
CentrexIT Business Continuity Plan - POL-0171 (BCP)

KB00041420
Mike Hicks Policy 1 min
Published v2

This is the Pzzle reference KB for centrexIT’s Business Continuity Plan. For the most up-to-date version, please reference the link below.

Note: The full policy, approvals, and version information can be found here.


In keeping with centrexIT’s commitment to providing the highest quality service to its customers, centrexIT (CIT or Company) is developing a comprehensive approach to preparing for possible disruptions to its critical business operations. This document summarizes the CIT Business Continuity Policy (Policy), and associated Standards, established to minimize the impact to critical business processes, respond to disruptive situations appropriately, and provide direction in restoring the essential business activities to normal operation as soon as possible.

CIT’s goal is to minimize the potential for disruption and decrease the effects of disruption on the Company’s infrastructure, operations, and customers. Due to CIT’s concern with providing uninterrupted quality customer service, the Policy outlines the critical internal business processes, critical technical applications and recovery efforts, and discusses the strategies to provide for the continuation of essential services.


The purpose of this Policy is to provide a summary of Business Continuity Planning at centrexIT, the scope of the plans that are in place, and a high-level view of the recovery strategy.


The Policy’s scope includes key contributors including the Executive Leadership Team, senior management, department managers, legal, facility services, and finance. The Policy is intended to address a broad range of potentially disruptive events to protect a wide range of constituent services. The Policy scope extends to all Company employees and Company business systems.


Policy Approval - The ELT is responsible for approving this policy,

Policy Adoption - The QA Manager is responsible for submitting the final approved policy to be adopted in Policy Scorecard,

Policy Enactment - The CEO is responsible for ensuring the BCP is published and active,

Policy Implementation - The ELT is responsible for planning, organizing, implementing and periodic testing,

Policy Publication - The QA Manager is responsible for ensuring any changes to the Policy or related Standards are current in Pzzle,

Policy Monitoring and Review - The QA Manager is responsible for monitoring and the annual review of this Policy and all referenced Standards,

Policy Maintenance and Improvement - The QA Manager along with the ELT is responsible for defining and implementing standards and processes that will improve this Policy based on Company needs.


CIT - centrexIT or Company

ELT - Executive Leadership Team

CEO - Chief Executive Officer


The purpose of this Policy is to provide a summary of Business Continuity Planning at the Company, the scope of the plans that are in place, and a high-level view of the recovery strategy.

Inclusions in this Policy, either existing or under future development:

  • Leadership decisions and direction so that the Company can appropriately manage and respond to business disruptions or potential business disruptions,
  • An assessment and identification of risks and impacts of critical business processes,
  • References to Disaster Recovery Standards and Procedures crafted to recover required electronic and hard copy data promptly,
  • References to Business Impact Analysis Standards and Procedures detailing the potential impact to the infrastructure and actions required to enable critical business processes to continue with minimal impact to Company’s customers,
  • References to Crisis Management and Executive Decision Standards to minimize and support the number of decisions made during the crisis,
  • Future: Standards to minimize dependency on any specific person(s) during the crisis,
  • Future: Standards to restore normal business operations once the disruptive event is resolved; and
  • Future: Standards to ensure the health and safety of the CIT employees.

The Policy oversight process is designed to minimize the potential impact of risks that businesses face. Like most companies, CIT is susceptible to five general areas of risk: loss of adequate staffing levels due to pandemic outbreak or other cause, loss of connectivity (including telecommunications and network), loss of facilities (including loss of utilities), loss of critical systems or data, and failure of critical third-party services. Within each area of risk, there are varying levels of potential loss that could result. Disruptions can cause financial loss, regulatory compliance issues, service level degradation and loss of reputation.

CIT is enforcing the following to reduce risk:

  • Alternate power supplies or generators in various Company facilities, if needed,
  • Access control to monitor and control access to the Company’s facilities,
  • The use of contracted recovery services to supplement in-house recovery resources, to support processing should an event occur; and
  • Procuring the use of remote replication technologies to enhance the availability and recoverability of systems and data to support critical business processes.

CIT’s Business Continuity Plan (BCP) is based on three basic scenarios. They are:

  1. Scenario One – “Systems are OK. No access to Building.”

The total loss of the Company’s primary location: the facility where critical work is performed is lost for eight weeks or greater, but other Company locations and business associates are unaffected.

