Information Security Policy. Chapter 11. Business Continuity



Similar documents
Business Continuity Management

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Guidance Note XGN XXX.1

Business Continuity Management Policy

1.0 Policy Statement / Intentions (FOIA - Open)

Business continuity management and planning

Risk Management & Business Continuity Manual

DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY

How To Manage A Disruption Event

Update from the Business Continuity Working Group

Smart Meters Programme Schedule 8.6. (Business Continuity and Disaster Recovery Plan) (CSP North version)

Principles for BCM requirements for the Dutch financial sector and its providers.

BUSINESS CONTINUITY MANAGEMENT FRAMEWORK

Risk Management Guidelines

Information Services IT Security Policies B. Business continuity management and planning

Business Continuity Planning and Disaster Recovery Planning

Introduction UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT

AUDIT GUIDELINES FOR SCHOOL DISASTER RECOVERY PLANNING

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

Guideline - Business Continuity Plan

Prudential Practice Guide

Departmental Business Continuity Framework. Part 2 Working Guides

BUSINESS CONTINUITY POLICY

Business Continuity Planning Manual. Version 1

Business Continuity Policy and Business Continuity Management System

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Four

PBSi Business Continuity Planning

Operational Risk Publication Date: May Operational Risk... 3

Essex Clinical Commissioning Groups. Business Continuity Management System. Scope and Policy

BUSINESS CONTINUITY MANAGEMENT POLICY

#316 The Security Elements of Business Continuity & Disaster Recovery Plans

How to Exercise a Business Continuity Plan (BCP)

Disaster Recovery Policy

WEST YORKSHIRE FIRE & RESCUE SERVICE. Business Continuity Management Strategy

Desktop Scenario Self Assessment Exercise Page 1

Business Continuity Policy. Version 1.0

Business Continuity Policy

BUSINESS CONTINUITY MANAGEMENT IN THE PUBLIC SECTOR A ROUGH GUIDE

Business Continuity Planning

Business Continuity (Policy & Procedure)

BUSINESS CONTINUITY PLAN

Business Continuity Management

Emergency Response and Business Continuity Management Policy

Update from the Business Continuity Working Group

NOT PROTECTIVELY MARKED BUSINESS CONTINUITY. Specialist Operations Contingency Planning Business Continuity Manager

Guidelines 1 on Information Technology Security

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

39 GB Guidance for the Development of Business Continuity Plans

Business Continuity Plan

CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard

University of Sunderland Business Assurance Information Security Policy

Supervisory Policy Manual

University of Glasgow. Business Continuity Management. Guidance Notes

Business Continuity Plan

Business Continuity Business Continuity Management Policy

Prudential Practice Guide

Incident Management Policy

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

Business Continuity Management and BS by Steve Chan, Head of Training - HK, BSI Management Systems

IT Disaster Recovery Plan Template

<Client Name> IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

LFRS Business Continuity Planning

Overview TECHIS Manage information security business resilience activities

Business continuity plan

External Supplier Control Requirements BCM

Strategic Alliance. Business Continuity Policy

Offsite Disaster Recovery Plan

Shepway District Council Risk Management Policy

PAPER-6 PART-4 OF 5 CA A.RAFEQ, FCA

Business Continuity Management Policy

University of Brighton School and Departmental Information Security Policy

The PNC Financial Services Group, Inc. Business Continuity Program

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery

BCP and DR. P K Patel AGM, MoF

Business Continuity Plan Toolkit

How To Ensure That Sovini Is A Successful Business

ICT Contingency Plan Top Level Plan

Business continuity management policy

How To Manage A Business Continuity Strategy

Business Continuity. Is your Business Prepared for the worse? What is Business Continuity? Why use a Business Continuity Plan?

