MGIC BUSINESS CONTINUITY PROGRAM




Mortgage Guaranty Insurance Corporation ("MGIC") and its affiliates recognize the importance of maintaining a viable business continuity strategy and have developed a comprehensive business continuity program ("Program") designed to prevent interruptions in business operations.

MGIC's Business Continuity Planning Process

Business continuity planning involves the entire company, including MGIC-Australia initiatives. The Program is reviewed and approved by MGIC's Board of Directors (or a Board committee) and by senior management. It is directed by the SVP Information Services/Chief Information Officer and the Vice President Information Services - Chief Information Security Officer, and is administered by two full-time certified Business Continuity Coordinators dedicated to the development, execution and ongoing testing of business continuity/recovery plans for all business units within MGIC, as well as the overall network and system infrastructure.

Funding for the Program is through the Information Services Department and covers internal corporate and external business continuity expenditures, including personnel, equipment and services that would be needed to prepare for and respond to a business interruption.

Plans are developed based on the full loss of MGIC's operational facilities, but also on the basis of a partial loss of such facilities. At the time of an incident, an assessment by the MGIC Management Incident Response Team (MIRT) may result in either a full or partial activation of the business recovery plan(s).

The highest-level business recovery team is the MGIC Management Incident Response Team (MIRT). The MIRT is responsible for driving the continuity initiatives for MGIC in the event of a business interruption, including damage assessment, declaration, direction and control for corporate communications, personnel and financial resource allocation, and implementation of the appropriate actions for response, recovery and restoration of MGIC's Critical business processes.

Example of a full activation: destruction of facilities within MGIC's headquarters where data processing and finance functions are conducted.

Example of partial activation: closing of a remote location due to environmental conditions, or loss of a business function caused by an isolated incident, requiring the relocation of personnel and services.

MGIC conducts Business Impact Analysis (BIA) to determine the Maximum Tolerable Outage (MTO) for each business process. The MTO is the maximum time a business process can remain unavailable before its loss starts to have an unacceptable impact on the goals or survival of the organization. Recovery plans, which include Recovery Time Objectives (RTOs), are developed and prioritized based on BIA results.

Recovery plans for Critical business processes are reviewed every two years or as needed in response to new or changing business unit requirements. Call trees and personnel contact lists are updated each quarter and tested at minimum on an annual basis using MIR3, MGIC's Emergency Notification Tool. Program funding requirements are reviewed periodically.

Critical business processes consist of, but are not limited to, those business processes which impact key customer relationships, generate revenue, or ensure compliance with contractual or regulatory requirements in a material respect.

Customer Communication following a Business Interruption Declaration

E-mails will be sent to all MGIC customer contacts in a timely fashion. Subsequently, information will be available by calling MGIC's Customer Service Department at 1-800-424-6442.

Program Objectives

The principal objectives of the Program are to:

- Recover MGIC's Critical business processes within 24 hours of a business interruption declaration.
- Satisfy obligations and commitments to safeguard the confidential information of MGIC, the customers, employees, and other business associates throughout the business resumption process.
- Minimize adverse financial consequences associated with an interruption of business operations.

Business Continuity Team Hierarchical Structure

Business continuity is based on a three-level team structure.

Level 1 Leaders (L1s), a.k.a. the Management Incident Response Team (MIRT), are responsible for overall management and direction of the Program and response to a business interruption. L1s are responsible for approving corporate-wide high-level strategy for business continuity and reporting on its status to executive management and the Boards of Directors of MGIC and its affiliates. They approve allocation of funds and resources for these purposes. At the time of a business interruption, they notify persons who need to be mobilized, declare or cancel the assessment of the business interruption, activate emergency responses and resolve questions that arise in the response to the business interruption.

Level 2 Leaders (L2s) are responsible for direction of the critical business processes if a business interruption is declared. L2s provide guidance in planning, promote awareness of the Program within MGIC, review and approve elements of planning and participate in testing the Program. At the time of a declaration, they assist the L1s in mobilizing resources and activating emergency responses.
Level 3 Leaders (L3s) are responsible for tactical planning and recovery of business processes if a business interruption is declared. L3s create business continuity plans for their teams, review their plans, participate in testing and establish priorities for recovery within their Critical business processes. At the time of a declaration, they mobilize team members, conduct recovery team meetings, prioritize recovery initiatives, support recovery efforts and report on their status within their areas of responsibility.

MGIC Command and Control (diagram below)

At the time of a business interruption declaration, Level 1 Leaders will organize into a command and control structure similar to the Incident Command System (ICS). The Incident Command System is a well-organized team approach for managing critical incidents. It has been in practice for over 35 years and is used today by Federal, State, County and local emergency response agencies. ICS is being widely adopted by the private sector.

MGIC uses a hierarchical team structure for business recovery marked by clear separation of duties, decision making and communication in order to maximize the efficiencies of the recovery teams.

