Business Continuity Plan Assessment Tool v1.0

Transcription

1 Appendix 5 Annex F To NSERP Business Continuity Plan Assessment Tool v1.0 Continuity Plan Assessment Tool v1.0.doc Page 1 of 17

2 Business Continuity Plan Assessment Tool v1.0 This tool is designed to assess an organization s business continuity plan. Assessment categories include 1) Plan Authority, 2) Plans, 3) Plan Resources, 4) Training, Exercising & Validation, and 5) Maintenance. The assessment process is focused at a non-detailed level and addresses what is considered to be key elements of the various categories. This tool was developed based upon: The EMO NS Business Continuity Management Guide v1.0 The Nova Scotia Draft Standard for Business Continuity Management The Business Continuity Institute 2007 Good Practice Guidelines How to Use This Document Key Issues / Questions Items which should be evident within the organization s business continuity plan. These may be considered a minimum standard to be compliant with what is expected of an organization s plan. Assessment Options (Y, P, N, NA). Y = The item exists. P = The item partially exists. N = The item does not exist. NA = The item is not applicable. Examples of evidence that would support a positive assessment - The examiner may use the examples listed in this column to support the selection of an appropriate assessment option and supporting comments if required. Comments Detailed explanation of findings identifying issues requiring attention. Recommendations Directions for plan improvement and compliance with established criteria. Continuity Plan Assessment Tool v1.0.doc Page 2 of 17

3 1.0 Plan Authority This section reviews plan authority. Any plan developed to support an effective response to a business continuity event requires the authority to do so. This authority must be provided from the most senior level of the organization and be evident within the process. Item Key Issues / Questions Y P N NA Examples of evidence that would support a positive assessment Has senior management provided the authority to support an effective response to a business continuity event? Senior management has provided authority by indicating the authorization to do so with a written statement and / or signature Has senior management assigned responsibility for a business continuity response to identified individuals in the organization? Is the authority for the business continuity plan and response clearly evident in the plan(s)? Individuals with various BCM response responsibilities have been identified within various response based documents where appropriate. Authority for the plan and response is written in each of the plan documents. Section 1.1 Comments: Section 1.1 Recommendations: Continuity Plan Assessment Tool v1.0.doc Page 3 of 17

4 2.0 Plans Providing for an effective response to an organization wide business continuity event may require the invoking of an organization s incident management plan, crisis communications plan and business continuity plan(s). This section reviews various aspects of the incident management plan, crisis communications plan and business continuity plan(s). The review for each section is at a non-detailed level and focuses on the major elements of the various plans The incident management plan defines how the strategic issues of a incident affecting the organization would be addressed and managed by the executive team. The crisis communications plan defines how communications with the key stakeholders will be managed. The business continuity plan addresses the business disruption, interruption or loss from the initial response to the point at which normal business operations are resumed. Continuity Plan Assessment Tool v1.0.doc Page 4 of 17

5 2.1 Incident Management Plan This section reviews aspects of the organization s incident management plan. Item Key Issues / Questions Y P N NA Examples of evidence that would support a positive assessment Does the organization have an incident management plan? The organization will show evidence of a written plan for use by senior management to respond to business continuity events Does the plan identify a senior management team member who has been appointed as the owner of the plan? A member of the senior management team has been identified within the plan as the owner. Typically this is the DM or some other senior official Have the scope and the objectives of the The scope and the objectives have been clearly identified. This will plan been identified? Are the people, roles and responsibilities of the incident management team identified within the plan? Are various all hazards and hazard specific plan options identified and addressed within the plan? Does the incident management plan identify contact lists for key employees, suppliers, service providers, etc.? Does the incident management plan have an operations centre identified? Does the incident management plan identify a reliable mechanism by which to communicate? Are the appropriate people aware of the incident management plan and are they identified? Does the incident management plan document the key personnel, resources, services and actions required to implement and manage a response? include what is covered by the plan and what is not. Each person who is on the IMT is identified in the plan along with their role and responsibilities. Plan is written from an all hazards approach. Addresses loss of facilities, IT, Data, staff, equipment, services, supplies, utilities. Addresses certain hazard specific options where required based on a TRVA. Contact lists for key employees, suppliers, service providers are included. Names, telephone numbers, cell numbers and fax numbers are listed. A place to setup and manage the emergency has been identified. A primary and alternate form of communications has been identified. A distribution list has been created. Each person on the list has been sent the most current version of the plan. Key personnel, resources, services and actions required to implement and manage a response have been clearly identified. Continuity Plan Assessment Tool v1.0.doc Page 5 of 17

