
Virginia Beach Network Design Proposal For Abercrombie Architectural Firm

Jonathan L. Calhoun, IS Manager
Jerry Simmons, UNIX Expert, Testing Lab Coordinator, Cost Specialist
Rich Carroll, Website Specialist
Alieu Kamara, Microsoft Windows Expert
Dennis Hood, Application Specialist
Lane Botts, Scheduling Specialist
Andrew Stewart, Connectivity Specialist

Table of Contents
Title
Project Schedule
Equipment
Applications
Policies
  o Acceptable Use Policy
  o Risk Assessment Policy
  o Information Sensitivity Policy
  o Virtual Private Network (VPN) Policy
  o Workstation Security Policy
  o Technology Equipment Disposal Policy
  o Ethics Policy
  o Software Installation Policy
  o Web Application Security
  o Server Security Policy
  o Remote Access Policy
  o Physical Security Access Policy
  o Wireless Communication Policy
  o Password Policy
  o Router Security Policy
Emergency Action Plan
Disaster Recovery Plan
Guides
  o VMware
  o Windows Server 2008
  o Floor Plan
  o Network Diagram

Project Schedule
Abercrombie Architectural Firm Project Schedule

ID | Task Name | Duration | Start | Finish | Predecessors
1 | Define Proposal Objective | 2 days | Tue 5/6/14 | Wed 5/7/14 |
2 | Identify Needs | 2 days | Thu 5/8/14 | Fri 5/9/14 |
3 | Planning | 3 days | Mon 5/12/14 | Wed 5/14/14 | 1,2
4 | Site Survey | 2 days | Thu 5/15/14 | Fri 5/16/14 | 3
5 | Network Cable Installation | 5 days | Mon 5/19/14 | Fri 5/23/14 | 4
6 | Router & Switches Installation | 5 days | Mon 5/26/14 | Fri 5/30/14 | 5
7 | Router & Switches Configuration | 5 days | Mon 6/2/14 | Fri 6/6/14 | 6
8 | Workstation's Installation | 5 days | Mon 6/9/14 | Fri 6/13/14 | 7
9 | Workstation's Configuration | 5 days | Mon 6/16/14 | Fri 6/20/14 | 8
10 | Server's Installation | 5 days | Mon 6/23/14 | Fri 6/27/14 | 9
11 | Backup Server's Installation | 5 days | Mon 6/30/14 | Fri 7/4/14 | 10
12 | File Server Configuration | 5 days | Mon 7/7/14 | Fri 7/11/14 | 11
13 | Web Server Configuration | 5 days | Mon 7/14/14 | Fri 7/18/14 | 12
14 | Database Server Configuration | 5 days | Mon 7/21/14 | Fri 7/25/14 | 13
15 | Network System Monitoring/Tweaking | 10 days | Mon 7/28/14 | Fri 8/8/14 | 14
16 | Documentation of policies | 10 days | Mon 8/11/14 | Fri 8/22/14 | 15
17 | Project Closeout | 4 days | Mon 8/25/14 | Thu 8/28/14 | 16

Abercrombie Gantt chart

Equipment
Abercrombie Project Equipment Log

Hardware | Quantity | Cost Per Item | Total Items Cost
Switches | 2 | $4,111.00 | $8220.00
Work Stations | 2000 | $1083.00 | $2,166,000.00
Laser Printers | 20 | $230.00 | $4600.00
Color Printer | 5 | $349.00 | $1745.00
High End Plotter | 1 | $12,050.30 | $12,050.30
Mouse & Keyboard | 2000 | $30.00 | $60,000
Surge protector | 525 | $25.50 | $13,388.00
Unattached Servers | 2 | $2169.00 | $4338.00
Network Server | 8 | $619.00 | $4952.00
Biometric Reader | 2 | $379.00 | $758.00
Router | 10 | $256.00 | $2560.00
Cat 6 Cable Spool 1000ft | 3 | $279.00 | $837.00
Monitor | 2000 | $140.00 | $280,000.00
Final Total Cost | | | $2,559,448.30

Abercrombie Equipment Reference Guide

Figure 1.1: Surge protector
Figure 1.2: Switch
Figure 1.3: Router
Figure 1.4: Cat6 Cabling
Figure 1.5: Biometric Reader
Figure 1.6: Color Printer
Figure 1.7: Laser Printer
Figure 1.8: Monitor
Figure 1.9: Keyboard/Mouse
Figure 1.10: Workstation
Figure 1.11: High end Plotter
Figure 1.12: Unattached Server
Figure 1.13: Network Server

Applications
Applying cloud-based applications to the Abercrombie Architectural Firm's business infrastructure

Cloud computing is where software applications, processing power, data and potentially even artificial intelligence are accessed over the Internet. Many large-scale corporations and private individuals now regularly use an online e-mail application such as Gmail or Yahoo! Mail, along with Dropbox and Google Drive. Applications like these are essential to have in a professional environment.

Over the past few years it is estimated that over two million businesses have adopted the Google Apps that provide online services like e-mail and an office suite. Twenty percent of companies now also report at least some use of Google Docs, which is an online word processor. Microsoft's Azure cloud computing platform has also become commercially available. Mobile computers like Apple's iPad, as well as netbooks and tablets running Google's new Chrome OS operating system, are additionally very much intended as cloud access devices for a new computing age. Technology is constantly evolving, and for any successful business, large or small, implementing virtual applications in the organization is the best way to stay on top. It is beneficial for every business to incorporate some type of virtual application into its IT department to get a true understanding of how much more efficient and organized the business will run.

Middleware

A highly recommended application to implement on a web server is a product called Middleware. Middleware is designed and structured to help clients connect to one another through the database. Middleware enables clients to transfer files from the database over an Internet connection. One way to picture how middleware works is to imagine two individuals talking to each other. For example, take two consultants for Quadrant Consulting, Lance and Alieu. They could possibly live miles away from each other, but by picking up their telephones they can communicate with one another. While we know that the two are talking, we don't notice the telephone wire connecting them; that's the middleware. Now, instead of Lance we have a database system, and instead of Alieu we have a web server. A popular method of integrating new applications is called a service-oriented architecture (SOA) approach. To integrate applications all doing different things, all added at different times, and all of which speak different languages, you don't need a one-size-fits-all system. (CBR Outsourcing and BPO).

The middleware connects the two together and allows them to interact: users can request data from the database system via a web browser (e.g., typing in a search on Google) and the middleware enables the database system to talk to the web server, which then returns web pages that match the user's criteria. Middleware also translates languages so that individuals who are communicating with each other can understand one another. Middleware also allows all its connected clients to pass information from one application to another, and does so with lots and lots of them. This is known as host and client connectivity. The best incentive for using middleware is that it is an app that acts as a server while also providing messaging and API services.

Spice Works

Spice Works is a type of software that will provide all the necessary applications for any IT department and all of its users to operate proficiently. Spice Works applications incorporate the cloud, so an IT tech can log into the server of their respective business remotely. With network inventory and user mapping, network monitoring and alerting, license management, troubleshooting, reporting, and much more, Spice Works is the free IT management app with the tools you need to tackle your IT day. Another great function that Spice Works provides is ticket management. The help desk software portion promises to help and improve the functionality of your help desk. The benefit of this is that it can be done while in the office or on a business trip from a cloud-based server. Manage user tickets, organize your work, create a custom user portal, and even launch a knowledge base, all for free!

Windows Defender

Windows Defender is a built-in anti-spyware application. Keep in mind that Windows Defender is not an antivirus. Its main function is to search out spyware invading your system that may be considered a threat, or any software that may potentially cause system degradation. This is done by scheduled scans of the system when set to automatic scans; other functions in this software allow the user to scan specific folders. There are other options such as quick scans, full scans and custom scans (for chosen drives only).

Windows Defender also provides real-time protection, staying on the prowl for spyware on your PC. This function is designed to stop any spyware that is detected on your system the moment it takes root. Windows Defender has an Options section where the user can access all of these features; in the Real-time protection section, note that the features are turned on automatically by default. The real-time protection includes the ability to scan files and attachments that you're downloading to determine if they carry any spyware. If a file is found to be a threat, Windows Defender can alert you and, based upon your chosen options, quarantine or remove the file. Another bonus is that Windows Defender can intercept spyware that is actively attempting to run on your PC. As with file downloads, Defender can alert you if a program on your PC is known spyware. The severity of Defender's reaction to detected items can be set in the Default actions section of the Options menu. By default, the program will take a recommended action based on the spyware that is discovered. However, you can adjust these settings to ensure the spyware is automatically quarantined or removed no matter what type of threat is found.

Office 365 Enterprise E3 includes:

- Office suite: Office 365 Enterprise allows you to stay in the loop with all of your business needs while on the go.
- Office on more devices: The mobile feature lets the user access, edit, and view Word, Excel, and PowerPoint documents from any iPhone, Android phone, or Windows Phone. Use the OneNote, OWA, Lync Mobile, and SharePoint Newsfeed apps on most devices.
- Office on any PC: Stream full versions of Office programs on any Internet-connected PC running Windows 7 or Windows 8 with Office on Demand.
- Email and calendars: Your email can be used from any Internet connection, with fast and efficient transfers. Enterprise E3 offers a hefty 50 GB mailbox per user with the capability to send attachments up to 25 MB.
- Advanced email: Use archiving and legal hold capabilities, plus unlimited storage, for compliance needs. And use data loss prevention (DLP) policies and policy tips that educate your users for additional compliance enforcement in email.
- Document and email access control: The user can control who sees documents in view mode. Management controls also allow you to deny access to documents and email to specific people and to prevent anyone else from viewing or editing them, even if they are sent outside the organization.
- Online conferencing: Host online meetings with audio and video using one-click screen sharing and HD video conferencing.
- Instant messaging and Skype connectivity: Connect with other Lync users via instant message, voice calls, and video calls, and let people know your availability with your online status. Share presence, IM, and audio calling with Skype users.
- File storage and sharing: One Drive for Business gives each user 25GB of personal cloud storage that can be accessed from anywhere and that syncs with their PC for offline access. Easily share documents with others inside and outside the organization and control who can see and edit each file.
- Team sites: Enable easy access and sharing of documents with 10GB of baseline storage plus 500 MB of storage per user. Share insights through interactive reports with Excel Services and Visio Services, and view them on mobile device browsers that support HTML5.
- Site mailboxes: Make it easier for teams to collaborate. Store and share email and documents in project-specific folders, so everyone on the team can find the information they need fast.
- Yammer Enterprise: Keep ideas and work moving with enterprise social networking that makes collaborating with the right people easy and that comes with advanced support, security, administration, and integrations.
- Office Online: Create and edit Word, OneNote, PowerPoint, and Excel documents from a browser.
- Mobility: Sync email, calendar, and contacts; access SharePoint sites; view and edit Office documents with Office Online using a browser on Windows Phone, iOS, and Android devices.
- Voicemail integration (Unified Messaging): Hosted voicemail support with auto-attendant capabilities. Voicemails are recorded to Exchange Online and users can access them from Outlook, Outlook Web App, or a compatible mobile phone.
- Advanced compliance tools: With the unified eDiscovery Center, you can search across SharePoint, Lync, and Exchange mailboxes. eDiscovery integrates with advanced retention and archiving, enabling in-place legal hold and case-based projects.
- Self-service Business Intelligence: Do more with the tool you already know: Excel. Discover and connect to data with Power Query, model and analyze this data with PowerPoint, and visualize insights in interactive reports and maps with Power View and Power Map.
- Apps for Office and SharePoint: New third-party and customer-developed apps work with Office and SharePoint to bring web services right into your documents and sites.

All Office 365 Enterprise plans include:

- Reliability: Get peace of mind knowing your services are available with a guaranteed 9.9% uptime, with a financially backed service level agreement (SLA).
- Security: Your data is yours. We safeguard it and protect your privacy.
- Privacy: Your data belongs to you. Microsoft does not scan emails or documents for advertising purposes.
- Administration: The admin portal provides IT with detailed configuration options for your services, either from an online portal or through automated management with PowerShell commands. You can use the Admin app to manage your services on the go.
- Up to date: No need to pay for version upgrades; updates are included in your subscription. New features are rolled out to Office 365 customers in an IT-configurable experience.
- Support: 24/7 phone support for all IT issues. For less urgent issues, you can make service requests directly through the admin portal.

Windows Azure Virtual Machines provides on-demand, scalable computing resources. A virtual machine in Windows Azure is a server in the cloud that you configure and maintain according to your needs. It also gives you the flexibility of virtualization without having to buy or maintain the hardware to host it.

With a virtual machine in Windows Azure, you can:
- Deploy available versions of Windows Server or distributions of Linux operating systems by choosing from preconfigured images. Or, you can upload a virtual hard disk (VHD) that contains a server operating system and then use it to create virtual machines.
- Create and connect multiple virtual machines so you can load balance traffic among them.
- Use both automated and manual ways to create, manage, and delete a virtual machine. You can use the web portal (Windows Azure Management Portal), cmdlets for Windows PowerShell, or the Service Management APIs.
- Delete and recreate it whenever you need to, like you can with any other virtual machine.

Creating a virtual machine

When you create a virtual machine, choices you'll need to make include the following:
- The size of the virtual machine. This determines configuration such as the number of CPU cores, amount of memory, and storage capacity. For details, see Virtual Machine and Cloud Service Sizes for Windows Azure.
- The operating system. You can choose from stock images, some of which include SQL Server or SharePoint. Or, if you've uploaded your own VHD, you can use that as a custom image for the virtual machine.
- The networking configuration. If you want a virtual machine to use a virtual network, you'll need to specify the virtual network when you create the virtual machine. For more information, see the Virtual Network.
- The cloud service configuration. Each virtual machine resides in a cloud service, either by itself or with other virtual machines. When you place virtual machines in the same cloud service, you can load balance your applications and services by configuring load-balanced endpoints. For instructions, see Load Balancing Virtual Machines.

Interacting with a virtual machine

The ways of communicating with or interacting with a virtual machine, and what's required to allow the interaction, are summarized below.

Communication from outside the same cloud service or virtual network

All virtual machines that are in the same cloud service or virtual network can automatically communicate with each other using a private network channel. However, to communicate with other resources on the Internet or other virtual networks, a virtual machine uses endpoints. These endpoints handle the inbound network traffic to the virtual machine. For more information about setting up endpoints for a virtual machine, see How to Set Up Communication with a Virtual Machine.

Logging on to a virtual machine

The way you log on to a virtual machine depends on whether it's running Windows Server or Linux. For an overview of requirements and troubleshooting tips, see Connect to a Windows Azure virtual machine with RDP or SSH.

For a virtual machine that is running Windows Server, you can use Remote Desktop. In the Management Portal, click the Connect button to start a Remote Desktop Connection. For more information about logging on to a computer running Windows Server, see How to Log on to a Virtual Machine Running Windows Server.

For a virtual machine that is running the Linux operating system, you use a Secure Shell (SSH) client to log on. You'll need to install an SSH client on the computer that you want to use to log on to the virtual machine. There are many SSH client programs available. The following are possible choices:
- If you are using a computer that is running a Windows operating system, you can use Remote Desktop. For instructions, see the PuTTY Download Page.
- If you are using a computer that is running a Linux operating system, you might want to use an SSH client such as OpenSSH. For more information, see OpenSSH.

For instructions on logging on to a computer running Linux, see How to Log on to a Virtual Machine Running Linux.

Using Windows PowerShell Remoting

Windows PowerShell Remoting lets you connect remotely to one or more computers from a Windows PowerShell session to run commands directly on the remote computers. You can configure your virtual machine to allow Windows PowerShell Remoting when you create it, or at a later point. You configure the virtual machine by adding an endpoint that specifies the port and protocol to use. For instructions about adding an endpoint.

Product pricing

1. Windows Azure pricing: base price is 500.00 yearly. 500.00 (x) 2,100 = $1,000,000
2. Windows Office 365 Enterprise E2 is $20.00 monthly with unlimited users if 300 users or more. $20.00 (x) 2,100 +/- = $42,000
3. SpiceWorks is a free downloadable application ($0.00)
4. Google Dropbox and Google Chrome: 15.00 monthly per user (x) 2,100 +/- = $31,500 (for Dropbox)
   Google Apps: $50.00 yearly per user = 50.00 (x) 2,100 +/- = $105,000
   Microsoft Defender: free download ($0.00)

Policies
Abercrombie Architectural Firm Acceptable Use Policy

1.0 Overview

The Acceptable Use Policy has been put in place to protect the employees of Abercrombie, not to impose restrictions on Abercrombie, while allowing an established culture of openness, trust and integrity. Quadrant Network Solutions has designed this Acceptable Use Policy to protect Abercrombie's employees, partners and the company from illegal or damaging actions by individuals. Internet and intranet related systems, including but not limited to computer equipment, operating systems, storage media, and network accounts providing electronic mail, Internet browsing, and FTP, are the property of Abercrombie. These systems are to be used for business purposes only, in the interests of the company and of our clients and customers in the course of normal operations. Effective security is a team effort involving the participation and support of every Abercrombie employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user at Abercrombie to know these guidelines, and to conduct their actions accordingly.

2.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at Abercrombie and protect the company's assets. These rules are in place to protect the employee and Abercrombie as a company. Inappropriate use of equipment and services exposes Abercrombie to risks including virus attacks and compromise of network systems and services, and may cause legal issues.

3.0 Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at Abercrombie, including all personnel no matter what position they currently hold at Abercrombie. This policy also applies to all equipment that is owned or leased by Abercrombie.

4.0 Policy

4.1 General Use and Ownership

- Users should be aware that all the data they create on the corporate systems remains the property of Abercrombie.
- Employees are responsible for exercising ethical judgment and smart decision making. Individual departments are responsible for creating guidelines concerning personal use of Internet and Intranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.
- For security and network maintenance purposes all files will be monitored by a network administrator.
- Abercrombie reserves the right to audit networks and systems on a constant basis to confirm compliance with this policy.

4.2 Security and Proprietary Information

- The user interface for information contained on Internet and Intranet systems should be classified as either confidential or public, as shown in the information sensitivity policy. Examples of confidential information can be found in the information sensitivity policy and should be reviewed when reading the acceptable use policy.
- Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. Review the password policy to find more information on how to create and maintain passwords.
- All workstations and company devices should be secured with a password-protected automatic logout feature set to a 10-minute timer, or you can manually log off (control-alt-delete) when you want to leave your workstation.
- Files must be encrypted with a user-created password; once the password is created, the file is ready for encryption.
- All hosts used by the employee that are connected to the Abercrombie Internet and Intranet, whether owned by the employee or Abercrombie, shall be continually executing approved virus-scanning software with a current virus database unless overridden by departmental or group policy.
- Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses or other harmful devices. Please run virus scans on all email attachments and links to ensure full security protocol.

4.3 Unacceptable Use

Employees may be monitored and recorded for quality assurance. Any unacceptable actions can lead to corrective action or even termination.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including the installation or distribution of stolen software products that are not appropriately licensed for use by Abercrombie. These actions will result in legal action and will lead to termination.
- Unauthorized copying of copyrighted material without the consent of Abercrombie will result in termination and legal action.
- Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. Get approval for any exporting and copying of information and resources through Abercrombie. Doing so without consent can lead to legal action and termination.
- Training sessions for anti-virus and awareness training will be mandatory to attend.
- Revealing your account password to others is prohibited and accounts should never be shared. This includes family and other household members when work is being done at home.
- Making fraudulent offers or reselling any Abercrombie products, items, or services originating from any Abercrombie account is prohibited.
- Making statements about warranty, expressed or implied, unless it is a part of normal job duties, is not allowed.
- Effecting security breaches or disruptions of network communication. Security breaches include accessing data of which the employee is not an intended addressee or logging into a server or account that the employee is not authorized to access. Bringing in unauthorized devices is also a breach of security unless otherwise authorized to do so.
- Port scanning or security scanning is prohibited unless authorized.
- Executing any form of network monitoring which will intercept data not intended for the employee, unless it is a part of the employee's job.
- Bypassing user authentication or security of any host, network or account.
- Deploying a denial of service against any user or server is prohibited.
- Using any program, script, command, or sending messages of any kind, with the intent to interfere with, or disable, a service or user.
- Providing information about Abercrombie's private records outside of the company to parties that are not employed by Abercrombie is prohibited.
- Sending spam email or unethical email.
- Any form of harassment via email, telephone or messaging.
- Unauthorized use, or forging or impersonating.
- Solicitation of email for any other email address, other than your own.

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Abercrombie Architectural Firm Risk Assessment Policy

1.0 Purpose

The purpose of this policy is to define the risks before they become issues. We strive to identify hazards and evaluate any potential risks that may cause concern. Eliminating risks is a top priority, and by following this policy risk can be prevented. Risk assessments can also help with requirements for information, managers' knowledge, training, and rules and regulations. Following these protocols can reduce the amount of risk for the company and help it run smoothly without problems.

2.0 Scope

This policy will show the critical areas of risk and how they can be assessed. By rating risk on a scale according to our risk matrix we can identify which risks are more harmful than others. Identifying and eliminating risk is the core of this policy, which will show how to combat them.

3.0 Policy

In case of potential risk:
- Always record and review potential risk related problems
- No matter how big the risk, make sure to make a supervisor aware
- Communicate with the team to address potential risks
- Continue to monitor networks and infrastructure for risk related problems
- Any type of risk must be addressed and never ignored

4.0 Risk Assessment Process

This guide shows the process for identifying and managing risk:
- Identify responsibilities and activities for a specific area
- Establish a course of action based on the risks that could apply
- Identify potential hazards or vulnerabilities
- Identify controls and countermeasures for potential risks
- Commence risk assessments
- Contain potential risks by identifying control measures
- Develop and implement a plan of action
- Keep a record of informational findings for future communication
- Monitor and review to make sure risks are controlled

5.0 Risk Matrix

Figure 2.1 Risk Matrix

Score | Likelihood | Consequence
8-9 | Very Likely | Catastrophic
6-7 | Likely | Major
5 | Fairly Likely | Moderate
3-4 | Unlikely | Minor
1-2 | Very Unlikely | Insignificant

Likelihood Explanation
- Very Likely: Occurs very often.
- Likely: Will occur most of the time.
- Fairly Likely: Might occur.
- Unlikely: Not expected but could occur.
- Very Unlikely: Not expected to occur.

Consequence Description
- Catastrophic: Severe issues which need to be addressed ASAP
- Major: Significant problems needing attention
- Moderate: Issue needs to be worked on in a timely manner
- Minor: Issue can cause problems but can be worked on at a steady pace
- Insignificant: Issue which can be addressed when the time is right

6.0 Enforcement

Risk needs to be processed as soon as it is identified. By categorizing risk according to the risk matrix we can put a priority list on what needs to be worked on right away and what can wait. Communication is a key part of identifying and reviewing risk. It is a key component of the risk assessment policy, and risks must be communicated to the managers on duty.

Abercrombie Architectural Firm Information Sensitivity Policy 1.0 Purpose The Information Sensitivity Policy was created to help employees determine types of information and how some types are sensitive and should not be disclosed outside of Abercrombie without proper authorization. This policy will classify the types of information and how it will be stored and used. Quadrant Networking Solutions created this policy for the Abercrombie Company for the sole purpose of keeping employees informed about sensitive information levels. Stored information should not be shared unless it is authorized and this guide will explain the levels of authorization. This includes: electronic information, information on paper, and information shared by word of mouth or visually. All employees should familiarize themselves with the information types and how information should be stored. Sensitivity level definitions were created as guidelines and to emphasize common rule on what is deemed confidential and public. If there are any questions about the proper classification or a specific piece of information in general then please address the manager on duty. 2.0 Scope All Abercrombie information is categorized into two main classifications: Public Confidential Abercrombie Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to Abercrombie Systems, Inc. Abercrombie Confidential is classified into levels one through ten. It is understood that some information is more sensitive than other information, and should be protected in a more secure manner. The Information Sensitivity Graph shown in figure 3.1 includes the level of clearance for each title. Included is information that should be protected very closely, such as trade secrets, development programs, potential acquisition targets, and other information integral to the success of our company. 
Clearance levels will be provided with each user for example; allowing only those who are classified in active directory can open files with their specific clearance.

Figure 3.1 3.0 Policy The Sensitivity Guidelines below provides details on how to protect information at varying sensitivity levels. Using the graph in figure 3.1 we have developed a general sensitivity level guide into three unique groups which will provide more in depth security clearance options and information. Use these guidelines as a reference of what each level of sensitivity represents to its apparent group. 3.1 Low Sensitivity Levels (1-4): General corporate information; some personnel and technical information (This information is very basic and can be found by most search engines, although it also includes some confidential data) Who is classified under Low Sensitivity: employees, contractors, supervisors, vendors Storage Code: Keep from view of unauthorized people including general public or visitors; erase whiteboards, do not leave in view on tabletop. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate. Disposal/Destruction: Deposit outdated paper information in specially marked disposal bins on Abercrombie premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media. Do not leave passwords or company information written down and available for anyone elses eyes but your own. Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

3.2 Medium Sensitivity Levels (5-7): Business, financial, technical, and most personnel information. Marking guidelines for information in hardcopy or electronic form.
Who is classified under Medium Sensitivity: managers and upper management
Storage Code: Keep from view of unauthorized people including general public or visitors; erase whiteboards, do not leave in view on tabletop. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate. Make sure all files are password protected and computers are always logged off when not at desk. Individual access controls are highly recommended for electronic information.
Disposal/Destruction: In specially marked disposal bins on Abercrombie premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media. Password protect all data stored on Abercrombie workstations.
Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

3.3 High Sensitivity Levels (8-10): Classified data, progress reports, personal company data, financial records, including all data in the network. Marking guidelines for information in hardcopy or electronic form.
Who is classified under High Sensitivity: upper management, high level technicians, IT managers, administrators
Storage Code: Keep from view of unauthorized people including general public or visitors; erase whiteboards, do not leave in view on tabletop. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate. Make sure all files are password protected and computers are always logged off when not at desk. Individual access controls are highly recommended for electronic information. Security is a very high priority for these high sensitivity levels.
Disposal/Destruction: In specially marked disposal bins on Abercrombie premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media. Password protect all data stored on Abercrombie workstations.
Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

4.0 Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Abercrombie Architectural Firm Virtual Private Network (VPN) Policy

1.0 Purpose
The purpose of this policy is to offer guidelines for Remote Access Virtual Private Network (VPN) connections throughout Abercrombie Architectural Firm's corporate network. This will help expand Abercrombie's private network over the internet, which is shown in figure 4.1.

Figure 4.1

2.0 Scope
This policy applies to all Abercrombie employees, contractors, consultants, temporaries, and other workers including all remote users using VPNs to access the Abercrombie network. All remote users will be required to go through the corporate office as shown in figure 4.1 before connecting to a branch network.

3.0 Policy
Approved Abercrombie employees and authorized personnel (contractors, consultants, temporaries, and other workers including all remote users using VPNs) may utilize the benefits of VPNs at their own risk. VPNs need an internet connection and Abercrombie is not responsible for any data charges while a user is on the VPN. VP

It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Abercrombie internal networks. If you are authorized to connect to the VPN remotely, please reference the remote policy guide along with this guide. Failing to abide by these guides can be cause for corrective action, and violating these policies may result in termination.

o VPN use is controlled by one-time password authentication: a password will be sent to a user's corporate email account, with a time limit on how long the user has to use the password.
o When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped.
o Only one network connection is allowed per user.
o VPN gateways will be set up and managed by Abercrombie network operational groups.
o All computers connected to the Abercrombie internal networks through the VPN must use the required most up-to-date anti-virus software. Our system login will make sure that up-to-date anti-virus software is detected.
o VPN users will be automatically disconnected from Abercrombie's network after thirty minutes of inactivity. The user must then go back through the logon authentication again to reconnect to the network.
o The login software requires that all users register their computer as a compliant device for the Abercrombie VPN.

4.0 Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Abercrombie Architectural Firm Workstation Security Policy

1.0 Purpose
The purpose of this policy is to deliver direction for workstation security for Abercrombie Architectural Firm workstations in order to guarantee the security of information on the workstation and information the workstation may have access to. This policy also provides guidance to confirm the requirements of the HIPAA under the workstation security policy terms.

2.0 Scope
This policy applies to all Abercrombie Architectural Firm employees, contractors, staff members, vendors and agents with an Abercrombie Architectural Firm owned or personal workstation connected to the Abercrombie Architectural Firm network.

3.0 Policy
Proper measures must be taken when using workstations to ensure the privacy, integrity and availability of delicate information, including health information, and that access to delicate information is regulated to authorized users.

3.1 Staff members using workstations shall consider the sensitivity of the information, including health information, that may be retrieved and minimize the risk of unauthorized access.

3.2 Abercrombie Architectural Firm will implement physical and technical defenses for all workstations that access electronic health information to restrict access to authorized users.

3.3 Appropriate measures include:
o Restricting physical access to workstations to only authorized employees.
o Securing workstations with screen lock (Windows key + L) or logging out prior to leaving the area to prevent unauthorized access.
o Enabling a password-protected screen saver with a very short timeout period to guarantee that workstations that were left unsecured will be protected.
o Complying with all applicable password policies and procedures.
o Ensuring workstations are used for approved business purposes only.
o Never installing unauthorized software on workstations.
o Storing all sensitive information, including health information, on network servers.
o Keeping food and drink away from workstations in order to avoid accidental spills.
o Securing laptops that contain sensitive information by locking laptops up in cabinets.
o Positioning monitors away from public view. If necessary, install privacy screen filters.
o Ensuring workstations are left on but logged off in order to facilitate after-hours updates. Exit running applications and close open documents.
o Ensuring that all workstations use a surge protector (not a power strip) or a UPS.
o If any wireless network access is used, guaranteeing access is secure by following the Wireless Access policy.

4.0 Enforcement Any employee found to have violated this policy may be subject to disciplinary action, including termination of employment.

Abercrombie Architectural Firm Technology Equipment Disposal Policy

1.0 Overview
Technology equipment has parts that cannot be thrown away in a regular disposal bin. Proper disposal of technology equipment is both environmentally friendly and also required by law in some states. Also, all hard drives, USB flash drives, or any other storage medium will most likely contain company data, which can be considered sensitive. To keep company data secure, all storage devices must be properly erased before being disposed of or donated. However, this is still not sufficient for proper disposal because the data that has been erased is still there until you start to add new files. There are specific tools that will be used to correct this issue before a data device is disposed of.

2.0 Purpose
This policy has been created to help define the correct way and requirements for the proper disposal of technology equipment.

3.0 Scope
This Technology Equipment Disposal Policy applies to all equipment owned by Abercrombie Architectural Firm.

4.0 Policy
4.1 Technology Equipment Disposal
1. Any technology equipment that has reached the end of its useful life should be sent to the local Information Technology office for proper disposal.
2. Information Technology will securely erase all storage devices in accordance with current industry practices.
3. Technology equipment that is working, but has reached the end of its useful life for Abercrombie Architectural Firm, will be made purchasable for our employees.
4. A lottery system will be used to determine who has the opportunity to purchase available equipment.
5. All equipment that is made purchasable must go through the lottery process. Employees cannot purchase their cubicle/office computer directly or reserve a system. This gives all employees an equal chance to get a piece of equipment.
6. Information Technology and Finance will determine the appropriate cost for each piece of technology equipment.
7. All purchases are final. No warranty or support will be provided for any equipment sold.
8. Any technology equipment that is not in working order or remaining from the lottery process will be donated or disposed of according to current environmental guidelines. Information Technology has contracted with several local organizations to donate or properly dispose of outdated technology equipment.
9. Prior to leaving Abercrombie Architectural Firm premises, all technology equipment must be removed from the Information Technology inventory system.

4.2 Abercrombie Architectural Firm Ramifications
Failure to properly dispose of technology equipment can or will have several negative effects on Abercrombie Architectural Firm, including fines, negative customer views and costs to notify constituents of data loss.

5.0 Enforcement
Any employee that has been found to have violated any of these policies will be subject to disciplinary actions, including termination of employment.

Abercrombie Architectural Firm Ethics Policy

1.0 Overview
Abercrombie Architectural Firm's purpose for this ethics policy is to establish a culture of trust and integrity in our business practices. Effective ethics is a company effort involving the support of every Abercrombie Architectural Firm employee. All employees should familiarize themselves with the ethics guidelines that follow this introduction. Abercrombie Architectural Firm is committed to protecting employees, partners, vendors and the company from actions that are deemed illegal or damaging by individuals, either knowingly or unknowingly. When Abercrombie Architectural Firm addresses issues proactively and uses correct judgment, it will help set us apart from competitors. Abercrombie Architectural Firm will not tolerate any wrongdoing or illegal actions at any time. Abercrombie Architectural Firm will take the appropriate measures and act quickly to correct any issue if the ethical code is broken. Any infractions of this code of ethics will not be tolerated.

2.0 Purpose
Our purpose for authoring documentation on an ethics policy is to emphasize employees' and consumers' expectation to be treated fairly in the workplace. This policy will guide the company's behavior to ensure appropriate conduct.

3.0 Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Abercrombie Architectural Firm, including all personnel affiliated with Abercrombie.

4.0 Policy
4.1. Executive Commitment to Ethics
Upper management within Abercrombie Architectural Firm must set a prime example. In any business practice, honesty and integrity must be top priority for executives. Executives must use an open door policy and welcome suggestions and concerns from employees. This will allow employees to feel comfortable discussing any issues that could affect the company and will alert executives to the concerns within the workforce. Executives must disclose any conflicts of interest regarding their position within Abercrombie Architectural Firm.

4.2. Employee Commitment to Ethics
Abercrombie Architectural Firm employees will treat everyone in the workplace with respect and dignity, and promote a team environment with the intent to avoid any unethical behavior. Every employee needs to apply effort and intelligence to maintaining ethical values in the workplace. Employees must disclose any conflicts of interest regarding their position within Abercrombie Architectural Firm. Employees will help Abercrombie Architectural Firm to increase customer satisfaction by providing quality service and timely response to inquiries.

4.3. Company Awareness
Promotion of ethical behavior within interpersonal communications of employees will be rewarded. Abercrombie Architectural Firm will promote a trustworthy and honest atmosphere to reinforce the idea of ethics within the company.

4.4. Maintaining Ethical Practices
Abercrombie Architectural Firm will strengthen the importance of the integrity message, and the attitude will start at the top. Every employee, manager and director needs to consistently maintain an ethical position and support ethical behavior. Employees at Abercrombie Architectural Firm should encourage open dialogue, get honest comments and treat everyone fairly, with honesty. Abercrombie Architectural Firm has a reputable practice in which the disclosure committee makes sure the ethical code is distributed to all employees and that concerns regarding the code can be addressed.

4.5. Unethical Behavior
Abercrombie Architectural Firm will avoid the intent and presence of unethical or compromising practice in relationships, actions and communications. Abercrombie Architectural Firm will not tolerate harassment or discrimination. Unauthorized use of company trade secrets and marketing practices, operational, personnel, financial, source code, and technical information that is integral to the success of our company will not be tolerated. Abercrombie Architectural Firm will not authorize any impropriety at any time and we will act ethically and responsibly in accordance with laws. Abercrombie Architectural Firm employees will not use corporate resources or business relationships for personal use or gain.

5.0 Enforcement
Any breaches of this code of ethics will not be tolerated by Abercrombie Architectural Firm, and the firm will act quickly in correcting the issue if the ethical code is broken. Any employee found to have violated this policy may be subject to disciplinary action, including termination of employment.

Abercrombie Architectural Firm Software Installation Policy

1.0 Overview
Permitting employees to install software on company computers opens the organization up to preventable exposure. The introduction of malware from infected installed software, unlicensed software which could be exposed in a review, and programs which can be used to hack the organization's network are instances of the problems that can be introduced when employees install software on company equipment.

2.0 Purpose
To reduce the risk of loss of program functionality, the exposure of sensitive information controlled within the Abercrombie Architectural Firm computing network, the risk of introducing malware, and the legal exposure of running unlicensed software.

3.0 Scope
This policy covers all computers, servers, and smartphones within Abercrombie Architectural Firm.

4.0 Policy
Employees may not install software on Abercrombie Architectural Firm computing devices operated within the Abercrombie Architectural Firm network. Software requests must first be approved by the IT department and then sent via email with approval. Software must be selected from an approved software list, maintained by the IT department. The IT Department will attain and track the licenses, test new software for conflict and compatibility, and perform the installation.

5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, including termination of employment.

Abercrombie Architectural Firm Web Application Security Assessment Policy

1.0 Purpose
The purpose of this policy is to define web application security assessments within Abercrombie. Web application assessments are performed to identify potential or realized weaknesses as a result of inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of Abercrombie services available both internally and externally as well as satisfy compliance with any relevant policies in place.

2.0 Scope
This policy covers all web application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at Abercrombie. All web application security assessments will be performed by delegated security personnel either employed or contracted by Abercrombie. All findings are considered confidential and are to be distributed to persons on a need to know basis. Distribution of any findings outside of Abercrombie is strictly prohibited unless approved by the Chief Information Officer. Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited. Limitations and subsequent justification will be documented prior to the start of the assessment.

3.0 Policy
Web applications are subject to security assessments based on the following criteria:
o New or Major Application Releases: will be reviewed and only deemed suitable for implementation subject to a full assessment prior to approval by the IT Department Head.
o Third Party or Acquired Web Applications: will be fully reviewed, then revised as seen fit for operation.
o Point Releases: any changes in new applications will be rigorously reviewed before deployment into the infrastructure.
o Patch Releases: will constitute a review based on the level of seriousness.
o Emergency Releases: an emergency release will be allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out.

3.1 Risk
o High: Any issues that may be labeled as high risk must be corrected immediately, or other necessary measures must be applied to correct the problem. This would also include stopping implementation of exposed software rated high risk.

o Medium: Medium risk issues are reviewed according to severity; after further investigation, proper scheduling will be applied.
o Low: Issues that appear to be low in threats will be fully reviewed, then applied to the infrastructure.

3.2 Security Assessment Level
o Full: A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide. A full assessment will use manual penetration testing techniques to validate discovered vulnerabilities to determine the overall risk of any and all discovered.
o Quick: A quick assessment will consist of a (typically) automated scan of an application for the OWASP Top Ten web application security risks at a minimum.
o Targeted: A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.

3.3 Duration
The number of web applications will be matched to the number of days deemed appropriate for proper planning, and this will be modified according to the organization's scope.

3.4 Exemptions
Exemptions to the need for a security assessment will be made by the Chief Information Officer or delegated manager based on risk and criticality of needed application changes/functionality/architecture. Exemptions will assume the associated risk and will be documented as required by the change control policies.

4.0 Responsibilities
Responsibility lies in the hands of Security Engineering, which will be responsible for all web applications, including the scope assessment. While determining and discovering relevant issues that may be a risk, all issues will be reported and then supervised by Project Management and application stakeholders.

5.0 Enforcement
Web application assessments are a requirement of the change control process and are required to adhere to this policy unless found to be exempt. All application releases must pass through the change control process. Any web applications that do not adhere to this policy may be taken offline until such time that a formal assessment can be performed at the discretion of the Chief Information Officer.

6.0 Definitions
o Web Application: Any service that accepts and processes HTTP/HTTPS protocols.
o Major Release: A change in software or new updates including new code.
o Point Release: An application software update/code change as part of the application lifecycle.
o Patch Release: Any application or form of software that corrects imperfections in the software.

Abercrombie Architectural Firm Server Security Policy

1.0 Purpose
The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Abercrombie. Effective implementation of this policy will minimize unauthorized access to Abercrombie proprietary information and technology.

2.0 Scope
This policy applies to server equipment owned and/or operated by Abercrombie, and to servers registered under any Abercrombie-owned internal network domain. This policy is specifically for equipment on the internal Abercrombie network. For secure configuration of equipment external to Abercrombie on the DMZ, refer to the Internet DMZ Equipment Policy.

3.0 Policy
3.1 Ownership and Responsibilities
All internal servers deployed at Abercrombie must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by InfoSec. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by InfoSec.
Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:
o Server contact(s) and location, and a backup contact
o Hardware and Operating System/Version
o Main functions and applications, if applicable
Information in the corporate enterprise management system must be kept up-to-date. Configuration changes for production servers must follow the appropriate change management procedures.

3.2 General Configuration Guidelines
o Operating System configuration should be in accordance with approved InfoSec guidelines.
o Services and applications that will not be used must be disabled where practical.
o Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible.
o The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
o Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do.
o Always use standard security principles of least required access to perform a function.
o Do not use root when a less privileged account will suffice.
o If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
o Servers should be physically located in an access-controlled environment.
o Servers are specifically prohibited from operating from uncontrolled cubicle areas.

3.3 Monitoring
All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
o All security related logs will be kept online for a minimum of 1 week.
o Daily incremental tape backups will be retained for at least 1 month.
o Weekly full tape backups of logs will be retained for at least 1 month.
o Monthly full backups will be retained for a minimum of 2 years.
Security-related events will be reported to InfoSec, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
o Port-scan attacks
o Evidence of unauthorized access to privileged accounts
o Anomalous occurrences that are not related to specific applications on the host.

3.4 Compliance
Audits will be performed on a regular basis by authorized organizations within Abercrombie. Audits will be managed by the internal audit group or InfoSec, in accordance with the Audit Policy. InfoSec will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification. Every effort will be made to prevent audits from causing operational failures or disruptions.

4.0 Enforcement
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Abercrombie Architectural Firm Remote Access Policy

1.0 Purpose
The purpose of this policy is to outline standards for linking to Abercrombie's network from any host. These criteria are designed to lessen the potential exposure to Abercrombie from damages which may result from unauthorized use of Abercrombie resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical Abercrombie internal systems, etc.

2.0 Scope
This policy applies to all Abercrombie personnel, contractors, vendors and representatives with an Abercrombie-owned or personally-owned computer or terminal used to link to an Abercrombie network. This policy applies to remote access connections used to do work on behalf of Abercrombie, including reading or sending email and viewing intranet web assets. Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, SSH, VPN, and cable modems, etc.

3.0 Policy
3.1 General
1. It is the duty of Abercrombie employees, contractors, vendors and agents with remote access rights to Abercrombie's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to Abercrombie.
2. General access to the Internet for leisure use by immediate household members through the Abercrombie Network on personal computers is permitted for employees that have flat-rate services. The Abercrombie employee is responsible for ensuring the family member does not violate any Abercrombie policies, does not perform illegal actions, and does not use the access for outside business activities. The Abercrombie employee bears responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network via remote access methods, and acceptable use of Abercrombie's network:
a. Acceptable Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Abercrombie's remote access link options, including how to order or disconnect service, cost assessments, troubleshooting, etc., go to the Remote Access Services website.

3.2 Requirements
1. Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong pass-phrases. For information on creating a strong pass-phrase see the Password Policy.
2. At no time should any Abercrombie employee provide their login or email password to anyone, not even family members.
3. Abercrombie employees and contractors with remote access privileges must ensure that their Abercrombie-owned or personal computer or workstation, which is remotely connected to Abercrombie's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
4. Abercrombie employees and contractors with remote access privileges to Abercrombie's corporate network must not use non-Abercrombie email accounts (Google, Yahoo, Hotmail), or other outside resources to conduct Abercrombie business, thus ensuring that authorized business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Abercrombie network must meet minimum verification requirements of CHAP.
6. Reconfiguration of a home user's equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay must meet minimum verification requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and InfoSec must approve security configurations for access to hardware.
9. All hosts that are connected to Abercrombie internal networks via remote access technologies must use the most up-to-date anti-virus software; this includes private computers. Third party connections must comply with requirements as stated in the Third Party Agreement.
10. Personal equipment used to connect to Abercrombie's networks must meet the requirements of Abercrombie-owned equipment for remote access.
11. Organizations or persons who wish to implement non-standard Remote Access solutions to the Abercrombie production network must obtain prior approval from Remote Access Services, InfoSec, and the Site Manager.

4.0 Enforcement
Any employee found to have violated these rules and regulations may be subject to disciplinary action, up to and including termination of employment.

Abercrombie Architectural Firm Physical Security Access Policy

1.0 Purpose
This document will provide guidance for all visitors and employees sponsoring visitors to Abercrombie Architectural Firm.

2.0 Cancellation or Expiration
The rules and regulations stated in this document do not have an expiration date. However, this document is reviewed and updated quarterly.

3.0 Scope
This policy applies to all Visitors to any premises of Abercrombie Architectural Firm, and to employees who sponsor Visitors. These policies apply to all visitors and employee sponsored visitors who enter Abercrombie Architectural Firm property.

4.0 Policy Statement
We aim to create a secure and safe working environment for all our employees and visitors.

4.1 Parking
Visitors are encouraged to use designated Visitor Parking spots. If these spots are all occupied, then the regular employee parking spots can be used.

4.2 Check-In
o All Visitors must arrive at a designated Check-In entrance (the main reception desk).
o All Visitors must present a government-issue photo identification at time of Check-In.
o All Visitors must be met by their employee sponsor at the designated Check-In entrance. A Visitor cannot sponsor another Visitor.
o Pets are not allowed on property; the only exception is assistance animals such as Seeing Eye Dogs. Prior arrangements may be required since some areas (manufacturing, assembly, and clean rooms) are not appropriate for animals under any circumstances.
o Visitors must sign two copies of a Visitors Agreement. All Visitors must read this agreement and keep their copy of this agreement with them at all times during their visit. Visitors will be required to initial the
o Each Visitor will be asked to verbally verify they understand the Emergency Evacuation section of the Visitor Agreement document.
o All Visitor electronics (laptops, other computer equipment, cell phones, etc.) will be checked in with security until they are ready to leave the property.

4.3 Visitor Badges
Visitor Badges must be worn at all times. Employees are instructed to immediately report anyone not wearing a Visitor or Employee badge.

4.4 Photographs and Cameras
Visitors are not permitted to take photographs inside of Abercrombie Architectural Firm premises, unless discussed specifically with sponsoring employees.

4.5 Information Disclosure Visitors should not request information they are not privileged to know. 4.6 Check-Out Visitors will check out at the same location they checked in. All visitors will receive all checked in items in exchange for the Visitors Badge while Checking-Out. 4.7 Exit Inspection Visitors may be subject to a brief search of their personal items as they exit the premise. The authorization for this search is the signature on the Visitor Agreement Form (review the Check-In section of this document). 4.8 Network or System Access Visitors that require internet access are free to use the Visitor Wireless Network. Access to this network requires on-line agreement to the terms and conditions of network use. The access code on the back of the Visitor badge is used to gain access to the Visitors Wireless Network. Visitors who require access our companies IT networks will express permission from their employee sponsor. If access is authorized said Visitor will have to read and sign an Acceptable Use Policy. The Visitor will receive temporary credentials and an IT department point of contact to monitor the Visitors activity. Remote Access to Abercrombie Architectural Firm networks are regulated by IT Department. 4.9 On Courtesy All employees of Abercrombie Architectural Firm are to bear in mind at all times that all Visitors are either Customers or potential Customers. Even in the case of clear violations of this policy, all actions, dealings and conversations are to be courteous in nature. 5.0 Penalties Violation of any of the requirements in this policy by any employee will result in suitable disciplinary action, up to and including prosecution and / or termination. Violation of any of the requirements in this policy by any Visitor can result in similar disciplinary action against the sponsoring employee, and can also result in termination of services with any associated consulting organization or prosecution in the case of criminal activity.

6.0 Other Policies All Corporate Policies and Procedures are to be considered confidential information. While many of these Corporate Documents are required by Visitors as part of their visit, any policies or procedures not required in this capacity should be considered to be governed by the Information Disclosure section of this document.

Abercrombie Architectural Firm Wireless Communication Policy

1.0 Overview
The purpose of this policy is to secure and safeguard the information assets owned by Abercrombie. Abercrombie provides computer devices, networks, and other electronic information systems to meet goals, missions, and initiatives. Abercrombie grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets.

This policy specifies the conditions that wireless infrastructure devices must meet to connect to Abercrombie's network. Only those wireless infrastructure devices that meet the criteria stated in this policy or are granted an exemption by the Information Security Department are approved for connectivity to a Quadrant Network Solutions network.

2.0 Scope
All personnel, freelancers, consultants, and other workers at Abercrombie, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of Abercrombie, must adhere to this policy. This policy applies to all wireless infrastructure devices that connect to an Abercrombie network or reside on an Abercrombie site and that provide wireless connectivity to endpoint devices including, but not limited to, laptops, cellular phones, desktops, and personal digital assistants (PDAs). This includes any form of wireless device capable of transferring packet data. The Information Security Department must approve exemptions to this policy in advance.

3.0 Policy Statement

3.1 General Network Access Requirements
All wireless infrastructure devices that reside at an Abercrombie site and connect to an Abercrombie network, or provide access to information classified as Abercrombie Confidential, Abercrombie Highly Confidential, or Abercrombie Restricted must:
o 3.1.1 Abide by the criteria specified in the Wireless Communication Standard.
o 3.1.2 Be installed, supported, and maintained by an accepted support team.
o 3.1.3 Use Abercrombie accepted authentication procedures and infrastructure.
o 3.1.4 Use Abercrombie accepted encryption protocols.
o 3.1.5 Maintain a hardware address (MAC address) that can be listed and tracked.
o 3.1.6 Not hinder wireless access deployments maintained by other support organizations.

3.2 Lab and Isolated Wireless Device Requirements
All lab wireless infrastructure devices that provide access to Abercrombie Confidential, Abercrombie Highly Confidential, or Abercrombie Restricted information must adhere to section 3.1. Lab and isolated wireless devices that do not provide general network connectivity to the Abercrombie network must:
o 3.2.1 Be isolated from the corporate network (that is, they must not provide any corporate connectivity) and comply with the DMZ Lab Security Policy or the Internal Lab Security Policy.
o 3.2.2 Not interfere with wireless access deployments maintained by other organizations.

3.3 Home Wireless Device Requirements
o 3.3.1 Wireless infrastructure devices that provide direct access to the Abercrombie corporate network must conform to the Home Wireless Device Requirements detailed in the Wireless Communication Standard.
o 3.3.2 Wireless infrastructure devices that fail to follow the Home Wireless Device Requirements must be installed in a way that disallows direct access to the Abercrombie corporate network. Access to the Abercrombie corporate network through such a device must use standard remote access authentication.

4.0 Enforcement
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a contractor, temporary worker, or vendor may result in the termination of their contract with Abercrombie.

Abercrombie Architectural Firm Password Policy

1.0 Overview
Passwords provide security and confidentiality for data stored on the company's servers, offices and workstations. Every user is solely responsible for creating a strong and difficult-to-guess password. A weak password makes it easy for viruses to access your computer, and this can lead to the virus gaining access to the Abercrombie Architectural Firm network. An easy-to-guess password also makes it easy for hackers to access your computer and hence gain access to the Abercrombie network. As an Abercrombie Architectural Firm employee, it's your responsibility to take the following steps when creating your password.

2.0 Purpose
The purpose of this policy is to guide employees of Abercrombie Architectural Firm in creating a strong and secure password.

3.0 Scope
This policy applies to all accounts used to access Abercrombie Architectural Firm resources, the domain and other systems that contain confidential data. This policy document is owned by Abercrombie Architectural Firm. Every owner of individual systems, servers, workstations, desktops and other devices is responsible for the enforcement of this policy.

4.0 Policy

4.1 General
- All Abercrombie Architectural Firm employees should take note that their passwords should not be shared or disclosed to anyone. It is a breach of this Policy to share your password or another user's password, and it would be considered an act of gross misconduct.
- All account holders and system administrators will protect the security of these passwords in a reasonable manner.
- Computing accounts need to be protected by strong passwords.
- All Abercrombie Architectural Firm owned computing devices must have password protection enabled.
- All system-level passwords (such as Microsoft Windows Administrator, Application Administration, Scheduling Administration, IS Administration, etc.) need to be changed on a quarterly basis.
- All user-level passwords (such as desktop, email, web, etc.) should be changed at a minimum of every six months, with a suggested change interval of every four months.
- Passwords must not be included in email messages or other forms of electronic communication.
- Wherever the Simple Network Management Protocol (SNMP) is used to access systems, the community strings must be defined as something other than the standard defaults of "public", "private" and "system", and must be distinct from the passwords used to log in interactively to the systems. A keyed hash must be used where available, such as SNMPv2.
- All user-level and system-level passwords must conform to the guidelines defined below.

4.2 Guidelines

4.2.1 General password construction guidelines
All users at Abercrombie Architectural Firm must be mindful of how to select strong passwords.

Strong passwords have the following characteristics:
- It must be at least six characters long.
- It should contain at least three of the five following character classes:
  - Upper case characters
  - Lower case characters
  - Numbers
  - Punctuation
  - Special characters (such as ! @ # $ % ^ & * ( ) _ + | ~ = \ ` { } [ ] : ; < > ? , . /)
- It should not be based on personal information, names of family, etc.
- It must not be a word in any language, slang, dialect, jargon, etc.

Weak passwords have the following characteristics:
- A weak password contains fewer than six characters.
- A weak password is a word found in a dictionary (English or foreign).
- A weak password uses names of family, pets, friends, co-workers, fantasy characters, etc.
- A weak password contains computer terms and names, commands, hardware, software.
- A weak password uses predictable words such as Greensboro, greenhouse, goodnight.
- A weak password uses personal information such as addresses and phone numbers.
- A weak password uses word or number patterns like cccaabb, QWERTY, abcwvuts, 1233987, etc.
- A weak password uses any of the above spelt backwards or preceded or followed by a digit, such as password1, 1password.

Try to create passwords that can be easily remembered. You can create a password based on a poem title, affirmation, or other phrase. For instance, the phrase might be: "Things fall apart the center cannot hold" and the password could be: "Tfatcch!" or some other variation.
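The construction rules in 4.2.1, as an added Python example (not part of the original policy): a checker that applies the six-character minimum, the three-of-five character class rule, and the dictionary, reversed-word, digit-affix and pattern tests. The small `WORDLIST`, the punctuation/special split and the four-character run length are assumptions chosen for illustration.

```python
import string

MIN_LENGTH = 6        # section 4.2.1: at least six characters
REQUIRED_CLASSES = 3  # section 4.2.1: three of the five character classes

# Assumption: 4.2.1 names "punctuation" and "special characters" as separate
# classes without saying which marks belong where; this split is one reading.
PUNCTUATION = set(".,;:!?'\"-")
SPECIAL = set(string.punctuation) - PUNCTUATION

# Constructed stand-in for a real dictionary, names list and site-specific terms.
WORDLIST = {"password", "greensboro", "greenhouse", "goodnight", "abercrombie"}

# Keyboard rows and the alphabet, used to spot runs such as "qwer" or "wvut".
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase)


def character_classes(password):
    """Return the set of 4.2.1 character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("number")
        elif ch in PUNCTUATION:
            classes.add("punctuation")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def is_dictionary_based(password):
    """True for a listed word, forwards or backwards, with digits before or after it."""
    core = password.lower().strip(string.digits)
    return core in WORDLIST or core[::-1] in WORDLIST


def has_pattern(password, run=4):
    """True for a keyboard/alphabet run of `run` characters or a character repeated 3 times."""
    lowered = password.lower()
    for i in range(len(lowered) - 2):
        if lowered[i] == lowered[i + 1] == lowered[i + 2]:
            return True
    for row in ROWS:
        for sequence in (row, row[::-1]):
            for i in range(len(lowered) - run + 1):
                if lowered[i:i + run] in sequence:
                    return True
    return False


def check_password(password):
    """Return the 4.2.1 rules the candidate breaks (an empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if len(character_classes(password)) < REQUIRED_CLASSES:
        problems.append("classes")
    if is_dictionary_based(password):
        problems.append("dictionary")
    if has_pattern(password):
        problems.append("pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("Tfatcch!", "password1", "1password", "QWERTY", "cccaabb", "drowssap9"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```
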

4.2.2 Password protection standards
Do not use the same password for Abercrombie Architectural Firm accounts as for other non-Abercrombie Architectural Firm access, such as your personal ISP account, online banking, e-shopping, option trading, benefits, etc. Use different passwords for your desktop login account and your remote access account. Do not share your Abercrombie Architectural Firm passwords with anyone, including Information Services staff, administrative assistants or secretaries. All passwords should be treated as sensitive, confidential Quadrant Network Solution information.

Below is a list of don'ts:
- Don't reveal a password over the phone to ANYONE.
- Don't reveal a password in an email message.
- Don't reveal a password to your line manager.
- Don't talk about a password in front of others.
- Don't hint at the format of a password, such as "my family name".
- Don't reveal a password on questionnaires or security forms.
- Don't share a password with family members.
- Don't reveal a password to co-workers while on holiday.
- Don't use the "Remember Password" feature of applications.
- Don't write passwords down and store them anywhere in your office.
- Don't store passwords in a file on ANY computer system, including PDAs or other computer devices, without encryption.

If an account or password compromise is suspected, report the incident to the Information Security Department. All passwords are to be immediately changed. If another employee or anyone else insists that you disclose your password, refer them to this document or have them call someone in the IS Service Desk.

4.2.3 Application development standards
Application developers are obligated to make sure their programs contain the following security measures. Applications:
- Should support authentication of individual users, not groups;
- Should not store passwords in clear text or in any easily reversible form;
- Shall provide some sort of role management, such that one user can take over the responsibilities of another without having to know the other's password;
- Should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.

4.2.4 Use of Passwords and Passphrases for Flexible Access Users
Access to the Abercrombie Architectural Firm networks via remote access (such as Wi-Fi, VPN, SSL, etc.) is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

Passphrases
Passphrases are generally longer versions of passwords and are, therefore, more secure. Passphrases are different from passwords. A passphrase is mostly used for public/private key authentication. A passphrase is normally composed of a few words and, because of this, is mostly less vulnerable to dictionary attacks. A public/private key system describes a mathematical association between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. All of the guidelines above that apply to passwords apply to passphrases.

5.0 Enforcement
Any employee of Abercrombie Architectural Firm found to have breached this Policy would be subject to disciplinary action, up to and including termination of employment. Random password cracking or guessing may be carried out on a periodic basis by the Information Security Department. If a password is guessed or cracked during these exercises, the user will be required to change their password.

6.0 Terms and Definitions
Application Administration Account: Any account that is specifically for the administration of an application, such as Oracle Database Administrator or IS System Administrator.

Flexible access: A number of means by which users may connect their personal systems to the Abercrombie Architectural Firm network, such as:
- Job flexible access locations providing wireless and wired Ethernet connectivity;
- Remote access service supporting Virtual Private Network (VPN) connectivity;
- Application-specific services, e.g. SSL, SSH, secure FTP, secure email, etc.

Abercrombie Architectural Firm Router Security Policy

1.0 Purpose
This document describes a mandatory minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of Abercrombie.

2.0 Scope
All routers and switches connected to Abercrombie production networks are affected. Routers and switches within internal, secured labs are not affected. Routers and switches within DMZ areas fall under the Internet DMZ Equipment Policy.

3.0 Policy
All routers must meet the following configuration standards:

- No local user accounts are configured on the router. Routers must use TACACS+ for every user authentication.
- The enable password on the router must be kept in a secure encrypted form. Reversible encryption algorithms, such as the Cisco type 7 Vigenère encryption, are unacceptable. The router must have the enable password set to the current production router password from the router's support organization.
- The following services or features must be deactivated:
  o IP directed broadcasts
  o TCP small services
  o UDP small services
  o All source routing
  o All web services running on router
  o Auto-configuration
- The following services should be deactivated unless a business requirement is provided:
  o Cisco discovery protocol and other discovery protocols
  o Dynamic trunking
  o Scripting environments, such as the TCL shell
- The following services must be configured:
  o Password-encryption
  o NTP configured to a corporate standard source
- Use corporate standardized SNMP community strings. Default strings, such as public or private, must be erased. SNMP must be configured to utilize the most secure version of the protocol permissible by the combination of the device and management systems.
- Access control lists must be used to limit the source and kind of traffic that can terminate on the device itself.
- Access control lists for transiting the device are to be added as business requirements arise.
- The router must be included in the corporate enterprise management system with a designated point of contact.
- Each router must have the following statement presented for all forms of login, whether remote or local:
  "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS FORBIDDEN. You must have explicit authorization to access or modify this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device. Use of this system will constitute consent to monitoring."
- Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the whole communication path. SSH version 2 is the preferred management protocol.
- Dynamic routing protocols must use authentication in routing updates sent to neighbors. Password hashing for the authentication string must be activated when supported.
- A corporate standard will be created and revised at least annually to define items required but not defined in this policy, such as NTP servers.
- The corporate router configuration standard will define the category of sensitive routing and switching devices, and require additional services or configuration on sensitive devices, including:
  o IP access list accounting
  o Device logging
  o Inbound packets at the router sourced with invalid addresses, such as RFC1918 addresses, or those that might be used to spoof network traffic, will be discarded.
  o Router console and modem access must be limited by additional security controls

4.0 Enforcement Any employee found to have violated this policy could be subject to disciplinary action, up to and including termination of employment. 5.0 Exceptions Exceptions to this policy must be documented and approved in writing by the Chief Information Officer or their authorized representative. Documented exceptions must be accessible to auditors.
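One way to check a device against the section 3.0 configuration standards of the Router Security Policy, as an added Python example (not part of the original policy): a rule table run over an IOS-style configuration, shown on a constructed non-compliant sample and a constructed compliant one. The finding names, both sample configurations, and the choice to require an explicit `no ip source-route` and `no cdp run` are assumptions.

```python
import re

# (level, finding, mode, pattern)
#   "forbid":  a finding is raised when any configuration line matches.
#   "require": a finding is raised when no configuration line matches.
RULES = [
    ("must", "local-user-account", "forbid", r"^username\s+\S+"),
    ("must", "tacacs-login-missing", "require",
     r"^aaa authentication login\s+\S+.*\bgroup tacacs\+"),
    ("must", "enable-password-reversible", "forbid", r"^enable password\b"),
    ("must", "enable-secret-missing", "require", r"^enable secret\b"),
    ("must", "directed-broadcast-on", "forbid", r"^ip directed-broadcast\b"),
    ("must", "tcp-small-servers-on", "forbid", r"^service tcp-small-servers\b"),
    ("must", "udp-small-servers-on", "forbid", r"^service udp-small-servers\b"),
    ("must", "source-routing-not-disabled", "require", r"^no ip source-route\b"),
    ("must", "web-service-on", "forbid", r"^ip http (secure-)?server\b"),
    ("must", "autoconfig-on", "forbid", r"^service config\b"),
    ("must", "password-encryption-missing", "require", r"^service password-encryption\b"),
    ("must", "ntp-missing", "require", r"^ntp server\s+\S+"),
    ("must", "snmp-default-community", "forbid",
     r"^snmp-server community (public|private)\b"),
    ("must", "telnet-management", "forbid", r"^transport input\b.*\b(telnet|all)\b"),
    ("must", "login-banner-missing", "require", r"^banner login\b"),
    ("should", "cdp-not-disabled", "require", r"^no cdp run\b"),
]

# Constructed sample: a configuration that breaks most of the policy items.
WEAK_CONFIG = """\
hostname branch-rtr-01
enable password 7 CONSTRUCTED-PLACEHOLDER
username localadmin privilege 15 secret 5 $1$constructed$hash
service tcp-small-servers
ip http server
snmp-server community public RO
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: the same device brought in line with section 3.0.
HARDENED_CONFIG = """\
hostname branch-rtr-01
service password-encryption
enable secret 5 $1$constructed$hash
aaa new-model
aaa authentication login default group tacacs+ enable
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip http server
no ip http secure-server
no cdp run
ntp server 192.0.2.10
snmp-server community Constructed-RO-String RO
banner login # UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS FORBIDDEN. #
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
line vty 0 4
 transport input ssh
"""


def audit(config_text):
    """Return a list of (level, finding) tuples for one configuration."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    findings = []
    for level, finding, mode, pattern in RULES:
        hit = any(re.search(pattern, ln, re.IGNORECASE) for ln in lines)
        if (mode == "forbid" and hit) or (mode == "require" and not hit):
            findings.append((level, finding))
    return findings


if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for level, finding in audit(config) or [("ok", "no findings")]:
            print(f"  [{level}] {finding}")
```

Items the policy leaves to the corporate standard (ACL contents, routing protocol authentication, the exact banner wording) are not checked here.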

Abercrombie Architectural Firm Emergency/Disaster Response Plan EMERGENCY ACTION PLAN

Facility Name: Abercrombie building 1 & 2 Facility Address: 1217 & 1219 Virginia Beach Blvd Virginia Beach, VA 23456 DATE PREPARED: 08/14/2014

EMERGENCY PERSONNEL NAMES AND PHONE NUMBERS Name: Jerry Simmons EMERGENCY COORDINATOR: Name: Richard Carroll AREA/FLOOR MONITORS: Area/Floor: Building 1 Area/Floor: Building 2 Name: Alieu Kamara Name: Lanier Botts Phone: 336 615 7253 Phone: 336 558 3551 Phone: 336 662 2998

Phone: 336 337 7650

ASSISTANTS TO PHYSICALLY CHALLENGED (If applicable): Name: Name: Date: 08/14/2014 EVACUATION ROUTES Evacuation route maps have been posted in each work area. The following information is marked on evacuation maps: 1. 2. 3. 4. a. Emergency exits Primary and secondary evacuation routes Locations of fire extinguishers Fire alarm pull stations location Assembly points Site personnel should know at least two evacuation routes. Phone: (_______________) Phone: (________________)

EMERGENCY PHONE NUMBERS FIRE DEPARTMENT: VA Beach Fire & Rescue Co Inc. 757 662 8941 PARAMEDICS: Immanuel Family Practice 757 856-9996 AMBULANCE: Princess Ann County Emergency Services 757 641-7565 POLICE: 911 SECURITY (If applicable): 757 444 1212 BUILDING MANAGER: John Clark 757 293 6464

UTILITY COMPANY EMERGENCY CONTACTS ELECTRIC: 1-866-DOM-HELP (1-866-366-4357) WATER: (757) 385-4631 VIRGINIA NATURAL GAS (866) 229 3579 TELEPHONE COMPANY (757) 448 2121 Date: 08/14/2014

EMERGENCY REPORTING AND EVACUATION PROCEDURES Types of emergencies to be reported by site personnel are: MEDICAL FIRE SEVERE WEATHER BOMB THREAT CHEMICAL SPILL STRUCTURE CLIMBING/DESCENDING EXTENDED POWER LOSS DATA COMPROMISE

MEDICAL EMERGENCY

Call medical emergency phone number (check applicable): Paramedics Ambulance Fire Department Other

Provide the following information: a. Nature of medical emergency, b. Location of the emergency (address, building, room number), and c. Your name and phone number from which you are calling. Do not move victim unless absolutely necessary. Call the following personnel trained in CPR and First Aid to provide the required assistance prior to the arrival of the professional medical help: Name: Name: Phone: Phone:

If personnel trained in First Aid are not available, as a minimum, attempt to provide the following assistance: 1. Stop the bleeding with firm pressure on the wounds (note: avoid contact with blood or other bodily fluids). 2. Clear the air passages using the Heimlich Maneuver in case of choking. In case of rendering assistance to personnel exposed to hazardous materials, consult the Material Safety Data Sheet (MSDS) and wear the appropriate personal protective equipment. Attempt first aid ONLY if trained and qualified.

Date: 08/14/2014

FIRE EMERGENCY When fire is discovered: Activate the nearest fire alarm Notify the local Fire Department by calling 757 662 8941 or 911 If the fire alarm is not available, notify the site personnel about the fire emergency by the following means (check applicable):

Voice Communication Phone Paging Radio Other (specify)

Fight the fire ONLY if: The Fire Department has been notified. The fire is small and is not spreading to other areas. Escaping the area is possible by backing up to the nearest exit. The fire extinguisher is in working condition and personnel are trained to use it. Upon being notified about the fire emergency, occupants must: Leave the building using the designated escape routes. Assemble in the designated area (specify location): Remain outside until the competent authority (Designated Official or designee) announces that it is safe to reenter. Designated Official, Emergency Coordinator or supervisors must (underline one): Disconnect utilities and equipment unless doing so jeopardizes his/her safety. Coordinate an orderly evacuation of personnel. Perform an accurate head count of personnel reported to the designated area. Determine a rescue method to locate missing personnel. Provide the Fire Department personnel with the necessary information about the facility. Perform assessment and coordinate weather forecast office emergency closing procedures Area/Floor Monitors must: Ensure that all employees have evacuated the area/floor. Report any problems to the Emergency Coordinator at the assembly area. Assistants to Physically Challenged should: Assist all physically challenged employees in emergency evacuation. Date: 08/08/2014

EXTENDED POWER LOSS
In the event of extended power loss to a facility, certain precautionary measures should be taken depending on the geographical location and environment of the facility:
- Unnecessary electrical equipment and appliances should be turned off in case power restoration causes a surge, damaging electronics and affecting sensitive equipment.
- Facilities with freezing temperatures should turn off and drain the following lines in the event of a long-term power loss:
  o Fire sprinkler system
  o Standpipes
  o Potable water lines
  o Toilets
- Add propylene-glycol to drains to prevent traps from freezing.
- Equipment that contains fluids that may freeze due to long-term exposure to freezing temperatures should be moved to heated areas, drained of liquids, or provided with auxiliary heat sources.

Upon restoration of heat and power:
- Electronic equipment should be brought up to ambient temperatures before energizing to prevent condensate from forming on circuitry.
- Fire and potable water piping should be checked for leaks from freeze damage after the heat has been restored to the facility and water turned back on.

CHEMICAL SPILL The following are the locations of: Spill Containment and Security Equipment: Personal Protective Equipment (PPE): MSDS: When a Large Chemical Spill has occurred: Immediately notify the designated official and Emergency Coordinator. Contain the spill with available equipment (e.g., pads, booms, absorbent powder, etc.). Secure the area and alert other site personnel. Do not attempt to clean the spill unless trained to do so. Attend to injured personnel and call the medical emergency number, if required. Call a local spill cleanup company or the Fire Department (if arrangement has been made) to perform a large chemical (e.g., mercury) spill cleanup. Evacuate building as necessary

When a Small Chemical Spill has occurred: Notify the Emergency Coordinator and/or supervisor (select one). If toxic fumes are present, secure the area (with caution tapes or cones) to prevent other personnel from entering. Deal with the spill in accordance with the instructions described in the MSDS. Small spills must be handled in a safe manner, while wearing the proper PPE. Review the general spill cleanup procedures. Date: 08/14/2014

STRUCTURE CLIMBING/DESCENDING EMERGENCIES

Building 1 2 1 2 2 4 4 2

Floor

Location Office 232 Office 401 Office 427 Office 200

Emergency Response Team Team A Reserve Team B Reserve Team A Team B

Emergency Response Organization(s): Name Team A Team Lead Jane Allen Phone: Ext.232 Name Team B Team Lead Buddy Kitts Phone: Ext 200 N/A. If no Emergency Response Organization available within 30-minute response time additional personnel trained in rescue operations and equipped with rescue kit must accompany the climber(s).

BOMB FACTS: PRETEND DIFFICULTY HEARING KEEP CALLER TALKING IF CALLER SEEMS AGREEABLE TO FURTHER CONVERSATION, ASK QUESTIONS LIKE: When will it go off? Certain Hour Time Remaining Where is it located? What kind of bomb? What kind of package? How do you know so much about the bomb? What is your name and address? If building is occupied, inform caller that detonation could cause injury or death. Activate malicious call trace: Hang up phone and do not answer another line. Choose same line and dial *57 (if your phone system has this capability). Listen for the confirmation announcement and hang up. Call Security at Ext.1212 and relay information about call. Did the caller appear familiar with plant or building (by his/her description of the bomb location)? Write out the message in its entirety and any other comments on a separate sheet of paper and attach to this checklist. Notify your supervisor immediately. Building Area

SEVERE WEATHER AND NATURAL DISASTERS

Tornado:
When a warning is issued by sirens or other means, seek inside shelter. Consider the following:
- Small interior rooms on the lowest floor and without windows,
- Hallways on the lowest floor away from doors and windows, and
- Rooms constructed with reinforced concrete, brick, or block with no windows.
Stay away from outside walls and windows. Use arms to protect head and neck. Remain sheltered until the tornado threat is announced to be over.

Earthquake:
- Stay calm and await instructions from the Emergency Coordinator or the designated official.
- Keep away from overhead fixtures, windows, filing cabinets, and electrical power.
- Assist people with disabilities in finding a safe place.
- Evacuate as instructed by the Emergency Coordinator and/or the designated official.

Flood:
If indoors:
- Be ready to evacuate as directed by the Emergency Coordinator and/or the designated official.
- Follow the recommended primary or secondary evacuation routes.
If outdoors:
- Climb to high ground and stay there.
- Avoid walking or driving through flood water.
- If your car stalls, abandon it immediately and climb to higher ground.

Hurricane:
The nature of a hurricane provides for more warning than other natural and weather disasters. A hurricane watch is issued when a hurricane becomes a threat to a coastal area. A hurricane warning is issued when hurricane winds of 74 mph or higher, or a combination of dangerously high water and rough seas, are expected in the area within 24 hours.

Once a hurricane watch has been issued:
- Stay calm and await instructions from the Emergency Coordinator or the designated official.
- Moor any boats securely, or move to a safe place if time allows.
- Continue to monitor local TV and radio stations for instructions.
- Move early out of low-lying areas or from the coast, at the request of officials.
- If you are on high ground, away from the coast and plan to stay, secure the building, moving all loose items indoors and boarding up windows and openings.
- Collect drinking water in appropriate containers.

Once a hurricane warning has been issued:
- Be ready to evacuate as directed by the Emergency Coordinator and/or the designated official.
- Leave areas that might be affected by storm tide or stream flooding.

During a hurricane: Remain indoors and consider the following: Small interior rooms on the lowest floor and without windows, Hallways on the lowest floor away from doors and windows, and Rooms constructed with reinforced concrete, brick, or block with no windows. Blizzard: If indoors: Stay calm and await instructions from the Emergency Coordinator or the designated official. Stay indoors! If there is no heat: Close off unneeded rooms or areas. Stuff towels or rags in cracks under doors. Cover windows at night. Eat and drink. Food provides the body with energy and heat. Fluids prevent dehydration. Wear layers of loose-fitting, light-weight, warm clothing, if available. If outdoors: Find a dry shelter. Cover all exposed parts of the body. If shelter is not available: Prepare a lean-to, wind break, or snow cave for protection from the wind. Build a fire for heat and to attract attention. Place rocks around the fire to absorb and reflect heat. Do not eat snow. It will lower your body temperature. Melt it first. If stranded in a car or truck: Stay in the vehicle! Run the motor about ten minutes each hour. Open the windows a little for fresh air to avoid carbon monoxide poisoning. Make sure the exhaust pipe is not blocked. Make yourself visible to rescuers. Turn on the dome light at night when running the engine. Tie a colored cloth to your antenna or door. Raise the hood after the snow stops falling. Exercise to keep blood circulating and to keep warm.

CRITICAL OPERATIONS During some emergency situations, it will be necessary for some specially assigned personnel to remain at the work areas to perform critical operations. Assignments: Work Area Description of Assignment Name Job Title

Personnel involved in critical operations may remain on the site with the permission of the site designated official or Emergency Coordinator. In case the emergency situation does not permit any of the personnel to remain at the facility, the designated official or other assigned personnel shall notify the appropriate management offices to initiate backups. This information can be obtained from the Emergency Evacuation Procedures included in the Emergency/Disaster Response Plan. The following offices should be contacted:
Name/Location:________________________________ Telephone Number:_____________________________
Name/Location:________________________________ Telephone Number:_____________________________
Name/Location:________________________________ Telephone Number:_____________________________

TRAINING The following personnel have been trained to ensure a safe and orderly emergency evacuation of other employees: Facility: Name Responsibility Date Title

Abercrombie

Computer Disaster Recovery Plan Policy 1.0 Overview:


Since disasters happen so rarely, management often ignores the disaster recovery planning process. It is important to realize that having a contingency plan in the event of a disaster gives Abercrombie a competitive advantage. This policy requires management to financially support and diligently attend to disaster contingency planning efforts. Disasters are not limited to adverse weather conditions. Any event that could likely cause an extended delay of service should be considered.

2.0 Purpose:
The purpose of this DRP document is twofold: first, to capture all of the information relevant to the enterprise's ability to withstand a disaster, and second, to document the steps that the enterprise will follow if a disaster occurs. Note that in the event of a disaster the first priority of Abercrombie is to prevent the loss of life. Before any secondary measures are undertaken, Abercrombie will ensure that all employees, and any other individuals on the organization's premises, are safe and secure. After all individuals have been brought to safety, the next goal of Abercrombie will be to enact the steps outlined in this DRP to bring all of the organization's groups and departments back to business-as-usual as quickly as possible. This policy defines the need for management to support ongoing disaster planning for Abercrombie.


3.0 Scope:
The Abercrombie DRP takes all of the following areas into consideration:
o Network Infrastructure
o Servers Infrastructure
o Telephony System
o Data Storage and Backup Systems
o Data Output Devices
o End-user Computers
o Organizational Software Systems
o Database Systems
o IT Documentation

This DRP does not take into consideration any non-IT, personnel, Human Resources and real estate related disasters. For any disasters that are not addressed in this document, please refer to the business continuity plan created by Abercrombie.

Version Information & Changes


Mandatory
Any changes, edits and updates made to the DRP will be recorded in here. It is the responsibility of the Disaster Recovery Lead to ensure that all existing copies of the DRP are up to date. Whenever there is an update to the DRP, Abercrombie requires that the version number be updated to indicate this.

Name of Person Making Change | Role of Person Making Change | Date of Change | Version Number | Notes
Maurice Malone | DR Lead | 01/01/09 | 1.0 | Initial version of DR Plan
Larry Crumb | DR Lead | 01/01/10 | 2.0 | Revised to include new standby facilities
Curtis Jackson | CEO | 01/03/10 | 2.1 | Replaced John Smith as DR Lead

4.0 Disaster Recovery Teams & Responsibilities:


Mandatory
In the event of a disaster, different groups will be required to assist the IT department in their effort to restore normal functionality to the employees of Abercrombie. The different groups and their responsibilities are as follows:

o Disaster Recovery Lead(s)
o Disaster Management Team
o Facilities Team
o Network Team
o Server Team
o Applications Team
o Operations Team
o Management Team
o Communications Team
o Finance Team

The lists of roles and responsibilities in this section have been created by Abercrombie and reflect the likely tasks that team members will have to perform. Disaster Recovery Team members will be responsible for performing all of the tasks below. In some disaster situations, Disaster Recovery Team members will be called upon to perform tasks not described in this section.

5.0 Disaster Recovery Lead


Mandatory
The Disaster Recovery Lead is responsible for making all decisions related to the Disaster Recovery efforts. This person's primary role will be to guide the disaster recovery process, and all other individuals involved in the disaster recovery process will report to this person in the event that a disaster occurs at Abercrombie, regardless of their department and existing managers. All efforts will be made to ensure that this person is separate from the rest of the disaster management teams to keep his/her decisions unbiased; the Disaster Recovery Lead will not be a member of other Disaster Recovery groups in Abercrombie.

Role and Responsibilities


o Make the determination that a disaster has occurred and trigger the DRP and related processes.
o Initiate the DR Call Tree.
o Be the single point of contact for and oversee all of the DR Teams.
o Organize and chair regular meetings of the DR Team leads throughout the disaster.
o Present to the Management Team on the state of the disaster and the decisions that need to be made.
o Organize, supervise and manage all DRP tests and author all DRP updates.

Contact Information
Name | Role/Title | Work Phone Number | Home Phone Number | Mobile Phone Number
Zoe Farrington | Primary Disaster Lead | 757-272-3333 | | 757-492-3354
Barry Zain | Secondary Disaster Lead | 757-522-3533 | | 757-622-6733

6.0 Disaster Management Team:

Elective
The Disaster Management Team will oversee the entire disaster recovery process. They will be the first team that will need to take action in the event of a disaster. This team will evaluate the disaster and will determine what steps need to be taken to get the organization back to business as usual.

Role & Responsibilities


o Set the DRP into motion after the Disaster Recovery Lead has declared a disaster
o Determine the magnitude and class of the disaster
o Determine what systems and processes have been affected by the disaster
o Communicate the disaster to the other disaster recovery teams
o Determine what first steps need to be taken by the disaster recovery teams
o Keep the disaster recovery teams on track with pre-determined expectations and goals
o Keep a record of money spent during the disaster recovery process
o Ensure that all decisions made abide by the DRP and policies set by Abercrombie
o Get the secondary site ready to restore business operations
o Ensure that the secondary site is fully functional and secure
o Create a detailed report of all the steps undertaken in the disaster recovery process
o Notify the relevant parties once the disaster is over and normal business functionality has been restored
o After Abercrombie is back to business as usual, this team will be required to summarize any and all costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster

Contact Information
Name | Role/Title | Work Phone Number | Home Phone Number | Mobile Phone Number
Jane Deihl | Normal title | 757-555-3333 | | 757-222-0033
Mark Brzezinski | Normal title | 757-222-3333 | | 757-222-3300

7.0 Facilities Team


Mandatory

The Facilities Team will be responsible for all issues related to the physical facilities that house IT systems. They are the team that will be responsible for ensuring that the standby facilities are maintained appropriately and for assessing the damage to, and overseeing the repairs to, the primary location in the event of the primary location's destruction or damage.

Role & Responsibilities
o Ensure that the standby facility is maintained in working order
o Ensure that transportation is provided for all employees working out of the standby facility
o Ensure that hotels or other sleeping accommodations are arranged for all employees working out of the standby facility
o Ensure that sufficient food, drink, and other supplies are provided for all employees working out of the standby facility
o Assess, or participate in the assessment of, any physical damage to the primary facility
o Ensure that measures are taken to prevent further damage to the primary facility
o Work with the insurance company in the event of damage, destruction or losses to any assets owned by Abercrombie
o Ensure that appropriate resources are provisioned to rebuild or repair the main facilities in the event that they are destroyed or damaged
o After Abercrombie is back to business as usual, this team will be required to summarize any and all costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster

Contact Information
Name | Role/Title | Work Phone Number | Home Phone Number | Mobile Phone Number
Joseph Thomas | VP Facilities | 757-222-3333 | | 757-990-3333
Margo Thompson | Standby Facility Manager | 757-441-5151 | | 757-887-5315

8.0 Network Team


Mandatory The Network Team will be responsible for assessing damage specific to any network infrastructure and for provisioning data and voice network connectivity including WAN, LAN, and any telephony connections internally within the enterprise as well as telephony and data connections with the outside world. They will be primarily responsible for providing baseline network functionality and may assist other IT DR Teams as required.

Role & Responsibilities

o In the event of a disaster that does not require migration to standby facilities, the team will determine which network services are not functioning at the primary facility
o If multiple network services are impacted, the team will prioritize the recovery of services in the manner and order that has the least business impact.
o If network services are provided by third parties, the team will communicate and coordinate with these third parties to ensure recovery of connectivity.
o In the event of a disaster that does require migration to standby facilities, the team will ensure that all network services are brought online at the secondary facility
o Once critical systems have been provided with connectivity, employees will be provided with connectivity in the following order:
   o All members of the DR Teams
   o All C-level and Executive Staff
   o All IT employees
   o All remaining employees
o Install and implement any tools, hardware, software and systems required in the standby facility
o Install and implement any tools, hardware, software and systems required in the primary facility
o After Abercrombie is back to business as usual, this team will be required to summarize any and all costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster

Contact Information

Name | Role/Title | Work Phone Number | Home Phone Number | Mobile Phone Number
Kahleel Jordan | Network Manager | 757-551-4141 | | 757-008-4141
Braylon Leetch | Network Administrator | 757-444-1111 | | 757-909-5454

9.0 Server Team:


Mandatory
The Server Team will be responsible for providing the physical server infrastructure required for the enterprise to run its IT operations and applications in the event of and during a disaster. They will be primarily responsible for providing baseline server functionality and may assist other IT DR Teams as required.

Role & Responsibilities
o In the event of a disaster that does not require migration to standby facilities, the team will determine which servers are not functioning at the primary facility
o If multiple servers are impacted, the team will prioritize the recovery of servers in the manner and order that has the least business impact. Recovery will include the following tasks:
   o Assess the damage to any servers
   o Restart and refresh servers if necessary
o Ensure that secondary servers located in standby facilities are kept up-to-date with system patches
o Ensure that secondary servers located in standby facilities are kept up-to-date with application patches
o Ensure that secondary servers located in standby facilities are kept up-to-date with data copies
o Ensure that the secondary servers located in the standby facility are backed up appropriately
o Ensure that all of the servers in the standby facility abide by Abercrombie's server policy
o Install and implement any tools, hardware, and systems required in the standby facility
o Install and implement any tools, hardware, and systems required in the primary facility
o After Abercrombie is back to business as usual, this team will be required to summarize any and all costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster

Contact Information
Name | Role/Title | Work Phone Number | Home Phone Number | Mobile Phone Number
Abby Martinez | Operations Manager | 757-448-8112 | | 757-521-0101
Barbara Burger | Systems Administrator | 757-221-0012 | | 757-885-9512

10.0 Applications Team:


Mandatory
The Applications Team will be responsible for ensuring that all enterprise applications operate as required to meet business objectives in the event of and during a disaster. They will be primarily responsible for ensuring and validating appropriate application performance and may assist other IT DR Teams as required.

Role & Responsibilities
o In the event of a disaster that does not require migration to standby facilities, the team will determine which applications are not functioning at the primary facility
o If multiple applications are impacted, the team will prioritize the recovery of applications in the manner and order that has the least business impact. Recovery will include the following tasks:
   o Assess the impact to application processes
   o Restart applications as required
   o Patch, recode or rewrite applications as required
o Ensure that secondary servers located in standby facilities are kept up-to-date with application patches
o Ensure that secondary servers located in standby facilities are kept up-to-date with data copies
o Install and implement any tools, software and patches required in the standby facility
o Install and implement any tools, software and patches required in the primary facility
o After Abercrombie is back to business as usual, this team will be required to summarize any and all costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster

Contact Information
Name | Role/Title | Work Phone Number | Home Phone Number | Mobile Phone Number
Scott Pervis | Program Manager | 757-880-1212 | | 757-587-6565
Darius McBride | Systems Administrator | 757-458-7451 | | 757-698-7474

11.0 Operations Team:


Mandatory
This team's primary goal will be to provide employees with the tools they need to perform their roles as quickly and efficiently as possible. They will need to provision all Abercrombie employees in the standby facility and those working from home with the tools that their specific role requires.

Role & Responsibilities
o Maintain lists of all essential supplies that will be required in the event of a disaster
o Ensure that these supplies are provisioned appropriately in the event of a disaster
o Ensure sufficient spare computers and laptops are on hand so that work is not significantly disrupted in a disaster
o Ensure that spare computers and laptops have the required software and patches
o Ensure sufficient computer and laptop related supplies such as cables, wireless cards, laptop locks, mice, printers and docking stations are on hand so that work is not significantly disrupted in a disaster
o Ensure that all employees that require access to a computer/laptop and other related supplies are provisioned in an appropriate time frame
o If sufficient computers/laptops or related supplies are not available, the team will prioritize distribution in the manner and order that has the least business impact
o This team will be required to maintain a log of where all of the supplies and equipment were used
o After Abercrombie is back to business as usual, this team will be required to summarize any and all costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster

Contact Information
Name | Role/Title | Work Phone Number | Home Phone Number | Mobile Phone Number
Thaddeus Maddox | Helpdesk Manager | 757-241-0445 | | 757-852-9631
Mitchell Carter | Systems Administrator | 757-500-8002 | | 757-672-0147

12.0 Senior Management Team:


Mandatory
The Senior Management Team will make any business decisions that are out of scope for the Disaster Recovery Lead. Decisions such as constructing a new data center, relocating the primary site etc. should be made by the Senior Management Team. The Disaster Recovery Lead will ultimately report to this team.

Role & Responsibilities
o Ensure that the Disaster Recovery Team Lead is held accountable for his/her role
o Assist the Disaster Recovery Team Lead in his/her role as required
o Make decisions that will impact the company. This can include decisions concerning:
   o Rebuilding of the primary facilities
   o Rebuilding of data centers
   o Significant hardware and software investments and upgrades
   o Other financial and business decisions

Contact Information
Name | Role/Title | Work Phone Number | Home Phone Number | Mobile Phone Number
Damien Woody | CEO | 757-202-5885 | | 757-961-1001
Erica Watts | COO | 757-322-2001 | | 757-604-4110

13.0 Communication Team:


Elective

This will be the team responsible for all communication during a disaster. Specifically, they will communicate with Abercrombie's employees, clients, vendors and suppliers, banks, and even the media if required.

Role & Responsibilities
o Communicate the occurrence of a disaster and the impact of that disaster to all Quadrant Network Solutions employees
o Communicate the occurrence of a disaster and the impact of that disaster to authorities, as required
o Communicate the occurrence of a disaster and the impact of that disaster to all Quadrant Network Solutions partners
o Communicate the occurrence of a disaster and the impact of that disaster to all Quadrant Network Solutions clients
o Communicate the occurrence of a disaster and the impact of that disaster to all Quadrant Network Solutions vendors
o Communicate the occurrence of a disaster and the impact of that disaster to media contacts, as required
o After Abercrombie is back to business as usual, this team will be required to summarize any and all costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster

Contact Information
Name | Role/Title | Work Phone Number | Home Phone Number | Mobile Phone Number
Jordan Sparks | VP HR | 757-442-8555 | | 757-085-4747
Verra Kemp | Media Relations | 757-855-4550 | | 757-665-9998

14.0 Finance Team:


Elective
This team will be responsible for ensuring that all of Abercrombie's finances are dealt with in an appropriate and timely manner in the event of a disaster. The finance team will ensure that there is money available for necessary expenses that may result from a disaster as well as expenses from normal day-to-day business functions.

Role & Responsibilities
o Ensure there is sufficient cash on-hand or accessible to deal with small-scale expenses caused by the disaster. These can include paying for accommodations and food for DR team members, incremental bills, etc.
o Ensure there is sufficient credit available or accessible to deal with large-scale expenses caused by the disaster. These can include paying for new equipment, repairs for primary facilities, etc.
o Review and approve Disaster Teams' finances and spending
o Ensure that payroll occurs and that employees are paid as normal, where possible
o Communicate with creditors to arrange suspension of extensions to scheduled payments, as required
o Communicate with banking partners to obtain any materials such as checks, bank books etc. that may need to be replaced as a result of the disaster

Contact Information
Name | Role/Title | Work Phone Number | Home Phone Number | Mobile Phone Number
Jake Smith | CFO | 757-444-1128 | | 757-852-6695
Fred Johnson | Controller | 757-558-7882 | | 757-221-1474

14.0 Other Organization Specific Teams

Elective
Define the team's goals here.

Role & Responsibilities

List of the team's roles and responsibilities

Contact Information
Name | Role/Title | Work Phone Number | Home Phone Number | Mobile Phone Number
As Required | | | |
As Required | | | |

15.0 Disaster Recovery Call Tree

Mandatory
In a disaster recovery or business continuity emergency, time is of the essence, so Abercrombie will make use of a Call Tree to ensure that appropriate individuals are contacted in a timely manner.

o The Disaster Recovery Team Lead calls all Level 1 Members (Blue cells)
o Level 1 members call all Level 2 team members over whom they are responsible (Green cells)
o Level 1 members call all Level 3 team members over whom they are directly responsible (Beige cells)
o Level 2 Members call all Level 3 team members over whom they are responsible (Beige cells)
o In the event a team member is unavailable, the initial caller assumes responsibility for subsequent calls (i.e. if a Level 2 team member is inaccessible, the Level 1 team member directly contacts Level 3 team members).

Contact | Office | Mobile | Home
DR Lead | | |
DR Management Team Lead | | |
DR Management Team 1 | | |
DR Management Team 2 | | |
Facilities Team Lead | | |
Facilities Team 1 | | |
Network Team Lead | | |
LAN Team Lead | | |
LAN Team 1 | | |
WAN Team Lead | | |
Communications Team 1 | | |
Finance Team Lead | | |
Finance Team 1 | | |

A Disaster Recovery Call Tree Process Flow diagram can help clarify the call process in the event of an emergency. This sample may be used as-is or replaced with a custom flow process.

16.0 Recovery Facilities:


Elective
In order to ensure that Abercrombie is able to withstand a significant outage caused by a disaster, it has provisioned separate dedicated standby facilities. This section of this document describes those facilities and includes operational information should those facilities have to be used.

This section will vary depending on the type of standby facility that your organization uses. Please append this section according to the measures and facilities that your organization has in place. Some organizations may not have a standby facility at their disposal; in this situation, skip this section. This section is currently populated by an example of a company with a dedicated standby facility.

Description of Recovery Facilities
Elective (Mandatory where facilities exist)
The Disaster Command and Control Center or Standby facility will be used after the Disaster Recovery Lead has declared that a disaster has occurred. This location is separate from the primary facility. The current facility, located at <<Address of Standby Facility>>, is <<standby facility's actual distance away from the primary facility>> miles away from the primary facility. The standby facility will be used by the IT department and the Disaster Recovery teams; it will function as a central location where all decisions during the disaster will be made. It will also function as a communications hub for Abercrombie.

The standby facility must always have the following resources available:
o Copies of this DRP document
o Fully redundant server room
o Sufficient servers and storage infrastructure to support enterprise business operations
o Office space for DR teams and IT to use in the event of a disaster
o External data and voice connectivity
o Sleeping quarters for employees that may need to work multiple shifts
o Kitchen facilities (including food, kitchen supplies and appliances)
o Bathroom facilities (including toilets, showers, sinks and appropriate supplies)
o Parking spaces for employee vehicles

17.0 Transportation to the Standby Facility:


Elective (Mandatory where facilities exist)
In the event of a disaster, only the Disaster Recovery Teams and select members of the IT department will work out of the standby facility. Since the standby facility is located <<standby facility's actual distance away from the primary facility>> miles away from the primary facility, employees will need to be provided with transportation to the facility if they do not own vehicles or are unable to use them, and with hotel accommodations if necessary.

Include only those transportation providers that are appropriate given the location of the Standby Facility.

Taxi Providers
Taxi Company 1
   Address
   Phone Number
   <<Map of Taxi Company 1's Location>>
   <<Directions to get to Rental Car Company 1 from the standby facility>>
Taxi Company 2
   Address
   Phone Number
   <<Map of Taxi Company 2's Location>>
   <<Directions to get to Rental Car Company 1 from the standby facility>>

Rental Car Providers
Rental Car Company 1
   Address
   Phone Number
   <<Map of Rental Car Company 1's Location>>
   <<Directions to get to Rental Car Company 1 from the standby facility>>
Rental Car Company 2
   Address
   Phone Number
   <<Map of Rental Car Company 1's Location>>
   <<Directions to get to Rental Car Company 1 from the standby facility>>

Travel Agents (for air or train travel)
Travel Agent 1
   Address
   Phone Number
   <<Map of Travel Agent 1's Location>>
   <<Directions to get to Rental Car Company 1 from the standby facility>>
Travel Agent 2
   Address
   Phone Number
   <<Map of Travel Agent 2's Location>>
   <<Directions to get to Rental Car Company 1 from the standby facility>>

Airports
Airport 1
   Address
   Phone Number
   <<Map of Airport 1's Location>>
   <<Directions to get to Rental Car Company 1 from the standby facility>>
Airport 2
   Address
   Phone Number
   <<Map of Airport 2's Location>>
   <<Directions to get to Rental Car Company 1 from the standby facility>>

17.0 Operational Considerations:


Elective (Mandatory where facilities exist)

If employees are required to stay at the Standby Facility for extended periods of time and require hotel accommodations, they will be provided by Abercrombie. The Facilities Team will be responsible for determining which employees require hotel accommodations and ensuring sufficient rooms are made available.

If employees are required to stay at the Standby Facility for extended periods of time and require food, it will be provided by Abercrombie. The Facilities Team will be responsible for determining which employees require food and ensuring sufficient food is made available via groceries, restaurants or caterers as appropriate.

While in the Standby Facility, employees must work under appropriate, sanitary and safe conditions. The Facilities Team will be responsible for ensuring that this facility is kept in proper working order.

Include only those operational considerations providers that are appropriate given the facilities of the Standby Facility.

Accommodations
Hotel 1
   Address
   Phone Number
   <<Map of Hotel 1's Location>>
   <<Directions to get to Hotel 1 from the standby facility>>
Hotel 2
   Address
   Phone Number
   <<Map of Hotel 1's Location>>
   <<Directions to get to Hotel 2 from the standby facility>>

Food, Beverages and Other Supplies
Restaurant/Grocery 1
   Address
   Phone Number
   <<Map of Restaurant/Grocery 1's Location>>
   <<Directions to get to Restaurant/Grocery 1 from the standby facility>>
Restaurant/Grocery 2
   Address
   Phone Number
   <<Map of Restaurant/Grocery 2's Location>>
   <<Directions to get to Restaurant/Grocery 2 from the standby facility>>
Restaurant/Grocery 3
   Address
   Phone Number
   <<Map of Restaurant/Grocery 3's Location>>
   <<Directions to get to Restaurant/Grocery 3 from the standby facility>>

Catering
Caterer 1
   Address
   Phone Number
   <<Map of Caterer 1's Location>>
   <<Directions to get to Caterer 1 from the standby facility>>
Caterer 2
   Address
   Phone Number
   <<Map of Caterer 2's Location>>
   <<Directions to get to Caterer 2 from the standby facility>>

Standby Facility Maintenance
Maintenance Company
   Address
   Phone Number

18.0 Data and Backups:


Mandatory
This section explains where all of the organization's data resides as well as where it is backed up to. Use this information to locate and restore data in the event of a disaster.

Data in Order of Criticality
Rank | Data | Data Type | Back-up Frequency | Backup Location(s)
1 | <<Data Name or Group>> | <<Confidential, Public, Personally identifying information>> | <<Frequency that data is backed up>> | <<Where data is backed up to>>
2 | | | |
3 | | | |
4 | | | |

19.0 Communicating During a Disaster:


Mandatory
In the event of a disaster, Abercrombie will need to communicate with various parties to inform them of the effects on the business, surrounding areas and time lines. The Communications Team will be responsible for contacting all of Abercrombie's stakeholders.

Communicating with the Authorities
Mandatory
The Communications Team's first priority will be to ensure that the appropriate authorities have been notified of the disaster, providing the following information:
o The location of the disaster
o The nature of the disaster
o The magnitude of the disaster
o The impact of the disaster
o Assistance required in overcoming the disaster
o Anticipated time lines

Authorities Contacts
Authorities | Point of Contact | Phone Number | E-mail
Police Department | <<Contact Name>> | 111-222-3333 | <<Contact E-mail>>
Fire Department | <<Contact Name>> | 111-222-3333 | <<Contact E-mail>>

20.0 Communicating with Employees:


Mandatory
The Communications Team's second priority will be to ensure that the entire company has been notified of the disaster. The best and/or most practical means of contacting all of the employees will be used, with preference given to the following methods (in order):
o E-mail (via corporate e-mail where that system still functions)
o E-mail (via non-corporate or personal e-mail)
o Telephone to employee home phone number
o Telephone to employee mobile phone number

The employees will need to be informed of the following:
o Whether it is safe for them to come into the office
o Where they should go if they cannot come into the office
o Which services are still available to them
o Work expectations of them during the disaster

Employee Contacts
Name | Role/Title | Home Phone Number | Mobile Phone Number | Personal Email Address
John Smith | Employee | 111-222-3333 | 111-222-3333 | jsmith@org.org
Fred Jones | Employee | 111-222-3333 | 111-222-3333 | fjones@org.org

21.0 Communicating with Clients:


Mandatory
After all of the organization's employees have been informed of the disaster, the Communications Team will be responsible for informing clients of the disaster and the impact that it will have on the following:
o Anticipated impact on service offerings
o Anticipated impact on delivery schedules
o Anticipated impact on security of client information
o Anticipated time lines

Crucial clients will be made aware of the disaster situation first. Crucial clients will be e-mailed first, then called afterwards to ensure that the message has been delivered. All other clients will be contacted only after all crucial clients have been contacted.

Crucial Clients
Mandatory
Add or delete rows to reflect the crucial clients your enterprise must contact.
Company Name | Point of Contact | Phone Number | E-mail
<<Company Name>> | <<Contact Name>> | 111-222-3333 | <<Contact E-mail>>

Secondary Clients
Elective
Company Name | Point of Contact | Phone Number | E-mail
<<Company Name>> | <<Contact Name>> | 111-222-3333 | <<Contact E-mail>>

22.0 Communicating with Vendors:


Mandatory
After all of the organization's employees have been informed of the disaster, the Communications Team will be responsible for informing vendors of the disaster and the impact that it will have on the following:
o Adjustments to service requirements
o Adjustments to delivery locations
o Adjustments to contact information
o Anticipated time lines

Crucial vendors will be made aware of the disaster situation first. Crucial vendors will be e-mailed first, then called afterwards to ensure that the message has been delivered. All other vendors will be contacted only after all crucial vendors have been contacted.

Vendors encompass those organizations that provide everyday services to the enterprise, but also the hardware and software companies that supply the IT department. The Communications Team will act as a go-between between the DR Team leads and vendor contacts should additional IT infrastructure be required.

Crucial Vendors
Mandatory
Add or delete rows to reflect the crucial vendors your enterprise must contact.
Company Name | Point of Contact | Phone Number | E-mail
<<Company Name>> | <<Contact Name>> | 111-222-3333 | <<Contact E-mail>>

Secondary Vendors
Elective
Company Name | Point of Contact | Phone Number | E-mail
<<Company Name>> | <<Contact Name>> | 111-222-3333 | <<Contact E-mail>>

23.0 Communicating with the Media:


Elective
After all of the organization's employees have been informed of the disaster, the Communications Team will be responsible for informing media outlets of the disaster, providing the following information:
o An official statement regarding the disaster
o The magnitude of the disaster
o The impact of the disaster
o Anticipated time lines

Media Contacts
Company Name | Point of Contact | Phone Number | E-mail
<<Company Name>> | <<Contact Name>> | 111-222-3333 | <<Contact E-mail>>

24.0 Communicating with Other group/stakeholders:


Elective

Define the contact, the circumstances under which they are contacted, and the information that is communicated here.

Other Contacts

Company Name | Point of Contact | Phone Number | E-mail
<<Company Name>> | <<Contact Name>> | 111-222-3333 | <<Contact E-mail>>

24.0 Dealing with a Disaster


Mandatory

If a disaster occurs in Abercrombie, the first priority is to ensure that all employees are safe and accounted for. After this, steps must be taken to mitigate any further damage to the facility and to reduce the impact of the disaster to the organization. Regardless of the category that the disaster falls into, dealing with a disaster can be broken down into the following steps:

1) Disaster identification and declaration
2) DRP activation
3) Communicating the disaster
4) Assessment of current and prevention of further damage
5) Standby facility activation
6) Establish IT operations
7) Repair and rebuilding of primary facility

Disaster Identification and Declaration
Mandatory

Since it is almost impossible to predict when and how a disaster might occur, Abercrombie must be prepared to find out about disasters from a variety of possible avenues. These can include:

- First hand observation
- System Alarms and Network Monitors
- Environmental and Security Alarms in the Primary Facility
- Security staff
- Facilities staff
- End users
- 3rd Party Vendors
- Media reports

Once the Disaster Recovery Lead has determined that a disaster has occurred, s/he must officially declare that the company is in an official state of disaster. It is during this phase that the Disaster Recovery Lead must ensure that anyone who was in the primary facility at the time of the disaster has been accounted for and evacuated to safety according to the company's Evacuation Policy. While employees are being brought to safety, the Disaster Recovery Lead will instruct the Communications Team to begin notifying the Authorities and all employees not at the impacted facility that a disaster has occurred.

25.0 DRP Activation:


Mandatory

Once the Disaster Recovery Lead has formally declared that a disaster has occurred, s/he will initiate the activation of the DRP by triggering the Disaster Recovery Call Tree. The following information will be provided in the calls that the Disaster Recovery Lead makes and should be passed on during subsequent calls:

- That a disaster has occurred
- The nature of the disaster (if known)
- The initial estimation of the magnitude of the disaster (if known)
- The initial estimation of the impact of the disaster (if known)
- The initial estimation of the expected duration of the disaster (if known)
- Actions that have been taken to this point
- Actions that are to be taken prior to the meeting of Disaster Recovery Team Leads
- Scheduled meeting place for the meeting of Disaster Recovery Team Leads
- Scheduled meeting time for the meeting of Disaster Recovery Team Leads
- Any other pertinent information

If the Disaster Recovery Lead is unavailable to trigger the Disaster Recovery Call Tree, that responsibility shall fall to the Disaster Management Team Lead.

Communicating the Disaster

Refer to the Communicating during a Disaster section of this document.

Assessment of Current and Prevention of Further Damage
Mandatory

Before any employees from Abercrombie can enter the primary facility after a disaster, appropriate authorities must first ensure that the premises are safe to enter. The first team that will be allowed to examine the primary facilities once it has been deemed safe to do so will be the Facilities Team. Once the Facilities Team has completed an examination of the building and submitted its report to the Disaster Recovery Lead, the Disaster Management, Networks, Servers, and Operations Teams will be allowed to examine the building. All teams will be required to create an initial report on the damage and provide this to the Disaster Recovery Lead within <<state time frame>> of the initial disaster. During each team's review of their relevant areas, they must assess any areas where further damage can be prevented and take the necessary means to protect Abercrombie's assets. Any necessary repairs or preventative measures must be taken to protect the facilities; these costs must first be approved by the Disaster Recovery Team Lead.

26.0 Standby Facility Activation:


Mandatory

The Standby Facility will be formally activated when the Disaster Recovery Lead determines that the nature of the disaster is such that the primary facility is no longer sufficiently functional or operational to sustain normal business operations.

Once this determination has been made, the Facilities Team will be commissioned to bring the Standby Facility to functional status, after which the Disaster Recovery Lead will convene a meeting of the various Disaster Recovery Team Leads at the Standby Facility to assess next steps. These next steps will include:

1. Determination of impacted systems
2. Criticality ranking of impacted systems
3. Recovery measures required for high criticality systems
4. Assignment of responsibilities for high criticality systems
5. Schedule for recovery of high criticality systems
6. Recovery measures required for medium criticality systems
7. Assignment of responsibilities for medium criticality systems
8. Schedule for recovery of medium criticality systems
9. Recovery measures required for low criticality systems
10. Assignment of responsibilities for recovery of low criticality systems
11. Schedule for recovery of low criticality systems
12. Determination of facilities tasks outstanding/required at Standby Facility
13. Determination of operations tasks outstanding/required at Standby Facility
14. Determination of communications tasks outstanding/required at Standby Facility
15. Determination of facilities tasks outstanding/required at Primary Facility
16. Determination of other tasks outstanding/required at Primary Facility
17. Determination of further actions to be taken

During Standby Facility activation, the Facilities, Networks, Servers, Applications, and Operations teams will need to ensure that their responsibilities, as described in the Disaster Recovery Teams and Responsibilities section of this document, are carried out quickly and efficiently so as not to negatively impact the other teams.

Restoring IT Functionality
Mandatory

Refer to the Restoring IT Functionality section of this document.

Repair & Rebuilding of Primary Facility
Elective

Before the enterprise can return operations to Primary Facilities, those facilities must be returned to an operable condition. The tasks required to achieve that will be variable depending on the magnitude and severity of the damage. Specific tasks will be determined and assigned only after the damage to Primary Facilities has been assessed.

Other Organization Specific Steps Required
Elective

27.0 Restoring IT Functionality:


Mandatory

Should a disaster actually occur and Abercrombie need to exercise this plan, this section will be referred to frequently, as it will contain all of the information that describes the manner in which Abercrombie's information system will be recovered. This section will contain all of the information needed for the organization to get back to its regular functionality after a disaster has occurred. It is important to include all Standard Operating Procedures documents, run-books, network diagrams, software format information etc. in this section.

Current System Architecture
Mandatory

In this section, include a detailed system architecture diagram. Ensure that all of the organization's systems and their locations are clearly indicated.

IT Systems
Mandatory

Please list all of the IT Systems in your organization in order of their criticality. Next, list each system's components that will need to be brought back online in the event of a disaster. Add or delete rows as needed to the table below.

Rank | IT System | System Components (In order of importance)
1 | |
2 | |
3 | |

28.0 Criticality Rank-One System:


In this section you will be required to rank each system's components in order of criticality, supplying the information that each system will require to bring it back online. First, vendor and model information, serial numbers and other component-specific information will be gathered. Next, you will be required to attach each component's runbooks or Standard Operating Procedure (SOP) documents. Each component must have a runbook or SOP document associated with it. If you do not have these documents for all components, please refer to the following Info-Tech Research Group notes for more information:

SOP Research:
o SOP 101: Standard Operating Procedures
o How to Write an SOP
o How to Implement SOPs
o Step-by-Step SOP Template
o Hierarchical SOP Template
o Flowchart SOP Template

Runbooks Research:
o Don't Run without Runbooks
o Free IT Staff Time: Implement Runbook Automation
o How to Start Building Runbooks

System Name | <<State the name of the IT System here>>
Component Name | <<State the name of the specific IT Component here>>
Vendor Name | <<State the name of the IT Component's vendor here>>
Model Number | <<State the name of the IT Component's model number here>>
Serial Number | <<State the name of the IT Component's serial number here>>
Recovery Time Objective | <<State the IT Component's Recovery Time Objective here>>
Recovery Point Objective | <<State the IT Component's Recovery Point Objective here>>

Title: Standard Operating Procedures for <<Component Name>>

Document No.: <<Number of the SOP document>>

Security Level: <<Public, Restricted, or Departmental (the specific department is named)>>

Effective Date: <<The date from which the SOP is to be implemented and followed>>

Review Date: <<The date on which the SOP must be submitted for review and revision>>

SOP Author/Owner:

SOP Approver:

a) Purpose

This SOP outlines the steps required to restore operations of IT System Name.
b) Scope

This SOP applies to the following components of IT System Name:


- Web server
- Web server software
- Application server
- Application server storage system
- Application server software
- Application server backup
- Database server
- Database server storage system
- Database server software
- Database server backup
- Client hardware
- Client software

c) Responsibilities

The following individuals are responsible for this SOP and for all aspects of the system to which this SOP pertains:

- SOP Process: <<SOP Owner>>
- Network Connectivity: <<Appropriate Network Administrator>>
- Server Hardware: <<Appropriate Systems Administrator>>
- Server Software: <<Appropriate Application Administrator>>
- Client Connectivity: <<Appropriate Network Administrator>>
- Client Hardware: <<Appropriate Helpdesk Administrator>>
- Client Software: <<Appropriate Helpdesk Administrator>>

For details of the actual tasks associated


d) Definitions

This section defines acronyms and words not in common use:


- Document No.: Number of the SOP document as defined by [insert numbering scheme]
- Effective Date: The date from which the SOP is to be implemented and followed
- Review Date: The date on which the SOP must be submitted for review and revision
- Security Level: Levels of security are categorized as Public, Restricted, or Departmental
- SOP: Standard Operating Procedure

e) Changes Since Last Revision

Add to this list as required:

Nature of change, date of change, individual making the change, individual authorizing the change.

f) Documents/Resources Needed for this SOP

The following documents are required for this SOP:


Add to this list as required:

Document

g) Related Documents

The following documents are related to this SOP and may be useful in the event of an emergency. The documents below are hyperlinked to their original locations and copies are also attached in the appendix of this document:

Add to this list as required:

Document

h) Procedure

The following are the steps associated with bringing <<Component Name>> back online in the event of a disaster or system failure.

Step | Action | Responsibility
1 | <<Step 1 Action>> | <<Person/group responsible>>
2 | |

Criticality Rank-Two System


Repeat as above for as many systems as the enterprise makes use of.

28.0 Plan Testing & Maintenance:


Mandatory

While efforts will be made initially to construct this DRP in as complete and accurate a manner as possible, it is essentially impossible to address all possible problems at any one time. Additionally, over time the Disaster Recovery needs of the enterprise will change. As a result of these two factors, this plan will need to be tested on a periodic basis to discover errors and omissions and will need to be maintained to address them. For more information on DRP Testing and Maintenance, please refer to the following Info-Tech Research Group solution set:

- Make Sure the DRP is Ready for a Disaster

Maintenance
Mandatory

The DRP will be updated <<indicate frequency>> or any time a major system update or upgrade is performed, whichever is more often. The Disaster Recovery Lead will be responsible for updating the entire document, and so is permitted to request information and updates from other employees and departments within the organization in order to complete this task. Maintenance of the plan will include (but is not limited to) the following:

1. Ensuring that call trees are up to date
2. Ensuring that all team lists are up to date
3. Reviewing the plan to ensure that all of the instructions are still relevant to the organization
4. Making any major changes and revisions in the plan to reflect organizational shifts, changes and goals
5. Ensuring that the plan meets any requirements specified in new laws
6. Other organizational specific maintenance goals

During the Maintenance periods, any changes to the Disaster Recovery Teams must be accounted for. If any member of a Disaster Recovery Team no longer works with the company, it is the responsibility of the Disaster Recovery Lead to appoint a new team member.

Testing
Mandatory

Abercrombie is committed to ensuring that this DRP is functional. The DRP should be tested every <<indicate frequency>> in order to ensure that it is still effective. Testing the plan will be carried out as follows:

Select which method(s) your organization will employ to test the DRP.

1) Walk throughs: Team members verbally go through the specific steps as documented in the plan to confirm effectiveness and identify gaps, bottlenecks or other weaknesses. This test provides the opportunity to review a plan with a larger subset of people, allowing the DRP project manager to draw upon a correspondingly increased pool of knowledge and experiences. Staff should be familiar with procedures, equipment, and offsite facilities (if required).

2) Simulations: A disaster is simulated so normal operations will not be interrupted. Hardware, software, personnel, communications, procedures, supplies and forms, documentation, transportation, utilities, and alternate site processing should be thoroughly tested in a simulation test. However, validated checklists can provide a reasonable level of assurance for many of these scenarios. Analyze the output of the previous tests carefully before the proposed simulation to ensure the lessons learned during the previous phases of the cycle have been applied.

3) Parallel Testing: A parallel test can be performed in conjunction with the checklist test or simulation test. Under this scenario, historical transactions, such as the prior business day's transactions, are processed against the preceding day's backup files at the contingency processing site or hot site. All reports produced at the alternate site for the current business date should agree with those reports produced at the alternate processing site.

4) Full-Interruption Testing: A full-interruption test activates the total DRP. The test is likely to be costly and could disrupt normal operations, and therefore should be approached with caution. The importance of due diligence with respect to previous DRP phases cannot be overstated.

Any gaps in the DRP that are discovered during the testing phase will be addressed by the Disaster Recovery Lead as well as any resources that he/she will require.

29.0 Call Tree Testing


Elective

Testing of the call trees is normally a good idea. Feel free to omit this section if you feel that it is irrelevant.

Call Trees are a major part of the DRP and Abercrombie requires that they are tested every <<Enter time frame here>> in order to ensure that they are functional. Tests will be performed as follows:

1) The Disaster Recovery Lead initiates the call tree and gives the first round of employees called a code word.
2) The code word is passed from one caller to the next.
3) The next work day, all Disaster Recovery Team members are asked for the code word.
4) Any issues with the call tree, contact information etc. will then be addressed accordingly.

_____________________________________________________

Guides
Creating and implementing a VMware window using Ubuntu

1. Click on the Windows key at the bottom left corner.
   A. Double click on the icon to open it.

2. Click on Create a New Virtual Machine.
   A. Select typical configuration, then click Next.

3. There are 3 options when selecting the operating system.
   A. Select Installer disc image file (iso).
   B. Click on Browse, then click /students/virtual machine/Ubuntu-10.04-desktop-i386

4. Click Open. Your option for choosing an operating system will then look like this:
   A. This shows that your operating system is ready to be installed; click Next.
   B. Fill out the information, and be sure not to use weak passwords! It is recommended to use 7 to 12 characters.
   C. It is also recommended to use a mixture of uppercase, lowercase, numbers, and special characters when creating a strong password.

5. Name your virtual machine; by default it will name itself. The location of your iso image will come up as well, and you have the option of storing it at a different location, but you must have a copy of the iso image in that other location. Click Next.

6. You must specify what size disk you want to install.
   A. It is recommended to use 20 GB.
   B. Select Store virtual disk as a single file.
   C. Click Next.

7. Click Finish, unless you first want to implement any further customizations to your hardware.

8. After your VMware is configured it will start up and download the necessary files to run; depending upon your computer this can take a few minutes. This is what your VMware should look like:

9. After you've downloaded VMware and it's ready for use, you need to log in.

10. When you created this VM, it asked for your name, username, and password.

11. This is what your screen should look like, and this VM is ready for use. You are now ready to run your virtual machine.

Installing Windows Server 2008 R2 Enterprise 64-bit

1. Insert the appropriate Windows Server 2008 installation media into your DVD drive.

2. Reboot the computer.

3. When prompted for an installation language and other regional options, make your selection and click Next

4. Next, press Install Now to begin the installation process.

5. On the Select the Operating System you want to install page, from the displayed Windows Server 2008 R2 editions, select the appropriate edition that is to be installed.

6. On the Please read the License terms page, check the I accept the license terms checkbox and click Next.

7. In the "Which type of installation do you want?" window, click the only available option Custom (Advanced).

8. On Where do you want to install Windows page, ensure that the hard disk drive on which Windows Server 2008 R2 is to be installed is selected. Once selected, click Drive options (advanced).

9. From the enabled options, click New to create a new disk drive partition. In the Size field, specify the size of the new volume in MB.

10. On the displayed Install Windows message box, click OK. Back on the same page, click to select the hard disk drive partition where Windows Server 2008 R2 is to be installed and click Next.

11. On the Installing Windows page, wait until Windows Server 2008 R2 is installed and the computer restarts.

12. After second restart, on the displayed screen, click OK to change the user password before logging on for the first time.

13. On the available fields, type and retype the new password and press Enter.

Installing Active Directory on Windows Server 2008 R2 Enterprise 64-bit


1. From the Windows Start menu, open Administrative Tools > Server Manager.

2. In the Server Summary section of the Server Manager window, click View Network Connections.

3. In the Network Connections window, right-click the private adapter and select Properties.

4. Select Internet Protocol Version 4, and then click Properties.

5. Copy the IP address that is displayed in the IP address box and paste it into the Preferred DNS server box. Then, click OK.

Click OK in the Properties dialog box, and close the Network Connections window.

6. In the Server Manager window, open the Roles directory and in the Roles Summary section, click Add Roles.

7. On the Select Server Roles page, select the Active Directory Domain Services check box, and then click Next on this page and on the Confirmation page.

8. On the Installation Progress page, click Install.

9. On the Results page, after the role is successfully added, click Close.

Enable the Remote Registry

1. Open the Server Manager window if it is not already open.

2. In the Properties area of the Local Servers page, click Remote Management.

3. Select the Enable remote management of this server from other computers check box.

Install Active Directory Domain Services (DCPROMO)

Now that you have prepared the server, you can install AD DS.

Tip: As an alternative to performing steps 1 through 3, you can type dcpromo.exe at the command prompt. Then, skip to step 4.

1. If it is not already open, open the Server Manager window.

2. Select Roles > Active Directory Domain Services.

3. In the Summary section, click Run the Active Directory Domain Services Installation Wizard (dcpromo.exe).

4. On the Welcome page of the Active Directory Domain Services Installation Wizard, ensure that the Use advanced mode installation check box is cleared, and then click Next.

5. On the Operating System Capability page, click Next.

6. On the Choose a Deployment Configuration page, select Create a new domain in a new forest and then click Next.

7. On the Name the Forest Root Domain page, enter the domain name that you chose during the preparation steps. Then, click Next.

8. After the installation verifies the NetBIOS name, on the Set Forest Functional Level page, select Windows Server 2008 R2 in the Forest function level list. Then, click Next.

The installation examines and verifies your DNS setting.

9. On the Additional Domain Controller Options page, ensure that the DNS server check box is selected, and then click Next.

10. In the message dialog box that appears, click Yes.

11. On the Location for Database, Log Files, and SYSVOL page, accept the default values and then click Next.

12. On the Directory Services Restore Mode Administrator Password page, enter the domain administrator password that you chose during the preparation steps. This is not your admin password that was emailed to you during the creation of your server, although you can use that password if you want to. Then, click Next.

13. On the Summary page, review your selections and then click Next. The installation begins.

14. If you want the server to restart automatically after the installation is completed, select the Reboot on completion check box.

15. If you did not select the Reboot on completion check box, click Finish in the wizard. Then, restart the server.

16. After a few minutes, reconnect to your server by using the Console in your Control Panel or RDP.

17. To log in, perform the following steps:
   a. Click Switch User, and then click Other User.
   b. For the user, enter the full domain name that you chose, followed by a back slash and Administrator.
   c. Enter the password that was emailed to you when you first built the server. If you changed your password for the local admin account to this server before you began the installation of AD DS, use that password.
   d. Click the log in button.

The installation of Active Directory Domain Services on your server is complete.
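The wizard choices in the steps above (new domain in a new forest, Windows Server 2008 R2 functional level, DNS server installed, default paths, reboot on completion) can also be captured in a dcpromo answer file, so that a domain controller rebuild is repeatable from a runbook. This is an added example, not part of the original guide; the domain name, NetBIOS name and password placeholder are constructed, and the file name adds-unattend.txt is hypothetical.

```ini
; Constructed dcpromo answer file mirroring the wizard selections in the guide.
; Run from an elevated command prompt on the prepared server:
;   dcpromo.exe /unattend:C:\adds-unattend.txt      (file name is hypothetical)

[DCINSTALL]
; Step 6: "Create a new domain in a new forest"
ReplicaOrNewDomain=Domain
NewDomain=Forest

; Step 7: forest root domain name (constructed placeholder, use your own)
NewDomainDNSName=corp.example.test
; Step 8: NetBIOS name the wizard would verify (constructed placeholder)
DomainNetBiosName=CORP

; Step 8: forest functional level; 4 = Windows Server 2008 R2
ForestLevel=4
DomainLevel=4

; Step 9: keep the DNS server option selected
InstallDNS=Yes

; Step 11: DatabasePath, LogPath and SYSVOLPath are omitted so the defaults apply

; Step 12: Directory Services Restore Mode password (placeholder).
; Fill this in immediately before the run and do not store the completed file.
SafeModeAdminPassword=<DSRM-PASSWORD-PLACEHOLDER>

; Step 14: restart automatically when the installation completes
RebootOnCompletion=Yes
```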

Floor Plan

Network Diagram
