Business Continuity Policy

Version: 1.00Issue Date: 7/27/2015

This Business Continuity Policy is provided to help ensure that business continuity planning and provisions are in place especially for critical business functions.

1.0 Overview

This Business Continuity Policy will help ensure that policies and processes are in place and followed so that business functions continue during times of disaster or equipment failure.

2.0 Purpose

This Business Continuity Policy is intended to ensure that policies are being followed to keep the organization operational when a disaster or equipment failure occurs.

3.0 Scope

This Business Continuity Policy applies to all systems, both hardware and software based including those that use computers and/or employees or contractors where business functions are involved. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Requirements

  • Procedures designed to restore and protect organizational processes and supporting infrastructure must be created and maintained. Procedures must cover reconstruction of affected sites and replacement of affected sites. Procedures must be stored both off site and on site.
  • The Emergency Services Office will periodically audit the various business units to determine whether they have a viable and current set of Business Continuity Policy and associated policies and plans. Changes to business needs and results of testing must be considered. Revision dates to plans and procedures and names of personnel making them must be recorded.
  • The Emergency Services Office defines the required knowledge and esperience requirements of response and recovery team members. The Emergency Services Office determines the team structures for response and recovery activities. These structures must be stated in the plans such as DR Plan, Business Recovery Plan, and Business Restoration Plan.
  • Communication processes needed to implement business continuity and recovery must be defined and prioritized in the various processes and plans such that it is known who must approve actions and actions can be readily implemented without bureaucratic delays.
  • Emergency procedures affecting safety must be defined.
  • Senior Management and Senior IT management must support the Business Continuity Policy and associated policies and plans. They must provide the strategy, philosophy, resources, and enforcement mechanisms to ensure that the plan is successful. They must be sure the plans will meet the organizational business requirements and business continuity needs.
  • Regulatory requirements must be considered by the Business Continuity Policy associated policies and plans.
  • External best practices must be considered by the Business Continuity Policy associated policies and plans.
  • Business changes or IT changes must be reflected in the Business Continuity associated policies and plans. The Change Management Plan must provide processes to ensure that the appropriate business continuity plans or procedures are kept current as changes are implemented.
  • The IT Continuity plan must support the Business Continuity Plan.
  • Emergency situations must be defined along with actions to be taken during emergency situations based on the type and severity of the situation.
  • Required access rights and the staff members must have those access rights for emergency situations must be designated in advance. The process must provide for granting the required access rights in a timely manner during an emergency and removing them when the emergency is over. Actions must be logged.
  • The disaster recovery and IT business continuity plans must cover networking including cabling, switches, routers, and firewalls.
  • As new infrastructure is added or modified, the disaster recovery and business continuity plans must be updated. Any new technology used must meet reliability and redundancy requirements to support required failure tolerance, disaster recovery, and business continuity.

5.0 Testing

  • Alternate business practices, disaster recovery, and business restoration practices shall be periodically tested.
  • Plan testing shall be done a minimum of annually and dates and times must be scheduled.
  • Tests shall be done when there are significant changes to either the IT infrastructure of business functions.
  • All parts of the recovery plan must be included in the test schedule.
  • Test plans must include procedures for restoring the production environment where critical services exist.
  • A meeting after testing must be held so test results are discussed. All failures must be analyzed and documented.
  • Problems found during testing must be documented, the appropriate processes reviewed and changed (logs of the change must be kept) and re-tested in a timely manner which allows problems to be adequately addressed.
  • Changes to plans and procedures must be documented and a change history must be documented and kept.
  • In situations where testing is not feasible, an alternative method must be used to be sure the restoration process is achievable.

6.0 Training

  • Disaster recovery, business continuity, and Business recovery staff must be appropriately and regularly trained for their roles relative to the plans.
  • Training requirements and schedule are assessed annually.
  • The training schedule must be appropriate considering turnover of recovery staff, changes to plans, and the extent of changes to plans.
  • Business and IT continuity programs must be conducted to assure that managers and personnel including stakeholders are aware of their role in both the business continuity and IT continuity strategy.