The highest-level business recovery team is the Management Incident Response Team (MIRT). The MIRT is responsible for driving the recovery initiatives for MGIC in the event of a business interruption, including damage assessment, declaration, direction and control for corporate communications, personnel and financial resource allocation, and implementation of the appropriate actions for response, recovery and restoration of MGIC's Critical business processes.

The MIRT is led by the SVP Information Services/Chief Information Officer, who has primary responsibility for the Program, together with the Vice President Information Services - Chief Information Security Officer. Their primary roles and responsibilities include:

- Declare or cancel the assessment of the business interruption. MGIC will declare a business interruption when natural occurrences, technological problems or other emergencies interrupt the operations of a critical business process of MGIC, resulting in the time to resume the critical business process exceeding the Maximum Tolerable Outage (MTO) of that critical business process.
- Activation of the Emergency Operations Center (EOC). The EOC is a pre-defined location that is activated in a business interruption or emergency from which the overall command, control, communication and coordination are conducted.
- Supervision and management of the MIRT.
- Management and monitoring of overall recovery efforts.
- Authorization and prioritization of all recovery efforts.

Recovery Process

MGIC's goal is to recover all Critical business processes within a recovery time objective of 24 hours from declaration of a business interruption. Critical business processes consist of, but are not limited to, those business processes which impact key customer relationships, generate revenue, or ensure compliance with contractual or regulatory requirements in a material respect.

Business Recovery Plans are developed for all Critical business processes. Every three years a complete evaluation is undertaken to define these business functions within MGIC.

MGIC protects all electronic and hard-copy "Production" information for the purposes of recovering MGIC's Critical business processes in the event of a business interruption.

To ensure an uninterrupted power supply, MGIC has installed diesel-powered generators that take over within 15 seconds if a sub-standard power supply is identified.

Recovery Data Center - MGIC owns or leases all equipment necessary to recover MGIC's computing environment. This equipment is installed and in a rapid recovery state within a leading co-location hosting services company 90 miles from MGIC's Corporate Headquarters.

MGIC owns and maintains an Emergency Operations Center (EOC) as well as office-ready workspace which addresses the operational requirements for its Milwaukee-based workforce.
This workspace includes: desks, PCs, phones, printers, scanners, copiers, direct connectivity to the recovery data center and wireless access for additional connectivity.

Functional business recovery exercises are conducted at minimum on an annual basis, leveraging the office-ready recovery workspace connected directly to the co-location recovery center. Participants execute recovery plans that include the complete loss and recovery/continuation of MGIC's Critical business processes.

MGIC establishes an Emergency Operations Center in the event of a business interruption. MGIC's business recovery plan is developed to support three distinct phases of the business interruption: response; recovery; and resumption of business. (See diagram)

[Diagram: Phases of a Disaster. Phases: Response, Recovery, Resumption. Activities shown: Emergency Response; BCT Command and Control; Decision for Declaration; Invoke manual procedures for business continuance; Recover Critical Business Functions; Resume full daily activities of critical functions; Address non-critical business functions; Address migration or return to permanent facility. Timeline markers: Event occurs; Declaration; Critical Functions operational w/current date; RTO - Recovery Time Objective.]

Business Interruptions at a Customer's Location

An event could interrupt business operations of the customers of MGIC and its affiliates, consisting of mortgage lenders and servicers. The insurance operations of MGIC and its affiliates do not involve direct contact with borrowers whose loans are insured or require physical presence at the insured's property. Therefore, MGIC does not need to deliver personnel, equipment or other resources to the site of a customer's business interruption.

MGIC's contacts are almost entirely with lenders which submit loans for insurance and loan servicers who collect mortgage payments and handle and report to MGIC defaults and foreclosures. Those servicers remit premiums to MGIC and report the status of the loan default to MGIC primarily by electronic means, but they can also remit premiums by other methods of payment and report and communicate with MGIC by mail, fax, phone and other customary forms of delivery. MGIC communicates with lenders and servicers and makes claim payments by electronic means, but also by the other above-mentioned means customarily used.

MGIC's internal operations at its corporate headquarters and remote field facilities would continue after an event affecting a customer because they are independent of the event impacting the customer. These operations include fraud investigation, claims, premium processing, and underwriting.

In particular, MGIC could conduct fraud investigations even after an event affecting a customer in substantially the same way it conducts them before the event, because they are conducted primarily on the basis of files and information available at MGIC's offices and incidentally by direct contacts with customers and other persons and public records. Those contacts generally can be conducted as described above by various means that should remain available even if the customer is affected by an event. Fraudulent activities can then be reported to regulatory authorities under MGIC's current procedures.

Impacted customers can leverage numerous pre-existing communication methods offered by MGIC to continue business (i.e., internet, fax, traditional mail, electronic mail and telephones).

BUSINESS CONTINUITY PROGRAM (6/15) - ljm