CIT has implemented procedures to support a work from home environment. CIT can currently support 99% work from home. The Provisioning process can be performed from an alternate location and could be delayed.

Note: Need to finalize remote provisioning, since there is a dependency on a server located in the Poway office.

  2. Scenario Two – “Building is OK. No access to Systems.”

The loss of systems over the entire enterprise with limited exceptions. In cases where the loss of systems is isolated to a particular building location, recovery will be attempted on a case by case basis. Examples include networking hardware/software malfunctions or loss of LAN or network carriers.

CIT has redundant processes for key business processes including multiple VPNs, DNS failover, and call center and messaging systems. CIT also has backup and recovery processes that are geographically dispersed. The primary ITSM platform is also cloud-based with backup and recovery that can be shifted to another geographic location.

  3. Scenario Three – “Severe Staffing Shortage”

Any staffing shortages as a result of a regional or global Pandemic, Bio-Terrorism or similar event occurring simultaneously at any Company sites, to varying degrees of severity and for a period of two or more weeks.

CIT is working to identify key roles that would be required in order to maintain minimal operations. Those roles would be back-filled internally immediately.

The Policy and any referenced Standards are written to address the assumptions and risks they present to the Company and the Client.

This Policy includes related Standards that address specific activities required to support, repair, or communicate any internal or external business disruption:

  1. General Business Continuity for business units where CIT conducts critical business, including remote work;
  2. Disaster Back Up and Recovery Plans;
  3. Business Impact Analysis; and
  4. Crisis Management Plans for essential corporate functions.

An internal business disruption - significant or otherwise - could affect the Company’s ability to communicate and conduct business, such as a fire in the data center or a severe shortage of personnel.

An external business disruption - significant or otherwise - could limit or prevent access to technology, services and service providers, logistics and supply chains, or any other organization or process that is involved in usual business operations.

These business disruptions could include, but are not limited to, acts of nature, terrorist attacks, or a wide-scale or regional disruption. This also includes the shortage of personnel due to local, widespread, or regional health issues.

General Business Continuity Policy and Plans

The Company has plans, with emergency procedures, to minimize the impact on health and safety of employees, customer service, financial standing, and reputation. The Policy comprises three component plans designed to support and complement one another. These plans are the Crisis Management Plan (CMP), Business Continuity Plan (BCP), and Disaster Recovery Plan (DRP).

The purpose of Company’s Crisis Management Plan (CMP) is to ensure that protective actions are quickly implemented for the occupants of the buildings affected and to ensure activities such as damage mitigation, salvage, communications, and decision-making are initiated. The Crisis Management Plan invokes appropriate elements of the BCPs as required. The Crisis Management Plan directs the affected site and home office response and coordinates with others.

The purpose of the Company’s Business Continuity Plan (BCP) is to ensure impacted critical business areas receive the highest priority for recovering their function within established recovery time objectives. The BCPs contain team rosters, contact numbers, recovery strategies and alternate site resource requirements. They direct each business continuity team in the recovery of their most critical business processes.

The Disaster Recovery Plan (DRP) ensures that all critical IT infrastructure, systems, data, and networks are recovered commensurate with the plan’s objectives.

The Business Impact Analysis (BIA) predicts the consequences of a disruption to your business, and gathers information needed to develop recovery strategies.

The Company also maintains other plans and procedures which support this Business Continuity Policy and are designed to ensure appropriate security measures are taken in response to specific threats, ensure communications are clear and consistent, and ensure any environmental or safety concerns that emerge are addressed.

1. Crisis Management Plan (To Be Developed)

Establish a Crisis Management Team (CMT) to ensure leadership and decision-making during any potentially disruptive events.

The CMT’s primary directives are to:

  1. Rapidly assess situations, events and infrastructure issues (internal and external);
  2. Appropriately respond to events to minimize disruption and enable rapid recovery of critical business functions;
  3. Provide timely communications to Company’s employees, critical third parties, customers and the public; and
  4. Appropriately monitor and adjust to ongoing events and implement effective action.

The CMT comprises managers and staff from various areas of the Company, including field offices. The CMT has the responsibility, authority and sufficient breadth and depth of knowledge to advise all personnel on appropriate courses of action effectively. CMT members are chosen because they can effectively analyze available information; understand the potential impact of a disruption to business, its infrastructure, and its customers; and make timely problem-solving decisions. The CMT will gather at the pre-determined command center locations and begin their decision-making process after receiving notification of a potential threat.

