A testing schedule will be established through agreement between the Director of BCM and the plan maintainers. A
clearly defined scope should be documented and agreed prior to each test. Test scripts must be completed in
advance, with expected results indicated. These will be matched against actual results, and any discrepancies either
formally accepted or progressed for resolution.
Public relations and crisis communications
A central crisis management team along with the Business Continuity department will:
Develop, co-ordinate, evaluate, and exercise plans to handle the media during crisis situations;
Develop, co-ordinate, evaluate, and exercise plans to communicate with employees and their families, key
customers, critical suppliers, and corporate management during crisis; and
Develop, co-ordinate, evaluate, and exercise plans to provide trauma counseling for employees and their
families.
Communication arrangements should be tested as part of CMT simulation testing.
Coordination with public authorities
The Director of BCM, in conjunction with senior business managers and IT, will:
Establish applicable procedures and policies for co-ordinating continuity and restoration activities with local
authorities and emergency services;
Ensure compliance with applicable statutes or regulations.
Compliance Measurement
Compliance with the Business Continuity Management Policy is mandatory. <Organization-Name> managers must ensure
continuous compliance monitoring within their organizations. Compliance with the Business Continuity Management Policy
will be a matter for periodic review by the Information Security Audit team as per the audit guidelines and procedures
mentioned in the Security Control Framework and the Security Auditing Guidelines. Compliance measurement should also
include periodic review for Security Quality Assurance. Violations of the policies, standards, and procedures of
<Organization-Name> will result in corrective action by management. Disciplinary action will be consistent with the
severity of the incident, as determined by an investigation, and may include, but not be limited to:
Loss of access privileges to information assets
Other actions as deemed appropriate by management, Human Resources, and the Legal Department.
Waiver Criteria
This Policy is intended to address information security requirements. Requested waivers must be formally submitted to
the Information Security Department, including justification and benefits attributed to the waiver, and must be approved
by the Information Security Manager. The waiver should only be used in exceptional situations when communicating
non-compliance with the policy for a specific period of time. At the completion of the time period the need for the waiver
should be reassessed and re-approved, if necessary. No policy should be granted a waiver for more than three
consecutive terms.
The waiver should be monitored to ensure its concurrence with the specified period of time and exception.
All exceptions to this policy must be communicated through the Policy Waiver Request Form.