Sample Business Continuity Management Policy
GUARDIAN NETWORK SOLUTIONS - DOCUMENT CENTER
by: Cody Faldyn
Purpose
The purpose of this policy is to provide guidance on how to mitigate interruptions to business activities and to establish a framework for developing plans and procedures to be used in the event of an outage. This includes both Business Continuity plans and IT Disaster Recovery plans, covering the whole organization.
Scope
This policy applies to all users of information assets including <Organization-Name> employees, employees of temporary employment agencies, vendors, business partners, and contractor personnel and functional units regardless of geographic location.
This Policy covers all Information Systems environments operated by <Organization-Name> or contracted with a third party by <Organization-Name>. The term IS environment defines the total environment and includes, but is not limited
to, all documentation, physical and logical controls, personnel, hardware (e.g. mainframe, distributed, desktop, network
devices, wireless devices), software, and information.
Although this Policy explicitly covers the responsibilities of users, it does not cover the matter exclusively. Other
<Organization-Name> Information Security policies, standards, and procedures define additional responsibilities. All
users are required to read, understand and comply with the other Information Security policies, standards, and
procedures. If any user does not fully understand anything in these documents, he should consult with his systems
administrator, business or functional manager, or human resources department, as applicable, who will contact the
Information Security Department.
The Information Security Department shall resolve any conflicts arising from this Policy.
Responsibilities
The sponsor of this policy is the Information Security Manager.
The Security department is responsible for maintenance and accuracy of the policy.
Any questions regarding this policy should be directed to the Security Department.
Definitions
Definition of some of the common terms:
Accountability: The guarantee that an action can be linked to an identified subject and that this subject is made
accountable for all selected actions.
Authentication: The identification requirements associated with an individual using a computer system. Identification
information must be securely maintained by the computer system and can be associated with an individual’s
authorization and system activities.
Availability: Ensuring that authorized users have access to information and associated assets when required.
Confidentiality: Ensuring that information is accessible only to those authorized to have access.
Critical: Degree to which an organization depends on the continued availability of the system or services to conduct its
normal operations.
Integrity: Safeguarding the accuracy and completeness of information and processing methods.
Non-interference: Control is exercised over the entry and use of the enterprise’s electronic assets.
Non-repudiation: Both the sender and receiver of information can unequivocally prove that the exchange occurred between them.
Privacy: Information provided by employees, customers and others is protected such that it is used solely for the stated
purposes of the enterprise’s customer privacy policies, the provider has authorized such use, and its use is in
compliance with all local government privacy regulations.
Private Information: Information classification that relates to its “privacy type”. This could be either customer-related information or private information related to staff (such as medical records).
Sensitive: Concerned with highly classified information or involving discretionary authority over important official matters.
Sensitive Information: Information requiring some protection, not generally available internally.
Policy Statement
Business Continuity Management (BCM) overview and control framework
Subject area ownership
The following table outlines the scope and subject areas addressed by the Business Continuity department. The table
also outlines who has a responsibility to ensure that the control framework is implemented effectively.
1. Project Initiation and Management
Establish the need for a Business Continuity Strategy and Plan (BCP), including obtaining management support and organising and managing the project to completion within agreed upon time and budget limits.
Responsibility: BCM Department
2. Risk Evaluation and Control
Determine the events and environmental surroundings that can adversely affect the organisation, the damage such events can cause, and the controls needed to prevent or minimize the effects of potential loss. Provide cost-benefit analysis to justify investment in controls to mitigate risks.
Responsibility: BCM Department; IT Department; Business Management; Buildings Department
3. Business Impact Analysis
Identify the impacts resulting from disruptions and techniques that can be used to quantify and qualify such impacts. Establish critical functions, their recovery priorities and inter-dependencies so that recovery time objectives can be set.
Responsibility: BCM Department; IT Department; Business Management
4. Developing Business Continuity / Disaster Recovery Strategies
Determine and guide the selection of alternative business recovery operating strategies for recovery of business and information technologies within the recovery time objective, while maintaining the organisation’s critical functions.
Responsibility: BCM Department; IT Department; Business Management
5. Emergency Response and Operations
Develop and implement procedures for responding to and stabilizing the situation following an incident or event, including establishing and managing an emergency operations center to be used as a command center during the emergency.
