NHS 24 - Business Continuity Strategy

Transcription

1 NHS 24 - Strategy Version: 0.3 Issue Date: 20/09/2005 Status: Issued for Board Approval Status: draft Page 1 of 13

2 Table of Contents 1 INTRODUCTION PURPOSE SCOPE ASSUMPTIONS BUSINESS CONTINUITY POLICY STATEMENT BCM ORGANISATIONAL FRAMEWORK BUSINESS CONTINUITY PLAN STRUCTURE RISK ASSESSMENT CORE BUSINESS CONTINUITY STRATEGIES BCP EXERCISE, TESTING, AND MAINTENANCE APPENDIX A KEY DEFINITIONS APPENDIX B SCENARIO CAUSES...13 Document Details Distribution: Name NHS 24 Board NHS 24 Executive Team Role Document Change Log Version Author Issue Date Comment 0.1 Graeme Newman 10 June 2005 First draft issued for internal review 0.2 Graeme Newman 27 July 2005 Second draft issued for internal review 0.3 Graham Dixon 20 September 2005 Amended after review Status: draft Page 2 of 13

3 1 Introduction 1.1 The NHS 24 service provides 24-hour confidential healthcare advice and information to the Scottish public. 1.2 Continued availability and stability of this service and the components that support it are critical to the long-term success of NHS 24 and to the welfare of the people of Scotland. 1.3 In order to manage this requirement a business continuity planning project has been launched; this document defines the organisation-wide strategy for the implementation of a coherent Management framework within NHS The design and implementation methodology is based on that outlined in the BS7799 standard for Information Security Management which encompasses the development of strategies and plans. 2 Purpose 2.1 This document is designed to provide a logical link between the Business Impact Assessment and associated Risk Assessment as defined in the BS7799 standard and the detailed operational Plans that will be designed to respond to each individual failure scenario. 2.2 Consequently, this document will form a critical component of the overall BCM framework and will meet the requirements identified within the audit reports issued by both PricewaterhouseCoopers and Audit Scotland. 2.3 Appendix A provides a glossary that will ensure consistent terminology is used throughout the organisation in reference to business continuity planning and its various elements. This will help improve understanding of the process and individual responsibilities within it. 2.4 The ultimate objective is the development of a comprehensive and coherent business continuity strategy to safeguard the NHS 24 service and protect the Scottish public. 3 Scope 3.1 The scope of this Strategy is as defined within the Business Impact Assessment. Any changes to the scope of the underlying business impact assessment should be immediately reflected within this document. 3.2 This scope definition should be maintained alongside the Information Security Management System (ISMS) Scope as defined within the ISMS Scoping Document. 3.3 The scope of this strategy will be restricted to the internal operations of NHS 24 and will not extend to the detailed plans that should be maintained by relevant partners and suppliers, except to ensure that a process is in place to enable the integration of NHS 24 plans with those of key partners and suppliers and maintain consistency across the wider NHS organisation. Status: draft Page 3 of 13

4 4 Assumptions 4.1 It is assumed that NHS 24 does not have any business continuity obligations under the Civil Contingencies Act 2004 (neither as a Category 1 nor a Category 2 responder) as the organisation is not a Health Board under the specific definition contained within the Act. 4.2 It is assumed that the key partners and suppliers of NHS 24 have responsibility for the development of their own business continuity plans and these will be made available during the planning process. These critical dependencies will be relied upon by NHS 24 and referenced within the BCP documentation and will be necessary in order to ensure an end-to-end solution. 5 Policy Statement 5.1 The NHS 24 Board and Executive Team are committed to the development and implementation of an organisation-wide Management framework. 5.2 The contents and structure of the Plan will be based upon the findings of an operational risk assessment and comprehensive business impact assessment. 5.3 The Plan will be designed to ensure the continued availability of all mission critical activities in the event of a major adverse incident. 5.4 The Plan will be tested on a periodic basis in order to ensure that the plans are effective and practical and to ensure a process of continuous improvement. 5.5 All members of NHS 24 staff will be made aware of the Plan and their role within it through a structured training and awareness programme. 5.6 The Plan will be continually kept up to date and maintained in order to ensure it remains relevant in light of changing circumstances, risks, and operational procedures. 6 BCM Organisational Framework 6.1 Within NHS 24 the Executive Team have direct responsibility and accountability for ensuring business continuity within the organisation. A single individual within this team should be given ultimate responsibility for business continuity and this currently sits with the Director of IT. 6.2 A Manager should be appointed to oversee the day-to-day development and operation of the BCM framework. It is their responsibility to co-ordinate the development and implementation of coherent Plans across the organisation (and partner / supplier networks) and report on progress to the Executive Team. This role is similar to that of the Emergency Planning Officer (EPO) that is normally a recognised position in each of the other Health Boards in NHS Scotland. 6.3 Individuals should be appointed within each Directorate as Planners. It will be their responsibility to develop the detailed operational Plans in line with the standards established in this high-level strategy and the requirements dictated by the Business Impact Assessment [Ref 1]. Status: draft Page 4 of 13

