Business Continuity Business Impact Analysis arrangements
Aberdeen City Council
Internal Audit Report 2012/2013 for Aberdeen City Council
May 2013
Business Continuity: Business Impact Analysis arrangements
Final Report
Contents

Section                                           Page
1. Executive Summary                                 3
2. Background and scope                              5
3. Detailed findings and recommendations             7
Appendix 1 - Basis of our classifications           12
Appendix 2 - Terms of reference                     14
Appendix 3 - Limitations and responsibilities       16
Appendix 4 - Detailed Management Comment            17

This report has been prepared solely for Aberdeen City Council in accordance with the terms and conditions set out in our engagement letter of 4th October. We do not accept or assume any liability or duty of care for any other purpose or to any other party. This report should not be disclosed to any third party, quoted or referred to without our prior written consent.

Internal audit work will be performed in accordance with CIPFA's Internal Audit Code of Practice for Local Government. As a result, our work and deliverables are not designed or intended to comply with the International Auditing and Assurance Standards Board (IAASB), International Framework for Assurance Engagements (IFAE) and International Standard on Assurance Engagements (ISAE).

Internal Audit report for Aberdeen City Council - PwC
1. Executive Summary

Report classification: High

Total number of findings (Section 3), by rating (Critical / High / Medium / Low / Advisory) and by finding type (Control design / Operating effectiveness / Total).

Summary of findings

1.01 We have reviewed the business continuity arrangements put in place by Aberdeen City Council, in particular the Business Impact Analysis (BIA) performed by a sample of service areas located at Marischal College. Based on our review we have raised two high points and one medium point.

1.02 An Internal Audit Review of Business Continuity was performed in August 2011 and a number of recommendations made. Despite this, a number of the points noted in this review are similar in nature to those raised in August 2011. It is appreciated that the Corporate Risk Management Group is aware of some of these points and is taking action to address them. A summary of the points noted is included below:

- A lack of effective governance and compliance mechanisms, along with inconsistent support and guidance for those responsible for business continuity outputs, has resulted in poorly documented and in some cases non-existent business continuity plans and strategies;
- Each business unit has completed its own BIA and business continuity plans and strategy. No exercise has been completed to collate the information to ensure dependencies between critical processes are understood and appropriate focus is given to the critical processes the Council as a whole operates rather than the individual business unit; and
- Service areas have been led to believe that disaster recovery capability is such that IT systems will always be available to them. However, the network incident in January 2013 proves that this is not the case. Given the high reliance of service areas on IT systems it is questionable whether service areas could operate manually. Limited analysis has been performed to ensure IT disaster recovery can meet business requirements and as such service areas have limited recovery strategies should IT systems be unavailable (i.e. the ability to provide a skeleton service manually).
1.03 Although out of scope of this review, it was also noted that a number of service areas have performed limited or no testing of business continuity plans and strategies. Testing of incident management and business continuity plans is the most important part of business continuity, as it can help identify flaws within plans and strategies as well as providing staff with training to improve their familiarity with plans and ultimately their effectiveness in a disaster situation.

Overall management comment

1.04 The completion of Business Continuity Plans, including quality control, has up until now been the responsibility of Services. Support in completing the plans has been available from the Emergency Planning Unit but this has not, as made clear in the Business Continuity Policy & Procedures document, extended to checking the quality of information contained in Service plans. This support will now be given where necessary. Governance arrangements for Business Continuity planning will be more clearly defined, with additional resource being provided, where necessary, to support services in raising the quality of their plans and to ensure integration across functions and with ICT and Facilities Disaster Recovery arrangements. Please see Appendix 4 for the detailed management comment.
2. Background and scope

Background

2.01 Business continuity management gives an organisation a capability to plan for and respond to a major incident that may impact its business. It focuses on making sure that the business can carry on providing critical functions in the event of a disaster or emergency.

2.02 The Emergency Planning Unit (EPU), which forms part of the Housing and Environment Service, has responsibility for co-ordinating the preparation, testing and review of emergency plans for the North East of Scotland. The plans cover major emergency scenarios or site-specific emergencies. The unit also maintains generic plans for use in natural disasters and civil emergencies. EPU provides this service both to the Council and also to Aberdeenshire and Moray Councils as partner organisations. EPU is also responsible for supporting the development of BCPs by the Services within the Council through the provision of support, advice and guidance.

2.03 Services are responsible for performing the business impact analysis and formulating, reviewing and approving business continuity plans and strategies. Services are also responsible for ensuring that business impact analysis and plan information is tested and updated periodically.

2.04 Following on from the Internal Audit review in 2011/12, this review has focussed on the arrangements surrounding the business impact analysis prepared for a sample of service areas and has considered these against recommended practice guidance.

Scope and limitations of scope

2.05 The overall scope of this review was to consider the Council's arrangements in respect of business continuity, in particular the business impact analysis (BIA) within a sample of service areas located at Marischal College:

- Customer Contact Centre
- Environmental Health and Trading Standards
- Care Management and Adult Protection Unit

The review considered each of the respective BIAs against recommended practice and assessed how these had been consolidated to provide a co-ordinated business continuity plan for Marischal College. These three areas were selected following discussion with Management and based on risk and priority should an incident occur impacting on Marischal College.

The detailed terms of reference are set out in Appendix 2. The review did not assess whether the business continuity or disaster recovery plans themselves have been tested throughout the year. In addition, it should be noted that our work will not provide management with assurance that business continuity plans or disaster recovery plans will work in the event of an incident.
3. Detailed findings and recommendations

3.01 Controls to ensure the quality of business impact analysis and business continuity plans

Finding

Finding summary

The Emergency Planning Unit (EPU) has provided templates that service areas should utilise in order to complete the Business Impact Analysis (BIA) and prepare business continuity strategies and plans. The EPU states that guidance and support is available to service areas on how to complete and utilise these templates. However, this support is not proactively offered; rather, service areas have to request it. During the course of our fieldwork we noted that very few service areas had engaged with the EPU.

In addition, there is limited compliance monitoring and regular reporting of business continuity to senior management. Compliance monitoring and reporting to senior management would help to ensure visibility of business continuity and that service areas have completed templates correctly and produced realistic, practical strategies and plans.

This lack of control over the quality of business continuity outputs has resulted in inconsistent and in some cases poorly documented or non-existent business continuity plans and strategies.

Finding detail

The BIA templates provided by the EPU on the whole capture the information that would typically be expected. However, it would be expected that a suitably experienced business continuity practitioner would then take that information and perform a robust, risk-based analysis to formulate business continuity strategies and plans. For example, this would normally entail reviewing each of the identified critical processes to understand:

- Location: which locations is the critical process performed from, and if one location was lost could the process be performed from other locations? Business continuity plans should then specifically consider what actions would be required if the location was lost.
- Systems: which systems does the process rely on, and can disaster recovery measures restore the system before the business experiences a major impact? If not, then business continuity plans should consider how the business unit would operate manually.
- Suppliers: are there any critical internal or external suppliers and, if so, what actions have been taken to confirm they have adequate business continuity plans or strategies in place to ensure the critical process could continue if the supplier was unavailable?
- People: what is the minimum level of staff required to operate the critical process, and what strategies are available to supplement staff levels should they dip below that level? For example, training staff from less critical processes so they could be used in an emergency situation.
- Plant and equipment: does the critical process rely on any specialist pieces of plant and equipment, and what continuity strategies can be put in place to reduce the impact if the plant or equipment is lost? For example, preventative maintenance or, if feasible, purchase of a second item.

The sample documentation reviewed did not suggest this level of analysis had been undertaken. This is indicative of the fact that the employees being asked to perform this work have limited business continuity experience, training and support available to them, and that there are no appropriate governance and compliance mechanisms in place to ensure the robustness of the work performed. Specific examples include:

- Service areas are required to capture details of locations from which critical processes are performed and any alternative locations that could be used in a disaster. However, within the plans reviewed there were no detailed actions listed on what steps would be taken. Comments include "There are multiple spare desks available throughout ACC with ICT access" and "Alternative accommodation would be sought in other council locations, especially where network access is available". Both statements are general in nature and do not allow for a specific plan to be put into action during an incident.
- The BIA template requires service areas to consider the loss of a key supplier. In the sample of BIAs reviewed, while this information had been captured it had not been used to formulate a recovery strategy.
- Service areas are required to capture details of the documents which are needed to perform critical processes and consider how access will be gained to these during an incident. This was inconsistently considered in the sample of BIAs reviewed. For example, one BIA reviewed noted that the business unit is heavily reliant on paper documentation held in the record storage facility at Marischal College; however, there is no plan of how to retrieve these documents if access is denied to the building.
- The BIA template requires service areas to consider the maximum period for which no service could be provided. One response states "There is no time period in which a basic service for emergency work not being provided would be acceptable." There are no specific details as to what the emergency work includes, and no indication is provided as to how long other services within the business unit could last.
- The BIA template requires service areas to consider minimum staffing levels for each critical service. One business unit comprehensively states the minimum staffing levels; however, there is no strategy for how to ensure these levels are maintained. Another business unit has stated that all staff are required to maintain a minimum level of service, which suggests that the question has not been fully understood.
Risks

Without effective governance and compliance mechanisms, along with support and guidance for those responsible for business continuity, the risk exists that poorly defined strategies are produced which could result in a delay in restoring critical functions in a disaster situation.

Action plan

Risk rating: High

Agreed action:
1. Management to conclude the exercise to agree the critical processes that the Council operates.
2. The EPU to provide support and guidance to the individuals completing (and testing) BIA and plans for these critical processes. Services to review and approve BIA and plans prior to the EPU reviewing and approving.
3. EPU to report to the Corporate Management Team on a quarterly basis on the status of plans (and testing of the plans) for the agreed critical processes.
4. Service areas to be responsible for developing (and testing) BIA / plans for any processes not on the Council's list of critical processes (non-critical processes).
5. EPU to implement a reporting process whereby service areas report details of plans developed for non-critical processes. This will be reported to the Corporate Management Team on a quarterly basis.

Responsible person / title: Emergency Planning Unit Officer
Target date: 30 June
3.02 Consolidation of business impact analysis information

Finding

Each business unit has completed its own BIA and business continuity plans and strategy. No exercise has been completed to collate the information to ensure dependencies between critical processes are understood and appropriate focus is given to the critical processes the Council as a whole operates rather than the individual business unit. For example, if a major incident impacted Marischal College then a number of service areas and processes would be impacted. Without a consolidated view of the critical processes operating, the risk exists of an uncoordinated response and delays in recovering critical processes. For example:

- a business unit may decide to send staff home unaware that this would have a major impact on the ability to provide a customer-facing critical process;
- a non-critical business unit may decide to send its staff to an alternative location unaware that a critical customer-facing function is sending its people there too. This may impact the ability of the customer-facing process to meet the needs of the public.

Risks

Without a consolidated view of the critical processes operating, the risk exists of an uncoordinated response and delays in recovering critical processes.

Action plan

Risk rating: High

Agreed action: following completion of the actions noted in 3.01, the following should occur:
1. The EPU to review the plans and strategies to recover the critical functions to ensure dependencies between units are clearly understood and plans cater for these dependencies.
2. Property to produce an inventory of all available desk space within the Council and then work with the EPU to determine where critical functions would relocate to should their primary location be impacted by a disaster. The results of this exercise should be communicated to the business units so they can update plans accordingly.

Responsible person / title:
1. Emergency Planning Unit Officer
2. Asset Management Officer

Target date: 31 July
3.03 Disaster recovery linkage to business continuity

Finding

In a typical business continuity process, service areas would determine the maximum time they could not operate a process before a major impact is experienced. This is known as the Maximum Acceptable Outage (MAO). The IT department then uses this information to determine whether it can restore the IT systems and data before the MAO expires. If this is not feasible, the business unit needs to develop plans to operate manually.

From the discussions held and the plans reviewed it is apparent that service areas have limited plans or recovery strategies should IT systems be unavailable (i.e. the ability to provide a skeleton service manually). There is a need to perform an analysis to ensure IT disaster recovery can meet business requirements and as such service areas

Risks

IT systems may not be reinstated within an acceptable timeframe for all critical services. The MAO set may not be achievable in the event of a major incident.

Action plan

Risk rating: Medium

Agreed action: following the IT outage in January, the ICT Team has been conducting an exercise to identify and remove single points of failure within the IT network. A disaster recovery test was performed in April 2013, with a further test scheduled for June. As part of the disaster recovery test, ICT and the EPU will perform an exercise to ensure that disaster recovery is in place for all systems supporting critical functions and that the systems can be restored in line with business requirements. The results of this exercise will be reported to CMT and, where systems can't be restored in line with business requirements, CMT will determine what alternative strategies (if any) will be put in place.

Responsible person / title: IT Manager
Target date: 30 September
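The analysis that findings 3.02 and 3.03 ask for (comparing each critical process's MAO with the RTO of the IT systems it depends on, and checking whether business units have independently counted on the same fallback desks) is illustrated below as an added worked example in Python. It is not code from the audit report, the Council or PwC; the data model, the status names, the systems, locations, staffing figures and outage values are all constructed assumptions, and the business unit names merely echo the service areas the report lists.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ItSystem:
    """DR parameters ICT has committed to for one system (assumed fields)."""
    name: str
    rto_hours: float   # Recovery Time Objective: time to restore the system
    rpo_hours: float   # Recovery Point Objective: maximum data loss accepted


@dataclass(frozen=True)
class CriticalProcess:
    """One critical process from a service area's BIA (assumed fields, not the EPU template)."""
    name: str
    business_unit: str
    mao_hours: float                  # Maximum Acceptable Outage set by the service
    systems: Tuple[str, ...]          # IT systems the process relies on
    fallback_location: Optional[str]  # where the process would relocate to
    min_staff: int                    # minimum staffing for a skeleton service
    manual_workaround: bool           # documented plan to operate without IT


def assess_process(proc: CriticalProcess, systems: Dict[str, ItSystem]) -> dict:
    """Compare the process's MAO against the RTO of every system it depends on.

    Statuses: 'gap' (an RTO exceeds the MAO and no manual plan exists),
    'unknown' (a dependent system has no DR parameters recorded),
    'manual' (an RTO exceeds the MAO but a manual workaround is documented),
    'covered' (every RTO is within the MAO).
    """
    shortfalls: List[Tuple[str, float, float]] = []
    unknown: List[str] = []
    for sys_name in proc.systems:
        system = systems.get(sys_name)
        if system is None:
            unknown.append(sys_name)
        elif system.rto_hours > proc.mao_hours:
            shortfalls.append((sys_name, system.rto_hours, proc.mao_hours))
    if shortfalls and not proc.manual_workaround:
        status = "gap"
    elif unknown:
        status = "unknown"
    elif shortfalls:
        status = "manual"
    else:
        status = "covered"
    return {"process": proc.name, "unit": proc.business_unit, "status": status,
            "shortfalls": shortfalls, "unknown_systems": unknown}


def fallback_conflicts(processes, desk_capacity: Dict[str, int]) -> dict:
    """Find fallback locations where the combined minimum staffing of every
    process planning to relocate there exceeds the desk inventory."""
    demand: Dict[str, int] = defaultdict(int)
    units: Dict[str, set] = defaultdict(set)
    for proc in processes:
        if proc.fallback_location is None:
            continue
        demand[proc.fallback_location] += proc.min_staff
        units[proc.fallback_location].add(proc.business_unit)
    conflicts = {}
    for location, needed in demand.items():
        capacity = desk_capacity.get(location, 0)  # unlisted location: no confirmed desks
        if needed > capacity:
            conflicts[location] = {"required": needed, "capacity": capacity,
                                   "units": sorted(units[location])}
    return conflicts


def consolidated_report(processes, systems, desk_capacity) -> dict:
    """The Council-wide view a single BIA cannot give: DR status per process,
    fallback locations over-subscribed across units, and processes with no
    fallback location at all."""
    return {
        "dr": [assess_process(p, systems) for p in processes],
        "location_conflicts": fallback_conflicts(processes, desk_capacity),
        "no_fallback": [p.name for p in processes if p.fallback_location is None],
    }


# Constructed sample data: every MAO, RTO, RPO, staffing figure and location is invented.
SYSTEMS = {
    "Telephony": ItSystem("Telephony", rto_hours=8, rpo_hours=0),
    "CRM": ItSystem("CRM", rto_hours=24, rpo_hours=4),
    "CaseDB": ItSystem("CaseDB", rto_hours=72, rpo_hours=24),
}
PROCESSES = (
    CriticalProcess("Emergency call handling", "Customer Contact Centre", 4,
                    ("Telephony", "CRM"), "Office B", 12, True),
    CriticalProcess("Adult protection referrals", "Care Management", 24,
                    ("CaseDB",), "Office B", 6, False),
    CriticalProcess("Food safety complaints", "Environmental Health", 96,
                    ("CaseDB", "Licensing"), "Office C", 4, False),
    CriticalProcess("Trading standards inspections", "Environmental Health", 168,
                    ("CaseDB",), None, 3, True),
)
DESK_CAPACITY = {"Office B": 10, "Office C": 20}  # an assumed Property desk inventory

if __name__ == "__main__":
    report = consolidated_report(PROCESSES, SYSTEMS, DESK_CAPACITY)
    for row in report["dr"]:
        print(f"{row['status']:8} {row['unit']}: {row['process']}",
              row["shortfalls"], row["unknown_systems"])
    print("over-subscribed fallback locations:", report["location_conflicts"])
    print("no fallback location:", report["no_fallback"])
```

Two design points matter for a reviewer. A dependent system with no recorded RTO is reported as its own status rather than silently treated as recoverable, which is the check the 3.03 action plan describes (confirming DR is in place for every system supporting a critical function). And an outage shortfall is only downgraded from 'gap' to 'manual' when the BIA actually documents a manual workaround, so the report surfaces exactly the processes that would have to operate without IT and have no plan for it.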
Appendix 1 - Basis of our classifications

Individual finding ratings

Finding rating / Assessment rationale

Critical: A finding that could have a:
- Critical impact on operational performance; or
- Critical monetary or financial statement impact; or
- Critical breach in laws and regulations that could result in material fines or consequences; or
- Critical impact on the reputation or brand of the organisation which could threaten its future viability.

High: A finding that could have a:
- Significant impact on operational performance; or
- Significant monetary or financial statement impact; or
- Significant breach in laws and regulations resulting in significant fines and consequences; or
- Significant impact on the reputation or brand of the organisation.

Medium: A finding that could have a:
- Moderate impact on operational performance; or
- Moderate monetary or financial statement impact; or
- Moderate breach in laws and regulations resulting in fines and consequences; or
- Moderate impact on the reputation or brand of the organisation.

Low: A finding that could have a:
- Minor impact on the organisation's operational performance; or
- Minor monetary or financial statement impact; or
- Minor breach in laws and regulations with limited consequences; or
- Minor impact on the reputation of the organisation.

Advisory: A finding that does not have a risk impact but has been raised to highlight areas of inefficiencies or good practice.

Report classifications

Findings rating / Points:
- Critical: 40 points per finding
- High: 10 points per finding
- Medium: 3 points per finding
- Low: 1 point per finding

Report classification / Points:
- Low risk: 6 points or less
- Medium risk: 7 to 15 points
- High risk: [points range not legible in the source] points
- Critical risk: 40 points and over
Appendix 2 - Terms of reference

This review is being undertaken as part of the 2012/2013 internal audit plan approved by the Audit & Risk Committee in February.

Background

Business continuity management gives an organisation a capability to plan for and respond to something that may impact its business. It focuses on making sure that the business can carry on doing the most important things in the event of a disaster or emergency.

The Aberdeen City Council Corporate Management Team (CMT) has identified Service areas requiring business continuity plans and has prioritised a number of these as being critical due to the impact of any disruption on service provision.

Following on from the Internal Audit review in 2011/12, this review will focus on the arrangements surrounding the business impact analysis prepared for two service areas and will consider these against best practice guidance.

Scope

Review of the Council's arrangements surrounding the business impact analysis (BIA) within a sample of service areas within Marischal College. This will include:

- Customer Contact Centre
- Environmental Health and Trading Standards
- Care Management and Adult Protection Unit

The review will consider each of the respective BIAs and then how these have been consolidated to provide a Marischal College perspective. We will review each BIA against best practice guidance, including considering:

- Has a BIA been completed and updated within the past 12 months;
- Does the BIA identify the Critical Activities of the service area;
- Have the consequences of the loss of the critical activities been assessed;
- Have dependencies for the critical activities been assessed;
- Have Maximum Acceptable Outages (MAOs) been established for the critical activities;
- Have RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives) been identified for IT systems supporting critical activities;
- Where critical activities rely on IT systems, can disaster recovery measures recover systems in sufficient time to meet the RTO and, if not, what plans have been put in place (i.e. does the RTO / RPO meet the requirements of the MAO and, if not, what plans are in place);
- Has the service identified all the resources, equipment and premises needed to carry out each critical activity;
- Has the service determined the minimum level of service that each activity could operate at in a recovery environment;
- Have the BIAs involved and been signed off by Senior Management;
- Do the BIAs meet the needs of the wider Council, giving consideration to Council-wide risks and allowing for linkage with other service areas;
- Have BC risks been assessed and mitigation measures been put in place (e.g. contingencies)?

How have the individual BIAs completed by service areas been consolidated to understand dependencies between service areas residing in Marischal College?

Limitations of scope

The scope of our review is outlined above. We will not assess whether the business continuity plans themselves have been tested throughout the year. In addition, it should be noted that our work will not provide management with assurance that business continuity plans or disaster recovery plans will work in the event of an incident. Furthermore, we will not review the disaster recovery plans.
Appendix 3 - Limitations and responsibilities

Limitations inherent to the internal auditor's work

We have undertaken a review of Business Continuity, subject to the limitations outlined below.

Internal control

Internal control, no matter how well designed and operated, can provide only reasonable and not absolute assurance regarding achievement of an organisation's objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems. These include the possibility of poor judgment in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances.

Future periods

Our assessment of Business Continuity is as at March. Historic evaluation of effectiveness is not relevant to future periods due to the risk that:
- the design of controls may become inadequate because of changes in operating environment, law, regulation or other; or
- the degree of compliance with policies and procedures may deteriorate.

Responsibilities of management and internal auditors

It is management's responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for management's responsibilities for the design and operation of these systems.

We endeavour to plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we shall carry out additional work directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. Accordingly, our examinations as internal auditors should not be relied upon solely to disclose fraud, defalcations or other irregularities which may exist.
Appendix 4 - Detailed Management Comment

1. Background

This internal audit and recent events affecting Marischal College have highlighted the requirement for quality and compliance arrangements to be transferred from Services and to be managed corporately. It is recommended and agreed that this responsibility should sit with the Emergency Planning Strategist. The report also recommends that corporate governance arrangements are clarified to ensure that, in addition to ensuring that effective Business Continuity Plans for critical functions are produced and maintained, corporate arrangements are in place (particularly with regard to facilities and systems) to support the delivery of these critical functions.

2. Quality Control, Compliance and Review

Services will be responsible for ensuring all appropriate Business Continuity Planning documentation is completed for critical functions under their control. The Emergency Planning Unit will review documentation and highlight shortcomings. Services will be offered support where required from the Emergency Planning Unit and will be given deadlines to rectify shortcomings. Status reports will be provided to CMT, who will be expected to take action where progress is not being made.

3. Corporate Issues

The Emergency Planning Unit will, from the plans provided, extract information regarding the facilities and systems required to support critical functions. This information will be used to inform Facilities and ICT Disaster Recovery plans, which will identify from where critical functions will be delivered together with details of how ICT systems will be provided to support these critical functions.

4. Governance Arrangements

CMT will receive regular progress reports regarding the status of Business Continuity Planning across the organisation. They will be responsible for taking appropriate action where targets are not being met.

The Director of Housing and Environment will be the lead Director, with the Emergency Planning Strategist being responsible for ensuring plans are completed and reviewed as necessary. The Emergency Planning Strategist, Facilities and ICT staff will be responsible for ensuring Disaster Recovery plans are in place to ensure critical functions can be delivered from appropriate facilities using necessary systems. Services will be responsible for producing Business Continuity Plans for critical functions under their control.

5. Current Status

All Services have been asked to provide an up to date list of all the plans they should have in place together with a copy of everything they actually have in place. The Emergency Planning Strategist is working through these plans to ensure compliance and to identify where support and additional resource may be required.

Existing asset information has been provided and this will be assessed against requirements identified in Business Continuity Plans.

ICT have introduced measures to remove the network single point of failure which exacerbated the recent network outage. This was tested successfully at the beginning of April. The next full ICT Disaster Recovery test is scheduled for 22 June. This will test the readiness of infrastructure and the integrity of replicated data at the Disaster Recovery data centre. The results of that test will assist Services in clarifying potential downtime of the systems supporting their critical functions and allow them to assess the need for identifying alternative working arrangements (e.g. manual systems).

The Risk Manager intends to, subject to appropriate approvals, purchase a module for Covalent. This module is designed to manage policies and, amongst other projects, will be used to store and provide access to the Business Continuity Plans. It will automate the process of managing the review and maintenance of the plans. It will also provide high quality management reports on individual and corporate plan status. The module is being trialled at the moment and, if purchased, will greatly assist in the corporate management of Business Continuity.
This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance.

PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.
More informationBusiness continuity management policy
Business continuity management policy health.wa.gov.au Effective: XXX Title: Business continuity management policy 1. Purpose All public sector bodies are required to establish, maintain and review business
More informationBusiness Continuity Management For Small to Medium-Sized Businesses
Business Continuity Management For Small to Medium-Sized Businesses Produced by NORMIT and Norfolk County Council Resilience Team For an electronic copy of this document visit www.normit.org Telephone
More informationInformation Services IT Security Policies B. Business continuity management and planning
Information Services IT Security Policies B. Business continuity management and planning Version 1 Date created: 28th May 2009 Approved by Directorate: 2nd July 2009 Review date: 1st July 2010 Primary
More informationBusiness Continuity (Policy & Procedure)
Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity
More informationBUSINESS CONTINUITY MANAGEMENT FRAMEWORK
BUSINESS CONTINUITY MANAGEMENT FRAMEWORK Document Author: Civil Contingencies Service - Authorised by the CCS Joint Management Board - Version 1.0. Issued December 2012 Page 1 FRAMEWORK STATEMENT Business
More informationRecommendation Current Position and Explanation for Slippage: Target Dates:
IT Disaster Recovery 2012/13 Recommendation R1: A Disaster Recovery Plan should be developed and approved. As a minimum, this should include; the identification and prioritisation of key IT systems the
More informationBUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS
BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS DIRECTORATE OF BANKING SUPERVISION AUGUST 2009 TABLE OF CONTENTS PAGE 1.0 INTRODUCTION..3 1.1 Background...3 1.2 Citation...3
More informationGovernance and Audit Committee 23 November 2015
Agenda Item 7 Governance and Audit Committee 23 November 2015 Welland Internal Audit Consortium Internal Audit Plan & Performance Update 2015/16 Purpose of report: To provide Members with information on
More informationTemple university. Auditing a business continuity management BCM. November, 2015
Temple university Auditing a business continuity management BCM November, 2015 Auditing BCM Agenda 1. Introduction 2. Definitions 3. Standards 4. BCM key elements IT Governance class - IT audit program
More informationBusiness Continuity Management Policy
Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3
More informationSOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02. IT Backup, Recovery and Disaster Recovery Planning
SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02 IT Backup, Recovery and Disaster Recovery Planning Executive Summary Introduction As part of the 2011/12 Audit Plan and following discussions
More informationBusiness Continuity Management Framework 2014 2017
Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity
More informationPrinciples for BCM requirements for the Dutch financial sector and its providers.
Principles for BCM requirements for the Dutch financial sector and its providers. Platform Business Continuity Vitale Infrastructuur Financiële sector (BC VIF) Werkgroep BCM requirements 21 September 2011
More informationItem 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010
Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010 This report has been prepared on the basis of the limitations set out on page 16. Contents Page
More informationShankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.
Business Continuity Management & Disaster Recovery Planning Presented by: Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD. 1 What is Business Continuity Management? Is a holistic management
More informationInternal Audit Report Disaster Recovery / Business Continuity Planning
Audit Committee, 28 November 2013 Internal Audit Report Disaster Recovery / Business Continuity Planning Executive summary and recommendations Introduction As part of the Internal Audit Plan for 2013-14,
More informationCENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT
CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14
More informationHow To Manage A Disruption Event
BUSINESS CONTINUITY FRAMEWORK DOCUMENT INFORMATION DOCUMENT TYPE: DOCUMENT STATUS: POLICY OWNER POSITION: INTERNAL COMMITTEE ENDORSEMENT: APPROVED BY: Strategic document Approved Manager Organisational
More informationProposal for Business Continuity Plan and Management Review 6 August 2008
Proposal for Business Continuity Plan and Management Review 6 August 2008 2008/8/6 Contents About Newton IT / Quality of our services. BCM & BS25999 Overview 2. BCM Development in line with BS25999 3.
More informationDesktop Scenario Self Assessment Exercise Page 1
Page 1 Neil Jarvis Head of IT Security & IT Risk DHL Page 2 From reputation to data loss - how important is business continuity? Neil Jarvis Head of IT Security (EMEA) DHL Logistics IT Security Taking
More informationThe end of SAS70 what next for Performance Assurance?
Enhancing Trust and Transparency The end of SAS70 what next for Performance Assurance? A perspective on transitioning from SAS 70 to ISAE 3402 pwc Enhancing Trust and Transparency 1 Contents What you need
More informationEntitlements Management System (EMS) Technology Update Project Health Check Review
Entitlements Management System (EMS) Technology Update Project Health Check Review February 2010 Final This report and PricewaterhouseCoopers deliverables are intended solely for the Department of Finance
More informationBusiness Continuity Planning
Business Continuity Planning We believe all organisations recognise the importance of having a Business Continuity Plan, however we understand that it can be difficult to know where to start. That s why
More informationBusiness Continuity Plan Template
Business Continuity Plan Template Disclaimer This publication has been produced to provide a guide for people anticipating going into business and for business owners. It should not be regarded as an
More informationBusiness Continuity Plan Toolkit
Business Continuity Plan Toolkit March 2015 1 Contents The Template instructions for use... 2 Introduction... 3 What is the purpose of this toolkit?... 3 Why do you need a Business Continuity Plan?...
More informationBusiness Continuity Policy and Business Continuity Management System
Business Continuity Policy and Business Continuity Management System Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain
More informationInternal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority
Internal Audit Progress Report (19 th August 2015) Contents 1. Introduction 2. Key Messages for Committee Attention 3. Work in progress Appendix A: Risk Classification and Assurance Levels Appendix B:
More informationENTERPRISE RISK MANAGEMENT POLICY
ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving
More informationTips and techniques a typical audit programme
Auditing Business Continuity Planning Tips and techniques a typical audit programme Karen Wills, Senior Internal Auditor St James s Place Wealth Management February 2014 Contents Background Roles and Responsibilities
More informationPayroll Review. Internal Audit Final Report 09_10 1.4. Assurance rating this review. Moderate. Distribution List. Chief Executive - Peter Sloman
Review Internal Audit Final Report 09_10 1.4 Assurance rating this review Moderate Distribution List Chief Executive - Peter Sloman Interim Executive Finance Director Nigel Pursey Heads of Finance - Penny
More informationAnnual Report of Internal Audit 2012/13
Open Decision Item 4 Audit & Governance Committee 19 th June 2013 Annual Report of Internal Audit 2012/13 SYNOPSIS To report on Internal Audit s opinion of the overall adequacy and effectiveness of the
More informationKPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity
INFORMATION RISK MANAGEMENT KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity ADVISORY Contents Agenda: Global trends and BCM
More informationBirmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy
Birmingham CrossCity Clinical Commissioning Group Business Continuity Management Policy Version V1.0 Ratified by Operational Development Group Date ratified 6 th November 2014 Name of originator / author
More informationInformation Commissioner's Office
Phil Keown Engagement Lead T: 020 7728 2394 E: philip.r.keown@uk.gt.com Will Simpson Associate Director T: 0161 953 6486 E: will.g.simpson@uk.gt.com Information Commissioner's Office Internal Audit 2015-16:
More informationAcknowledgement. First edition August 2006 Second edition July 2009 Third edition June 2015
WESTERN AUSTRALIAN GOVERNMENT BUSINESS CONTINUITY MANAGEMENT GUIDELINES Third Edition Acknowledgement RiskCover has produced the Business Continuity Management Guidelines to assist the Western Australian
More informationwww.td.com.au Business Continuity - IT Disaster Recovery Discussion Paper - - Commercial in Confidence Version V2.0R Wednesday, 5 September 2012
Business Continuity - IT Disaster Recovery Discussion Paper - - Version V2.0R Wednesday, 5 September 2012 Commercial in Confidence Melbourne Sydney 79-81 Coppin St Level 2 Richmond VIC 3121 414 Kent St
More information1.0 Policy Statement / Intentions (FOIA - Open)
Force Policy & Procedure Reference Number Business Continuity Management D269 Policy Version Date 23 July 2015 Review Date 23 July 2016 Policy Ownership Portfolio Holder Links or overlaps with other policies
More informationGUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012
GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental
More informationVISION FOR LEARNING AND DEVELOPMENT
VISION FOR LEARNING AND DEVELOPMENT As a Council we will strive for excellence in our approach to developing our employees. We will: Value our employees and their impact on Cardiff Council s ability to
More informationBUSINESS CONTINUITY STRATEGY 2014-2017
BUSINESS CONTINUITY STRATEGY 2014-2017 This strategy covers the period 01 April 2014 31 March 2017 and was approved by the Major Incident Working Group 19.03.2014 Caroline Rushmer Major Incident and Business
More informationSolihull Clinical Commissioning Group
Solihull Clinical Commissioning Group Business Continuity Policy Version v1 Ratified by SMT Date ratified 24 February 2014 Name of originator / author CSU Corporate Services Review date Annual Target audience
More informationAberdeen City Council. Performance Management Process. External Audit Report o: 2008/19
Aberdeen City Council Performance Management Process External Audit Report o: 2008/19 Draft Issued: 11 February 2009 Final Issued: 6 April 2009 Contents Pages Pages Management Summary Introduction 1 Background
More informationBest Practices in Disaster Recovery Planning and Testing
Best Practices in Disaster Recovery Planning and Testing axcient.com 2015. Axcient, Inc. All Rights Reserved. 1 Best Practices in Disaster Recovery Planning and Testing Disaster Recovery plans are widely
More informationCITY UNIVERSITY OF HONG KONG Business Continuity Management Standard
PUBLIC Version: 1.0 CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief
More informationColeg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating:
Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory Assurance Rating: Distribution List: Draft Report: Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation
More informationColeg Gwent Internal Audit Report 2014/15 Staff Performance Management. Assurance Rating:
Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management Assurance Rating: Distribution List: Final Report Audit Committee Principal Vice Principal, (Resources and Financial Planning)/Director
More informationRisk Management Policy and Framework
Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871
More informationCompany Management System. Business Continuity in SIA
Company Management System Business Continuity in SIA Document code: Classification: Company Project/Service Year Document No. Version Public INDEX 1. INTRODUCTION... 3 2. SIA S BUSINESS CONTINUITY MANAGEMENT
More informationTHE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK
THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date
More informationBusiness Continuity Management. Policy Statement and Strategy
Business Continuity Management Policy Statement and Strategy November 2011 Title Business Continuity Management Policy & Strategy Date of Publication: Cabinet Council Published by Borough Council of King
More informationICT Business Continuity & Disaster Recovery for Local Authorities. White Paper
ICT Business Continuity & Disaster Recovery for Local Authorities White Paper Contents 1 Introduction...3 1.1 What Constitutes a Disaster?...3 1.2 Phases...3 1.3 Overall Contingency Planning...3 2 Discovery
More informationHOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO 22301 AUDITS, CERTIFICATION AND TRAINING
HOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO 22301 AUDITS, CERTIFICATION AND TRAINING ISO 22301 BUSINESS CONTINUITY MANAGEMENT SYSTEMS Most organisations will, at some point, be faced with having to respond
More informationBusiness continuity management and planning
B Business continuity management and planning This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information
More informationBusiness Continuity Management
Business Continuity Management Policy Statement & Strategy July 2009 Basildon District Council Business Continuity Management Policy Statement The Council is committed to ensuring robust and effective
More informationRISK MANAGEMENT STRATEGY
RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate
More informationInternal Audit Report 2015/16
Isle of Wight Council Internal Audit Report 2015/16 Business Continuity and IT Disaster Recovery April 2016 FINAL E - 37 Contents 1. Executive summary 2 2. Detailed current year findings 4 Appendix A:
More informationUniversity of Glasgow. Policy for. Business Continuity Management
University of Glasgow Policy for Business Continuity Management 1 Policy Statement The University of Glasgow is committed to delivering the highest possible quality of service to our students, and the
More informationAPPENDIX 2 GENERIC OPERATIONAL RISKS RISK TABLES & ADDITIONAL ACTION PLANS MONITORING REPORT MARCH 2006
APPENDIX 2 GENERIC OPERATIONAL S TABLES ADDITIONAL ACTION PLANS MONITORING REPORT MARCH 2006 GENERIC S AFFECTING MOST OR ALL SERVICES OPERATIONAL S OF HYNDBURN BOROUGH COUNCIL PROFESSIONAL LIKELI- HOOD
More informationHow To Manage A Business Continuity Strategy
Business continuity strategy 2009 2012 Table of contents 1 Why this strategy is needed 3 2 Aim of the strategy 4 3 Our approach to business continuity 4 PROCESS 4 STRUCTURE 5 DOCUMENTATION 6 DISRUPTION
More informationBusiness Continuity Management (BCM) Policy
Business Continuity Management (BCM) Policy Reference number: Corporate 042 Title: Business Continuity Management (BCM) Policy Version number: Version 2 Policy Approved by: LLR PCT Cluster Board Date of
More informationPOLICY. 1) Business Continuity Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management
POLICY Policy Title: Management Descriptors: 1) Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management Category: Risk Management Intent Organisational Scope Definitions Policy
More informationGuideline - Business Continuity Plan
Guideline - Business Continuity Plan 1. Introduction: The Business Continuity Plan is a component of the Risk and Business Management suite. This suite includes: Risk Management including risk registers
More informationManaging Risk Control Environment and Responsibilities
Managing Risk Page 1 of 8 Contents Introduction...3 Risk...3 Risk management - using the framework...3 Source of risk...3 Likelihood and impact...3 Inherent risk...4 Risk-reducing measures...4 Effectiveness...5
More informationBusiness Continuity Management
Business Continuity Management Version 1 approved by SMG December 2013 Business Continuity Policy Version 1 1 of 9 Business Continuity Management Summary description: This document provides the rationale
More informationDepartmental Business Continuity Framework. Part 2 Working Guides
Department for Work and Pensions Departmental Business Continuity Framework Part 2 Working Guides Page 1 of 60 CONTENTS Guide to business impact analysis...3 Guide to business continuity planning...7 Guide
More informationAuditing data protection a guide to ICO data protection audits
Auditing data protection a guide to ICO data protection audits Contents Executive summary 3 1. Audit programme development 5 Audit planning and risk assessment 2. Audit approach 6 Gathering evidence Audit
More informationESCB definitions of major business continuity terms in relation to payment and securities settlement systems 1
ESCB definitions of major business continuity terms in relation to payment and securities settlement systems 1 June 2007 The ESCB has developed a glossary of major business continuity terms for market
More informationBusiness Continuity Policy
Business Continuity Policy 1 NHS England INFORMATION READER BOX Directorate Medical Commissioning Operations Patients and Information Nursing Trans. & Corp. Ops. Commissioning Strategy Finance Publications
More informationPAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA
1 Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand
More informationEssex Fire Authority
Internal Audit Report (2.13/.14) FINAL with the Civil Contingencies Act 1 October 2013 Contents Section Page Executive Summary 1 Action Plan 5 Findings and Recommendations 6 Debrief meeting 15 August 2013
More informationGovernance, Risk and Best Value Committee
Governance, Risk and Best Value Committee 2.00pm, Wednesday 23 September 2015 Internal Audit Report: Integrated Health & Social Care Item number Report number Executive/routine Wards Executive summary
More informationInformation Commissioner's Office
Information Commissioner's Office Ian Falconer Partner T: 0161 953 6480 E: ian.falconer@uk.gt.com Internal Audit 2011-12: Business Continuity Review Last updated 6 February 2012 Will Simpson Senior Manager
More informationVersion: 3.0. Effective From: 19/06/2014
Policy No: RM66 Version: 3.0 Name of Policy: Business Continuity Planning Policy Effective From: 19/06/2014 Date Ratified 05/06/2014 Ratified Business Service Development Committee Review Date 01/06/2016
More informationManaging contractors involved in high impact activities
www.pwc.co.uk November 2011 Managing contractors involved in high impact activities A study of practices adopted by major organisations across six different sectors Contents 1. Introduction 2 2. Executive
More informationPolice and Crime Commissioner for Staffordshire and Chief Constable of Staffordshire
www.pwc.co.uk Government and Public Sector 04/03/2015 Police and Crime Commissioner for Staffordshire and Chief Constable of Staffordshire External Audit Plan 2014/15 Contents Code of Audit Practice and
More informationMoving from BS 25999-2 to ISO 22301. The new international standard for business continuity management systems. Transition Guide
Transition Guide Moving from BS 25999-2 to ISO 22301 The new international standard for business continuity management systems Extract from The Route Map to Business Continuity Management: Meeting the
More informationBusiness Continuity Policy
Business Continuity Policy St Mary Magdalene Academy V1.0 / September 2014 Document Control Document Details Document Title Document Type Business Continuity Policy Policy Version 2.0 Effective From 1st
More informationRISK MANAGEMENT FOR INFRASTRUCTURE
RISK MANAGEMENT FOR INFRASTRUCTURE CONTENTS 1.0 PURPOSE & SCOPE 2.0 DEFINITIONS 3.0 FLOWCHART 4.0 PROCEDURAL TEXT 5.0 REFERENCES 6.0 ATTACHMENTS This document is the property of Thiess Infraco and all
More informationBUSINESS CONTINUITY MANAGEMENT PLAN
BUSINESS CONTINUITY MANAGEMENT PLAN For Thistley Hough Academy Detailing arrangements for Recovery and Resumption of Normal Academy Activity Table of Contents Section Content 1.0 About this Plan 1.1 Document
More informationabcdefghijklmnopqrstu
abcdefghijklmnopqrstu Business Continuity A Framework for NHS Scotland Strategic Guidance for NHS Organisations in Scotland 1 Contents 1. Introduction 4 1.1 Business Continuity Overview 5 2. Roles and
More informationEMERGENCY PREPAREDNESS PLAN Business Continuity Plan
EMERGENCY PREPAREDNESS PLAN Business Continuity Plan GIS Bankers Insurance Group Powered by DISASTER PREPAREDNESS Implementation Small Business Guide to Business Continuity Planning Surviving a Catastrophic
More informationReport 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010
Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010 This report has been prepared on the basis of the limitations set
More informationInformation Commissioner's Office
Information Commissioner's Office IT Procurement Review Ian Falconer Partner T: 0161 953 6480 E: ian.falconer@uk.gt.com Last updated 18 June 2012 Will Simpson Senior Manager T: 0161 953 6486 E: will.g.simpson@uk.gt.com
More informationHow To Understand The Importance Of Internal Control
FINANCIAL REPORTING COUNCIL INTERNAL CONTROL REVISED GUIDANCE FOR DIRECTORS ON THE COMBINED CODE OCTOBER 2005 FINANCIAL REPORTING COUNCIL INTERNAL CONTROL REVISED GUIDANCE FOR DIRECTORS ON THE COMBINED
More information