Succession Plan:

The President of centrexIT provides leadership to the organization in the event of an emergency. The goal is to minimize disruption and continue to operate the business.

If the President is not available, the succession plan occurs in the following order:

  1. – CEO will assume decision-making authority. The CEO will work with the remaining executive leaders to determine how to proceed and will delegate authority and responsibilities as needed to maintain business operations. If the CEO is not available, or chooses to delegate authority,
  2. – President will assume decision-making authority. The President will work with the remaining executive leaders to determine how to proceed and will delegate authority and responsibilities as needed to maintain business operations. If the President is not available, or chooses to delegate authority,
    • Vice President of Technology will assume decision-making authority while working with the Directors. If the Vice President of Technology is not available, the Directors will determine how to proceed.
  3. – Directors will assemble and will work together and share decision-making authority. The Directors will delegate the authority and responsibilities needed to maintain business operations.

Specifically, this team is responsible for:

  • Ensuring the safety and welfare of employees;
  • Activation of appropriate response personnel;
  • Requesting assistance from local disaster authorities;
  • Coordinating the activities of personnel during a disaster;
  • Deciding when to enact or cease activation of the business continuity plans;
  • Serving as the central source for data and information about the event;
  • Making decisions about the Company’s response;
  • Coordinating communication responses to Customers, Plan Sponsors, Members, Provider Networks, Employees, Critical Third Parties, media, and the public;
  • Coordinating and communicating with all appropriate jurisdictional regulatory entities such as Insurance Departments;
  • Modifying member and plan sponsor policy as necessary for regional or national disasters;
  • Assessing the availability of staff and possible transportation needs;
  • Mobilizing support from all areas to assist in prompt recovery; and
  • Initiating facility recovery and re-entry process.

2. Business Continuity Plan (BCP)

The BCP protects CIT’s most critical business areas, is customized to the area of operation, and is subject to the CMP and DR.

In addition to the CMT, champions from each critical business area are responsible for creating and maintaining their BCP. In the event of a disaster, the business areas will provide information to the CMT, which may activate the continuity plans as appropriate. In the event a disaster is declared, the business unit continuity team will work under the general direction of the CMT to implement recovery procedures and restore business processes.

Business unit continuity teams are responsible for the following activities:

  1. Create and maintain a team to address the recovery procedure, with each member of the team holding current contact information for other members of the team;
  2. Establish communication and plan rollout training with team members;
  3. Execute recovery procedures upon an event manager’s request;
  4. Allocate work to other Company offices, if required;
  5. Select and transition critical staff to become temporary teleworkers;
  6. Expand processing capacity by engaging contingent workers, extended work hours and through invoking 3rd party contract provisions;
  7. Invoke Alternate Operating Models;
  8. Relocate to an alternate site, if required;
  9. Initiate workarounds, if required;
  10. Keep CMT informed of status and resource needs;
  11. Manage the restoration of the business once the recovery period ends; and
  12. Help maintain, update, test and continuously improve the BCP regularly under the guidance of Corp BCP Team.

Each BCP:

  1. Contains contact information for BCP Response Team members;
  2. Itemizes the equipment needs and special requirements of the business units to resume critical processes;
  3. Identifies an alternate site in which to relocate and requirements to make that site operational;
  4. Contains contact information for consultants and vendors that may be of assistance;
  5. Contains contact information for critical contacts within the company;
  6. Contains steps to retrieve business critical documentation;
  7. Includes critical data and voice communications requirements and a listing of all incoming and outgoing telephone numbers, specifics about their associated circuits, hours of operation and circuit type;
  8. Contains lists of technical hardware/software requirements needed for work groups to become operational at an alternate site;
  9. Documents critical computer applications and their associated priority for recovery;
  10. Identifies critical functions performed at the facility and lists job titles and phone numbers of employees;
  11. Documents required manuals, forms, and other critical documentation;
  12. Identifies any special operating procedures; and
  13. Contains a list of manual operating procedures, if needed.

CIT’s BCP strategy is to activate each BCP team within the affected office and coordinate their needs and priorities with the CMT and DR teams. The plans leverage the Company’s enterprise-wide resources and ensure priority is given to the appropriate group, applications, and resource needs.