Responsibility: BCM Department; IT Department; Business Management; Buildings Department
6. Developing and Implementing Business Continuity / Contingency Plans
Design, develop, and implement the business continuity plan that provides recovery within the recovery time objective.
Responsibility: BCM Department; Plan Owners; Business Management
7. Awareness and Training Programmes
Prepare a program to create corporate awareness and enhance the skills required to develop, implement, maintain, and execute the business continuity plan.
Responsibility: BCM Department
8. Maintaining and Exercising Business Continuity Plans
Pre-plan and co-ordinate plan exercises, and evaluate and document plan exercise results. Develop processes to maintain the currency of continuity capabilities and the plan document in accordance with the organisation’s strategic direction. Verify that the Plan will prove effective by comparison with a suitable standard, and report results in a clear and concise manner.
Responsibility: BCM Department; Plan Owners; Business Management
9. Public Relations and Crisis Communication
Develop, co-ordinate, evaluate, and exercise plans to handle the media during crisis situations, and provide trauma counseling for employees and their families, key customers, critical suppliers, owners/stockholders, and corporate management during a crisis. Ensure all stakeholders are kept informed on an as-needed basis.
Responsibility: BCM Department
10. Co-ordination with Public Authorities
Establish applicable procedures and policies for coordinating response, continuity, and restoration activities with local authorities while ensuring compliance with applicable statutes or regulations.
Responsibility: BCM Department
Documentation
Plans should be relevant to the needs of the specific department and must take into consideration the inter-dependencies between business and IT systems.
Maintenance and restoration of business and IT operations within required timescales must be stated within the plans. The restoration of the specified operations should be agreed in advance and co-ordinated with the relevant service provider, i.e. IT support or a third party.
The continuity plan documents will be communicated to relevant staff to provide them with the necessary understanding
of emergency procedures, process and their specific role during and after a business interruption.
Control framework
A single strategy / framework for the continuity plans should be maintained to ensure consistency and establish priorities within <Organization-Name>. Each continuity plan should state clearly the criteria for activation and list the individuals (with deputies) responsible for executing the plan. The framework will include:
the criteria for activation;
emergency procedures and liaison with the emergency services to reduce the impact on personnel;
alternative locations and relocation to the sites;
resumption to establish business as normal; and
responsibilities of individuals, describing who is authorized to take actions during an interruption.
Policy assumptions
The term “must” in this policy denotes a mandatory action;
The term “should” in this policy denotes a recommended action;
This policy is based on documented conditions that are assumed to be true during creation;
There are no concurrent disasters being experienced in any other location outside of the immediate geographical region;
Any off-site storage facilities, backup or recovery sites are intact and not impacted.
Exceptions
The policy does not include:
Recovery procedures for any staff members conducting their operations from locations outside of <Organization-Name> property.
Recovery procedures for internal or external vendors outside the organisation that <Organization-Name> is dependent upon for support. However, departments must satisfy themselves that key third parties and suppliers have adequate business continuity / disaster recovery arrangements in place to support <Organization-Name>.
Review and update of this policy statement
This Policy Statement must be reviewed at least annually by the Director of Business Continuity to ensure alignment to appropriate strategic direction, and its continued relevance to the organization’s current and planned operations.
Continuity and crisis management plans will be live documents that must be maintained on a regular basis by testing and updating. For the continuity programme to be successful, continuity planning must be embedded in the culture of the whole organization and any new developments or changes should include continuity. For this reason it is imperative that each department within <Organization-Name> is involved in the development, maintenance, update and testing of the plans.
Plans should also be reviewed and updated when a change is applied to a system. This will ensure that procedures are kept up to date and are effective. For all new systems that are to be introduced to <Organization-Name>, availability and recoverability should be built into their implementation.
Business Continuity Procedures
Project initiation and management
Management structure
Accountability for business continuity planning resides with the Business Continuity department. A steering committee has
also been established to discuss IT continuity. A steering group should be established to guide and monitor Business
Continuity activity within the business departments.
The Business Continuity department will provide assistance to identify, assess and determine strategy and actions, but
ownership remains with IT and business management.
Position holder(s)
Business Continuity activity should be recognised in the job descriptions of the person(s) performing these activities.
Where possible, the person(s) should be qualified or have appropriate training provided to enable them to support the
business continuity activity.
Project management
Any Business Continuity project should follow standard <Organization-Name> project lifecycle guidelines.