6 Has the incident management plan been signed off by the senior management team? The senior management team has physically signed the document to indicate that they are aware of it and accept its contents. Section 2.1 Comments: Section 2.1 Recommendations: Continuity Plan Assessment Tool v1.0.doc Page 6 of 17

7 2.2 Crisis Communications Plan This section reviews aspects of the organization s crisis communications plan. The crisis communications plan defines how communications with the key stakeholders will be managed. The following assessment is based on a corporate crisis communications plan. Item Key Issues / Questions Y P N NA Examples of evidence that would support a positive assessment Does the organization have a crisis communications plan? A crisis communications plan has been written based upon the template created by Communications Nova Scotia Does the plan have stated goals / Goals and objectives of the plan are clearly stated. objectives? Are the crisis communications team members, roles and responsibilities identified and assigned? Crisis communications team members, roles and responsibilities have been identified and assigned. Names and contact information is found within the plan Are key spokespeople identified? Names of key spokes people, their contact info and subject matter expertise have been identified Does the plan identify/explain a situation A process to asses the situation has been identified in the plan. assessment procedure? Is a location for the team to operate identified within the plan? A physical space for the team to setup has been secured and identified in the plan Does the plan identify/explain a The plan describes a generic process to develop key messages for mechanism to develop key messages? Does the plan identify/explain procedures for informing internal and external audiences? Does the plan identify/explain the process for media monitoring? Does the plan identify/explain the process to deal with rumor control? Does the plan identify/explain a process to track activity? Does the plan identify/explain the process for follow-up and evaluation? an event. Internal and external audiences have been identified and procedure for getting key messages to each have been identified and documented in the plan. Media monitoring processes have been identified and documented in the plan. A process to deal with rumors has been identified and documented in the plan.?????have been identified and documented in the plan. A process for follow-up and evaluation has been identified and documented in the plan. Continuity Plan Assessment Tool v1.0.doc Page 7 of 17

8 Section 2.2 Comments: Section 2.2 Recommendations: Continuity Plan Assessment Tool v1.0.doc Page 8 of 17

9 2.3 Business Continuity Plan(s) This section reviews aspect of the organization s business continuity plan(s). It s assumed that most organizations will have multiple business continuity plans to support business resumption due to their size, complexity and geographic dispersion. A head office / regional office / satellite office structure may have independent plans at each location. Item Key Issues / Questions Y P N NA Examples of evidence that would support a positive assessment Does the organization have an all hazards business continuity plan(s) with an appropriate number of sub-plans to support the resumption of its most All hazards approach, specific hazards addressed, emergency management organizational structures, identified urgent programs/services. Addresses loss of staff, data, IT, services, utilities, equipment, supplies, major impacts to the organization. urgently required programs/services? Does the plan(s) identify urgently BCP lists urgently required programs/services, program/services required programs/services? Does the plan(s) identify action steps to resume urgently required programs/services? Does the plan identify the members and the roles responsibilities of the BCM Response Team? Does the plan(s) identify the owner/custodian of the plan(s)? Does the plan(s) identify its scope and objectives? Does the plan(s) identify/explain assumptions been documented? Does the plan(s) identify a document history? Does the plan(s) identify/explain a confidentiality notification? Does the plan(s) identify a distribution list? Does the plan(s) identify/explain a purpose statement? indicate resumption priority Discrete action steps to resume an interrupted service have been documented, easy to use, may be actionable by someone with appropriate knowledge/skills Each role and responsibility for the team is identified. Members of the team with contact info is identified, subject matter experts identified. Each plan has a named custodian with responsibility for the plan. Each plan has a clearly define scope which identifies the aspects of the organization covered by the plan. Plan assumptions are listed Document history including date, author, revision notes, other explanations of what has changed Underscores the importance of maintaining confidentiality of private information contained within BC plans List of who receives the documents and updates The purpose of the plan is stated and addresses the needs of the department in relation to it s overall BCP. Continuity Plan Assessment Tool v1.0.doc Page 9 of 17