7.0 Document Control and Distribution

  • Current copies of business continuity plans and policies shall be stored in at least two locations including a normal location and an off site location at least ten miles distant from each other.
  • One office (Emergency Services Office) must be responsible for maintaining and distributing the Business Continuity Policy and associated policies and plans. Details about recovery site locations and backup media must be available to recovery personnel.
  • Procedures about transporting recovery media to the recovery site and performing the recovery operations at the recovery site must be maintained by the Emergency Services Office.
  • Updates to the Business Continuity Policy and associated policies and plans must be distributed to all organizational members involved in the business recovery or business continuity process that have authorization and a need to know. Outdated hard copies of the plans should be destroyed in compliance with procedures for destroying confidential information.
  • A plan distribution strategy muct be created and consider all the people who have a need to know and consider the confidentiality of information contained in the plans being distributed. Those who the plans are distributed to must be authorized and have a need to know. Distribution of parts of the plan should be considered where appropriate.
  • A distribution list should be kept which shows who has copies of what versions of the plan. The distribution list should be kept current.

8.0 Business Processes

  • Business departments who own business processes must determine what tasks relevant to their functions are critical.
  • For each business critical task, at least one alternative business process must be determined. The alternative practices must be defined and documented so that someone unfamiliar with the task could carry it out with minimum training.
  • Procedures should be created which will describe how to update the normal systems which support the business function after the business recovery has taken place.
  • Hard copies of the alternative business practices and recovery processes should be stored offsite in at least two locations.
  • Required resources and equipment such as office supplies and equipment should be stored in alternate sites such that the alternate business practices may be carried out using that equipment.
  • Alternate business processes must be periodically tested and test results must be used to improve the process as appropriate.
  • Business staff must be tranined in alternate business procedures.
  • As regular business procedures are modified, alternate procedures are reviewed to be sure they are still sufficient to cover the business need and modified as required. Alternate procedures should be reviewed annually to be sure they remain current.

9.0 Contacts and Resources

  • The contact details of both business stakeholders, system managers, recovery staff, service providers and other relevant parties must be kept both offsite and onsite so they are available in the event of a disaster. The contact details must be kept current by the Emergency Services Office.
  • Contact information for alternate staff, service providers, business stakeholders, and vendors should be available in case primary contacts are not available.
  • Processes and contact information with public authorities must be defined and available to ensure safety.
  • All critical resources must be identified which are needed to implement the plan. Resources include files, programs, operating systems, amd hardware.
  • A list of all resources including IT systems is contained in the business continuity and recovery plans so that systems and services that are not critical may be recovered later.

10.0 Alternate Site

  • Upper level management must consider the criticality of the various business functions and determine whather an alternate site for business continuity should be created based on need and cost. The alternate type of site will be determined based on functionality, time to go operational, and cost. Upper management will need to decide the type of site to implement.
  • The functionality and capacity of the alternate site must be periodically tested to be sure it can meet the business needs of critical systems. Test results must be reviewed and appropriate action taken based on the test results. Actions may be upgrade to the site, changes to processes or other actions which increase capacity of the alternate site or reduce the time to go live. Any changes to the business or IT continuity plans should be made.
  • The functionality and capacity of the alternate site must be periodically reviewed to be sure it can meet the business needs of critical systems.
  • Re-direction of telecom services to the secondary site must be available when a secondary site is used.
  • Contracts with telecom, backup, and server providers as required should be set up in advance.
  • Contact information of telecom providers must be kept on the primary site and at the secondary site.