Risk evaluation and control
Risk identification
<Organization-Name> should establish a process to identify threats. These should include, but not be limited to, the following:
Natural, man-made, technological, economic or political disasters;
Accidental versus intentional; and
Internal versus external.
Risk evaluation
<Organization-Name> departments should establish a process to determine the probability of events, considering
suitable:
Sources of information;
Methods of evaluating likelihood versus impact;
Methods of evaluating threats and vulnerabilities; and
Methods of evaluating the effectiveness of controls.
Business impact analysis (BIA)
Frequency
The BIA should be conducted at least yearly for critical services. The BIA should also be reviewed whenever structural,
technological or procedural considerations indicate (such as new product launch, new project, change in premises or
technology systems).
Quantitative impact
The BIA should quantify the impacts of business interruption to existing and new systems. Assessment factors include
the following:
Financial Impact
Customer services
Regulatory / Fines / Legal liability
Health & safety
Reputation
Morale
Once all of the factors above have been considered and quantified as far as is possible, an overall impact should then
be given to the system and used to determine the requirements for availability and recoverability. The overall ratings are
defined as:
0 – No requirement for the system (very rarely found)
1 – Workaround in place (i.e. system has very little or no impact if lost)
2 – Acceptable impact. Work around requires monitoring. (i.e. if lost, the system could be replaced by a manual
workaround with little impact)
3 – Unacceptable impact that requires direct action (i.e. typically an unacceptable financial or customer service
impact that requires a direct mitigating action)
4 – Single business critical process stops immediately (i.e. a single process for either a single or multiple
services halts. High impact)
5 – Totally critical. Multiple services stopped. (i.e. multiple services stop immediately with a very high impact to <Organization-Name>)
The impact of a business interruption to services from key suppliers or third parties should also be clearly analyzed and understood.
Recovery timeframes and minimum resource requirements
The BIA should lead to a clear determination and definition of:
The recovery time objectives for each of the critical services.
The order of recovery for critical systems, business functions, and support functions, based on parallel and
interdependent activities.
Business and IT requirements for recovery.
The minimum resource requirements for recovery and resumption of critical functions and support systems.
Develop business continuity strategies
Review recovery issues
Based on the results of the Risk Analysis and BIA, <Organization-Name> departments should review:
Recovery timeframes;
Recovery options;
Recovery location(s);
Personnel requirements;
Communications requirements;
Technology recovery issues for each support service; and
Non-technology recovery issues for each support service.
Identify alternative recovery strategies
Based on the results of the Risk Analysis and BIA, business units should explore alternatives and agree their strategy.
Recovery strategies may include:
Doing nothing;
Defer action;
Manual procedures;
Reciprocal agreements;
Alternative site or business facility;
Service bureau;
Consortium.
Currency of recovery strategies
Similar to the BIA, the strategy should be formally reviewed at least yearly, and signed off by the Business Continuity
board. The strategy should also be reviewed whenever the BIA is modified or when new alternatives for recovery are
made available.
Communication of strategies
Staff should be aware of the recovery strategies being implemented within <Organization-Name> that affect their area, and of who they are dependent on.
Emergency response and operations
Response and evacuation procedures
The business must own, manage, and be accountable for the processes of:
Emergency notification & activation;
Emergency drills;
Emergency warden identification and training; and
Evacuation procedures and review.
Crisis Management Team (CMT)
A CMT must be established, comprising senior executives of <Organization-Name>. The CMT will rehearse their procedures at least annually. Ownership and maintenance of the CMT plan resides with the BCM Department. The role of the CMT is to:
Analyse the disaster situation and provide effective assessment;
Estimate the event’s direct impact on <Organization-Name>;
Undertake command and decision authority roles during the incident;
Demonstrate awareness of the likely political / media interest and formulate a response at Board Level.
Developing and implementing continuity plans
Plan considerations
Each continuity plan should contain essential information for preparing for, and recovering from, an incident. This
includes, but is not restricted to:
Overview of the adopted recovery strategy;
Overview of the BIA results;
Management structure and composition;
Management and staff cascade lists and notification procedures;
Invocation authorities and procedures;
Detail of recovery teams, members and tasks;
Definition of recovery requirements and timeframes.
Distribution of continuity plans
Copies of relevant continuity plans will be held on site and off site by members of the individual continuity and recovery
teams and the BCM department.