5 6.4 Other than the Manager / EPO, all of the positions highlighted within Figure 6.1 should be adopted by existing personnel within NHS 24 as an expansion of their existing functions. The Manager should be able to maintain an objective view across the organisation and is not focussed on one particular element (such as IT or Operations). 6.5 Together with the Manager, the Planners will form the Working Group. This group will have the responsibility of developing, implementing, and maintaining the NHS 24 Plans. 6.6 The Forum will represent the single source of all effort within the organisation and will meet on a monthly basis to develop plans, identify inter-dependencies and co-ordinate planning and testing efforts across departments and thereafter on at least a quarterly basis to ensure all documentation is kept up to date. This group will also serve as the forum for meeting with key partners and suppliers to ensure consistency and integration of end-to-end Plans. Figure 6.1: BCP Organisation Chart Status: draft Page 5 of 13

6 7 Plan Structure 7.1 It is important to note that the Plan is not a single, unified document, but a set of multiple operational plans and checklists designed to be used in the event of one or more BCP scenarios as defined in section The framework consists of further documents, including the Business Impact Assessment and Strategy, which must all be managed as an integrated, interdependent document set. Changes made in one document will nearly always necessitate changes in the subordinate documents. 7.3 All plans will be based on standard templates used across the wider NHS 24 organisation in order to facilitate ease of integration and simplify usage. 7.4 Figure 7.1 below depicts the major documents contained within the Management framework. Figure 7.1: BCM Framework Document Set 7.5 These documents will be owned by the Manager and will be maintained on a regular basis by the appointed Planners. 7.6 Working copies of all business continuity documentation will be stored on the main shared drive and also stored in hardcopy at each of the contact centres and Delta House. It will be the responsibility of the Manager to ensure that the hard copy documentation is kept up to date at all sites. Status: draft Page 6 of 13

7 Table 7.1: BCM Framework Document Set Ownership Document Title Document Description Document Owner Business Impact Assessment Strategy IT Risk Assessment Operational Risk Assessment High-Level Business Continuity Plan Training & Awareness Plan Test Strategy Business Unit Recovery Plans Contains detailed information relating to Mission Critical Activities and Recovery Objectives for these and their key dependencies. Outlines the high-level approach to implementing a Management framework within this organisation Details the major risks relating to the information systems within the business and recommends strategies for managing these risks This is a risk register maintained within the corporate services department that identifies and quantifies the key operational risks facing this organisation. Provides an overview of the major business continuity plans, identifies interdependencies and provides a call-out tree to navigate between documents. Details the plans for providing training and awareness sessions covering the BCP throughout the wider organisation. Details the strategy for testing the BCP in a live environment, including frequency of tests and volumes. Multiple detailed plans relating to the recovery of individual business units after a BCP event. These will include, for example, alternate manual processes required to maintain continuity in the event of a technology failure. Manager Manager IT Security Manager Risk Manager Manager Manager Test Manager Planners Status: draft Page 7 of 13