AUDIT OF INFORMATION TECHNOLOGY Management (Action Plan) Responses February 2005 # PRIORITY DESCRIPTION MANAGEMENT RESPONSE

NHS 24 - Business Continuity Strategy

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

POLICY. 1) Business Continuity Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management

Business Continuity Planning advice for Businesses with employees

Aberdeen City Council IT Disaster Recovery

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Internal Audit Report Disaster Recovery / Business Continuity Planning

How to write a DISASTER RECOVERY PLAN. To print to A4, print at 75%.

Business Continuity Plan Template

BUSINESS CONTINUITY STRATEGY

BUSINESS CONTINUITY STRATEGY

Transcription:

Information Security Policy Chapter 11 Business Continuity Author: Policy & Strategy Team Version: 0.5 Date: July 2008 Version 0.5 Page 1 of 6

Document Control Information Document ID Document title Sefton Council Business Continuity Policy Version 0.5 Status Draft for comment, Amended by RR 12/6/2008 to include comments from LP and CR. See comments. Amended 30/6/2008 comments from PB. Amended 30/6/2008 minor changes and remove comments for circulation. Amended RR 2/7 Minor typos from PB Author R.Roscoe Job title Data Protection and Information Security Officer Department Information Services Policy and Strategy Publication date Approved by Next review date Distribution Version 0.5 Page 2 of 6

Contents 1. BUSINESS CONTINUITY... 4 1.1. OVERVIEW... 4 1.2. POLICY STATEMENT... 4 1.3. SCOPE OF THE POLICY... 4 2. REQUIREMENTS... 4 2.1. BUSINESS CONTINUITY MANAGEMENT PROCESS... 4 2.2. BUSINESS CONTINUITY AND RISK ASSESSMENT... 5 2.3. DEVELOPING AND IMPLEMENTING CONTINUITY PLANS... 5 2.4. BUSINESS CONTINUITY PLANNING FRAMEWORK... 5 2.5. DOCUMENTATION... 5 2.6. TRAINING... 6 2.7. TESTING, MAINTAINING AND REASSESSING BUSINESS CONTINUITY PLANS... 6 3. POLICY COMPLIANCE... 6 Version 0.5 Page 3 of 6

1. Business Continuity. 1.1. Overview Business Continuity Planning (BCP) is a corporate process designed to protect critical business processes and services from the effects of major system failures or disasters and to ensure their timely and prioritised resumption following any business continuity incident. BCP is a part of corporate risk management. As our organisation is highly dependent on computers, networks and communications systems, a large area of BCP is concerned with the effects of major failure of information systems. This policy covers that area. The Council accepts that there are risks associated with heavy reliance on information systems, and that major incidents will happen. It therefore requires that each department: Identify and assess potential risks that loss of information system(s) may have on their service Develop plans to minimise the impact a loss of information system(s) would have on their service Ensure the information system(s) that support their service can be restored in an acceptable timeframe. Identify any critical business processes and services without which there would be a serious risk to the health and well-being of citizens These plans can then be used by supporting services (I.S, Personnel, Technical Services etc.) to focus and prioritise their recovery efforts. 1.2. Policy Statement This policy defines the baseline requirements for the Council and its departments to develop plans to counteract interruptions to business activities, to protect critical business processes from the effects of major information system(s) failures or disasters and to ensure their timely and prioritised resumption following any business continuity incident. This policy covers not only the computer systems but also the people and processes that use them to provide services. 1.3. Scope of the Policy This policy applies to all departments and staff of Sefton Council. The contents of this policy must be communicated to any Third Parties, Partners or External Service Providers responsible for the provision or support of any information system (e.g. hardware, software, network/telephony, personnel, technical facilities etc), service or business process. 2. Requirements 2.1. Business continuity management process A managed process must be developed by the Council and maintained to ensure adequate business continuity throughout the organisation in the event of major failures of information systems. This process must address all information security requirements. At minimum: Responsibility for corporate BCP must be assigned and documented. Any BCP related to Information Systems must align with all existing Corporate Risk Management functions, (e.g. the Contingency and Emergency Planning functions, Financial Risk Management and the ISD BCP). The Council must ensure that adequate financial, technical, organisational and environmental resources are available to address the identified requirements. The range of information systems-related risks faced by the organisation, in terms of threats, vulnerabilities, likelihood of occurrence and the potential impact of failure on departments, must be fully understood by each department of the Council. This assessment must cover not only the computer systems but also the risks related to people, processes that use them to provide service. Version 0.5 Page 4 of 6

All critical departmental processes, and the information assets they rely upon, must be identified. (This may be done using an extension of the Asset Management process defined in Chapter 12.) Each department must understand and document the range of impacts that identified risks may have on their service The process must ensure the safety of staff and the protection of key information systems and organisational assets. The process must consider insurance where appropriate and ensure premiums are kept up to date. 2.2. Business continuity and risk assessment The Council s strategy and plans for maintaining business continuity must be developed on the basis of appropriate risk (probability and impact) assessment. Events that can cause interruptions to business processes must be identified, along with the probability and impact of such interruptions and their consequences for information security. The risk assessment must identify, quantify and prioritise risks against organisational and departmental objectives. All identified risks must be analysed. Steps must be taken to eliminate or mitigate any threats and vulnerabilities where appropriate thus reducing the risk of occurrence. Residual risks must then be addressed by the BCP framework. 2.3. Developing and implementing continuity plans Corporate and Departmental plans must be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required timescales following interruption to or failure of critical business processes. 2.4. Business continuity planning framework A single corporate framework business continuity plan must be developed and maintained to ensure all plans are coherent, consistently address information security requirements, and identify priorities for testing, maintenance and reassessment of departmental and corporate plans. BCP for Information Systems must align with all existing Corporate Risk Management, (e.g. Corporate BCP, Contingency and Emergency Planning, the ISD BCP and Financial Risk management. 2.5. Documentation At minimum, BCP plans must document the following in such a way that the documentation remains available in the event of failure of critical information and communications systems. Basic requirements are that: Key responsibilities are documented and accepted by the owner. Key contacts, both external and internal, required to support restoration of service to normal are documented. Escalation procedures must be clear and documented, showing how to assess the situation and whether to initiate a major incident response. Mobilisation and briefing procedures for internal staff are documented. Mobilisation and briefing procedures for third party suppliers are documented. Emergency procedures are documented. Version 0.5 Page 5 of 6

Fallback procedures for alternate facilities are documented. Temporary Operational procedures are documented. Resumption Procedures are documented. Critical assets (including key skills) are documented. All third party support contracts and details of their invocation processes are documented. 2.6. Training All staff involved in the recovery have been adequately trained in the recovery process and any technical skills required. 2.7. Testing, maintaining and reassessing business continuity plans Business continuity plans must be tested at least annually and updated annually; following a test; following a major change to information systems, staffing, organisational structure or business environment to ensure that they remain effective and that they comply with all requirements for information security. At minimum: Change management processes across the Council must ensure that the needs of the BCP framework are addressed. Every change to hardware, software, people, processes, organisational structure, buildings or business environment must be assessed for its impact on any business continuity plans currently in place. Likely changes include: Addresses. Telephone numbers. Personnel. Locations. Facilities. Resources. Legislation. Contractors. Suppliers. Key customers. Business processes. Risk appetite and overall business strategy. To avoid a large overhead generated by the above, BCP documentation must be designed to avoid unnecessary detail. A walkthrough of each BCP plan must be carried out at least annually using real-life scenarios. Technical Disaster Recovery processes must work in the required timescale, and must not be impacted by practical problems, out-of-hours restrictions and availability of staff and third party services. Third party supplier services upon which Business Continuity depend must be tested at least annually to ensure that they will meet their contractual obligations. Rehearsals of dealing with major incidents must be held annually. 3. Policy Compliance If you do not understand the implications of this policy or how it may apply to you, seek advice from the Information Services Department via the IS Helpdesk on 0151 934 4999. Version 0.5 Page 6 of 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information