Third party suppliers and key business partners
Where all or part of an activity is performed by third parties, and that activity is critical to <Organization-Name>, assurances must be made that they have appropriate business continuity to support <Organization-Name>. The
Director of BCM will provide assistance with evaluating external plans and recovery provision.
Training and awareness
<Organization-Name> should satisfy itself that staff engaged on business continuity / disaster recovery activities have the appropriate training and knowledge. This will include a sound understanding/appreciation of both Business Continuity and Disaster Recovery strategies and plans, continuity skills, and an awareness of <Organization-Name> business operations and service structure. <Organization-Name> departments shall satisfy themselves that all staff are
aware of expectations held of them should an emergency arise.
Maintaining and testing the plan
Overview
Each plan should have its essential information periodically reviewed and, where necessary, updated to reflect changes
in staffing, personal details, business & system functionality, organizational structure, and recovery requirements.
The testing process should verify that plans are up to date and match the needs of the department and system.
Members of each recovery team must be familiar with the plans through the testing process.
The types of testing may include, but not be restricted to:
Table top at department or functional level using scenarios and examples of business interruption which are
relevant to the department;
Call-out cascade activation;
Simulations i.e. crisis management;
Technical recovery to an alternate location: this may require component and connectivity testing for specific items
in addition to the recovery test;
Business rehearsal at an alternate location;
Complete rehearsals i.e. building evacuations;
Recovery of critical mainframe and midrange applications at an alternate data centre;
Recovery and restoration of critical application and data at an alternate data centre;
Recovery of telephony at an alternate location.
Any testing techniques should reflect the nature of the specific area within the BCP.
Frequency of tests and maintenance
<Organization-Name> plans should be tested on a frequent basis in line with the testing strategy to meet the changing environment within <Organization-Name>. Testing of the plans will ensure that the plan is effective and satisfies the recovery needs of the organization.
Critical business units and IT systems should test their plans at least every six months. Those plans deemed non-critical
should be tested on a yearly basis.
Defining schedule, scope and results of testing
A testing schedule will be established through agreement between the Director of BCM and the plan maintainers. A
clearly defined scope should be documented and agreed prior to each test. Test scripts must be completed in
advance, with expected results indicated. This will be matched against actual results, and any discrepancies either
formally accepted or progressed for resolution.
Public relations and crisis communications
A central crisis management team along with the Business Continuity department will:
Develop, co-ordinate, evaluate, and exercise plans to handle the media during crisis situations;
Develop, co-ordinate, evaluate, and exercise plans to communicate with employees and their families, key customers, critical suppliers, and corporate management during a crisis; and
Develop, co-ordinate, evaluate, and exercise plans to provide trauma counseling for employees and their
families.
Communication arrangements should be tested as part of CMT simulation testing.
Coordination with public authorities
The Director of BCM, in conjunction with senior business managers and IT, will:
Establish applicable procedures and policies for co-ordinating continuity and restoration activities with local authorities and emergency services;
Ensure compliance with applicable statutes or regulations.
Compliance Measurement
Compliance with the Business Continuity Management Policy is mandatory. <Organization-Name> managers must ensure continuous compliance monitoring within their organizations. Compliance with the Business Continuity Management Policy will be a matter for periodic review by the Information Security Audit team as per the audit guidelines and procedures set out in the Security Control Framework and the Security Auditing Guidelines. Compliance measurement should also include periodic review for Security Quality Assurance. Violations of the policies, standards, and procedures of <Organization-Name> will result in corrective action by management. Disciplinary action will be consistent with the severity of the incident, as determined by an investigation, and may include, but not be limited to:
Loss of access privileges to information assets
Other actions as deemed appropriate by management, Human Resources, and the Legal Department.
Waiver Criteria
This Policy is intended to address information security requirements. Requested waivers must be formally submitted to
the Information Security Department, including justification and benefits attributed to the waiver, and must be approved
by the Information Security Manager. The waiver should only be used in exceptional situations when communicating non-compliance with the policy for a specific period of time. At the completion of the time period the need for the waiver should be reassessed and re-approved, if necessary. No policy should be granted a waiver for more than three consecutive terms.
The waiver should be monitored to ensure its concurrence with the specified period of time and exception.
All exceptions to this policy must be communicated through the Policy Waiver Request Form.