After business is disrupted, efforts will be made to re-route customer service to other Company call centers, or a Voice Response Unit. Damage will be assessed and an initial Estimated Time for Recovery developed. Decisions will be made as to which recovery strategy to enact. Calls will be restored to the normal business units once employees are returned to the facility or relocated to an alternate site. Workarounds, re-allocation of work and work at home are all viable recovery strategies and will be considered and utilized as appropriate.

Third-party vendors such as imaging, mail or publishing vendors that support the Company’s critical processes are required to have their own BCP. Vendor plans are reviewed for their ability to meet individual unit recovery time objectives.

3. Disaster Recovery Plan (DRP)

The detailed DRP is found in a separate addendum policy.

The scope of this disaster recovery policy is all information technology systems, software, databases, applications and network resources needed by the company and its clients to conduct business.

It is the responsibility of the Operations Team to maintain, improve, and implement this DR Plan and all its supporting documents and processes.

Statement of Compliance

This policy is designed to be compliant with ISO/IEC 27031:2013 Information technology - Security Techniques - Guidelines for Information and Communication Technology Readiness for Business Continuity.

  1. The company shall develop comprehensive disaster recovery plans in accordance with good disaster recovery management practices as defined by the disaster recovery standard, ISO/IEC 27031:2013.
  2. Technology disaster recovery activities shall be performed as part of the company’s business continuity plan (BCP), which administers and manages the technology disaster recovery program which includes:
    • Planning and design of technology disaster recovery activities, which include technology disaster recovery plans
    • Identification of DR teams, defining their roles and responsibilities and ensuring they are properly trained and prepared to respond to an incident
    • Scheduling of updates to DR business impact analyses
    • Scheduling of updates to DR risk assessments
    • Planning and delivery of awareness and training activities for employees and DR team members
    • Planning and design of incident response activities
    • Planning and execution of DR plan exercises
    • Designing and implementing a DR program/plan maintenance activity to ensure that all plans are up to date and ready for use
    • Preparation for management review and auditing of DR plans
    • Planning and implementation of continuous improvement activities for the DR program and plans
  3. A formal risk assessment (RA) and business impact analysis (BIA) shall be undertaken to determine the requirements for all DR plans; RAs and BIAs shall be updated at least annually to ensure they are in alignment with the business and its technical requirements.
  4. Strategies for responding to specific technology incidents, as defined in the BIA and RA, shall be identified and used when developing individual DR plans.
  5. Disaster recovery plans shall address critical technology elements, including systems, networks, databases, and data, by principal business activities.
  6. Disaster recovery plans shall be periodically tested in a suitable environment to ensure that the systems, networks, databases, and other infrastructure elements can be recovered and returned to a business as usual (BAU) status in emergencies and that centrexIT management and employees understand how the plans are to be executed as well as their roles and responsibilities.
  7. All employees must be made aware of the disaster recovery program and plans and their roles and responsibilities during an incident.
  8. Technology disaster recovery plans and other documents are to be kept up to date and will reflect existing and changing circumstances.

4. Business Impact Analysis (BIA)

The detailed BIA is found in a separate addendum policy.

The purpose of the BIA is to identify and prioritize system components by correlating them to the mission/business process(es) the system supports and using this information to characterize the impact on the process(es) if the system were unavailable.

The BIA is composed of the following three steps:

  1. Determine mission/business processes and recovery criticality. Mission/business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum that an organization can tolerate while still maintaining the mission.
  2. Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business processes and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records.
  3. Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can more clearly be linked to critical mission/business processes. Priority levels can be established for sequencing recovery activities and resources.

5. Plan Maintenance and Testing

CIT’s Business Continuity Policy has an active simulation exercise, testing, and maintenance process designed to train team members and to capture gaps and changes to the business it is built to protect.

The Operations Department will review and update this disaster recovery policy on an annual basis. As changes to this policy are indicated in the course of business, the Operations Department may initiate a change management process to update this policy.

In addition, the policy will be reviewed during the annual Management Review meeting to confirm that all of the major plan components, from the up-front basic assumptions to the members of the business unit continuity teams, remain current.


centrexIT Core Policies are:

  • Quality Manual
  • Business Continuity Policy
  • Information Security Policy
  • Financial Policy
  • Employee Handbook

Additional Internal References: