Information Commissioner's Office


Internal Audit: Business Continuity Review
Last updated 6 February 2012

Ian Falconer, Partner
Will Simpson, Senior Manager
Paul Eckersley, IT Manager
James Renwick, IT Executive

Distribution (for action / for information):
Simon Entwisle, Director of Operations
David Wells, Head of IT
Christopher Graham, Information Commissioner

Timetable:
Fieldwork completed: 21 September 2011
Draft report issued: 18 October 2011
Management comments: 17 November 2011 / 2 February 2012
Final report issued: 6 February 2012

Contents

Sections
1 Executive Summary
2 Detailed Findings
A Internal audit approach
B Definition of internal audit ratings
C Business continuity planning process based on accepted best practice
D Business continuity planning cycle based on accepted best practice

Glossary
The following terms are used in this report:
ICO - Information Commissioner's Office
BCP - Business Continuity Plan
Capita - ICO's outsourced IT supplier
DR - Disaster Recovery
EMT - Executive Management Team
GSI - Government Secure Intranet
MCA - Mission Critical Activity (as defined by ICO)
SLA - Service Level Agreement
Sunguard - Disaster Recovery facility in Warrington, available for four weeks in the event of a disaster
Wycliffe House - ICO Headquarters

This report is confidential and is intended for use by the Management Board and Directors of the ICO only. It forms part of our continuing dialogue with you. It should not be made available, in whole or in part, to any third party without our prior written consent. We do not accept responsibility for any reliance that third parties may place upon this report. Any third party relying on this report does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this report, however such loss or damage is caused. It is the responsibility solely of ICO's management to ensure that there are adequate arrangements in place in relation to risk management, governance and control.

1 Executive Summary

1.1 Background
In accordance with our agreed internal audit plan, we undertook an improvement review of the Information Commissioner's Office's (ICO's) business continuity plans and processes. There have been a number of significant operational changes at the ICO in recent years, including the move to a single site in Wilmslow, an increase in home working and the development of new business activities such as the audit function and the press office. A Business Continuity Plan exists and was tested in April 2011. Following the test, the Plan was revised and will be formally approved by executive management once this audit is complete. This review will further inform our on-going understanding of ICO's governance and risk management activities.

1.2 Scope
Our role as internal auditor is to provide objective and independent assurance to the Audit Committee and management that business continuity arrangements are in place and are fit for purpose. The objectives of the review were to:
- Provide assurance to management that the current business continuity processes and impact analysis adequately reflect the organisation's longer term requirements, particularly in light of the extensive changes in the last 12 months;
- Evaluate the current approach to the development of the plan;
- Establish whether the recent business changes affect the impact analysis; and
- Assist management in developing a road map to address any gaps, and to include any lessons learnt from the recent tests, to further develop the revised business continuity plan.
Further details on responsibilities, approach and scope are included in Appendix A.

1.3 Internal Audit conclusion
While there is a business continuity process in place supported by documented plans, further significant improvements are needed in a number of important areas before those plans can be considered fully fit for purpose. The development of a BCP is an iterative process, typically following the ten stages summarised in Appendix D. The ICO's current status at each stage is shown diagrammatically below:

(Diagram: ICO's current status at each of the ten BCP stages; not reproduced in this transcription.)

Management requested this improvement review to provide an independent view on whether or not the revised business continuity plan awaiting its approval was sufficient for its future business needs. As we conclude that further improvements are needed, it is premature to offer a formal audit opinion at this stage, but we propose to do so later in the year, after the deadlines for any agreed actions arising from our report. Appendix B defines the opinion and recommendation ratings.

1.4 Key findings
The findings within this report have been organised in accordance with the phases of developing a BCP (see also Appendix C). The counts below are taken from the ratings given to findings 1 to 10 in Section 2.

Business continuity phase        High  Medium  Low  Improve't
1 - Initiation                   0     0       0    0
Risk analysis                    0     1       0    0
Business impact analysis         0     2       0    0
Create strategy                  0     1       0    0
Emergency response               0     0       0    0
Plan creation                    0     0       0    0
Training and awareness           0     0       1    0
Maintenance and testing          0     0       2    0
Communications                   1     0       1    0
Integrate with third-parties     0     1       0    0
Total                            1     5       4    0

One finding was rated High: the voice and data requirements that support key business activities are not defined. This is a particularly significant oversight, given that the ICO deals with telephone calls and enquiries from the public.

The following findings were rated as Medium priority:
- ICO has not formally approved an assessment of the current threats that face the organisation, which is needed to focus recovery plans on appropriate areas and activities;
- Mission critical activities need to be agreed and approved by the Executive Team. In addition, the maximum tolerable period of disruption for each activity has yet to be established;
- No temporary alternative accommodation arrangements are in place now that the ICO has moved onto a single site;
- The service level agreement (SLA) with the current IT supplier does not match the requirements of the current BCP; and
- No plan is in place for the loss of the GSI connection.
Further details of our findings and recommendations are provided in Section 2.

1.5 Basis of our audit conclusion
There is a Business Continuity Plan in place which has been updated as a result of the consolidation of ICO's head office into one building (Wycliffe House). The ICO has gone some way to identifying its mission critical activities, although these still need to be reviewed from an overall organisational perspective. Desktop exercises are carried out in order to test the BCP, and IT disaster recovery tests are also undertaken. The ICO's SLA with its IT supplier (Capita) includes business continuity arrangements which were put in place before the current BCP was developed, and these do not match the current business requirements.

1.6 Elsewhere in the sector / Points of interest
As part of our work we seek to share examples of common practice we have seen at other clients or have identified in the wider sector marketplace, which we think might be of relevance to the subject of this review, for your information and consideration:
- We ran a workshop for the senior management of a public sector body to establish their mission critical activities. The outcome was a greatly simplified plan which also reduced implementation costs.
- We have found in other organisations that more resilience is being designed and implemented into the IT infrastructure, to reduce the likelihood and impact of disruption to the organisation following a disaster or incident.
Some other common issues we have noted elsewhere are:
- A lack of a formal agreement between IT and other areas of an organisation leads to recovery priorities being determined by IT, which may not necessarily reflect the needs of the organisation.
- A client in the energy sector used an outsourced provider for its IT provision, but business continuity arrangements were not included in the contracts. This led to assumptions about the service provision that exceeded the contractual obligations of the supplier.
- A common issue is the lack of ownership of the BCP process, which allows plans to become out of date and, over time, no longer fit for purpose. Following the creation of a BCP, ownership and momentum need to be retained in order to maintain the plan in line with changes within the organisation or its environment and to ensure on-going awareness is sustained.

1.7 Acknowledgement
We would like to take this opportunity to thank the staff involved for their co-operation during this internal audit.

2 Detailed Findings

2.1 Risk analysis

1. Formal risk assessment (Medium)

Finding and implication
As part of the business continuity planning process (see Appendix C for a process overview), it is good practice for an organisation to identify its key services and processes and to create a list of all known or anticipated threats that face them. These threats should include natural and man-made events. After identifying its threats, an organisation should risk-assess these and focus on the threats of highest priority. Priority is determined by the likelihood or frequency of the threat and the consequence of its occurring. The ICO's Mission Critical Activities (MCAs) have been documented within the Business Continuity Plan (BCP). However, the formal risk assessment was carried out in 2005, and therefore the vulnerabilities of critical resources and the risks they face may be out of date and may not have been properly identified or assessed. There is a risk to the ICO that some threats may not have been considered or may have been prioritised incorrectly, leading to a plan that may not be effective.

Proposed action
a) ICO should re-evaluate the threats that could disrupt the organisation's key services and identify the critical activities, assets and resources that support them.
b) ICO should re-evaluate the organisation's objectives, stakeholder obligations and statutory duties, and identify those activities, assets and resources, including those outside the organisation, that support the delivery of these key services.
c) ICO should assess the impact and consequences over time of the failure of these activities, assets and resources (see Business impact analysis below).

Agreed action (Date / Ownership)
When the ICO business continuity plan was developed in 2005 a risk analysis was carried out. The presentation and subsequent risk table can be found in Meridio. However, the ICO acknowledges that the current arrangements for business continuity need updating. We will set up a small group, led by Simon Entwisle, to put a proposal for how that review should be carried out to ET by 31 December. The review will involve IT and Internal Compliance. It will take account of the business continuity elements of the work already being undertaken in relation to ICO's commitment to the ISO 27002 information security code of practice. The current plan was developed by looking at corporate MCAs. It then breaks down ICO responses into departments. The plan's incident management processes have been invoked and successfully applied.
Date effective: Review to be completed by 30 April 2012. Owner: Simon Entwisle.

2.2 Business impact analysis

2. Mission critical activities (Medium)

Finding and implication
An important part of any business continuity plan is the business impact analysis (BIA). Good practice is for organisations to determine and document the impact of a disruption to the activities that support their key processes. Mission Critical Activities (MCAs) have been identified within the BCP by individual departments, with each setting out what they consider to be their MCAs. The MCAs were revisited in 2011 to establish the corporate-level mission critical activities essential to the survival or continuity of ICO. However, these have not been approved by the Executive Team. There is a risk that the MCAs within the BCP may be incorrect, leading to misallocation of resources and recovery effort in the event of a disaster. Consideration needs to be given to deciding which activities are truly mission critical for the ICO as a whole, as well as any interdependencies that may exist between them. For instance, Internal Compliance may not be a critical activity for the ICO, and treating it as one may delay the re-establishing of that function.

Proposed action
a) Linked to the recommendation above, the Executive Team (ET) should re-evaluate the organisation's mission critical activities based on ICO's objectives, stakeholder obligations and statutory duties and confirm that the activities identified are mission critical.
b) For each activity supporting the delivery of key services, ICO should assess the impacts that would occur if the activity was disrupted, and then establish the maximum tolerable period of disruption for each activity.
c) ICO should also identify any inter-dependent activities, assets, supporting infrastructure or resources that will be required in order to maintain mission critical activities.

Agreed action (Date / Ownership)
The MCAs were originally identified following a BIA. The BIA summary can be found on Meridio along with other documentation about the BIA. However, it is accepted that the MCAs may require updating. A brief review of the MCAs was carried out as part of the BCP test in April 2011, which identified a number of over-arching MCAs and accepted that further work may be required. Further review of the MCAs to be undertaken as part of the overall review.
Date effective: Review to be completed by 30 April 2012. Owner: Simon Entwisle.

3. IT supplier SLA (Medium)

Finding and implication
As part of defining business continuity requirements, arrangements need to be agreed with suppliers in order for equipment, resources and services to be available when they are needed, based on the BIA (see 2 above). The current SLA with Capita (ICO's outsourced IT supplier) has systems, services and application recovery times defined. However, we understand these were established before the current BCP was written, and in some cases the expected recovery times differ from those outlined in the BCP, for example:
- REPORT NET (MIS): 10 days (3 days in BCP)
- KOFAX (Scanning): 10 days (3 days in BCP)
- CIPHR (HR system): 3 days (absent from BCP)
There is a risk that Capita may not recover systems in the timeframe currently required by the ICO.

Proposed action
a) Following the BIA (above), once maximum tolerable periods of disruption to activities have been assessed, the systems and applications that support these need to be documented within the BCP.
b) Timeframes for recovery of the systems then need to be agreed with Capita to ensure that they will be able to recover these systems in the required timeframe. This may result in additional costs, as the recovery is not built into the current contract.
c) The SLA then needs to be amended to reflect the recovery requirements which are in line with the revised BCP.

Agreed action (Date / Ownership)
Agreed. Using the output from the BIA, the priorities for recovery of systems will be revised within the IT DR schedule. Based on the most recent IT DR test (Jul 2011) it is expected that all systems will be restored within 2-3 days. This timeframe will be used in the review of the BIA. Should either the time to recover or the number of users able to use the systems change, then the existing DR provision will need to be revisited and may result in increased costs, although it may be the case that the current DR is over-provisioned.
Date effective: July 2012. Owner: Head of IT.

2.3 Create strategy

4. Alternative accommodation (Medium)

Finding and implication
When creating a business continuity strategy, there needs to be consideration of the people, premises and technology required to achieve the mission critical activities. For the MCAs, the minimum levels of staff needed to fulfil these requirements and the resulting accommodation requirements have not been defined. Should Wycliffe House be lost or become unavailable, there is only a verbal agreement with the landlord (Emerson) that alternative accommodation in the area will be provided, if available. There is an IT disaster recovery site (provided by Sunguard, a specialist IT recovery services provider) with ten desks and workstations. However, this facility is only available for four weeks and its primary function is to allow the recovery of the IT infrastructure. The ICO has in the order of 30 laptops which could be redeployed and thereby reduce the need to replace desktop equipment. However, a procedure for this is not included in the BCP. There is a risk that without the minimum staffing requirements being defined and alternative accommodation being available, the ICO will fail to deliver its MCAs in the event of a disaster.

Proposed action
a) ICO should determine the minimum staffing requirements in order to carry out its key objectives, both in the initial recovery phase and throughout the recovery process.
b) Once these minimum requirements have been established, an alternative accommodation strategy needs to be developed. This could be achieved through re-allocation of Regional Office space, arrangements for accommodation within other government departments (often through a reciprocal arrangement) or a formal agreement with the current (or possibly another) landlord for alternative accommodation.
c) ICO should determine whether a strategy of re-deploying laptops is appropriate, and/or make alternative provisions for the use of critical staff.

Agreed action (Date / Ownership)
The ICO is happy with the current arrangements; however, as part of the review the group will undertake more work to formalise our approach and build in a review period for our arrangement with Emerson to ensure that it remains feasible in the event of economic climate change. The group will also be asked to consider the option to arrange a reciprocal arrangement with other organisations. It is agreed that the BCP could build in more detail about meeting space available to rent.
Date effective: Review to be completed by 30 April 2012. Owner: Simon Entwisle.

2.4 Training and awareness

5. Staff training (Low)

Finding and implication
Training programmes need to be implemented to educate staff about the BCP, the scope of the plan and the procedures they will be expected to follow. Although some staff from the Operations Directorate have attended government seminars on business continuity and disaster recovery, there has been no other training for management or staff. Business continuity does not have as high a profile within ICO as some other policy areas. Other, more high-profile areas of policy such as Equality and Diversity are also accompanied by compulsory training. There is a risk that without on-going training in support of policies and procedures, staff will be unaware of what to do in the event of a disaster. Raising the profile of business continuity and disaster recovery within ICO can only be achieved through management endorsement and awareness training.

Proposed action
a) ICO should develop a training or awareness programme in order to educate staff about business continuity and their responsibilities.
b) Any training programme should be supported by senior management to ensure staff have sufficient time and materials for the process to be effective. Training and awareness can take many forms, including seminars, workshops, video presentations, individual training sessions and e-learning.

Agreed action (Date / Ownership)
The ICO is on the MoJ BC forum distribution list and carries out an annual test of the BCP to help to raise awareness at a senior level. There may be a decision to be made at ET level as to the extent to which the ICO wants to train staff on BC. It is proposed that the BC group would establish BC champions who could raise awareness/provide training at directorate level.
Date effective: Review to be completed by 30 April 2012. Owner: Simon Entwisle.

2.5 Maintenance and testing

6. IT disaster recovery tests (Low)

Finding and implication
A key area that ensures successful execution of a business continuity plan is thorough testing. Tests are designed to record lessons learnt and the likely recovery time. Once established, an organisation should review the outcome of the test to confirm that it meets its requirements. If this is not the case, the strategy or recovery processes should be amended. A desktop test of the BCP was carried out in April 2011 and its findings documented. A separate ITDR test was carried out in July 2011 over two days. However, two days was insufficient time to recover four systems (CMEH, Meridio, Exchange and DUIS) and the test was not extended beyond the two days. All these systems had a stated requirement for recovery within 3 days in the BCP; however, it is not known whether they can be recovered on time, because the recovery was not completed within the two-day test window. There is a risk that, due to the time limitations on testing, ICO cannot be certain that these systems can be recovered within the required timeframe.

Proposed action
a) ICO, with Capita, should repeat the ITDR test to allow full recovery to take place for each system. The actual time taken to recover each system should be recorded, reviewed against the strategy and any corrective action taken to achieve recovery objectives or amend the strategy.

Agreed action (Date / Ownership)
The July 2011 DR test did not restore all systems completely. However, during the test the question of whether to allow all restores to continue to a full restore was discussed. It was agreed that the test had demonstrated that applications were being restored and that these were operable. Sufficient data had been obtained to be able to project the length of time the restore of each application would take. On this basis the DR test was stopped. A subsequent review deemed the test to have been successful. The lessons learned from the DR test identified several bottlenecks which have been addressed. No repeat of the DR test is considered necessary. The next one will be summer
Date effective: This action to be closed. Owner: Head of IT.
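The reconciliation that findings 3 and 6 call for, shown as an added worked example (not the report's, the ICO's or Capita's own tooling): for each system it compares the BCP recovery target with the supplier SLA and classifies what the last DR test actually proves, distinguishing "not recovered in a window shorter than the target" (no evidence either way) from a genuine miss. The SystemRecovery fields, status names and the None entries for figures the report does not give are assumptions; the named figures are those cited in findings 3 and 6.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SystemRecovery:
    """One system's recovery figures in days; None means 'not defined/recorded'."""
    name: str
    bcp_target_days: Optional[float]            # recovery time the BCP requires
    sla_days: Optional[float]                   # recovery time contracted with the IT supplier
    test_window_days: Optional[float] = None    # how long the last DR test was allowed to run
    test_actual_days: Optional[float] = None    # measured recovery time; None if not completed


def sla_gap(s: SystemRecovery) -> List[str]:
    """Return the contractual gaps between the BCP requirement and the supplier SLA."""
    issues: List[str] = []
    if s.bcp_target_days is None:
        issues.append("absent from BCP: no recovery requirement stated")
    if s.sla_days is None:
        issues.append("no SLA recovery time recorded")
    if (s.bcp_target_days is not None and s.sla_days is not None
            and s.sla_days > s.bcp_target_days):
        issues.append(
            f"SLA recovery time {s.sla_days:g}d exceeds BCP target {s.bcp_target_days:g}d")
    return issues


def dr_test_evidence(s: SystemRecovery) -> str:
    """Classify what the last DR test proves about meeting the BCP target.

    proven   - recovered within the BCP target
    missed   - recovered later than the target, or not recovered although the
               test ran at least as long as the target
    unknown  - test stopped before the target elapsed, so it proves nothing
               either way (the situation the two-day July 2011 test produced)
    untested - no DR test recorded
    """
    if s.test_window_days is None and s.test_actual_days is None:
        return "untested"
    if s.bcp_target_days is None:
        return "unknown"          # nothing to measure against
    if s.test_actual_days is not None:
        return "proven" if s.test_actual_days <= s.bcp_target_days else "missed"
    # Test ran, restore not completed: only a miss if the window covered the target.
    if s.test_window_days is not None and s.test_window_days >= s.bcp_target_days:
        return "missed"
    return "unknown"


def reconcile(systems: List[SystemRecovery]) -> Dict[str, dict]:
    """Per-system gap report; 'ok' only when there is no SLA gap and recovery is proven."""
    report: Dict[str, dict] = {}
    for s in systems:
        issues = sla_gap(s)
        evidence = dr_test_evidence(s)
        report[s.name] = {"issues": issues, "evidence": evidence,
                          "ok": not issues and evidence == "proven"}
    return report


# Constructed sample. The first three rows use the figures cited in finding 3.
# The last four systems were not fully restored in the two-day July 2011 test
# (finding 6); their SLA times are not given in the report, so sla_days is
# None here (an assumption for illustration, not a figure from the report).
SYSTEMS = [
    SystemRecovery("REPORT NET (MIS)", 3, 10),
    SystemRecovery("KOFAX (Scanning)", 3, 10),
    SystemRecovery("CIPHR (HR system)", None, 3),
    SystemRecovery("CMEH", 3, None, test_window_days=2),
    SystemRecovery("Meridio", 3, None, test_window_days=2),
    SystemRecovery("Exchange", 3, None, test_window_days=2),
    SystemRecovery("DUIS", 3, None, test_window_days=2),
]


def main() -> None:
    for name, row in reconcile(SYSTEMS).items():
        status = "OK " if row["ok"] else "GAP"
        print(f"{status} {name:<18} evidence={row['evidence']:<8} {'; '.join(row['issues'])}")


if __name__ == "__main__":
    main()
```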

7. Backup tests (Low)

Finding and implication
Organisations should have backup arrangements in place based on the importance of systems and related data, and the frequency of data changes. For effective system recovery, the most recent backups should be stored off-site, in line with good practice. Regular tests of backups should be undertaken to ensure their reliability. In addition, there should be periodic tests of full system recovery. There is some ad-hoc recovery of single files and folders to satisfy requests from users. However, there is currently no formal test plan in place. The Capita SLA states that a test must be carried out every three months to demonstrate that data and information can be successfully recovered from backups, but this has not been done since changes were made to the IT infrastructure in early
The Senior IT Service Manager stated that the intention was to implement a rolling recovery programme to ensure each server would be tested once within a 12-month period. At the time of the review, the rolling programme was not in place and it was uncertain when it would be. There is a risk that without testing of backups the ICO may be vulnerable to data loss in the event of a disaster or hardware failure, as recovery may not be possible.

Proposed action
Management should implement a schedule of recovery tests to provide assurance that systems and data could be recovered in the event of a disaster.

Agreed action (Date / Ownership)
This is a very minor point. The audit notes that there are ad-hoc requests to restore files for users; this happens every 2-3 months. A check has been added to the monthly IT schedule: it is to review when the last restore was made and request one if no restore has been made for three months. Data backups for all systems and data are taken on a daily basis and 2 copies are produced. One is retained on-site and one tape is sent off-site for storage at Iron Mountain, where a rolling 2 months of data is retained.
Date effective: Added to IT calendar; action complete. Owner: Head of IT.

2.6 Communications

8. Telecommunications (High)

Finding and implication
When creating a business continuity strategy, the communication requirements (for voice and data) needed to restore mission critical activities must be established. The ICO deals with calls and enquiries from the public, and we would expect telecommunications to feature within the business continuity arrangements. Telecommunications are not included in the BCP or ITDR plan, and therefore the time it would take to recover voice and data networks has not been established. There are ten phones at the ITDR site, although this site is primarily designed for IT use when recovering IT systems. Some staff have ICO mobile phones which could be utilised during an incident. However, no formal plans are in place to confirm the number of telephones required or the data communication requirements in the event that the ICO office was unavailable. There is a risk that the ICO would not be able to take telephone enquiries from the public, colleagues or its suppliers in the event of a disaster.

Proposed action
a) As part of the BIA and strategy creation, telecommunication requirements to support the MCAs should be defined and contingency arrangements put in place.
b) Emergency telecommunications should also be factored in to future business continuity tests.

Agreed action (Date / Ownership)
Agree telephone requirements to be included in BIA. The existing arrangement is to transfer the main 0300 and Press Office numbers through BT. The Press Office number is redirected every time work is undertaken on the phone system. The main 0300 number will be tested as a part of the next IT DR test.
Date effective: September 2012. Owner: Head of IT.

9. Communications planning (Low)

Finding and implication
Controlling communications to the public and stakeholders is essential to managing any crisis. Contact details of relevant stakeholders and suppliers are contained within the BCP and there is a cascade system for communication to staff. However, whilst messages that need to be sent to different audiences have been drafted (for the public as well as for friends and family), best practice would be to have all key messages relating to the different incidents and target audiences in place. Internal and external messages need to be properly vetted by management in order to ensure that the correct message is sent to the appropriate recipients. The two messages that currently exist relate to public messages via website or e-mails, and a statement for friends and family. The messages contained within the BCP are as follows:

"Due to a fire / explosion / incident at the offices of the ICO in xxx, we may be unable to respond to any new queries or ongoing cases within our usual timescales. (We can assure you that all members of staff are safe and that no-one has been injured). (At this time we have no reports of any injuries to visitors or staff). The management of the incident is being handled by the emergency services / our own staff who are working to a well developed and practised plan. There will be a further statement as soon as more information is available."

and

"At present we have no information regarding xxxx. As soon as he / she arrives at xxxx hospital where all patients and staff from offices are being treated, I will ensure that you are informed. Please can you let me have your name and a telephone number where you can be reached."

There is a risk that poor communication during a disaster scenario may lead to reputational damage to the organisation through conflicting messages to the press and public, or that staff may not be clear what is expected of them.

Proposed action
The existing messages need to be further developed so they can be used for most scenarios. Messages need to be for specific audiences and may need to be drafted for different media (out-of-office message and voicemail, as well as press statements and responses to enquiries).

Agreed action (Date / Ownership)
The ICO will review the current messages.
Due date: April 2012. Owner: Simon Entwisle.

2.7 Integrate with third parties

10. GSI connection (Medium)

Finding and implication
It is good practice for business continuity plans to include any dependencies on third-party organisations such as suppliers of IT or alternative facilities and other government departments. The disaster recovery site (Sunguard) is available to ICO for four weeks following a disaster at Wycliffe House in order to re-establish IT systems. Should the GSI connection to Wycliffe House be lost, a new GSI connection would take longer than four weeks to be reinstated at a different location. There is currently no contingency within the plan for an alternative GSI connection.

Proposed action
a) ICO should discuss with Capita and Energis (the GSI contractor) to determine the actual timeframe for re-establishment of a GSI connection should connectivity to Wycliffe House be lost. This needs to be reflected within the revised BCP.
b) Contingency arrangements should be developed for accessing GSI resources during an outage, whether this be via regional offices or other government departments.

Agreed action (Date / Ownership)
The GSI contract has SLAs that apply across all government customers; these will be added to the BCP. The BIA will establish whether contingency access to GSI is required. Further investigation will be undertaken on what a non-GSI connection would be used for and what the security restrictions would be.
Date effective: April 2012. Owner: Head of IT.

A Internal audit approach

Approach
Our audit was carried out in accordance with the guidance contained within the Government's Internal Audit Standards and the Auditing Practices Board's Guidance for Internal Auditors. We also had regard to the Institute of Internal Auditors' guidance on risk-based internal auditing (2005). Our internal audit approach is based upon the underlying principles of the Combined Code on Corporate Governance together with the associated Turnbull Committee guidelines on internal control (2005), which require management to identify, assess and manage the risks that are significant to the achievement of the organisation's overall business objectives. We also had regard to the HM Treasury Management of Risk Guidance (2001). Our role as internal auditor is to provide objective and independent assurance to the Audit Committee and management that it is doing so successfully for each of the areas being audited. Our aim in completing this audit was to ensure that ICO has appropriate arrangements in place to identify, manage and report on risk. We achieved our audit objectives by:
- meeting with key staff to gain an understanding of the arrangements in place, building upon the information we had already gained through our audit planning process;
- identifying the key risks and the management controls to mitigate the risks, and evaluating the effectiveness of the controls identified; and
- reviewing key documents in support of the above processes.
The findings and conclusions from this review will support our annual opinion to the Audit Committee on the adequacy and effectiveness of internal control arrangements.

Responsibilities
It is the responsibility of management to ensure that there are adequate controls and activities in place to ensure that the ICO's business objectives can be met and that the risks to the ICO are minimised. Based on the work we have carried out, we provide an objective assessment of the adequacy and effectiveness of controls and activities established by management to manage the identified risks to the ICO. During the course of our review we have conducted interviews and, where necessary, testing/verification work to support our assessment of the adequacy and effectiveness of current arrangements. It is our reporting protocol to balance our reporting of positive practice with areas for attention. This enables the ICO to build upon its strengths, whilst focusing upon key findings and associated recommendations which, if acted upon, should enhance the control environment and improve the management of key risks. This report is part of a continuing dialogue between the ICO and ourselves. For this reason, we do not consider it appropriate for the report to be made available to third parties. Nor do we accept responsibility for any reliance that third parties may place upon the report.

Please refer to our letter of engagement for full details of responsibilities and other terms and conditions.

Scope

Our review considered the following areas/sub risks:
- Business continuity plans (BCP) may not accurately reflect the current nature and structure of the organisation, resulting in a failure to maintain business operations in the event of a disaster;
- Risk assessment and impact analysis may be insufficient, leading to a plan which is not fit for purpose;
- Communication, awareness and training may be insufficient, leading to failure to implement the plan in the event of a disaster; and
- IT disaster recovery plans may not be embedded in the overall business continuity plan, leading to IT systems not being able to support the resumption of operations.

Additional information

Locations
The following locations were visited during the course of this review:
- Wycliffe House (Head Office), Wilmslow

Client staff
The following staff were consulted as part of this review:
- Emma Dean, Senior Operations Support Manager
- Paul Arnold, Head of Customer Contact
- John Rackstraw, Senior IT Service Manager

Documents received
The following documents were received during the course of this audit:
- Business Continuity Plan (v2.3 July 2011)
- Organisation Chart
- ICO Business Continuity Plan Test and Review Results (07 April 2011)
- Capita ITS - ICO Disaster Recovery Post Test Report (26 August 2011)
- ICO Retention Schedule (information asset list)
- Capita SLA extract - Business Continuity Service
- Capita SLA extract - Data Backup, Data Retrieval and Data Retention Policy
- Capita SLA extract - Penalties
- Iron Mountain information (extract from

B Definition of internal audit ratings

Internal audit opinion

Each opinion is given separately for design effectiveness (whether the controls are suitably designed) and operating effectiveness (whether the controls were operating during the period under review), and each is rated as follows.

Rating: No opinion can be given
Design effectiveness: We have not been able to form an opinion on whether the internal controls examined have been designed to achieve the risk management objectives required by management.
Operating effectiveness: We have not been able to form an opinion on whether the internal controls examined were operating to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

Rating: Green
Design effectiveness: Overall, we have concluded that, in the areas examined, the risk management activities and controls are suitably designed to achieve the risk management objectives required by management.
Operating effectiveness: Those activities and controls were operating with sufficient effectiveness to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

Rating: Amber
Design effectiveness: Overall, we have concluded that, except for the specific weaknesses identified by our audit, in the areas examined, the risk management activities and controls are suitably designed to achieve the risk management objectives required by management.
Operating effectiveness: Except for the controls listed below, those activities and controls that we examined were operating with sufficient effectiveness to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

Rating: Red
Design effectiveness: Overall, we have concluded that, in the areas examined, the risk management activities and controls are not suitably designed to achieve the risk management objectives required by management.
Operating effectiveness: Those activities and controls that we examined were not operating with sufficient effectiveness to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

Audit issue rating

Within each report, every audit issue is given a rating. The ratings are summarised below.

Rating: High
Description: Findings that are fundamental to the management of risk in the business area, representing a weakness in control that requires the immediate attention of management.
Features:
- Key control not designed or operating effectively
- Potential for fraud identified
- Non compliance with key procedures / standards
- Non compliance with regulation

Rating: Medium
Description: Important findings that are to be resolved by line management.
Features:
- Impact is contained within the department and compensating controls would detect errors
- Possibility for fraud exists
- Control failures identified but not in key controls
- Non compliance with procedures / standards (but not resulting in key control failure)

Rating: Low
Description: Findings that identify non-compliance with established procedures.
Features:
- Minor control weakness
- Minor non compliance with procedures / standards

Rating: Improvement
Description: Items requiring no action but which may be of interest to management, or best practice advice.
Features:
- Information for department management
- Control operating but not necessarily in accordance with best practice

C Business continuity planning process based on accepted best practice

1. Initiation
Get a sponsor, authority, scope and funding.

2. Risk analysis
Considerations: natural threats; man made threats; prior warnings; no warnings.
Document and prioritise current risks (these include natural and man made disasters and scenarios).

3. Business impact analysis
Considerations: current processes; critical success factors; key performance indicators.
Develop a low level business process blueprint; determine what is needed to sustain the business (both in the recovery phase and ongoing).

4. Create strategy
Considerations: timeline; milestones; methods.
Using the risk analysis and business impact analysis, formulate a possible strategy based on facts and assumptions in evidence (this can have a number of courses of action dependent on the scenario).

5. Emergency response
Considerations: incident commander; emergency operations centre.
Integrate the planned strategy with emergency response procedures. Set activation criteria for when to invoke the plan.

6. Plan creation
Considerations: organise and structure the plan; assign teams, roles and responsibilities; catalogue procedures.
Create and organise the plan, including personnel assignment and detailed procedures.

7. Training and awareness
Considerations: leadership; skills; specific processes.
Teach individuals the skills to perform their role in the BC/DR plan. Educate the organisation about the plan and what to do.

8. Maintain and test
Exercise types: desktop; modular; functional; parallel; full.
People must practise their roles to gain proficiency. Test to ensure the plan is fit for purpose and up to date, using structured exercises to identify deficiencies.

9. Communications
Internal: teams, stakeholders, unaffected units. External: public.
Public, employees and stakeholders. Plan communications in advance; poor communication can be more damaging than the disaster. Plans include an uninterruptible communication system.

10. Integrate with third parties
Considerations: government; business partners.
Integration with suppliers, clients, emergency services and other government departments.

D Business continuity planning cycle based on accepted best practice

(Diagram of the planning cycle; not reproduced in this transcription.)

Grant Thornton UK LLP. All rights reserved. "Grant Thornton" means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd ('Grant Thornton International'). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication.


More information

Update from the Business Continuity Working Group

Update from the Business Continuity Working Group 18 June 2015 Performance and Resources Board 14 To note Update from the Business Continuity Working Group Issue 1 The Business Continuity Working Group oversees the development, maintenance and improvement

More information

Business Continuity Management Policy and Framework

Business Continuity Management Policy and Framework Management Policy and Framework Version: Produced by: Date Produced: Approved by: Updated: 7 University Manager with the assistance of the Operational Group 11 th March 2010 Steering Group (14 December

More information

Emergency Response and Business Continuity Management Policy

Emergency Response and Business Continuity Management Policy Emergency Response and Business Continuity Management Policy Owner: John Duffy, Registrar & Secretary Last updated: September 2012 Version: 04 Document control Date Version Author Changes To be populated

More information

BUSINESS IMPACT ANALYSIS

BUSINESS IMPACT ANALYSIS Introduction A Business Impact Analysis (BIA) is an assessment by the Business of the potential financial and non-financial impact of an outage. It is designed to define the basic requirements for the

More information

Business Continuity and Disaster Recovery Planning

Business Continuity and Disaster Recovery Planning Business Continuity and Disaster Recovery Planning Jennifer Brandt, CISA A p r i l 16, 2015 HISTORY OF STINNETT & ASSOCIATES Stinnett & Associates (Stinnett) is a professional advisory firm offering services

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

University of Glasgow. Business Continuity Management. Guidance Notes

University of Glasgow. Business Continuity Management. Guidance Notes University of Glasgow Business Continuity Management Guidance Notes 1 Contents Page 1 Introduction to Business Continuity Management 3 2 Roles and Responsibilities 4 3 Business Impact Analysis 5 4 Developing

More information

Business Continuity Plan

Business Continuity Plan Business Continuity Plan October 2007 Agenda Business continuity plan definition Evolution of the business continuity plan Business continuity plan life cycle FFIEC & Business continuity plan Questions

More information

BUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION

BUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION BUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION EXCERPT FROM THE FOREWORD TO THE 2ND EDITION The events of 9/11 have cast a long shadow over the world and led to a vital reappraisal of Enterprise Risk

More information

Manchester City Council

Manchester City Council Manchester City Council Accounts Audit Plan 2009/10 18 December 2009 Contents Page 1 Introduction 2 2 Approach and audit risks 3 3 Administration 13 4 Planned outputs 16 Appendices A B IFRS Action Plan

More information

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY AUTHOR/ APPROVAL DETAILS Document Author Written By: Human Resources Authorised Signature Authorised By: Helen Shields Date: 20

More information

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY Zurich Management Services Limited Registered in England: No 2741053 Registered Office The Zurich Centre, 3000 Parkway Whiteley, Fareham Hampshire, PO15 7JZ CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY

More information

WILTSHIRE POLICE FORCE POLICY

WILTSHIRE POLICE FORCE POLICY Template v4 WILTSHIRE POLICE FORCE POLICY BUSINESS CONTINUITY MANAGEMENT SYSTEMS (BCMS) Effective from: July 2013 Version: 2.0 Next Review Date: July 2015 POLICY STATEMENT Wiltshire Police has a statutory

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

APPENDIX 50. Enterprise risk management - Risk management overview

APPENDIX 50. Enterprise risk management - Risk management overview APPENDIX 50 Enterprise risk management - Risk management overview Energex regulatory proposal October 2014 ENTERPRISE RISK MANAGEMENT Risk Management Overview (RMO) 06 11 2013 Table of Contents 1. INTRODUCTION...

More information

Confident in our Future, Risk Management Policy Statement and Strategy

Confident in our Future, Risk Management Policy Statement and Strategy Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents

More information

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015 Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level June 9, 2015 By: Tracy Hall MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company,

More information

Company Management System. Business Continuity in SIA

Company Management System. Business Continuity in SIA Company Management System Business Continuity in SIA Document code: Classification: Company Project/Service Year Document No. Version Public INDEX 1. INTRODUCTION... 3 2. SIA S BUSINESS CONTINUITY MANAGEMENT

More information

Health Informatics Service Accreditation Manual. Assessment Process. May 2013, Version 1

Health Informatics Service Accreditation Manual. Assessment Process. May 2013, Version 1 Health Informatics Service Accreditation Manual Assessment Process May 2013, Version 1 Contents 1. Contacts... 2 2. Introduction... 3 3. Assessment principles... 6 4. Assessment outcome... 7 5. Planning

More information

Clinic Business Continuity Plan Guidelines

Clinic Business Continuity Plan Guidelines Clinic Business Continuity Plan Guidelines Emergency notification contacts: Primary Role Name Address Home phone Mobile/Cell phone Business Continuity Plan Coordinator QSP Business Continuity Plan Coordinator

More information

Update from the Business Continuity Working Group

Update from the Business Continuity Working Group 23 June 2014 Performance and Resources Board 19 To note Update from the Business Continuity Working Group Issue 1 The Business Continuity Working Group oversees the development, maintenance and improvement

More information

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

Section A: Introduction, Definitions and Principles of Infrastructure Resilience Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose

More information

NHS 111 National Business Continuity Escalation Policy

NHS 111 National Business Continuity Escalation Policy NHS 111 National Business Continuity Escalation Policy 1 NHS England INFORMATION READER BOX Directorate Medical Operations Patients and Information Nursing Policy Commissioning Development Finance Human

More information