8 Emergency Communications Plan Disaster Recovery Plan Crisis Management Plan Test Plans Details the plans, procedures, and protocols required for communication both internally and externally during and after a BCP event. Provides detailed operational and technical procedures for the invocation of the technical disaster recovery solution. Provides key contact information for emergency services and relevant members of staff to be used in the event of a major crisis. Also focuses on procedures for events such as bomb / terrorism threats, including emergency evacuation procedures. Provides detailed, repeatable test scenarios for each individual BCP event. Communications Director IT Director Manager Test Manager 8 Risk Assessment 8.1 The fault tree depicted in Figure 8.1 provides a breakdown of the high-level failure scenarios that the BCP will be designed to respond to. 8.2 The BCP will not be designed to cover a scenario where there is more than one simultaneous failure of a contact centre as this has been deemed to be exceptionally low likelihood and would not be economical to plan for. 8.3 Appendix B provides a sample set of events that may give rise to each of the scenarios shown below. It is recommended, however, that the failure scenarios be managed by business continuity plans at the effect level (e.g. critical application failure) rather than the causal level (e.g. software bug). The operational risk process will focus upon reducing the likelihood of these effects by managing the potential causes. Status: draft Page 8 of 13

9 Figure 8.1: BCP Event Tree 8.4 The scenarios described within the end box of each branch of the tree will constitute the entirety of planned BCP scenarios. 8.5 It should be noted that the business continuity planning process must be closely aligned with the operational risk management process. The organisation s BCP will minimise the impact of the events described above, whereas, the operational risk management process will reduce the likelihood of the individual events occurring (where possible). Status: draft Page 9 of 13

10 9 Core Strategies 9.1 NHS 24 has been designed from the Blueprint stage onwards with resilience and business continuity in mind. In order to respond to the scenarios outlined above, the organisation will make use of the following core strategies: virtualisation, data disaster recovery, callback, and manual operating procedures. Virtualisation 9.2 The contact centre is based on a virtual model, passing calls seamlessly between three geographically disperse centres. It is not currently considered economically viable to plan for a scenario where multiple contact centres fail simultaneously. 9.3 Should there be a major failure at one of the contact centres calls can be immediately rerouted to the other two centres for an indefinite period. Call demand and operational capacity in the remaining centres will have to be carefully managed during this period to ensure a continuous service. Data Disaster Recovery 9.4 A data disaster recovery (DDR) facility has been developed that provides back-up system capacity in the event of a major IT failure. This facility is located at a separate contact centre over 200 miles from the primary site. 9.5 The central PRM database is replicated onto the DDR facility every 15 minutes in order to ensure continuity of data when the system is switched over. Call-Back 9.6 Call management techniques will be used at times of increased service demand or at times where operating capacity is unexpectedly below the anticipated levels. The primary techniques are national call-back and busy messaging. 9.7 National call-back is the process of placing all non-urgent calls into the First Advice Queue, where callers are called-back in priority order. This ensures a clinically safe way of reducing the burden on the service and ensuring that all serious calls can be dealt with despite reduced contact centre capacity. 9.8 Often used in parallel with national call-back, a busy message can be placed at the frontend of the system ensuring that only serious and urgent callers access the service during any BCP event, this will reduce the demand and protect vital resources. Manual Operating Procedures 9.9 In order to manage the cutover period during any major systems outage, comprehensive manual operating procedures have been developed in order to run the service from a paper-based system These procedures will allow the organisation to provide a continuous, clinically safe service in the event of any major systems failure. Status: draft Page 10 of 13

11 10 BCP Exercise, Testing, and Maintenance 10.1 Each element of the overall Plan should be tested in an operational context on at least an annual basis. Testing should be used to simulate each of the defined BCP scenarios at differing volumes of demand and system load The following techniques will be used to test the defined Plans: Desktop document review: a logical process walkthrough by experienced contact centre staff to ensure the completeness and integrity of proposed plans Software simulation: simulation of selected failure scenarios through a software model to test the integrity of proposed plans. This form of testing will be vital prior to conducting a fully functional test Work area recovery tests: a physical simulation of selected scenarios confined to defined work areas and specific continuity plans Fully functional testing: a full simulation of all major failure scenarios in a live environment in order to test the end-to-end business continuity process Results from these simulations should be used to further refine and improve the Business Continuity Plans and ensure they remain current in the changing business context. All plans should be reviewed at least annually even if there are no process improvements identified by the simulations The process of desktop reviews and work area recovery tests will be used as core training techniques to ensure that front-line staff are fully familiar with the processes and procedures to be used in certain failure scenarios. This learning will then be further reinforced during the fully functional tests, coupled with lessons learnt exercises after the event. Status: draft Page 11 of 13

