Security

Example Crisis Management Plan (CMP)

Dalton, Walton, and Carlton, Inc.

 Crisis Management Plan (CMP)

A crisis, defined as an unexpected or unplanned situation or threat that threatens the stability of a business and its operations or reputation (Kukreja, 2020), can quickly cause devastating consequences to an organization’s processes if there is no plan of action already created and tested; due to this, a sophisticated crisis management plan (CMP) should be constructed and mandated. A crisis can come in many forms, such as facility or equipment failure/damage that causes loss of operational-ability, substantial operations disruption such as a bomb threat or workplace violence, severe injury or fatality of a staff member, an active shooter or assailant, or a momentous environmental influence, such as a gas or chemical exposure (Fennelly, 2017). Crises can also come in the form of natural disasters and dramatic weather events, biological hazards, reputation-damaging events such as lawsuits or sexual assault cases, and technology issues such as outages or cyberattacks.

      For Dalton, Walton, and Carlton, Inc., this document will both define and outline the crisis management plan to be utilized in the occurrence of any event that causes significant damage or disruption to Dalton, Walton, and Carton, Inc.’s ability to provide and manage their products, services, and safety for their personnel. The document will be reviewed and signed off by upper management and infosec, with specified reviews and revisions at regular intervals. Furthermore, the crisis management plan will have its contents and guidelines for reacting to and restoring operations of any unplanned downtime, disaster, or event, tested in random, yet quarterly (at the minimum) intervals. All documentation in reference to the crisis management plan, as well as the program itself, have a hardcopy stored in a single, secure location, with digital copies located in multiple protected areas, with, at the minimum, one stored off-site and one kept with both infosec and the CTO.

The Dalton, Walton, and Carton, Inc. crisis management plan will be comprised of several methods to reduce the damage to the organization’s reputation, practices, services, and personnel.

Crisis Management Spokesperson: CSO (Chief Security Officer).

Crisis Management First Responders: CTO (Chief Technical Officer), infosec staff, IT staff, HR lead.

Crisis Management Team Members: CTO (Chief Technical Officer), infosec staff, IT staff, HR lead, department leads, local police and fire departments.

List of Emergency Contacts: Power, Internet, VoIP, local fire and police departments, state/government representatives.

Individuals That Need to Be Notified (and How): CEO (call/email), stakeholders (email), DRP members (call/email).

Early-Warning Monitoring Systems/Practices: Network, security, IT asset monitoring and intrusion detection software, weather monitoring software/alerts, communication between utility vendors, fire detection systems, communication/monitoring of local, state, and regional health organizations, and security systems (fire alarm, door locks, carbon monoxide alarms, video surveillance systems).

Criteria for Crisis Designation: While the priority levels are subject to change, the following will be utilized for now:

Level 1: Severe disaster or imminent threat involving all of Dalton, Walton, and Carton, Inc.’s facilities as well as the nearby area.

Level 2: Severe disaster or imminent threat involving a significant portion of Dalton, Walton, and Carton, Inc.’s facilities.

Level 3: A minimal, limited disaster or imminent threat involving Dalton, Walton, and Carton, Inc.’s facilities in which the problem can be rapidly solved with limited resources or external assistance.

Process for Incident Assessing and Categorization: Dalton, Walton, and Carton, Inc.’s first responders will hold a meeting in, at the maximum, one hour after initial crisis detection, to determine the severity of the crisis, as well as how to categorize it (Purdue University, n.d.).

Strategy for Social Media: HR lead, infosec lead, and marketing will convene, depending on the crisis, to develop a plan of action for both addressing the issue and determining who to inform of the crisis. In the event of a reputation-damaging crisis, proper steps and communication must be made with stakeholders and the CEO to determine how to delicately approach reconciling the situation.

Process for Testing Effectiveness of the Plan: Before, during, and after the crisis management plan is completed, proper documentation of each stage, its success, as well as any areas that failed or can be approved on need to be compiled in a secure document following a standardized format; all crisis management team members, first responders, as well as the spokesman, will fill out their report, which all will then be combined into a single collection of data on the plan’s effectiveness.

Process for Updating the Plan: Upon completion of the abovementioned collection of data pertaining to the plan’s effectiveness, crisis management first responders, department leads, and the CSO and CTO will all meet to review and update the crisis management plan.

Outline of Purpose and Goals of the Plan: The purpose of the crisis management plan is first to reduce the risk of harm to Dalton, Walton, and Carton, Inc. employees, then reduce the possible harm or damage to physical (building, hardware, etc.) and digital assets (employee/customer/business data, business reputation, etc.) and finally, reduce any damage or delays in the organization’s business operations.

