BRAEMEG SACCO Society Limited
Disaster Management and Business Continuity Policy
i
ABBREVIATIONS
ATM - Automated Teller Machine
BCP - Business Continuity Plan
BOSA - Back Office Service Activity
CEO - Chief Executive Officer
CS - Co-operative Society
CDC - Centre for Disease Control
DNS - Domain Name Server
EFT - Electronic Funds Transfer
ICT - Information Communication Technology
IS - Information System
MSCA - Micro Savings and Credit Activity
SACCO - Savings and Credit Co-operative
UPS - Uninterruptible Power Supply
WPS - Wireless Priority Service
TABLE OF CONTENTS
ABBREVIATIONS ................................................................................... i
TABLE OF CONTENTS ............................................................................ ii
1.0 INTRODUCTION ............................................................................... 5
1.1 Distribution of the Plan ........................................................................................... 6
1.2 Risk Management..................................................................................................... 6
1.3 Business Impact Analysis ........................................................................................ 7
1.4 Business Continuity Teams ..................................................................................... 9
1.5 Assessing the Damage ........................................................................................... 10
1.6 Declaring a Disaster ............................................................................................... 10
1.7 Command Centre Team ......................................................................................... 10
1.8 Command Centre Locations .................................................................................. 11
1.9 Virtual Command Centre Information ................................................................. 11
1.10 Business Resumption Team Procedures ........................................................... 12
2.0 BUSINESS RECOVERY ...................................................................... 14
2.1 Overview ................................................................................................................. 14
2.2 Information System Business Continuity Preparations ..................................... 15
2.3 Backups ................................................................................................................... 15
2.4 Alternate Processing Sites ..................................................................................... 15
2.5 Recovering .............................................................................................................. 15
2.5.1 Recovering the Core Processing System .................................................... 15
2.5.2 Recovering Printers and PCs ..................................................................... 16
2.5.3 Recovering Software and Operating Systems ............................................ 16
2.5.4 Recovering the Website............................................................................. 17
2.5.5 Recovering the Intranet ............................................................................ 17
2.5.6 Recovering Server ..................................................................................... 17
2.5.7 Recovering Email ...................................................................................... 18
2.5.8 Recovering the Domain Controller ............................................................ 18
2.5.9 Recovering Server ..................................................................................... 18
2.5.10 Recovering ATM Network ....................................................................... 19
2.5.11 Recovering Web Filter ............................................................................. 19
2.5.12 Recovering Telephone System/Voicemail System ................................... 19
3.0 INFORMATION SYSTEMS SECURITY ................................................... 21
3.1 Introduction ........................................................................................................... 21
3.2. Scope ...................................................................................................................... 21
3.3 Prevention .............................................................................................................. 22
3.3.1 Access to Computer server room ............................................................. 22
3.3.2 Access to Computers ................................................................................ 22
3.3.3 Passwords ................................................................................................ 23
3.3.4 Power Back Up ......................................................................................... 23
3.3.5 Antivirus, Spy Wares Worm, Firewalls ..................................................... 24
3.3.6 Data and Information Security ................................................................. 24
3.3.7 Preventive Maintenance ........................................................................... 26
3.3.8 Hard Disk storage of the Computer Server ............................................... 26
3.4 Detection ................................................................................................................. 27
3.5 Deterrence .............................................................................................................. 27
3.6 Disaster Recovery .................................................................................................. 28
3.7 Correction Procedures .......................................................................................... 28
4.0 HUMAN RESOURCE AND ADMINISTRATIVE ISSUES .............................. 30
4.1 Employee Priorities ............................................................................................... 30
4.2 Reduced Workforce Considerations .................................................................... 30
4.3 Employee Call List .................................................................................................. 31
4.4 Management Succession ....................................................................................... 31
4.6 BRAEMEG SACCO’s Media Policy .......................................................................... 32
4.7 Local and Regional Authorities ............................................................................. 33
4.8 BRAEMEG SACCO Advocate Contact Information ............................................... 33
4.9 Insurance Coverage ............................................................................................... 33
4.10 Emergency Supplies ............................................................................................ 33
5.0 HUMAN CAUSED DISASTER ..............................................................35
5.1 Extortion ................................................................................................................. 35
5.1.1 Handling Extortion ................................................................................... 35
5.1.2 Employee Hostage Procedures ................................................................. 36
5.2 Robbery .................................................................................................................. 36
5.2.1 Precautions .............................................................................................. 36
5.2.2 During a Robbery: .................................................................................... 36
5.2.3 After Robber Exits: .................................................................................... 37
6.0 NATURAL DISASTER....................................................................... 40
6.1 Earthquake........................................................................................................... 40
6.1.1 Earthquake Preparedness ........................................................................ 40
6.2 Fire .......................................................................................................................... 41
6.2.1 During a fire: ............................................................................................. 41
6.2.2 Computer server room Emergency Procedures ....................................... 42
6.2.3 Fire Extinguishers .................................................................................... 43
6.3 Flood ....................................................................................................................... 43
6.4 Landslides ............................................................................................................... 44
6.5 Thunderstorm ........................................................................................................ 45
6.6 Droughts ................................................................................................................. 45
7.0 PANDEMIC .................................................................................... 46
7.1 Influenza ................................................................................................................. 46
7.2 Preparedness.......................................................................................................... 46
7.3 Terrorism ............................................................................................................... 47
7.4 Chemical Attacks .................................................................................................... 47
7.4.1 Different Types of Chemical Agents .......................................................... 48
7.4.2 Response to Chemical Attacks .................................................................. 48
7.4.3 Biological Threats .................................................................................... 48
7.4.4 Suspicious Unopened Letter ..................................................................... 49
7.4.5 Envelope with Powder and Powder Spills out onto Surface ..................... 49
7.4.6 Room Contamination by Aerosolization: .................................................. 50
7.4.7 Identifying Suspicious Packages and Letters ............................................. 51
8.0 TECHNOLOGICAL DISASTER .............................................................53
8.1 Introduction ........................................................................................................... 53
8.2 Computerized Information Systems Threats ...................................................... 53
8.2.1. Human Errors .......................................................................................... 53
8.2.2 Technical Errors ....................................................................................... 54
8.2.3 Deliberate Actions ..................................................................................... 55
8.2.4 Commercial Espionage .............................................................................. 55
8.2.5 Malicious Damage .................................................................................... 56
9.0 SECURITY AND SAFETY .................................................................... 57
9.1 Purpose ................................................................................................................... 57
9.2 Building and Ground Security ............................................................................... 57
9.3 Inside Building Security ........................................................................................ 58
9.4 Safety Precaution ................................................................................................... 58
9.5 Emergency Measures ............................................................................................. 58
9.6 Property, Plant, Furniture and Equipment Security ........................................... 59
9.7 Police Investigation ............................................................................................... 59
BOARD APPROVAL OF POLICY .............................................................. 59
APPENDIX ......................................................................................... 60
1.0 Damage Assessment Form .......................................................................... 60
2.0 Recovery Script ........................................................................................... 62
3.0 Services Impacted ....................................................................................... 63
4.0 ATM Information ........................................................................................ 64
1.0 INTRODUCTION
The main purpose for which BRAEMEG SACCO was registered is to improve the
economic well-being of her members. The Society operates a BOSA. In order to
continue offering more quality member-oriented services, the Board of the Society
shall implement the Disaster Management and Business Continuity Policy.
The core business of the society is to provide a savings avenue to members and
advancing loans to them. This is still the focus of the society. Diversification
opportunities will be looked into within the context of the core business. The
feeling of the society is that success will come from concentrating on this initial core
business.
Like any other institution, the growth of BRAEMEG SACCO has come with many
challenges, which include competition from other financial institutions. These have
helped re-define the Sacco’s destiny as reflected in its strategic plan.
Primary financial services include savings and loans. The heavy dependence of
BRAEMEG SACCO upon technology and automated systems creates a vital need for a
comprehensive business recovery plan. The possibilities for a disaster are endless
ranging from natural disasters to human error and destruction. Although most
disasters cannot be prevented, we can anticipate them and plan for recovery.
This policy outlines the arrangements and procedures which would be put into
effect following a disaster. It assumes partial destruction of any of our possible
branch offices of BRAEMEG SACCO; however, portions of the policy can be
implemented, as applicable, depending upon the actual circumstances. The Manual
affords only a temporary solution and does not attempt to cover minute details of
every conceivable situation. Its purpose is to set forth the basic information
necessary to set up temporary operations until further arrangements, based on
actual circumstances, can be made.
Each functional area is responsible for updating, maintaining, testing, and
communicating their respective portion of the plan on an ongoing basis. Changes to
this plan will be forwarded to the Human Resource Manager who will distribute the
revised Manual to every departmental area.
Each departmental head is expected to study and have an understanding of this
plan. They will review it periodically with their staff and keep a copy at their
residence. As new equipment is added to different departments, they need to keep
records of contacts, equipment and locations of equipment for future reference.
Additionally, this Business Continuity Policy must reflect any changes that might
occur within the department at the earliest opportunity. Staff meetings should be
held from time to time to go over this plan so that any questions that arise can be
answered. Management Staff will also review this plan in depth at least annually, at
which time refinements, changes and updates will be made as necessary.
1.1 Distribution of the Plan
Each departmental head will maintain a copy of the BCP (in paper format) in his/her
office as well as at his/her place of residence. This allows for quick response and
mobilization of staff in the event of a disaster. Additionally, an electronic copy of
the BCP is maintained on the network. Access to the document is restricted to an
as-needed basis.
Additional paper copies of the Business Continuity Policy are located off-site from
the main office (in BRAEMEG SACCO).
1.2 Risk Management
In accordance with the SACCO Regulatory guidelines, the management of the Society
must conduct a roundtable test of its Business Continuity Plan. It is believed this
method of testing is a fairly comprehensive way to review several events and
determine a plan of action.
The following Management staff and vendors shall be members of the Disaster
Management team and shall conduct regular roundtable sessions:

Area/Firm Represented | Person
C.E.O |
Finance Department |
Credit Department |
Marketing Department |
ICT Department |
Consulting Group |
1.3 Business Impact Analysis
The business continuity planning team has identified the following business
functions and resources as vital elements of normal operations, with related
timeframes for recovery.
Red = High Priority, Yellow = Medium Priority, Green = Low Priority:
Function/Resource | Timeframe for Recovery | Financial Impact
Computers | | High
Correspondent Accounts | 8 Hours | High
Debit Cards | 8 Hours | High
Network | 8 Hours | Medium
Telephone capability (telephone lines) | 8 Hours | Medium
Cash Delivery | 24 Hours | High
Core Processing | 24 Hours | High
Courier | 24 Hours | High
Firewall | 24 Hours | High
General Ledger | 24 Hours | High
Internet Access | 24 Hours | High
New Accounts | 24 Hours | High
Outgoing Cash Letter | 24 Hours | High
Power/Electricity (main office) | 24 Hours | High
Routers, hubs, switches | 24 Hours | High
Teller Operations | 24 Hours | High
CD origination (forms) | 24 Hours | Medium
Email | 24 Hours | Medium
Mail operations (overnight, DHL, FedEx, Securicor) | 24 Hours | Medium
Mortgage Processing | 24 Hours | Medium
Official Cheques | 24 Hours | Medium
Processing loan draws | 24 Hours | Medium
Security System (Branch) | 24 Hours | Medium
Telephone system | 24 Hours | Medium
Web Site | 24 Hours | Medium
Wire operations (incoming) | 24 Hours | Medium
Wire operations (outgoing) | 24 Hours | Medium
Posting Payroll | 24 Hours | Medium
Safe Deposit Boxes | 24 Hours | Medium
ATM (switch) | 48 Hours | High
Image Item Capture | 48 Hours | High
Copier | 48 Hours | Low
Fax | 48 Hours | Low
Mobile Banking | 48 Hours | High
Disbursing loan proceeds | 72 Hours | Medium
Loan origination (forms) | 72 Hours | Medium
Security System (main office) | 24 Hours | High
Electronic Bill Payment | 72 Hours | Low
Internet Banking (business) | 72 Hours | Low
ATM (hardware down, actual ATM) | 5 Days | High
Posting loan payments | 5 Days | Medium
Mail operations | 5 Days | Low
Document Imaging | 7 Days | Medium
PCs and printers | 7 Days | Medium
Cell Phones | 7 Days | Low
Image Statements | 7 Days | Low
Payroll | 2 Weeks | Medium
Report Archive | 2 Weeks | Low
Accounts Payable | 30 Days | Medium
Asset Liability Management | 30 Days | Medium
Email function | 30 Days | Low
The above timeframes represent the maximum estimated time that this service or
function could be unavailable without severely impacting the Society’s operation.
This exercise establishes a priority list that can be used to allocate resources during
recovery. Clearly, other services and functions exist at the Society; however, the
business continuity planning team has identified those listed above as the most
critical.
Preventative Measures
The best way to plan for a disaster is to employ measures designed to mitigate risk
and prevent disaster.
1.4 Business Continuity Teams
To ensure adequate representation from all areas of the Society, the Board of
Directors has appointed the following Disaster Assessment Team. The Human
Resource Manager /C.E.O will be responsible for notifying the members of the
Damage Assessment Team.
Title | Name | CONTACTS
C.E.O | |
Finance Manager | |
Loans Officer | |
Marketing Officer | |
ICT Manager | |
1.5 Assessing the Damage
i. Upon learning that a disaster has occurred, the C.E.O will contact all
members of the Damage Assessment Team, who will meet at the affected site. For
safety reasons, no one is to proceed with the assessment until a qualified
building safety inspector has deemed the structure safe to enter.
ii. Team members are to inspect the equipment and determine what needs to
be replaced and what can be repaired to attain skeletal operations. Items to be
inspected include, but are not limited to: alarm system, safe, phone and data
lines, PCs and printers, modems, routers, switches, office furnishings, forms and
general office supplies. See the Appendix for a sample Damage Assessment Form.
1.6 Declaring a Disaster
In the event of a disaster, the C.E.O is given authority to initiate and implement this
plan. In his absence the Accountant will activate the Business Continuity Plan.
1.7 Command Centre Team
All Departmental Managers will be contacted by the Human Resource
Manager/C.E.O to meet at the designated Command Centre, at which time staff
assignments will be reviewed and any additional instructions given. Contact
information shall be availed on a regular basis.
1.8 Command Centre Locations
The Command Centre Team will coordinate business continuity and business
resumption efforts from the Head office. Physical and virtual command Centres may
be utilized. Web-based resources, such as internet mail groups, secure message
boards, may be utilized as a tool of the virtual command Centre.
Primary:
Preference will be given to utilizing current space at the main office in Braemeg. In
the event the main office is unavailable, any branch location with analog phones and
available space will be considered. Most of the above listed staff have laptops
available to allow for remote computing.
Secondary:
In the event Braemeg SACCO decides to utilize a virtual command Centre (solely, or
in conjunction with a physical command Centre), a teleconference line will be
opened and maintained by Information System staff.
1.9 Virtual Command Centre Information
The following information will be used to set up a conference line for Braemeg
SACCO. IT staff will be responsible for opening the conference line and ensuring its
availability.
Communications
Select members of the Command Centre Team and supporting recovery teams shall
be provided with calling privileges. WPS (Wireless Priority Service) is restricted to
individual wireless/cellular telephones (cell phones). Cell phones must be
registered with the Service Provider and require a paid subscription to the wireless
telecommunications service providing wireless service to the cell phone.
1.10 Business Resumption Team Procedures
Recovery efforts have been distributed among several key personnel. They will lead
recovery efforts as outlined below.
Name | Area | Role | Details
| C.E.O | Notification of Membership | Immediately place a notification in all newspapers as to the length of the disaster and what steps are being taken to accommodate
| Administrative Secretary | Telephone Service | Contact Service Provider and have calls redirected to an alternate number.
| | Mail and Services | Contact staff to make arrangements for pick-up and delivery of mail and inter-office items. In-house staff will be used to function as couriers.
| Credit Manager | Lending Operation | A loan officer will be available for loan approvals.
| Finance Manager | Investments | The Finance Manager will be re-located to another location (his/her home, or another location) and will perform the following tasks: contact financial institutions and provide necessary contact information; track any transactions on a preprinted ledger form until such time as they can be recorded in the GL system; monthly, email a complete listing of investments on BRAEMEG SACCO; quarterly, email all financials (e.g., balance sheet, income statement) generated from the system. Physical copies will be stored at the accountant’s residence.
| ICT Manager | Forms | Electronic copies of all core processing forms are maintained on the network and on a USB device at the Society Data Centre in a fire-resistant cabinet. An extra copy of the USB is stored in the BRAEMEG Vault.
2.0 BUSINESS RECOVERY
2.1 Overview
BRAEMEG SACCO has taken several initiatives to ensure the Society is able to
provide continued services to its members. Technological preparedness is only part
of the plan. Non-technical elements, such as insurance coverage, succession plans,
and emergency supplies assist in developing a well-rounded business continuity
plan.
Because technology is being utilized, the Information Systems Department (IS) must
remain at the core of all disaster recovery procedures in every departmental area. It
is therefore necessary that all computer equipment be accounted for. Additionally, a
log of all phone lines, and data circuit IDs must be maintained for reference and
troubleshooting. Detailed inventories are available in the Appendix.
Critical functions have been identified and addressed with specific recovery steps
detailed below. Functionality will be restored, in most cases, according to the
Business Impact Analysis. In the event of hardware failure, replacements will be
obtained from vendors on an as-needed basis.
Restoring services would not be possible without data. Critical servers’ data is
backed up on a daily basis. Data is written to hard drives and to an off-site server at
the Society’s co-location facility. Tapes are moved off-site nightly.
The website, www.braemegsacco.co.ke, is to be hosted internally by the Society.
Backup images are maintained in multiple locations in the event the website must
be hosted elsewhere. A simple DNS redirect would be required to route traffic to the
new location.
Card services (debit and credit card transactions) are processed in-house via
Payment Systems for Society’s. In the event normal processing cannot be completed,
Payment Systems will provide space in their office for BRAEMEG SACCO employees
to work. Also, the Society is in the process of building a relationship (a reciprocal
agreement) with another Society in the area to run dual systems temporarily if
needed.
Other ancillary systems have been detailed in the following sections.
2.2 Information System Business Continuity Preparations
Co-Location Facility
A secure co-location facility shall be set up for disaster recovery and business
continuity, which provides a secure environment to house critical data.
BRAEMEG SACCO UPS Systems
Three Uninterruptible Power Supply (UPS) systems are to be installed at the
BRAEMEG SACCO Data Centre.
2.3 Backups
Network servers
Internet/intranet web servers
2.4 Alternate Processing Sites
The following sites have been designated as alternate locations for processing.
Administration (Accounting, Finance, Executive Staff, Wires, etc.) will
relocate to available branch or other designated remote location.
Information Systems will relocate to the BRAEMEG SACCO Data Centre.
Branch operations will move to any other available branch.
Office (Call Centre) will relocate to available branch.
The Service Provider will reroute the hunt group number to another branch.
2.5 Recovering
2.5.1 Recovering the Core Processing System
Mainframe System
Determine the condition of the unit. Contact Service Provider.
Obtain the most recent offline backups, transaction logging and system tapes,
which are stored in a fire-resistant cabinet in the BRAEMEG SACCO Data
Centre. Proceed to reload the files.
Machine replacement turn-around time – For mission critical solutions that
cannot accept the potential days of down time, Service Provider offers on-site
Repair or 24x7 same day service.
Credit Retrieval System—works with existing system. Service Provider
would have to reconfigure a replacement message server. Any PC can be
utilized for this. In the meantime we can access software online to pull credit
manually.
Audio Response Unit (ARU): contact the Service Provider for a replacement unit.
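To show what the "reload the files" step of 2.5.1 involves when the most recent offline backup is combined with transaction logging, here is an added Python example. It is not part of the Society's policy or of any vendor's core processing software, and it assumes a hypothetical journal format: one JSON record per line carrying a truncated SHA-256 checksum, plus an ISO-8601 timestamp on the snapshot so that records already captured in the backup are skipped. Replay halts at the first damaged, truncated or out-of-sequence record instead of applying whatever follows, which is what a recovery team needs: a restored ledger that is consistent up to a known point, with that point reported.

```python
"""Point-in-time restore from an offline backup plus a transaction log.
Added example; the snapshot and journal format are assumptions, not the
Society's actual core processing system."""
import hashlib
import json

# Constructed offline backup (the "most recent offline backup" of 2.5.1):
# balances as they stood when the backup was taken.
SNAPSHOT = {
    "taken_at": "2024-05-01T18:00:00",
    "balances": {"A001": 10000, "A002": 2500},
}


def _digest(payload):
    """Truncated SHA-256 used as a per-record integrity check (hypothetical format)."""
    return hashlib.sha256(payload.encode()).hexdigest()[:16]


def make_log_line(seq, account, delta, ts):
    """Write one journal record: JSON payload, a '|' separator, then its digest."""
    payload = json.dumps({"seq": seq, "acct": account, "delta": delta, "ts": ts},
                         sort_keys=True)
    return payload + "|" + _digest(payload)


def parse_log_line(line):
    """Return the record dict, or None when the digest or the JSON does not check out."""
    payload, sep, digest = line.rpartition("|")
    if not sep or _digest(payload) != digest:
        return None
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return None


def replay_log(snapshot, log_lines):
    """Apply journal records newer than the snapshot, in strict sequence order.
    Stops at the first corrupt, truncated or out-of-order record and reports
    where it stopped, so the result is consistent up to a known point."""
    balances = dict(snapshot["balances"])
    cutoff = snapshot["taken_at"]       # ISO-8601 strings compare chronologically
    last_seq = 0
    applied = 0
    halted = None
    for n, line in enumerate(log_lines, start=1):
        rec = parse_log_line(line)
        if rec is None:
            halted = "line %d: checksum or format failure" % n
            break
        if rec["seq"] != last_seq + 1:
            halted = "line %d: sequence gap (expected %d, got %d)" % (n, last_seq + 1, rec["seq"])
            break
        last_seq = rec["seq"]
        if rec["ts"] <= cutoff:
            continue                    # already reflected in the snapshot
        balances[rec["acct"]] = balances.get(rec["acct"], 0) + rec["delta"]
        applied += 1
    return {"balances": balances, "applied": applied, "last_seq": last_seq, "halted": halted}


# Constructed journal: record 1 predates the snapshot, record 4 was altered
# after its digest was computed (its amount changed), so record 5 is never
# applied.
LOG = [
    make_log_line(1, "A001", 1000, "2024-05-01T17:30:00"),
    make_log_line(2, "A001", 500, "2024-05-01T18:05:00"),
    make_log_line(3, "A002", -300, "2024-05-01T18:20:00"),
    make_log_line(4, "A002", 9000, "2024-05-01T18:30:00").replace("9000", "90000"),
    make_log_line(5, "A001", 100, "2024-05-01T18:45:00"),
]

if __name__ == "__main__":
    print(replay_log(SNAPSHOT, LOG))
```

Run as a script it prints the reconstructed balances, how many records were applied, the last good sequence number and where replay stopped; the constructed journal deliberately contains a tampered fourth record so the halt path is exercised. The same shape applies to a real system: the snapshot is the tape reload, the journal is the transaction log, and the halt point is what gets reconciled against the preprinted ledger forms kept during the outage.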
2.5.2 Recovering Printers and PCs
Determine the utility of the printers and PCs. Order necessary parts from Service
provider of computers or printers or routers:
a) ID Scanner
b) Signature Pad
c) Receipt Printer
d) Cheque Printer
e) Network Printer
Acquire spare PCs and printers from other branches to attain skeletal operations.
2.5.3 Recovering Software and Operating Systems
The IS Department possesses all the necessary software for all PCs. Software
is distributed between the locations of BRAEMEG SACCO in branch locations
and kept in fire-resistant cabinets. Additional software is also kept in the
miscellaneous drive on our network and a backup copy stored in a portable
drive kept at the BRAEMEG SACCO Data Centre.
Information System staff will assess the damaged PC hardware and salvage
as much as possible.
2.5.4 Recovering the Website
The web site server is located in our Data Centre at our Society offices. The server
runs the Microsoft Windows operating system and is continuously patched. All non-
essential applications and ports are shut down for security purposes.
Hardware/Software Failure – In the event that there is an unrecoverable
hardware/software failure a new server can quickly be built and put in the place of
the existing server. The web site is currently backed up and kept on two separate
systems that would allow for quick recovery. Backup images are also stored nightly
to a storage server located at our Service Provider facility.
Internet Connection Failure - In the event that the Internet connection is down for
an extended period of time we can move our web site to another hosting provider.
BRAEMEG SACCO has contacts with various web-hosting companies that can easily
support our web site in the event of an extended Internet connection failure.
2.5.5 Recovering the Intranet
Currently the Intranet server is located in the Society Data Room. The server runs
the Windows operating system and is patched on a regular basis. All non-essential
applications and ports are shut down for security purposes.
The intranet application is scheduled currently to back up on a daily basis to our
Domain Controller. The Domain Controller is backed up daily. It is also being
backed-up to our secured co-location nightly.
2.5.6 Recovering Server
Currently the Server is located in the Society Data Room. The server runs the
Windows operating system and is patched on a regular basis. All non-essential
applications and ports are shut down for security purposes.
The application server is scheduled to be backed up on a daily basis. This daily tape
is then taken off site nightly to a fire-resistant cabinet at the Society. Backup images
are also stored nightly to a storage server located at our Service Provider. The
Server can be rerouted within 30 minutes of a disaster. In the event of a
hardware/software system failure the application software can be loaded and the
tape restored to one of our other Windows servers.
2.5.7 Recovering Email
Currently the email server is located in our BRAEMEG SACCO Data Centre. The
server runs the Windows operating system and is continually patched. All
non-essential applications and ports are shut down for security purposes. The email
application server is scheduled to be backed up to tape on a daily basis. This daily
tape is then taken off site nightly.
2.5.8 Recovering the Domain Controller
Currently the domain controller is located in our Data Room. The server runs a
Microsoft Windows 2010 operating system. All non-essential services are shut down
for security purposes. There is no outside connectivity to this server.
The Microsoft server is scheduled to be backed up to tape on a daily basis. This
daily tape is then taken off site daily to a fire-resistant safe at the Society. In the
event of a hardware/software system failure, all data can be restored to a like
Microsoft system.
The Microsoft server primarily houses spreadsheet and word-processing documents
needed by the Society; no application software runs on the domain controller. As a
secondary backup to the tape system, files from the Microsoft server are copied to
the Backup server located at the co-location for immediate access in the event of a
Microsoft system failure.
2.5.9 Recovering Server
The server is located in the Society Server Room. If the server goes down, software
automatically reroutes documents to be saved to another drive on the server or to the
individual PC. Contact the Service Provider for support or replacement.
2.5.10 Recovering ATM Network
This is controlled by the Network Provider. If the network goes down, the Network
Provider will stand in with a specified amount until the system is restored.
2.5.11 Recovering Web Filter
The Society shall remove the web filter's connection from the network and put the
cables back in their appropriate locations.
2.5.12 Recovering Telephone System/Voicemail System
Call the Service Provider for replacement or repair.
Contact List and Important Information – Information Systems
Vendor                                  Name of Person      Email      Telephone/Cell Phone
Core Banking System Vendor
External Backup Storage
Other Support Systems
Business Repair
Telephone Company
Air Conditioning and Heating
Software
Data Mail Services
Micro Image
Network
Customer Care
Print Solutions
Communication Provider
Financial Services
Power – Exposed Power Lines
Server
Data Solutions
3.0 INFORMATION SYSTEMS SECURITY
3.1 Introduction
Security is the protection of data from accidental or deliberate threats, which might
cause unauthorised modification, disclosure, or destruction of data, and the
protection of the Information System from the degradation or non-availability of
services. The Society shall ensure that IS services are protected from any
identifiable threat.
3.2 Scope
A breach of security can be accidental or deliberate. Threats can be caused by the
Information System itself (e.g. a component malfunction, a bug in the software,
people) or by natural disasters. Security covers a wide managerial scope which
includes technical issues related to the computer system, psychological and
behavioural factors in the Society and its employees, and protection against the
unpredictable occurrences of the natural world. Human errors or omissions can be
just as dangerous as deliberate acts.
The Policy shall therefore cover the following:
a) Prevention
b) Detection
c) Deterrence
d) Recovery Procedures
e) Correction
f) Threats to Computerised Systems
g) Data and System Integrity
h) Documentation standards
i) Purchasing controls
j) Software Piracy and Licensing
3.3 Prevention
This shall require the Society to take measures to prevent any of the threats to the
computer system from occurring. While in reality it is impossible to prevent all
threats cost-effectively, the Society shall take all reasonable measures towards such
prevention.
3.3.1 Access to Computer server room
The computer server room shall be out of bounds; access shall be limited to
authorised personnel, namely:
a) The Chief Executive Officer
b) ICT Manager who shall have the relevant qualification to head the
Department
c) Data Entry Personnel
d) Computer system support personnel
e) Cleaning staff personnel
f) Other persons as authorised by the Chief Executive Officer or the Systems
Administrator.
The following should not be allowed in the computer server room:
a) Members
b) Representatives
c) Visitors
The Computer server room should always be under lock and key unless the
Computer server room personnel are present.
3.3.2 Access to Computers
a) Each user shall be given access rights to computers by the ICT Manager
through user passwords to access computers and the network.
b) Users shall ensure they log out of the computer or network when they are
not working.
c) Users shall protect their computers and their work through the use of
password-protected screen savers, with an idle time not exceeding 10 minutes.
d) The ICT Manager shall deny access to the server for all users on Sundays
except where special arrangements have been made in consultation with the
Chief Executive Officer.
3.3.3 Passwords
a) Passwords are security codes that are known only to the users who have
been assigned them to gain access to a computer or a software application with
their unique identification.
b) Users should not reveal their passwords to anyone, including the ICT
Manager.
c) Where a user's password has been revealed to a second party, the user shall be
held fully responsible for any system and data changes carried out using his or
her user name or code.
d) Users should change their passwords regularly, and especially where the
password has been revealed to a second party. A password shall become
inactive after a period of three months.
e) The passwords and login names of all staff who have left the Society shall
be deleted.
3.3.4 Power Back Up
a) Electricity blackouts and power surges can affect the operation of the
computer system, corrupt data, cause equipment failure, etc.
b) The Society shall ensure there is a consistent supply of power to the machines
through the use of UPS units, power inverters, generators, etc.
c) The power backup systems shall be serviced regularly to ensure that they
are in good working condition.
3.3.5 Antivirus, Spyware, Worms, Firewalls
a) The Society shall purchase up-to-date antivirus and anti-spyware software
to safeguard against virus and spyware infection.
b) All external electronic storage media shall be scanned before being used in
any of the Society's computers.
c) Firewalls shall be installed to filter any unwanted data coming through the
network, i.e. the Internet and any other dedicated link(s).
3.3.6 Data and Information Security
a) The data and information security policy shall refer to the procedures, processes
and mechanisms to be followed in ensuring the integrity, reliability, resilience
and availability of data and information within the Society.
b) An adequate and comprehensive backup and recovery plan shall be in place to
ensure business continuity in case of a disaster. This plan shall be tested and
reviewed frequently to ensure that it remains relevant and applicable with
changing times.
c) No external data storage medium (e.g. diskettes, CDs, flash memory) shall be
used on any Society computer unless authorised by the IT section. The
issuance and distribution of such media shall be made by the IT section.
d) No user is allowed to copy any data and/or software from the Society's
premises without authority.
e) Adequate controls, checks, audits and logs shall be kept by systems to
enhance recovery of data.
f) Procedures shall be in place to ensure that the system rights and privileges of
employees who leave the Society are immediately removed.
g) All computers shall be connected to Uninterruptible Power Supply (UPS) units
to protect them against power surges and outages.
h) Sensitive data that is transmitted outside the Society's intranet via public
networks shall be encrypted to enhance security.
i) The Society shall use Data Control accounts in posting all members' personal
accounts, and these shall be reconciled daily by the staff in charge of
these accounts.
j) Where a remittance has been received from an Employer, the data must be posted
to control accounts.
k) Data posted to control accounts must be cleared within a day and, where
members are many, should not exceed 5 working days.
l) Users should save most of their office documents on their personal computers
in a folder named 'My Documents'. Sub-folders within 'My Documents' are
encouraged to ensure ease of managing personal data and information files.
m) Users should determine what is critical among their office documents and
liaise with the ICT Manager for external data backup.
n) The ICT Manager shall ensure regular data backups are taken, both internally
and externally, of the Society's critical application, namely CMIS, at all the
Society's office premises.
o) Backups of the critical application shall be taken at least once daily
and as frequently as the need arises.
p) External data backups of the critical application shall be taken at least once
every five days and shall be stored in a remote place outside the premises in
which they were taken.
q) The critical application requires file indexing of the database, otherwise known
as 'Housekeeping'. The ICT Manager shall ensure Housekeeping is done at least
once per day or as the need arises.
r) The ICT Manager shall ensure that a data backup of the database is taken
before performing 'Housekeeping' procedures.
s) No user should be logged into the system while data backup and housekeeping
are being carried out.
t) Copies of anti-virus software shall be kept by the IT section and any requests
and/or updates as pertains to virus-related queries should be directed to the
section. All external media shall be handed over to the IT section for virus
scanning to certify that they are safe for use in the network
3.3.7 Preventive Maintenance
a) The Society shall carry out regular preventive maintenance of computer
hardware not less than four times a year.
b) During preventive maintenance, cleaning and dusting of equipment shall be
done. Users, in consultation with the ICT Manager, should report any
problems experienced to the computer consultants carrying out the exercise.
c) The computer consultants carrying out the preventive maintenance shall be
drawn from among those short-listed by the Society.
d) A detailed report shall be prepared by the computer consultants at the
conclusion of the exercise to deal with any equipment failure and
hardware/software problems.
e) The ICT Manager shall be required to act on the recommendations of the
report accordingly and advise the Chief Executive Officer on the action to be
taken.
f) The Society may outsource the services of a consultant for the maintenance
and repair of the computers.
3.3.8 Hard Disk storage of the Computer Server
a) The hard disk is the main storage for all critical data and programs. It is
therefore necessary to ensure there is sufficient working space to prevent
any errors that may lead to data loss.
b) Avoid saving office application documents on the main server.
c) Take regular external data backups using reliable mass storage media.
d) Regularly delete old files that are no longer in use.
3.4 Detection
Detection is being made aware that there is, or was, an attempted breach of security.
Techniques for detection may be combined with prevention techniques. The Society
shall take such measures and employ such techniques as shall detect security
threats:
a) The use of antivirus and anti-spyware software.
b) Maintenance of system logs of unauthorised attempts to gain access to a
computer system.
c) Regular monitoring of the amount of free disk space.
d) Monitoring the use of control accounts to ensure data is posted to the correct
accounts.
e) Control accounts that have not been cleared for more than 10 days shall be
subjected to investigation and action taken.
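The detection controls listed above (system logs of unauthorised access attempts, free disk space, control accounts not cleared within 10 days) and the account-hygiene rules in 3.3.3 (passwords inactive after three months, deletion of leavers' logins) can all be expressed as routine automated checks that the ICT Manager runs and reviews. The following Python script is an added example written for this page; it is not part of the Society's policy or of any system it names. The log line format, the field names, the 5-failure and 15% free-space thresholds, and every sample record are constructed assumptions; the 90-day and 10-day limits come from the policy text.

```python
"""Routine checks for the controls in sections 3.3.3 and 3.4 (added example).

All sample data is constructed for illustration. The log format
'<date> <time> LOGON_FAILURE user=<name> src=<ip>' is an assumption, not the
format of any real product.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date

# --- 3.3.3 (d)/(e) and 3.3.6 (f): password ageing and leavers ----------------
PASSWORD_MAX_AGE_DAYS = 90  # "inactive after a period of three months"


@dataclass(frozen=True)
class Account:
    username: str
    password_set: date
    left_society: bool = False


def accounts_to_disable(accounts, today):
    """Return (username, reason) pairs the policy says must be acted on:
    leavers are removed immediately; passwords older than 90 days go inactive."""
    findings = []
    for acct in accounts:
        if acct.left_society:
            findings.append((acct.username, "staff member has left; delete login"))
        elif (today - acct.password_set).days > PASSWORD_MAX_AGE_DAYS:
            findings.append((acct.username, "password older than three months"))
    return findings


# --- 3.4 (b): unauthorised access attempts in the system log -----------------
FAILED_LOGON_THRESHOLD = 5  # assumed alerting threshold, not from the policy


def failed_logons_by_user(log_lines):
    """Count LOGON_FAILURE events per user name in the constructed log format."""
    counts = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "LOGON_FAILURE":
            kv = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
            counts[kv.get("user", "?")] += 1
    return counts


def suspicious_users(log_lines, threshold=FAILED_LOGON_THRESHOLD):
    """User names whose failed-logon count reaches the threshold, for review."""
    return sorted(u for u, n in failed_logons_by_user(log_lines).items() if n >= threshold)


# --- 3.4 (c): free disk space on the server -----------------------------------
def low_disk_volumes(volumes, min_free_pct=15.0):
    """volumes: {name: (free_bytes, total_bytes)}. Flags volumes whose free
    space is below min_free_pct (an assumed operating threshold)."""
    return sorted(
        name for name, (free, total) in volumes.items()
        if total > 0 and 100.0 * free / total < min_free_pct
    )


# --- 3.4 (e): control accounts not cleared within 10 days ---------------------
CONTROL_ACCOUNT_MAX_OPEN_DAYS = 10


def overdue_control_entries(entries, today):
    """entries: iterable of (account, posted_on, balance). Any non-zero balance
    older than 10 days is returned as (account, days_open, balance)."""
    return [
        (account, (today - posted).days, balance)
        for account, posted, balance in entries
        if balance != 0 and (today - posted).days > CONTROL_ACCOUNT_MAX_OPEN_DAYS
    ]


# --- constructed sample data ---------------------------------------------------
TODAY = date(2024, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("jdoe", date(2024, 2, 1)),
    Account("amwangi", date(2023, 11, 15)),
    Account("pkamau", date(2024, 3, 1), left_society=True),
]
SAMPLE_LOG = [
    "2024-03-30 08:01:12 LOGON_FAILURE user=jdoe src=10.0.0.21",
    "2024-03-30 08:01:15 LOGON_FAILURE user=jdoe src=10.0.0.21",
    "2024-03-30 08:02:01 LOGON_SUCCESS user=jdoe src=10.0.0.21",
    *[f"2024-03-30 23:{m:02d}:00 LOGON_FAILURE user=administrator src=10.0.0.77"
      for m in range(6)],
]
SAMPLE_VOLUMES = {"C:": (60 * 10**9, 120 * 10**9), "D:": (20 * 10**9, 500 * 10**9)}
SAMPLE_CONTROL = [
    ("CTRL-EMPLOYER-A", date(2024, 3, 29), 0),
    ("CTRL-EMPLOYER-B", date(2024, 3, 15), 125_000),
    ("CTRL-EMPLOYER-C", date(2024, 3, 25), 4_000),
]

if __name__ == "__main__":
    print("disable:", accounts_to_disable(SAMPLE_ACCOUNTS, TODAY))
    print("failed logons:", suspicious_users(SAMPLE_LOG))
    print("low disk:", low_disk_volumes(SAMPLE_VOLUMES))
    print("overdue control:", overdue_control_entries(SAMPLE_CONTROL, TODAY))
```

Each function returns its findings rather than printing them, so the same checks can feed a daily report to the ICT Manager or be asserted in a test; the thresholds are module constants so the Society can tune the assumed ones without touching the logic.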
3.5 Deterrence
Deterrence is a measure that is undertaken to discourage the possibility of a breach
of security.
The Society shall take all meaningful and cost-effective measures to implement
deterrence:
a) Lock the computer server room to ensure access is only during regulated
working hours.
b) Take disciplinary action against staff who leave their computers on after working
hours.
c) Take disciplinary action against staff members who leave computers and software
applications while logged on.
d) Severe disciplinary action shall be taken against staff involved in computer
fraud.
3.6 Disaster Recovery
The measures to be taken shall depend on the nature and extent of the disaster, and
it shall be the responsibility of the ICT Manager to ensure that recovery strategies
are in place and implemented:
a) Evaluate the nature and extent of the disaster, taking immediate action on
whatever is within the ICT Manager's means.
b) Inform the Chief Executive Officer of the nature and extent of the disaster,
making the relevant recommendations where necessary.
c) Restore the most recent data backup taken before the system crash.
d) Advise the users on the data to be re-keyed since the last backup was taken.
e) Set up another machine as the server for the main database.
f) Consult with the Chairman and the Chief Executive Officer to purchase new
machines or software, or to carry out repairs, with immediate effect, and
seek ratification from the Board during the normal scheduled meeting.
g) Contact any of the short-listed suppliers for the supply and installation of new
machines or the repair and maintenance of the equipment concerned.
h) Run the current antivirus or anti-spyware software available.
i) Transfer data to another machine and then format (wipe) the hard disk of
the affected machine. Install the operating system and other relevant
software.
3.7 Correction Procedures
Correction procedures are those carried out to make right what had gone wrong.
Not everything that went wrong can be corrected.
The Society shall put corrective measures in place to ensure that correction is done
immediately:
a) An operating system that has crashed or become corrupted shall be re-installed.
b) Data that has been posted to the wrong account shall be reversed
immediately and then posted to the correct account.
c) Control accounts in the database should always have zero balances. Any
amounts that remain in the control accounts shall be thoroughly
investigated and appropriate action taken against the staff concerned.
4.0 HUMAN RESOURCE AND ADMINISTRATIVE ISSUES
4.1 Employee Priorities
BRAEMEG SACCO Management realizes that, in some disasters, employees will be
unable to assist in the Society’s recovery efforts until personal issues are resolved.
For this reason, Society management suggests that Society employees follow these
priorities:
i. Call the Society’s emergency phone number and advise the Emergency
Coordinator of your location, safety, phone number, issues that you must
resolve, estimated time to resolve these issues, and other pertinent
information.
ii. Locate loved ones and determine their safety and condition. If local
telephone links are unavailable, establish a third-party relay with a friend or
relative whose contact is in another geographical region. Sometimes calls
cannot be made within the same area code, but outgoing calls can be made
and incoming calls can be received. It will be each employee’s responsibility
to establish this “third party relay.”
iii. Ascertain the condition of homes, travel routes and utilities and report to
work when it is safe to do so, and when you are prepared to assist in disaster
recovery efforts.
4.2 Reduced Workforce Considerations
From a disaster recovery standpoint, one of the advantages of our operation is the
fact that our employees “wear many hats” and are cross-trained in many different
jobs. This will prepare us to work with fewer people should a disaster occur and
employees suffer injuries or possibly lose their lives.
Each department manager will be responsible for adequate cross-training within his
or her department.
4.3 Employee Call List
See the Employee Call Roster within the BRAEMEG SACCO Policy and Procedures
Manual.
Management Staff
Position Name Tel
C.E.O
Accountant
Accounts Assistant
Internal Auditor
Marketing Manager
Human Resource Manager
Executive Secretary
4.4 Management Succession
In the event a critical role within the Society becomes unavailable for an extended
period of time, the most recent Organizational Chart on file with the Human
Resources Department will be used for determining succession of those key roles.
The Board of Directors may provide oversight as deemed necessary.
The C.E.O shall be responsible for public relations following a disaster event and
will immediately prepare and issue news releases regarding the situation to radio,
newspaper, and television media. It is extremely important that the Society's
members and employees be made aware of the disaster and be given sufficient
information and assurance, on a continuous basis, to prevent them from losing faith
in the Society. Available Society locations must be emphasized and temporary
telephone numbers must be publicized.
It must be emphasized that only the Chairman and the Chief Executive Officer, or their
designee, have the authority to communicate to the public regarding a disaster event.
All personnel are to refer media questions to the CEO and should refrain from
answering such questions; this will help to eliminate inconsistent statements
regarding the disaster event.
Do's and Don'ts of Media Relations
DO:
Give all media equal access to information.
Give local and national media equal time.
Try to observe media deadlines.
Escort media representatives to ensure safety.
Keep records of information released.
Provide press releases when possible.
DON'T:
Speculate about the incident.
Allow unauthorized personnel to release information.
Cover up facts or mislead the media.
Place blame for the incident.
4.6 BRAEMEG SACCO’s Media Policy
The Society maintains a Communications and Social Media Policy that is regularly
communicated to employees, staff, and contractors.
Employees shall not make statements of any kind to any member of the media no
matter how insignificant the comment or event may appear. This includes
statements that are “off the record.” If any member of staff is contacted by a
reporter, they shall refer them immediately to the Marketing Manager. If s/he is not
available, and the situation seems to require an immediate response, the call may be
referred to the Customer Care Officer.
4.7 Local and Regional Authorities
All areas served by BRAEMEG SACCO have Police 999 services available. Dialling
999 will put staff into contact with the appropriate emergency services based on the
location from which they are calling:
Location                                    Police      Fire      Ambulance

General Authorities and Suppliers           Phone
Police Station
Health Department
Electricity Supply
Water Supply
Poison Control and Toxic Chemicals Centre
Disaster Management
Highway Patrol
Local Authority
4.8 BRAEMEG SACCO Advocate Contact Information
< >
4.9 Insurance Coverage
All of Society’s Insurance Policies are accessible through the main contact number.
4.10 Emergency Supplies
Pandemic kit with instructions issued by the board.
2 to 4 Flashlights per branch depending on size of branch and employees.
First Aid kit fully stocked.
Battery operated calculator.
Water
Batteries
Sanitizer Spray
Tissues
New Membership Applications
Credit Card Applications
All Emergency supplies will be kept in a location that all staff will have access to in
case of an emergency.
5.0 HUMAN CAUSED DISASTER
5.1 Extortion
Extortion is the act of obtaining money by force or undue illegal power over the
victim. In financial services, extortion is usually in the form of a threat by phone to
kill or do bodily harm to a family member if the employee does not provide the
extortionist with a large amount of the Society’s funds. If an extortion attempt is
made, immediately notify an executive officer of the Society and the Police.
A criminal may attempt to extort funds by kidnapping an employee or a member of
an employee’s family from the employee’s home. Employees should protect
themselves and family members by using a home security device such as a
monitored alarm and should follow precautions such as not opening the door for
strangers, requiring identification of all utility or repair workers, and changing
routines to prevent habits from being known by strangers. Instruct children to
never talk to or admit strangers to the home and teach them how to call the police
whenever anyone or anything is suspicious around the house.
5.1.1 Handling Extortion
Remain calm.
Indicate your willingness to cooperate.
Ask to speak with the abducted person.
Write the caller’s instructions down (amount and where to make delivery).
You may try to decide with the caller to accept half the ransom now, and the
other half when the victim calls to tell you that he or she is safe (this may aid
in the safety of the victim).
Immediately after the call, contact the Security Officer so he/she can call the Police.
Do not notify local authorities in an extortion case until and unless instructed to do
so by the Police. Make every attempt to verify that the family member was really
kidnapped. This could take some time; that is why it is important to notify the
Security Officer so that the efforts of many can get more things done.
5.1.2 Employee Hostage Procedures
If an employee is brought to the Society as a hostage by a criminal, Do Not Set
Off the Alarm.
Do exactly as the criminal demands.
Notify the Security Officer.
If possible without detection, another employee should call the Police and
give the address of the family being held (this may have to be done after the
criminal and hostage leave).
Follow robbery procedures regarding observations, descriptions, type of
transportation and preservation of the holdup area.
If a hostage is taken during a robbery, follow the same procedures as when a
hostage is brought to the Society.
5.2 Robbery
5.2.1 Precautions
Tellers must develop an awareness of security and exercise good security habits at
all times. Be alert for suspicious persons loitering in or near the building. Be
familiar with the location and usage of alarms and other security equipment. To
minimize loss exposure, always observe the audit and securities rules and keep
teller bus cash within limits.
Tellers should never discuss with outsiders any aspect of the security systems, its
physical make-up or anything about amounts of cash or details of cash handling.
Outsiders are defined as anyone not employed by the Society.
5.2.2 During a Robbery:
The most important consideration during a robbery is to remain calm and avoid any
action which might increase danger to yourself or others. Obey every instruction
from the robber and avoid actions that may incite or antagonize the robber.
Give the robber only the amount of money he demands. Make sure to include the
bait money in the cash given out if at all possible without endangering your safety.
Trip the alarm when it can be done safely.
Observe everything possible about the robber’s appearance, weapon, and means of
escape. If the robber presents a hold-up note, try to keep it in your possession. If
safety permits, observe the direction of the robber’s escape and description and
license number on the escape vehicle.
5.2.3 After Robber Exits:
Remain Calm. Activate the alarm again and alert the nearest Society official. The
officer will notify the police. Immediately lock any remaining cash in your bus and
isolate the teller’s area. Do not allow anyone except the police to handle or touch
the teller’s area, the note, or any object the robber leaves behind. Do Not talk to
other tellers or witnesses until completing a written description of the robber, or
making a statement to the police. Do not discuss details of the crime or robber
description with anyone except law enforcement officers. Record your own
observations, not what someone tells you. Use a separate form for each robber.
Please refer to the Teller Manual for further information.
The robbery may be reported by radio, television or press before business closing
hours. Therefore, after police have concluded their investigation, allow employees
to contact relatives in an orderly manner.
Robber Description Form:
Time of Robbery: ____ am / pm          Number of Robbers: ____
Robber #: ____
Race:               White / Black / Native American / Hispanic / Asian / Other
Sex:                Male / Female
Age:                ____
Estimated Height:   ____
Estimated Weight:   ____
Complexion:         Light / Medium / Dark
Hair:               Bald / Partially Bald / Short / Medium / Long / Very Long    Colour: ____
Beard:              No / Yes    Colour: ____
Moustache:          No / Yes    Colour: ____
Sideburns:          No / Yes: Short / Med. / Long    Colour: ____
Glasses:            No / Yes: Regular / Sunglasses    Colour: ____
  Size of Frames:   Small / Medium / Large
  Type of Frame:    White Plastic    Colour: ____
  Shape of Frame:   Regular / Round / Square / Rectangle
Hat:                No / Yes    Colour: ____
Shirt or blouse type:   Work / Sport / Other    Colour: ____
Pants type & colour:    Work / Sport / Dress / Other    Colour: ____
Shoes type & colour:    Work / Sport / Dress / Other    Colour: ____
Coat:               No / Yes    Colour: ____
  Coat type:        Business Suit / Sport / Overcoat / Raincoat
  Coat style:       Button / Zipper / Other: ____
  Coat length:      Hip Level / Knee Level / Other: ____
Gloves:             No / Yes    Colour: ____
Mask or disguise:   No / Yes    If yes, describe: ____
Weapon:             None Seen / Gun / Knife / Other: ____
  If gun, type:     Rifle / Shotgun / Pistol / Revolver / Auto
  Gun colour:       Black / Chrome / Blue
Speech:             Coarse / Refined / High-pitched / Low-pitched / Accent / Other
  Describe speech:  ____
Other details:      ____
Robbery Publicity
While security measures are taken to prevent a robbery, the Society should be
prepared. Interviews of employees by the media should not be allowed.
Protection of Witnesses:
Request that the press protect the identities of employees or other witnesses.
Restricted Areas
Do not permit the press to enter the building or work areas to photograph or
examine the crime scene.
Police Clearance
Consult with police authorities before releasing information to the press to make
certain the information does not interfere with the investigation.
Reportable Information
Media Contacts: Chief Executive Officer and Operations Manager.
Time of robbery, description of bandit, and method of operation.
A brief statement that the financial institution has insurance against holdup
losses.
Photos of exterior of the building.
Confidential Information that will not be reported
Names, addresses, and photographs of employees or other witnesses.
The amount of money taken in the holdup. Loss may be described as
“undetermined amount.”
Details of security procedures followed by personnel.
Details of protective devices, such as types and locations of alarm activators,
the time setting of vault-locking mechanisms or failure of any security device.
Any action of employees or customers that may be viewed negatively.
6.0 NATURAL DISASTER
6.1 Earthquake
Earthquakes are a shaking or trembling of the earth, caused by underground
volcanic forces or by breaking and beneath the surface.
While the probability of an earthquake occurring is not great, the possibility of an
earthquake does exist. Accordingly, management includes earthquake preparedness
information in this plan.
6.1.1 Earthquake Preparedness
Secure top-heavy furniture and office equipment with anchors, brackets, latches or
Velcro bases. Know how to turn off the gas, electricity and water. Keep on hand a
battery-powered radio, a flashlight, fresh batteries, fire extinguishers and a first-aid
kit.
If you are indoors when the quake strikes:
Move away from windows, ceiling fixtures, mirrors, and tall furniture.
Stand at an inner wall or in a central doorway or get under a desk or table.
Protect your head and neck with your arms.
Do not head for the exits or elevators of a multi-story building. It’s better not
to go outside.
If you are outdoors when the quake strikes:
Try to move away from power poles and other objects that might fall.
If possible, get to an open area.
If you are in a car, pull over until the tremors stop. Keep away from
overpasses, bridges, power lines. Stay in the car.
When the quake is over:
Turn on the radio for instructions.
Use the telephone only for an emergency so lines and circuits will be clear.
Do not use your car unless there is an emergency.
If you smell gas, turn it off at the main valve, open windows, and leave.
If there is no incoming water and you have none stored, you can get
emergency supplies from the water heater, toilet tanks, or canned fruits. Boil
doubtful water for 20 minutes before drinking or cooking with it.
Don't flush toilets until you know that sewage lines are intact.
Be careful opening cabinets or closets; items may have shifted.
Check the building for structural damage.
Leave a message at your home telling family members and others where you
can be found.
Be prepared for aftershocks.
6.2 Fire
Install smoke detectors and fire extinguishers in appropriate locations. Preferably,
your smoke detectors will be wired into the security system.
All utility shutoffs should be clearly identified for emergency response
personnel.
Map out an escape plan in advance and hold periodic drills.
Have a gathering point outside the building where a head count can be taken
(Fire Assembly Point). Each section shall have a Fire Marshal whose
responsibility is to coordinate and control evacuation procedures for the
section.
Post fire emergency numbers near telephones.
6.2.1 During a fire:
If a fire appears to be an immediate threat to human life, activate the fire alarm if
possible and leave the building immediately, then call 999. When exiting the
building use designated exits, depending on the safest route, and do not use
elevators. Close any stairway doors as you exit. Do not attempt to return through
these exits. When you arrive at the street, proceed to the designated emergency
meeting location for your specific branch. Do not re-enter the building unless you
are directed to do so by a member of the Emergency Assessment Team. Remain at
the designated meeting site, a safe distance from the building, until you are directed
to return to your work area.
Important: Under no circumstances should you endanger yourself. You
should seek a place of safety unless you are completely free of danger.
Get everyone out of the building and call the fire department.
Close all doors behind you as you leave the building.
When passing through a smoke-filled area, walk in a crouched position with
your head close to the floor. Try to cover your face with a damp cloth.
If your clothes catch on fire, Stop, Drop and Roll! Wrap yourself in a coat or
blanket and roll on the floor.
Before leaving a room, feel the door. If it’s hot or if you see smoke, don’t open
it. If the door is cool, put your foot against it, avert your face, and open it
slightly. If heat or smoke rush in, shut the door. Leave by another exit or wait
at a window for rescue. Stuff bedding or clothes at the bottom of the door,
open the window slightly for fresh air, and hang out clothes or a sheet to
attract rescuers.
Once out of the building, don’t go back for personal effects unless you are on a
mission to rescue another person.
If the fire does not appear to be a threat to human life, place the appropriate
emergency telephone call and, if appropriate, use fire extinguishers located on each
floor of all company properties. If possible, place important documents and
computer storage media in the vaults. If a fire develops beyond your control, follow
the evacuation procedures above.
6.2.2 Computer server room Emergency Procedures
In the event a fire occurs in the computer server room, the operator on duty is to
make a quick survey of the area to determine the extent of the fire. If the fire is
limited to an area that can be extinguished readily with a manual fire extinguisher
(e.g. a fire limited to a trash can), the operator is to do so. In the case of an extensive
fire in the computer server room, the operator on duty is to follow the written
procedures that are located in the computer server room. Where there is no threat
to human life or threat of human injury, the following procedures are to be followed
and supervised by the senior employee on duty:
Remove all items (checks, deposits, tickets) captured or not captured to the
vault or the designated meeting site.
In an orderly fashion, shut down the computers and remove all data modules
to a vault or designated meeting site if feasible.
Remove all printed reports, optical disks, control and balance sheets, and
other paper data in the same fashion, as time permits.
6.2.3 Fire Extinguishers
Have the proper class of fire extinguisher on hand, mounted in a conspicuous area
where every employee is aware of its location and proper use.
The letter rating of a fire extinguisher indicates which type of fire it can put out:
Class A - combustible solids such as wood, paper, fabrics, or trash.
Class B - grease and other flammable liquids
Class C - electrical (does not conduct electricity).
Do Not Use Water On Class B Or C Fires!!!
Have extinguishers inspected on a regular basis by qualified fire protection experts.
6.3 Flood
A flood occurs any time a body of water rises to cover what is usually dry land.
Floods have many causes, including
Heavy rainfall.
Hurricanes.
Coastal storms.
Dam and levee failure.
6.3.1 Flood Prediction
The risk of damage or injury resulting from floods cannot be downplayed.
If flooding is imminent, take the following precautions:
Move valuable items to higher ground. Some furniture and equipment can be
raised using blocks of concrete or wood.
Rinse sinks and jugs with household bleach and fill with clean water for
drinking.
Shut off the electric power and gas valve.
Listen to a portable radio for information and instructions. Especially
important is information on which roadways are impassable. Inform
employees if their route home is impassable and encourage them to stay
where they are until it is safe to drive home.
Do not attempt to drive through water. Two feet of water will carry away
most automobiles.
If water is rising quickly in the building, open first floor windows to let out
water and proceed to the top floor. Take emergency food, water, warm
clothing, portable radio and a flashlight.
After a flood, check the building for structural damage.
If you smell gas, open all doors and windows, leave the building, and report
the leak to the gas company.
Throw out any food that has been touched by floodwaters.
Boil all drinking and cooking water for 20 minutes.
6.4 Landslides
The main cause of such a disaster is topography of the area, depth and nature of the
rock formation and type of soil within the area. Sandy soils are more prone to
landslides than red clay soil.
Landslides can be avoided by carrying out environmental conservation. Areas
which are prone to landslides should not be allocated to developers, and
consideration should be given to relocating to safer ground those already settled in
such areas.
The losses caused by landslides have a major impact on infrastructure works such
as power transmission, water supplies and irrigation facilities.
6.5 Thunderstorm
During a thunderstorm:
Avoid touching any metal object during lightning. Rubber-soled shoes and
rubber tires provide absolutely no protection from lightning.
Avoid using the phone except for an emergency. Telephone lines can conduct
electricity.
6.6 Droughts
Droughts in the country have led to malnutrition and ultimately deaths. Due to the
acute water and food shortages, use of water bowsers and distribution of relief food
are usually the alternatives. The other cause of drought is evaporation from open
water surfaces. In this regard, boreholes are preferred to water pans, especially in areas
where there are high temperatures. Water should therefore be conserved.
7.0 PANDEMIC
7.1 Influenza
In the event of pandemic influenza/Covid-19, businesses will play a key role in
protecting employees' health and safety as well as limiting the negative impact to
the economy and society. Planning for pandemic influenza is critical. As with any
catastrophe, having a contingency plan is essential.
7.2 Preparedness
The Society will be prepared in the event of a pandemic. Preparedness
includes, but is not limited to:
Monitoring for outbreaks and the associated stages
Activating stages of the plan based upon the pandemic threat stage
Training employees on proper hygiene and social distancing techniques
Wearing of masks at all times.
Consideration given to providing flu vaccinations for influenza
Utilizing social distancing techniques during various stages of outbreaks.
Social distancing techniques include using ATMs and drive-through teller
stations instead of the lobby or utilizing remote processing where available,
e.g. mobile banking/lending, and labelling seats in the banking halls to allow a one
meter distance from one seat to another.
Encouraging employees to use allocated sick days when they aren’t feeling
well
Reporting to and updating relevant authorities as necessary
If an infection is detected within the organisation, contact tracing should
be done and the close contacts asked to go for testing and to observe at least a 14-day
isolation period.
Disinfect the workplace regularly.
Provide sanitizers and ensure the organisation has running water and soap
at all times.
Cross-training employees
Maintaining cleaning supplies, medical supplies, and hygiene supplies
Organizational policies
The Society will continue to monitor this threat and update the Business Continuity
Plan accordingly.
7.3 Terrorism
Terrorism is defined as “premeditated, politically motivated violence perpetrated
against noncombatant targets by sub-national groups or clandestine agents, usually
intended to influence an audience.” Terrorism has four key elements:
i. “It is premeditated---planned in advance, rather than an impulsive act of
rage.
ii. It is political---not criminal, like the violence that groups such as the mafia
use to get money, but designed to change the existing political order.
iii. It is aimed at civilians---not at military targets or combat-ready troops.
iv. It is carried out by sub-national groups---not by the army of a country.”
The society will continue to monitor terrorism threats and will remain aware of the
potential for terrorist actions impacting the Society or its customers.
The society will observe all applicable regulations and laws designed to combat
terrorism by preventing and detecting money laundering and other illicit activities.
7.4 Chemical Attacks
Chemical attacks refer to the terrorist act of releasing chemicals in an effort to harm
or kill people. Although some chemical agents act through the skin or eyes, most
chemical warfare agents must be inhaled to harm people.
7.4.1 Different Types of Chemical Agents
Chemical agents may come in liquid, gas, aerosol-spray or dry powder form. The
deadliest types of chemical agents are nerve agents which attack the body’s nervous
system. Choking agents such as chlorine and phosgene attack the lungs. Blood
agents such as cyanide carry tissue-killing poisons throughout the body.
7.4.2 Response to Chemical Attacks
Most experts agree that the best response to a chemical attack is to:
Flee the contaminated area while shielding your eyes and skin as much as possible,
and minimizing the amount of the chemical agent inhaled.
Most experts advise against acquiring gas masks because the masks require
practice and training to use safely, and would have to be worn constantly
to provide true protection against an attack that occurred without warning.
First responders such as police, firefighters, and paramedics are best equipped to
handle chemical attacks. They would cordon off the area and establish a “hot zone”
where contamination is highest.
While antidotes exist for some chemical agents, they are not always absolute “cures”,
sometimes only pulling victims back from the brink of death. Unfortunately, other
than the simple instructions above, there is relatively little that one can do to avoid a
chemical attack.
7.4.3 Biological Threats
Centre for Disease Control (CDC) Health Advisory
Do Not Panic
Anthrax organisms can cause infection in the skin, gastrointestinal system, or the
lungs. To do so, the organism must be rubbed into abraded skin, swallowed, or
inhaled as a fine, aerosolized mist. Disease can be prevented after exposure to the
anthrax spores by early treatment with the appropriate antibiotics. Anthrax is not
spread from one person to another person.
For anthrax to be effective as a covert agent, it must be aerosolized into very small
particles. This is difficult to do, and requires a great deal of technical skill and special
equipment. If these small particles are inhaled, life-threatening lung infection can
occur, but prompt recognition and treatment are effective.
7.4.4 Suspicious Unopened Letter
Packages Marked with Threatening Message Such As “Anthrax”:
1. Do not shake or empty the contents of any suspicious envelope or package.
2. Place the envelope or package in a plastic bag or some other type of
container to prevent leakage of contents.
3. If you do not have any container, then cover the envelope or package with
anything (e.g., clothing, paper, trash can, etc.) and do not remove this cover.
4. Then leave the room and close the door, or section off the area to prevent
others from entering (i.e., keep others away).
5. Wash your hands with soap and water to prevent spreading any powder to
your face.
6. What to do next…
If you are at Home, then report the incident to local police.
If you are at Work, then report the incident to local police, and notify
your building security official or an available supervisor.
7. LIST all people who were in the room or area when this suspicious letter or
package was recognized. Give this list to both the local public health
authorities and law enforcement officials for follow-up investigations and
advice.
7.4.5 Envelope with Powder and Powder Spills out onto Surface
1. DO NOT try to clean up the powder. Cover the spilled contents immediately
with anything (e.g. clothing, paper, trash can) and do not remove this cover!
2. Leave the room and close the door, or section off the area to prevent others
from entering (i.e., keep others away).
3. WASH your hands with soap and water to prevent spreading any powder to
your face.
4. What to do next:
If you are at Home, then report the incident to local police.
If you are at Work, then report the incident to local police, and notify
your building security official or an available supervisor.
5. Remove heavily contaminated clothing as soon as possible and place in a
plastic bag, or some other container that can be sealed. This clothing bag
should be given to the emergency responders for proper handling.
6. Shower with soap and water as soon as possible. Do Not Use Bleach Or
Other Disinfectant On Your Skin.
7. If possible, list all people who were in the room or area, especially those who
had actual contact with the powder. Give this list to both the local public
health authorities so that proper instructions can be given for medical
follow-up, and to law enforcement officials for further investigation.
7.4.6 Room Contamination by Aerosolization:
For example: small device triggered, warning that air handling system is
contaminated, or warning that a biological agent released in a public space.
1. Turn off local fans or ventilation units in the area.
2. Leave area immediately.
3. Close the door, or section off the area to prevent others from entering (i.e.,
keep others away).
4. What to do next…
5. If you are at Home, then dial “999” to report the incident to local police and
the local POLICE field office.
6. If you are at Work, then dial “999” to report the incident to local police and
the local POLICE field office, and notify your building security official or an
available supervisor.
7. Shut down air handling system in the building, if possible.
8. If possible, list all people who were in the room or area. Give this list to both
the local public health authorities so that proper instructions can be given for
medical follow-up, and to law enforcement officials for further investigation.
7.4.7 Identifying Suspicious Packages and Letters
Some characteristics of suspicious packages and letters include the following…
Excessive postage.
Handwritten or poorly typed addresses.
Incorrect titles.
Title, but no name.
Misspellings of common words.
Oily stains, discolorations or odor.
No return address.
Excessive weight.
Lopsided or uneven envelope.
Protruding wires or aluminum foil.
Excessive security material such as masking tape, string, etc.
Visual distractions.
Ticking sound.
Marked with restrictive endorsements, such as “Personal” or “Confidential.”
Shows a city or state in the postmark that does not match the return address.
Source: Bureau of Alcohol, Tobacco and Firearms (BATF)
8.0 TECHNOLOGICAL DISASTER
8.1 Introduction
Technological disasters are those events that render the Society’s systems non-
functional and include intentional damage such as hacking and virus infection and
unintentional damage such as disk or system failure and inadvertent destruction of
data.
To prepare for technological disasters, the Society has employed the following
measures against intentional damage:
Virus Protection
Anti-Spyware
RAID technology on servers
Distribution of servers and critical functions
Firewall with Intrusion Prevention module
Daily backups to tape and off-site server
Co-location space with Service Provider
To prepare for unintentional damage to data, the Society employs system features
including access control to sensitive data, uninterruptible power supplies for critical
systems, and thorough backups of systems and data.
The Society’s Information Security Program contains more information regarding
the preventive measures employed by management to mitigate technological risk
and safeguard confidential member information.
8.2 Computerized Information Systems Threats
BRAEMEG SACCO recognizes that its computerised information system may be
threatened by a number of errors including:
8.2.1. Human Errors
This is the risk with highest incidence as it’s the people who interact with the
system on a daily basis. Human errors may include:
a) Entering incorrect data from the source document.
b) Executing a command at the wrong place or time.
c) Failing to carry out instructions in respect of security procedures.
In dealing with human errors therefore:
a) The society shall employ qualified staff and train existing staff members to
work on the computerised information system to reduce chances of
occurrence.
b) Controls should be put in place to ensure that correct data is entered into the system.
c) Staff who are prone to making mistakes should be subjected to closer
supervision and, where necessary, disciplinary action should be taken against
them for deliberate errors and those due to negligence.
d) Human errors related to control accounts should be viewed with suspicion as
they can easily lead to fraud.
8.2.2 Technical Errors
This is the second most common risk after human error. Technical errors involve
malfunctioning of hardware, system software, application software or
communication software.
a) The Society shall purchase branded equipment that meets acceptable
international market standards for office use and shall ensure it is kept in a
safe place secure from any damage and in accordance to manufacturer’s
specifications so that they function optimally.
b) Equipment whose manufacturer’s warranty has expired may need to be placed
under a consistent maintenance arrangement with a qualified hardware
maintenance company as determined by the Tender committee.
c) The society shall buy and install original software that is properly licensed,
registered and with the appropriate documentation. Authorised backup
copies shall be made and kept in a secure place. Should the existing ones be
corrupted and damaged in any way, backup copies shall be available.
8.2.3 Deliberate Actions
Given the nature of the business of the Society, i.e. receiving savings, issuing and
recovering loans, and the scope for fraud, particular consideration is needed.
This is because data held on electronic media is not immediately legible and it may
be difficult to obtain evidence of unauthorised data modification. Staff with proper
knowledge of the existing system may be involved in fraudulent activities.
a) The Society should employ honest staff with integrity.
b) Control Accounts should be monitored on a daily basis.
c) All data entry transactions should have supporting documents.
d) Data entry transactions that have no supporting documents shall be
interpreted to mean they are not authorised transactions.
e) All unauthorised transactions shall be treated as deliberate actions unless
proved otherwise.
f) The Computer system should have a security log that shall keep track of all
users who have made changes and accessed the system.
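As an added illustration (not the Society’s own system or code), the following Python sketch implements two of the controls above: a hash-chained security log recording who accessed or changed which record, so that later edits to log entries are detectable, and a check that flags data-entry transactions lacking a supporting document as unauthorised. All function names, record identifiers and sample data are constructed for the example.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64


def _digest(entry: dict) -> str:
    # Hash the canonical JSON form of the entry (without its own hash field),
    # so any later edit to user, action, record, details or prev-link changes it.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log: list, user: str, action: str, record: str, details: dict) -> dict:
    """Append one security-log entry chained to the previous entry's hash."""
    entry = {
        "seq": len(log),
        "user": user,
        "action": action,  # "access" or "change"
        "record": record,
        "details": details,
        "prev": log[-1]["hash"] if log else GENESIS_HASH,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return None if the log is intact, else the index of the first bad entry."""
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return None


def unauthorised_transactions(transactions: list) -> list:
    """Policy 8.2.3 c)-e): a data-entry transaction with no supporting-document
    reference is treated as unauthorised. Returns the offending transaction ids."""
    return [t["id"] for t in transactions if not t.get("supporting_doc")]


def changes_by_user(log: list) -> dict:
    """Summarise which records each user changed (policy 8.2.3 f))."""
    summary = {}
    for entry in log:
        if entry["action"] == "change":
            summary.setdefault(entry["user"], []).append(entry["record"])
    return summary


# Constructed sample data; account and document numbers are invented.
SAMPLE_TRANSACTIONS = [
    {"id": "T1001", "account": "SAV-0042", "amount": 5000, "supporting_doc": "DEP-2021-0311"},
    {"id": "T1002", "account": "LN-0007", "amount": -12000, "supporting_doc": ""},
    {"id": "T1003", "account": "SAV-0099", "amount": 750, "supporting_doc": "DEP-2021-0312"},
]


def build_sample_log() -> list:
    """Constructed log: one access and two changes by two tellers."""
    log = []
    append_entry(log, "teller1", "access", "SAV-0042", {})
    append_entry(log, "teller1", "change", "SAV-0042", {"txn": "T1001", "amount": 5000})
    append_entry(log, "teller2", "change", "LN-0007", {"txn": "T1002", "amount": -12000})
    return log


def tamper_demo() -> int:
    """Alter an earlier entry in place and report where verification fails."""
    log = build_sample_log()
    log[1]["details"]["amount"] = 500  # quietly shrink a posted deposit after the fact
    return verify_chain(log)


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) is None)
    print("unauthorised:", unauthorised_transactions(SAMPLE_TRANSACTIONS))
    print("changes by user:", changes_by_user(log))
    print("first tampered entry:", tamper_demo())
```

A hash chain only reveals edits made outside the logging path; to detect wholesale replacement of the log, the latest hash should also be copied periodically to write-once storage or to a second system the same users cannot modify.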
8.2.4 Commercial Espionage
Commercial espionage is involved with data/information getting into the wrong
hands with the intention of using it for other purposes than what was intended.
a) The Society shall regulate the use of external storage media to only the ICT
Manager and the Manager or staff authorised by them.
b) The use of diskettes, compact discs, data tapes, flash disks, etc. in the Society is
therefore prohibited except with express authority from the ICT Manager or
the Chief Executive Officer.
c) Severe disciplinary action should be taken against any staff involved in
commercial espionage.
8.2.5 Malicious Damage
Malicious damage is likely to be caused by disaffected employees or consultants
destroying data or software. Sabotage would fall into this category. This may be
quite risky as its execution may not leave a trace of what happened and who did it.
The destruction could take the form of introduction of viruses, software piracy,
deletion of data, inserting garbage data into the system etc.
a) Staff employed shall be those who are honest. These should be regularly
trained and the Society should endeavour to retain their services.
b) Consulting firms engaged should be reputable and reliable. A good working
relationship should be cultivated and consistency exercised.
c) The policy of prevention and data recovery should be implemented and
reviewed from time to time.
9.0 SECURITY AND SAFETY
9.1 Purpose
BRAEMEG SACCO security and safety measures are essential to effective operations,
the well-being of its employees and visitors, and minimal loss of property.
The security and safety procedures described in this section are to be implemented
in all Society facilities and followed by all Society staff and, as applicable, visitors.
9.2 Building and Ground Security
a) Designated office attendants are responsible for ensuring Society office
facilities and ground security through:
b) Logging in the road tag and description of cars entering Society grounds
c) Asking and directing the occupants of the cars to enter the front gates of the
Society facility and register at the Receptionist/Administrative Secretary’s
desk
d) Stopping persons entering Society grounds and directing them to the
Receptionist/Administrative Secretary
e) Inspecting at periodic intervals, after the official closing of Society facilities
for the day, that all gates, doors and windows are locked.
f) Notifying police immediately of any disturbances on Society property as well
as the Human Resource and Administration Officer
g) Bringing to the attention of the appropriate Society staff member any safety
hazards that may exist on Society grounds or on the outside of the Society
facilities. Such safety hazards may include:
Broken locks on gates, windows, and doors
Loose bricks, cement on driveway or building
Exposed electrical wires
Fallen trees, branches
Loose tools or other objects which people may step on
9.3 Inside Building Security
a) Office attendant must ensure at the end of the day that:
b) All doors and windows are locked
c) Curtains are pulled
d) All electrical equipment and appliances are switched off
e) Water taps are closed securely
f) All cigarettes, pipe ashes have been extinguished
g) Any other hazards that may be identified are eliminated
9.4 Safety Precaution
a) All Society facilities are required to have appropriate fire extinguishers
which are checked by authorized personnel at least every 3 months
b) No firearms or explosive materials are to be maintained on the Society
property
c) All Society facilities are to maintain fully equipped First Aid Kits and to post
in a conspicuous location telephone numbers to call in case of an emergency,
such as police, fire brigade, nearest hospital and/or clinic
d) At least one staff member in Society facility should know and practice First
Aid procedures
e) Any staff member having health problems requiring special medication
should notify the Human Resource and Administration Officer so that
appropriate measures can be taken in case of an emergency
9.5 Emergency Measures
Within the Society facilities, the senior ranking staff member present during an
emergency becomes the “officer in charge”. Under emergency conditions, all staff
members and visitors, present in all Society facilities, shall carry out the instructions
of the officer in charge.
9.6 Property, Plant, Furniture and Equipment Security
Procedures described under Chapter 8 of Property, Plant, Furniture and Equipment,
ensure the security and safety of such items. At no time, shall any Property, Plant,
Furniture and Equipment be removed from Society facilities without implementing
the applicable procedures and authorization process.
9.7 Police Investigation
a) If an incident does occur requiring police attendance, all staff members are
required to give full information and comply in all matters directed by the
police investigation
b) All incidents are to be reported immediately through Human Resource and
Administration Officer to the Chief Executive Officer
c) As described earlier, police are to be notified immediately of an emergency
BOARD APPROVAL OF POLICY
This document was discussed and approved for implementation as a policy and
procedures of the Society in respect to Disaster Management and Business
Continuity with effect from 2020.
It is approved under Minute Number of Board of Directors
Meeting held on
APPROVED BY:
National Chairman: Rowland Njagi    Date: 10th March 2021
Vice Chairman: Josephat Okora    Date: 10th March 2021
Hon. Secretary: James Anyika    Date: 10th March 2021
Treasurer:    Date:
Chief Executive Officer:    Date:
APPENDIX
1.0 Damage Assessment Form
Form Instructions
This form will be used as a general guide in disaster recovery for selected
firm business functions.
Please insert the information necessary for recovery, completing each table
as thoroughly as you can.
If you have specific recovery procedures (e.g., how to restore to server),
please insert them or attach the procedure(s).
After completing the form, save it using the following filename guideline (e.g.,
disaster recovery plan – nightly update.doc), and email the document to
the firm’s disaster response coordinator, _____________________.
People
(Who is needed for the recovery effort?)
Name    Role    Home Phone #    Home Email    Mobile Phone #
10th March 2021
10th March 2021
2.0 Recovery Script
(What steps need to be taken to restore?)
Priority    Business Function or System    List steps or procedures to follow for disaster recovery
Locations
(Which locations could be impacted?)
Location    Telephone Number    Address (Street Address, City, Town, Code)
3.0 Services Impacted
(Which services could be impacted?)
Records Needed for Recovery
(What records will be needed for recovery? Consider paper and magnetic
media.)
Software Needed for Restoration
(What software applications and operating systems will be needed to recover?)
Hardware Needed for Restoration (e.g., computers, printers, copiers, etc.)
(What hardware will be needed to run the software needed above and recover
the business function or system?)
4.0 ATM Information
ATM COMMUNICATION ADDRESSES