10 Does the plan(s) identify a policy statement? Policy statement supporting the plan that provides for authority and direction on the plan Does the plan(s) identify/explain emergency response instructions? Instructions detailing who to call with regards to health, fire, policing or other situations requiring an emergency response from a first responding agency Does the plan(s) identify/explain an incident declaration process? Process to declare an incident as actionable under the scope of the BCP Does the plan(s) identify/explain a BCP Who is responsible for activating the BCP and what should they do activation procedure? Does the plan(s) identify/explain a notification procedure? Call tree identified, who should be notified of what when an event happens Does the plan(s) identify/explain reporting requirements? How internal reporting will happen, scheduled reports, who will receive what info Does the plan(s) identify/explain which programs / services which require an Identifies which programs/services require an alternate work place strategy due to their urgent status. alternate relocation strategy? Does the plan(s) identify/explain the alternate relocation strategy for those Detailed explanation of alternate work relocation strategy for those programs/services requiring one. programs / services that require one? Does the plan(s) identify/explain emergency services contact information? Contact numbers for emergency services providers and services they would be expected to supply Does the plan(s) identify/explain Employee contact lists are within the plan employee contact information? Does the plan(s) identify/explain supplier contact information? Supplier contact info is within the plan, names, telephone numbers, business names Does the plan(s) identify/explain how damage assessment will be handled? for damage assessment, overview of the process Does the plan(s) identify/explain occupational health and safety issues for OH&S issues, overview of the process may be addressed? Does the plan(s) identify/explain security issues may be addressed? for safety issues, overview of the security issues addressed Does the plan(s) identify/explain how IT issues may be addressed? for IT and disaster recovery, overview of the process Does the plan(s) identify/explain how Continuity Plan Assessment Tool v1.0.doc Page 10 of 17

11 telecommunications issues may be addressed? Does the plan(s) identify/explain how human resources issues may be addressed? Does the plan(s) identify/explain how finance issues may be addressed? Does the plan(s) identify/explain how legal / regulatory issues may be addressed? Does the plan(s) identify/explain how insurance issues may be addressed? Does the plan(s) identify/explain how salvage and restoration issues may be addressed? Does the plan(s) describe commonly used acronyms? Does the plan(s) identify/explain define key terminology? Have the plan(s) been signed off by the senior management team? for telecom issues, overview of the process, how phones will be redirected in case of emergency for HR issues, overview of the process, how HR issues will be addressed for financial issues, overview of the process, how financial issues will be addressed for legal/regulatory issues, overview of the process, how legal/regulatory issues will be addressed for insurance issues, overview of the process, how insurance issues will be addressed for salvage/issues, overview of the process, how HR issues will be addressed Commonly used acronyms are listed with their corresponding definition. Key terminology is listed and explained. Senior management has signed off on the plan. Section 2.3 Comments: Section 2.3 Recommendations: Continuity Plan Assessment Tool v1.0.doc Page 11 of 17

12 3.0 Plan Resources This section reviews aspects of the organization s business continuity plan resources. Resources need to be identified and must be accessible in support of the response to a business continuity event within the stated timeframes. A review of resources may be necessary in many areas. Some specialist resources may be required, both of equipment and personnel. Decisions are needed on competencies and skills required by staff and/or external specialists who may be used. Arrangements for mutual aid, for sharing specialist, knowledge, equipment, and for standardizing procedures and equipment between government organizations can increase cost effectiveness. Item Key Issues / Questions Y P N NA Examples of evidence that would support a positive assessment Are there clear procedures for authorizing business continuity event expenditures? Procedures for authorizing expenditures are documented. Names/positions of contact people are listed Do you have arrangements to ensure that contractors and/or other resources will, where relevant, support the organizations response to a BCM event, and be able to continue critical services in an business continuity event? Does the BCM plan identify the process for obtaining extra equipment/services in a major business continuity event? Are the resources required to respond to a business continuity event accessible within the stated timeframes? Is there a procedure for authorizing funds beyond a stated spending limit authority? Are mutual aid agreements/service level agreements in-place with partnering organizations? Is the authority to use specified resources stated? Are resource contact lists detailed in the plan? Procurement policy recognises the issue. Relevant contractors required to show adequate arrangements are in place. Advance arrangements made e.g. stand by contracts, other formal arrangements with suppliers, mutual aid. Regularly updated lists of suppliers and contact numbers, especially for after hours. RTOs are indicated Process identifies who is to be contacted and what must be documented to get access to additional funds MOUs / SLAs are included in document and signed by organization representatives. Statements form use of resources are explicit. Contact names and info for staff, suppliers, emergency response, etc. Continuity Plan Assessment Tool v1.0.doc Page 12 of 17