11.0 Off Site Storage and Backups

  • The IT staff must provide information to business owners and upper management about the requirements for off site storage and off site alternate business continuity sites. Information about available alternate sites, locations, technologies, and costs along with business needs must be provided and considered. The methods used to update offsite storage and alternate locations along with how often information is updated must be considered.
  • A backup rotation cycle must be established, documented, and followed with set responsibilities for required actions.
  • Regular testing of off site restoration is required and responsibilities for the action along with who gets the reports of test results must be established.
  • Documentation of recovery processes, restoration procedures and contact information must be kept offsite at the alternate sites and at backup storage facilities.
  • The security classification of data on all backup media and devices must be considered and appropriate electronic and physical security measures must be followed in accordance with organizational security policy including during storage, restoration, use, and transportation of data or information.
  • The backup site and alternate site must be at least ten miles from the primary site (not within the local area). Security experts establish minimum distances but the recommended distance is increasing so ten miles is an example and not necessarily a good minimum distance.
  • The arrangements for off site storage must be reviewed annually by management to determine whether they meet the business need and are effective in preventing the loss of data.

12.0 Post Recovery

  • The correct process for recovery at the primary site must be created and published for the use of recovery teams.
  • Recovery teams must be established and appropriately sized for the scope of the recovery task.
  • Recovery teams must be briefed and trained in the recovery process.
  • Briefing and training sessions must be provided and allow for team feedback through discussion and testing which can be used to improve the recovery process.
  • Improvements to recovery processes should be made based on information from sessions after training or recovery events.

13.0 Enforcement

Since following the Business Continuity Policy is important for ensuring the business continuity of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, termination of contracts, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

14.0 Other Policies/Plans

  • Business Continuity Plan - Integrates the Business processes with the Incident Response Plan and Business Contingency Plan. Roles and responsibilities along with the notification and escalation processes must be defined. Considers disaster recovery, IT Processes and their support of the business processes. Considers emergency response plans.
  • Disaster Recovery Policy - How to recover business processes at alternative sites.
  • Backup and Recovery Policy - Plan for recovery of data and systems at alternative sites or normal sites.
  • Business Contingency Plan - Provides for continuing business without the usual resources.
  • Business Restoration Plan - How to get the business operating normally at regular facilities. Defines steps required to get the business operating normally again after a disaster.
  • IT Continuity Pan - Provides a plan specific to information technology continuity but must support the Business Continuity Plan. Identifies which computer systems support which business processes and who the contacts are for both the systems and the business processes. It identifies the order in which systems will be recovered. This plan is driven by the Business Impact Analysis.
    • The IT Continuity Plan must be prioritized according to the importance of business functions considering which systems support each function.
    • The IT Continuity Plan only includes systems that support the required business functions previously defined in the Business Impact Analysis.
    • The minimum recovery configuration must be documented for each service regarding facilities, equipment, software, and personnel.
    • IT management and personnel assess and implement redundant technologies within IT infrastructure in support of business functions as the criticality warrents it. These technologies include but are not limited to RAID, UPS, redundant power supplies, supplemental cooling, and generators.
  • Incident Response Policy and Incident Response Plan must be integrated with the Business Continuity Policy and associated policies and plans.
  • Project plans to support the business and IT recovery process for the various scenarios must be created. Available resources and funding must be available to support the recovery projects and the resources and funding required must not be tied to business process that would be broken in the event of the threat materializing.

15.0 Additional Requirements

  • Business Impact Analysis - Must identify critical business functions, assess and define possible impact situations, and analyze methods to continue business functions and recover from each situation. Determines processes and resources that must be available to carry the business through the various scenarios. Business processes must be mapped to supporting IT services and supporting servers. Business costs of interruption should be quantified where possible. The Business Impact Analysis must be reviewed annually for new threats, business processes, and changes to IT support.
  • The Change Management Plan must consider the Business continuity policy, disaster recovery policy, backup and recovery policy, business contingency plan, and business restoration plan as changes are made so the appropriate changes are made to plans in a timely manner. Any changes to systems, network or other items that may affect the business processes or support must be reflected in the Business Continuity Policy and associated policies and plans.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________