12 11 Appendix A Key Definitions 11.1 Management (BCM): A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities Plan (BCP): A clearly defined and documented plan for use at the time of a Emergency, Event, Incident and/or Crisis (E/I/C). Typically a plan will cover all the key personnel, resources, services and actions required to manage the BCM process Business Impact Analysis (BIA): The management level analysis by which an organisation assesses the quantitative (financial) and qualitative (non-financial) impacts, effects and loss that might result if the organisation were to suffer a E/I/C. The findings from a BIA are used to make decisions concerning Business Continuity Management strategy and solutions Business Impact Resource Recovery Analysis (BIRRA): An assessment of the minimum level of resources e.g. personnel, workstations, technology, telephony required, overtime, after a E/I/C to maintain the continuity of the organisation s Mission Critical Activities at a minimum level of service / production. Generally considered to be part of a BIA it is an integral part of any subsequent resource Gap Analysis IT Disaster Recovery Plan: An integral part of the organisation s BCM plan by which it intends to recover and restore its IT and telecommunications capabilities after an event Level of (LBC): The minimum level of business continuity of services and/or products that is acceptable to the organisation or industry to achieve its business objectives that may be influenced or dictated by regulation or legislation Mission Critical Activities (MCA): The critical operational and/or business support activities (either provided internally or outsourced) without which the organisation would quickly be unable to achieve its business objective(s) i.e. services and/or products Operational Risk: The risk that deficiencies in information systems or internal controls will result in unexpected loss. The risk is associated with human error, system failures and inadequate procedures and controls Recovery Point Objective (RPO): The point in time to which data must be restored in the event of a business continuity emergency, event or incident. This dictates the maximum tolerable level of data loss Recovery Time Objective (RTO): An essential output from the BIA that identifies the time by which Mission Critical Activities and/or their dependencies must be recovered Risk Appetite: The willingness of an organisation to accept a defined level of risk in order to conduct its business cost-effectively. Different organisations at different stages of their existence will have different levels of risk appetite Single Point of Failure: The only (single) source of a service, activity and/or process i.e. there is no alternative, whose failure would lead to the total failure of a Mission Critical Activity and/or dependency. Status: draft Page 12 of 13

13 12 Appendix B Scenario Causes 12.1 The table below highlights some of the potential causes of the BCP scenarios described in Section 8. It is not intended to be a definitive list and is merely provided in order to demonstrate the breadth of risks that are covered by managing the identified scenarios. Table 12.1: Failure Scenarios Level 1 Effect Level 2 Effect Level 3 Effect Cause Failure of Contact Centre Facility Failure of Critical Technology Loss of Key Personnel Failure of Critical Supplier / Partner Failure of Building Services / Amenities Damage / Destruction of Buildings Critical Application Failure Incoming / Outgoing Telephony Failure - Air Conditioning Failure Power Failure Water Failure - Fire Flood Earthquake Bomb Explosion Terrorist Attack - Software Bug Unexpected Excess Demand Computer Virus Hack Attack Hardware Failure Network Failure Symposium / Meridian Failure PSTN Failure Software Bug Hardware Failure Supplier Liquidation Cable Damage Regional Power Blackout Unexpected Excess Demand - - Unexpected Excess Demand Mass Illness Absenteeism Industrial Action Severe Weather Failure of GP- OOH Co-op - Unexpected Excess Demand Staff Absent Failure of HNC - Denial of Service Attack Cable Damage Supplier Liquidation Hack Attack Status: draft Page 13 of 13