13 Section 3.1 Comments: Section 3.1 Recommendations: Continuity Plan Assessment Tool v1.0.doc Page 13 of 17

14 4.0 Training, Exercising and Validation This section reviews aspects of the organization s business continuity plan exercising and validation. Well designed exercises, plus reviews of how the business continuity event plan and procedures perform in actual incidents, are often the only way of testing plan outcomes. (Exercises are taken to include table top as well as live exercises). Exercises can act as a training activity as well as (but not always at the same time as) a method of plan validation, so it is important that the aims of any particular exercises are clear. External involvement in at least some exercise design, management and/or review is helpful. This gives an important external element of challenge. In addition the individual designing and running an exercise cannot effectively test their own reactions, which weakens the value of exercises if they are always run by a organization s own business continuity event management coordinator/planning team. There should always be a review/debrief after an exercise or incident, involving all players; and a organization/remo should be able to show that actions have been taken, if necessary, as a result of this. 4.1 Training Item Key Issues / Questions Y P N NA Examples of evidence that would support a positive assessment Do the plan(s) have a training strategy that covers all those who have responsibilities under business continuity management? Training needs analysis and records of trained staff. Training strategy. Structured annual training program. Program of continuous professional development for BCM coordinator and planning committee If individuals at your organization have a specialized skill/training in business continuity event management, with a regional application, do you have a process in place to ensure their training is current? Does your department training program align with provincial training program? Do you share training with partners and neighbouring organizations where appropriate? Are training opportunities promoted to individuals who may need the training and to their managers? Do you evaluate the quality and effectiveness of training provided? Training records. Formal arrangements with region. Shared personnel resources e.g. business continuity event site manager, business continuity event public information officer, EOC Manager etc. Discussed with provincial EMO training unit. Joint training timetables. Joint local training and exercises program. Program discussed with neighbouring departments. Shared training calendar. Appropriate advertising material (leaflets, posters, calendars etc). Aims set for training. Feedback sought from trainees and line managers on achievement of aims and on the quality of training. Continuity Plan Assessment Tool v1.0.doc Page 14 of 17

15 Section 4.1 Comments: Section 4.1 Recommendations: Continuity Plan Assessment Tool v1.0.doc Page 15 of 17

16 4.2 Exercising and Validation Item Key Issues / Questions Y P N NA Examples of evidence that would support a positive assessment Are all business continuity plans covered by a regular exercise program and subsequent debriefing? Rolling program of exercises for both all hazards plans as well as hazard specific plans. Notes from debriefing/review meeting held after every exercise Is there a system of quality control for exercises, including reviewing achievement against aims? Are the conclusions of exercises /incident debriefs used where relevant to improve plans? Feedback arrangements. Participant feedback covers aims and whether achieved and quality. Occasional external reviews. Notes of debriefing meeting after all exercises/incidents. Action plans. Section 4.2 Comments: Section 4.2 Recommendations: Continuity Plan Assessment Tool v1.0.doc Page 16 of 17

17 5.0 Maintenance This section reviews aspects of the organization s business continuity plan maintenance. Item Key Issues / Questions Y P N NA Examples of evidence that would support a positive assessment Does the plan(s) have a maintenance process? A plan maintenance process is identified within the plan documentation Does the plan identify/explain how it is Details on how the plan is to be maintained is evident. to be maintained? Does the plan(s) identify/explain who is the person/people to maintain it? The various individuals who are responsible for plan maintenance are identified Does the plan identify/explain the maintenance schedule and/or triggers? Plan updates are based upon a specific schedule and /or when certain trigger events occur such as staff change, technology update, etc. Section 5.1 Comments: Section 5.1 Recommendations: Continuity Plan Assessment Tool v1.0.doc Page 17 of 17