisis communication to employees in following environments: A. At work. B. At employee homes. C. In transit or working at another location. D. Customers, clients, subcontractors and outside interests. A-11.2 Identify the major controls in place and rate as Excellent, Good, Fair or Poor the ability of AIS to conduct crisis communication to employees in following situations: A. Emergency warnings. B. During and after a crisis. A-11.3 In order to improve communications, what changes to existing systems or new systems would you recommend? Case Studies Support Departments and Operational Groups Operational Groups - capsule summary of responsibilities Asset Allocation Services research and analysis of asset allocations, reports, customer service and investor contact. Custom Research research and analysis, custom research projects, reports, customer service and investor contact. Equity Selection Services research and analysis of equity investments, reports, customer service and investor contact. Fixed Income Selection Services research and analysis of fixed income investments, reports, customer service and investor contact. Percent of Revenue Percent of Profits 15% 15% Operational Group Asset Allocation Services Custom Research Equity Selection Services Fixed Income Selection Services 40% 50% 30% 25% 15% 10% Suhhort Dan Support Departments - capsule summary of responsibilities Data Operations - data acquisition, data verification and data analysis. Facilities - maintenance of buildings, maintenance of building systems, environmental controls and utility services. Finance and Accounting - accounting, financial reporting, insurance services, external communi- cations and crisis communications, hardcopy publishing operations, legal issues and account management. Human Resources (HR) payroll, benefits and general workforce issues. Information Technology (IT) - support of technology services including data center operations, data center recovery, alternate site operations, communication technologies, critical data management of electronic information, information security, applications and communications systems. Sales and Marketing - management of the marketing program and direct sales. Security - building protection and threat monitoring. Interdependencies and Supply Chain Nearly all operational groups of AIS are completely dependent on computer systems and communication access. The goal of AIS is to provide quality service on a very timely basis and failure in the supply chain and process flow will quickly lengthen processing time to unacceptable levels. The following figure illustrates the supply chain: Building Environment Both buildings are two story buildings equipped with an automatic fire suppression system, fire alarms, security systems and adequate exits. Both buildings are of recent construction and meet all building codes. There is a dual conduit supplying electricity to both buildings and there is a generator to provide electricity during an extended electrical outage for the Main Building but not the Auxiliary Building. Power outages will shutdown virtually all activities in the Auxiliary Building but critical operations can be relocated to conference rooms in the Main Building. Most critical operations including IT are already supported from the Main Building. Building and Building Systems AIS essentially requires general office space that can support 125 people. Each operational group can function independently of one another. Building Contents and Equipment For the most part, there are no unusual building contents required for operations. The print shop has some expensive equipment but this equipment is insured and would not be that difficult to replace. Moreover, hardcopy reports are no longer considered to be critical to overall operations. Community Infrastructure Fire and Police Departments are located a short distance from Grand Office Park. All utility services such as wire communications, electric, natural gas, sewer and water are underground, relatively new and in good condition. External Dependencies Several other businesses provide important subcontractor services for facility operations. Most of these services can be secured from multiple providers. Regional Threats Man-made: There are no Major Airports, Dams or Nuclear Power Plants in the general area. Seismic: There are no significant seismic threats in the general area. Weather: Grand Office Park floods approximately once every 50 years. A significant snowfall of six to seven inches occurs approximately every other year. Ice storm events are very rare. Public services are well equipped to clear roadways resulting from typical snowfall events. Grand Office Park receives approximately 55 thunderstorms per year. The buildings are designed to withstand severe thunderstorm wind, rain and lightning strikes. lowa experiences approximately 31 tornadoes in an average year and a few of these tornadoes are of tornado force EF3, EF4 or EF5. EF3, EF4 and EF5 tornadoes will damage or destroy modern buildings. Security A very good security system is in place that includes perimeter sensors, cameras, access controls, swipe cards and a sophisticated security monitoring system. There is a security control room in the Main Building. Special security controls are in place for critical areas of each building. Unarmed security guards are present during working hours. During non-working hours, the buildings are monitored and periodic drive-bys are conducted by an outside security subcontractor. The entrance to Grand Office Park is gated and guarded 24/7/365. Supplies and Raw Materials Error Data Center Controls The data center is well located in an interior section of the Main Building. The data center is equipped with raised floors, fortified walls, a pre-action water based fire suppressant system along with other modern alarms and controls. The data center is monitored 24/7/365 and access to the data