DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY



This document outlines a set of policies and procedures for formalising a Business Continuity programme, and provides guidelines for developing, maintaining and exercising Business Continuity Plans (BCPs).

Prepared By: R. Gough
Approved By: Business Continuity Management Group
Revision Date:
Effective Date:

PURPOSE:

The purpose of this policy is to formalise the Business Continuity programme of Merthyr Tydfil County Borough Council and to provide guidelines for developing, maintaining and exercising Business Continuity Plans (BCPs). This policy establishes the basic principles and framework necessary to ensure emergency response, resumption and recovery, restoration and permanent recovery of the Merthyr Tydfil County Borough Council's operations and business activities during a business interruption event.

SCOPE:

This policy applies to all Merthyr Tydfil County Borough Council staff, facilities and IT systems at all locations, throughout the County Borough.

Merthyr Tydfil County Borough Council shall be prepared for scenarios including, but not limited to, natural disaster, power outage, hardware/telecommunications failures, data corruption, explosives and chemical, biological and nuclear hazards. These events may be local in nature, rendering only a single Merthyr Tydfil County Borough Council facility inaccessible, or could have regional impact, with multiple Merthyr Tydfil County Borough Council facilities in a geographic region becoming inaccessible.

This policy provides guidance for the resumption and recovery of time-sensitive business operations in accordance with pre-established timeframes as well as ensuring that adequate plans are in place for the less time-sensitive business operations.

POLICY:

Merthyr Tydfil County Borough Council recognises the potential strategic, operational, financial and stakeholder support risks associated with service interruptions and the importance of maintaining viable capability to continue the Merthyr Tydfil County Borough Council's business processes with minimum impact in the event of an emergency.

DEFINITIONS:

BCMG - Business Continuity Management Group
BCP - Business Continuity Plan
BIA - Business Impact Analysis
CMT - Crisis Management Team
RTO - Recovery Time Objective

PROCEDURES:

Statement of Policy

Business continuity policy and planning are fundamental to ensure against organisational and reputation risk to Merthyr Tydfil County Borough Council in case of business interruption. The whole of the Council must develop, exercise, test and maintain plans for the resumption and recovery of business functions and processing resources. The resumption and recovery plans must be based on a risk assessment that considers potential losses due to unavailability of service versus the cost of resumption. These plans shall anticipate a variety of probable scenarios ranging from local to regional crisis.

BC policy and planning complement crisis management in recognising that Merthyr Tydfil County Borough Council staff are the most important assets of the Council and ensuring the necessary ability to continue critical business processes in spite of an emergency or to resume them before their unavailability disrupts the work of the affected directorates or the whole of Merthyr Tydfil County Borough Council.

Responsibilities

The Business Continuity Management Group is responsible for this policy. The following sections denote the distribution of responsibilities for Merthyr Tydfil County Borough Council business continuity.

Key Stakeholders

The key stakeholders who participate in council BC programme policy, planning and governance are senior management and critical systems, services and applications owners: Executive Board Members / Crisis Management Team; Business Continuity Management Group; Business Continuity Coordinators; Resilience/Business Continuity staff; Information Solutions Group; Human Resources Services; Internal Audit; Legal; Risk Management.

The Business Continuity Plan

The BCMG shall develop the council BCP to recover from a council crisis and provide, at the very minimum, the ability to recover critical processes with Recovery Time Objectives (RTOs) less than three days.

The recovery plans for a local crisis and recovery of critical processes with RTOs greater than three days shall be developed by the BC coordinator and the senior management responsible for the service areas. Recovery plans for business functions and systems with Merthyr Tydfil County Borough Council-wide impact shall be the responsibility of the BCMG and be addressed in the enterprise-wide business continuity plans.

The BCMG shall have overall oversight as to the creation of local plans to provide leadership and guidance, and ensure appropriate consistency and coordination among the various business dependencies, as well as compliance with UK/international standards.

During a major council business interruption event, the Exec Board/CMT shall activate the Disaster Recovery Site if required. The BCMG shall work with the affected service areas to ensure smooth execution of the council and service area-specific BCPs requiring activation of the Disaster Recovery Site.

In some cases, it may not be necessary to relocate staff to the Disaster Recovery Site. To address local crisis situations, alternate approaches for resumption including remote work, working from other office buildings, etc., shall be identified for affected service areas working with the respective management and BC Coordinator(s), the BCMG and security, facilities and IT teams.

Develop Resumption and Recovery Plans for People Assets

The Business Continuity Management Group (BCMG) is responsible for establishing a clear chain of command for the council, starting with the Council's Chief Executive or relevant designated Director for business continuity policy and procedures. Each service area shall be responsible for their own chain-of-command planning. The BCMG shall ensure fulfillment of chain-of-command planning by the service area for business continuity.

Merthyr Tydfil County Borough Council senior management shall be provided with communication approaches and tools to ensure communication among themselves and with the staff for emergency response and business continuity.

Merthyr Tydfil County Borough Council service areas shall implement and maintain a basic communication plan for all service area staff for emergency response and business continuity. Guidance on what constitutes a basic communication plan shall follow a standard to be developed and issued by the BCMG. Confidentiality of staff personal contact information for this purpose shall be managed in compliance with the Merthyr Tydfil County Borough Council's Information Security and HR policies and practices.

Business continuity plans shall identify the designated primary staff member (from the business operation) and an alternate who can perform functional responsibilities in the absence of the primary staff member. Some BC staff members may be required to work from remote offices or from home.

The BCMG shall work with HR to develop clear guidance on how the non-BC staff shall report their time during crisis. These staff may be directed to suspend their regular duties until the operations are restored at a permanent site or some alternate direction is provided by the council's senior management.

Develop Resumption and Recovery Plans for Facilities and Office Space

In order to successfully resume the council's critical business operations during a council crisis, the BCMG must provide a safe, easily accessible and fully operational location with adequate resources (ICT and others) for the Council's BC staff to report to and initiate operations from during the period of crisis.

The alternate facility, the Disaster Recovery Site, should be at a safe distance from the primary work area to withstand any disruption. The alternate facility must provide a Command Centre facility that leverages a separate power grid and dedicated Internet and telephone lines to support efficient response during crisis. The facility must provide adequate office space and alternate communication links for the senior management of council to perform operational decision-making.

For Business Restoration and Permanent Recovery, the BCMG shall work closely with the service areas to coordinate the activities involved in restoring the business operations of Merthyr Tydfil County Borough Council and ultimately return to an original/new permanent operating site.

Develop IT Systems Resumption and Recovery Plans

The council BCP shall develop a coordinated strategy involving plans, policies, procedures, and technical measures that enable the recovery of IT systems, operations, and data that are identified as critical. The BCMG will also work closely with the ICT service area that is responsible for development and maintenance of the technology and information that support critical business processes of the Merthyr Tydfil County Borough Council.

The council's network architecture and telecommunications shall ensure redundancy and the council's ability to withstand local and regional crisis.

BC policy and planning shall be integrated in ICT policy, budget and implementation decisions. ICT budget guidelines and incentives shall take into account good practices concerning business continuity planning and preparedness.

For new application development, BC planning should be integrated in all phases of the ICT project life cycle, starting from Business Requirements, System Architecture, Design, Construction, Testing, Implementation, Maintenance and Retirement.

Testing

The Council Corporate BCP should be tested at least annually to ensure credible recovery preparedness. The scope, objectives, and measurement criteria of each test shall be determined and coordinated by the BCMG. Test results shall be shared with the Exec Board/CMT.

Service area-specific BCPs should also be tested annually. The respective service area management and the BC coordinator shall work with the BCMG to perform these service area-specific tests.

Corporate Communications

The council and service area-specific BCPs shall include mandatory instructions, advice, process, procedure or guidance concerning internal and external communications. External communication during time of crisis is a critical business process.

The Exec Board/CMT shall work with the Corporate Communications to develop the process and messages that will be communicated to the press and to staff in the event of a council or business unit-specific business interruption.

Training

Business Continuity training for the BCMG, BC Coordinators, and BC staff is essential for effective resumption and recovery of operations. BCMG staff shall ensure training to keep up to date regarding the business continuity industry and the Merthyr Tydfil County Borough Council's business processes, latest technologies, tools, UK/international standards and regulations that guide the development of BC plans. BC coordinators and BC staff must be trained about their business resumption and recovery roles in coordination with the BCMG.

BCP Maintenance and Management Reporting

Council and service area-specific BCPs shall be updated bi-annually using the templates issued by the BCMG. All of the council's service areas shall update their BCPs as often as changes require, with notification of changes to the BCMG. All major updates should be incorporated as soon as possible and not held to satisfy a pre-arranged schedule. The BCMG shall evaluate and implement automated tools to support business continuity planning.

Reporting business continuity planning status and progress is a key element of creating an effective BC programme in the council. The BCMG shall report the status and progress of the BC programme to the Exec Board/CMT on a semi-annual basis or after every council BC test.

Business Continuity Programme Governance

As demonstrated in this policy, Business Continuity is a council concern affecting all service areas and therefore must receive senior management guidance and oversight. The Key Stakeholders listed in this policy shall participate in the Council's BC programme governance. A formal BC programme governance structure shall be developed to ensure effective decision-making and compliance with international standards such as PAS 56 and BS 25999.

Policy Compliance

Consistent compliance with this policy is essential to its effectiveness. All the Council's service areas are expected to adhere to this policy and to follow it consistently. The BCMG will assess the preparedness of all the service areas and report annually to senior management via the Exec Board/CMT. The assessment will include the quantification of the Council's exposures including, but not limited to, the resumption of time-sensitive operations and the recovery of other operations.

Applicable National Standards

The Merthyr Tydfil County Borough Council's BC policy is based on PAS-56 and BS 25999 standards.

The British Standards Institute Publicly Available Specification 56 (PAS 56) "Guide to Business Continuity Management" provides an overview of the activities and outcomes involved in setting up a BC management process and makes recommendations for best practices.

BS 25999 has been developed by a broad-based group of world-class experts representing a cross-section of industry sectors and the government to establish the process, principles and terminology of Business Continuity Management. It provides a basis for understanding, developing and implementing business continuity within your organisation and gives you confidence in business-to-business and business-to-customer dealings. It also contains a comprehensive set of requirements based on BCM best practice and covers the whole BCM lifecycle.

BS 25999 is suitable for any organisation, large or small, from any sector. It is particularly relevant for organizations which operate in high-risk environments such as finance, telecommunications, transport and the public sector, where the ability to continue operating is paramount for the organization itself and its customers and stakeholders.

The standard BS 25999 comprises two parts:

Part 1, the Code of Practice, provides BCM best practice recommendations. Please note that this is a guidance document only.

Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice. This is the part of the standard that you can use to demonstrate compliance via an auditing and certification process.