Evacuation Plan: In the event of a necessity for the evacuation of personnel, whether in a test scenario or real-world crisis, the first step would be to either determine the situation warrants the need of a shelter-in-place, partial, or total evacuation. Then, utilizing a clear chain of command of the crisis management plan, the order for shelter or place or evacuation will be issued. During a shelter-in-place crisis, employees on each floor will meet at their designated bomb/tornado shelter. Due to Dalton, Walton, and Carton, Inc.’s non-use of a high-rise building, the evacuation policy is simple enough, having each floor evacuate separately, from top to bottom, in quick succession. In the event that key personnel may be required to stay behind to shut off assets, lock doors, etc., the names and roles of these individuals need to be both obtained and stored for use during the accountability phase. All employees will meet at a designated area, either the primary location (North Parking Garage) or the backup location (South Parking Garage). Once the evacuation is over, a headcount of all employees needs to be taken, as well as a checklist of their names and roles. For those who stayed behind during the evacuation to turn off assets or lock doors, their names need to be signed off before releasing all employees from the evacuation meeting point. If there were vendors, visitors, or any external individuals in the building, they will need to be accounted for by cross-referencing the visitor sign-in sheet with the evacuation sheet.

Crisis Response Framework: In this crisis management plan, we will be utilizing ‘layers of protection analysis (LOPA) for varying levels of threat analysis, by estimating risks throughout the crisis sequence (Fennelly, 2017); with this method, each phase of the crisis management plan (detection, notification, response, evacuation, documentation, review) will be carefully drafted and coincide with the Disaster Recovery Plan, Data Backup Plan, and Business Continuance Plan.

Crisis Management Flowchart

  1. Crisis Detected: Utilizing network, security, IT asset monitoring and intrusion detection software, weather monitoring software/alerts, communication between utility vendors, fire detection systems, communication/monitoring of local, state, and regional health organizations, and security systems (fire alarm, door locks, carbon monoxide alarms, video surveillance systems).
  2. Crisis Identified: Identified by first responders: CTO (Chief Technical Officer), infosec staff, IT staff, HR lead.
  3. Crisis Prioritized (Priority Level): Prioritized by first responders: CTO (Chief Technical Officer), infosec staff, IT staff, HR lead.
  4. Crisis Mode Activated: Activated by first responders: CTO (Chief Technical Officer), infosec staff, IT staff, HR lead.
  5. Crisis Mode Call Tree/Notifications: First responders: CTO (Chief Technical Officer), infosec staff, IT staff, HR lead, will begin their communication and notification process with the rest of the crisis management team.
  6. Convene Crisis Management Team: CTO (Chief Technical Officer), infosec staff, IT staff, HR lead, department leads, local police and fire departments will meet within a maximum of one hour.
  7. Initial Assessment: What are the facts of the crisis, and what is/isn’t confirmed? Who or what is affected? What has happened? How did it happen? Where did it happen? Document all information and data.
  8. Immediate Actions: Emergency operations, data and asset recovery/protection, evacuation, and accountability of personnel (this might happen in the earlier stages depending on the situation).
  9. Ongoing Management of Crisis: Continue to reduce the risk and spread of the crisis, social media control, restore communication, etc.
  10. Assessment/Recovery: Determine the who/what/why/how of the crisis. Secure all assets, personnel, and inventory. Communication between local police and fire department should conclude.
  11. Evaluation: Determine what crisis management plan systems or policies worked and what didn’t.
  12. Documentation: Record all data obtained from the crisis from start to finish.
  13. Review: Using the evaluation and documentation of the crisis and the crisis management plan, determine with crisis management team members and first responders how to improve the crisis management plan.

Summary

While this crisis management plan is intended to be used as a general framework for how to properly and effectively manage a crisis at Dalton, Walton, and Carlton, Inc.’s facilities, a separate detailed crisis management plan and disaster recovery plan should be created, tested continuously, and revised for each plausible type of crisis.

References

Fennelly, L. J. (2017). Effective Physical Security (5th ed.). Cambridge, MA: Elsevier.

McCrie, Robert. Security Operations Management (Third Edition). Butterworth-Heinemann.

KukrejaI, S. (2020, January 13). What is Crisis and Different Types of Crisis. Retrieved February 26, 2020, from https://www.managementstudyhq.com/what-is-crisis-and-different-types-of-crisis.html

Purdue University. (n.d.). Emergency Level Definitions. Retrieved February 26, 2020, from https://www.purdue.edu/ehps/emergency_preparedness/emergency/levels.html

 

 

Categories: Security

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s