center is controlled by a swipe-card security system. Electrical surge protection and UPS units are provided for all critical computer and communication equipment. Most importantly, the data center has a backup electrical generator capable of running the entire data center and the dedicated air conditioning, heating and ventilation system. Data Center Recovery Data center hardware and hardware configuration is well documented. There is a contract with an outside service provider to rapidly replace damaged or destroyed equipment. Information Technology also utilizes the services of an outside consultant who can assist with the data center recovery. Information Management - Electronic Data All data files are backed-up daily and secured offsite weekly with quarterly backup files retained indefinitely. Data files are stored at a local bank vault located within the Grand Office Park. Software disks are stored inside the data center in a fire-resistant safe. Information Management - Hardcopy Data For AIS, nearly all hardcopy data has backup electronic data. For hardcopy data that are not created or otherwise secured by Information Technology, special precautions are taken. Critical hardcopy data are duplicated and secured with one copy located at each building. Information Security Security includes User ID numbers and complex passwords that must be changed regularly. Programs, data and files are all password protected. Firewalls are in place to prevent the introduction of outside viruses, intruders and hackers. Alpha Investment Services Case Study 24 Several years ago, written administrative controls were developed and approved by the Director of Information Technology. Among many other responsibilities, the Director of Information Technology is also responsible for information security. Revised Recovery Time Objectives AIS senior management wants to be fully prepared for major crisis events such as a flood and for other crisis events that only temporarily disrupt operations such as a severe winter storm. Senior management is in basic agreement with the analysis and goals presented in the RA and the BIA. However, senior management wants to ensure that data acquisition plus communications between senior management and with investors can be maintained without interruption. Senior management also believes that recovering all critical operations at 100% capability within one hour would require an extremely expensive BCM that is not realistic or cost-justified. The following Recovery Time Objectives have been established by senior management: Operations that must be maintained at all times: Data Operations - data acquisition. Information Technology - communication infrastructure. Facilities - environmental controls and utility services in the Main Building. Finance and Accounting - crisis communication. Security - facility protection and threat monitoring. We've updated our read aloud feature! Operations that must be recovered within one hour: All critical operations not listed above at 50% of normal capability. Operations that must be recovered within one day: All critical operations. All non-critical operations at 50% of normal capability. Operations that must be recovered within five days: All non-critical operations. The prior Recovery Time Objectives was one hour for critical operations and two days for non-critical operations. Crisis Communication Communication Infrastructure at Grand Office Park Both buildings are serviced by dual underground voice and data communication lines. Crisis communication hardware is modern and includes an intercom system in each building. Grand Office Park has a siren system to alert businesses of a tornado, hazardous release or other general threat. 250 Section V Case Studies Communication Equipment and Technologies Emergency team members can be alerted to a crisis simultaneously via cell phone. A voice mail system is in place for disseminating information to employees during non-working hours. The voice mail system hardware is safely located out-of-the-area and can be accessed and updated remotely. The voice mail system is handled by a subcontractor and the system is capable of handling a high volume of calls and there are many redundancies in place. Email can also be used for emergency communications and email servers are located at the data center with redundant email servers at the IT alternate site. AIS has an emergency webpage link on the home page of the company's website. Information here is acces- sible to all employees, investors and anyone who accesses the website. AIS also has a special website specifically dedicated to providing crisis information to employees. This special website provides detailed and sometimes confidential information about a crisis situation. Employees may also post information to the special website. All key management personnel have a PDA and there are six satellite phones that are secured in the data center in the Main Building and available for distribution in a crisis situation. AIS can also text message and instant message crisis information. Case Studies Case Study A-11: Alpha Investment Services (AIS) Crisis Communication Based on the Crisis Communication and other information previously provided in Case Study A, consider the following: A-11.1 Identify the major controls in place and rate as Excellent, Good, Fair or Poor the ability of AIS to conduct crisis communication to employees in following environments: A. At work. B. At employee homes. C. In transit or working at another location. D. Customers, clients, subcontractors and outside interests. A-11.2 Identify the major controls in place and rate as Excellent, Good, Fair or Poor the ability of AIS to conduct crisis communication to employees in following situations: A. Emergency warnings. B. During and after a crisis. A-11.3 In order to improve communications, what changes to existing systems or new systems would you recommend