Local Authority Cyber Resilience Planning Guide

This guide is to assist managers in preparing and implementing Business Continuity Plans, to aid Cyber Resilience.

June 2021 Version 3

Background

Following the events of 11th September 2001, and the London bombings of 7th July 2005, and the WannaCry malware incidents across the NHS, have caused many organisations to consider an annual review process for their Business Continuity Planning.

The guide aims to mitigate the impact of unforeseen events on the business. Subsequently, the Civil Contingencies Act 2004 and the events of 7thJuly 2005 have also heightened the need for a robust Business Continuity planning framework. In todays interconnected Internet driven world such planning is even more important. The shift to Cloud computing is making this even more difficult.

This guide was originally written in 2003 and has been updated over the years. The approach is still sound and this is continued work in progress.

Mark Brett MRes CITP CMngr FICPEM FBCS FCMI MCIIS MEPS MSyI

Honorary Visiting Fellow (Cyber Security)

Cyber Centre London Metropolitan University

Your welcome to make use of the contents of this document for non-commercial purposes including Public Sector use. However I would ask that you acknowledge the fact in your derived work.

INTRODUCTION

Every year unforeseen emergencies take their toll on business and industry -- in lost business and escalated costs. Something can be done. Business and industry can limit the impact and losses, returning quickly to normal operations if they plan ahead.

This guide provides step-by-step advice on how to create and maintain a comprehensive Business Continuity Planning Programme.

To begin, you need not have in-depth knowledge of Cyber Resilience. What you need is the authority to create a plan and a commitment from the Chief Officer to make Business Continuity Planning part of the corporate culture If you already have a plan, use this guide as a resource to assess and update your plan. The guide is organised as follows:

Section 1: 4 Steps in the Planning Process -- how to form a planning team; how to conduct a vulnerability analysis; how to develop a plan; and how to implement the plan. The information can be applied to virtually any type of business or industry.

Section 2: Business Continuity Planning Considerations -- how to build such Business Continuity Planning capabilities as Health & Safety, Property Protection, Communications and Community Outreach.

Section 3: Hazard-Specific Information -- technical information about specific hazards your building or site may face.

Section 4: Information Sources -- where to turn for additional information.

Appendix A BCM plan and risk assessment toolkit

What Is an Emergency?

An emergency is any unplanned event that can cause disruption or significant injuries to employees, customers or the public; or that can shut down your business, disrupt operations, cause physical or environmental damage, or threaten the facility's financial standing or public image. Obviously, numerous events can be "emergencies," including:

1.Fire 

2.Hazardous materials incident 

3.Flood or flash flood 

4.Terrorist Incident 

5. Malicious Incident (public or Employee)

6.Winter storm (Weather) 

7.Communications failure 

8.Civil disturbance (Transport strikes) 

9.Loss of key supplier or customer 

10.Explosion (Gas etc)

The term "disaster" has been left out of this document because it lends itself to a preconceived notion of a large-scale event, usually a "natural disaster." In fact, each event must be addressed within the context of the impact it has on the authority and the community. What might constitute a nuisance to the Council in general could be a "disaster" to a section or department.

What Is Cyber Resilience?

Cyber Resilience is the process of ; preparing for, mitigating, responding to and recovering from an emergency, which involves Cyber, that is a system or service, which is delivered by a network or the Internet, to a remote device, often through a web browser.

Business Continuity Planning is a dynamic process. Planning, though critical, is not the only component. Training, conducting exercises, testing equipment and co-ordinating activities with the community are other important functions.

Making the "Case" for Cyber Resilience

To be successful, Business Continuity Planning requires senior management support. The chief executive sets the tone by authorising planning to take place and directing senior management to get involved.

When presenting the "case" for Cyber Resilience, avoid dwelling on the negative effects of an emergency (e.g., deaths, fines, and criminal prosecution) and emphasise the positive aspects of preparedness. For example:

1. It helps the Council fulfill its’ moral responsibility to protect employees, the community and the environment.

2. It facilitates compliance with regulatory requirements such as Health & Safety.

3. It enhances the Council’s ability to recover from financial losses, regulatory fines, complaints from members and the public, damage to equipment and business interruption.

4. It reduces exposure to civil or criminal liability in the event of an incident.

5. It enhances the Council’s image and credibility with employees, customers, suppliers and the community.

SECTION 1

4 STEPS IN THE PLANNING PROCESS

Having established what your planning for (the scope)

Step 1 -- Establish a Planning Team 

Step 2 -- Analyse Capabilities and Hazards

Step 3 -- Develop the Plan 

Step 4 -- Implement the Plan

STEP 1 -- ESTABLISH A PLANNING TEAM.

There must be an individual or group in charge of developing the Business Continuity Plan. The following is guidance for making the appointment.

1. Form the Team.

The size of the planning team will depend on the department’s operations, requirements and resources. Usually involving a group of people is best because:

a. It encourages participation and gets more people invested in the process. b. It increases the amount of time and energy participants are able to give. c. It enhances the visibility and stature of the planning process. d. It provides for a broad perspective on the issues.

Determine who can be an active member and who can serve in an advisory capacity. In most cases, one or two people will be doing the bulk of the work.

Some of the planning and co-ordination, could be out sourced to the Emergency Planning .At the very least, you should obtain input from all functional areas. Remember:

Senior management  
Line management  
Personnel and Occupational Health  
Engineering and maintenance  
Health & Safety

f. Public information officer (Press & Publicity)

Security  
Community relations and groups  
Councillors as appropriate  
Departmental Representatives (Operational Service Delivery)  
Legal Services  
Finance and purchasing

Have participants appointed in writing by senior management. Their job descriptions could also reflect this assignment and extra duties.

2. Establish Authority.

Demonstrate management's commitment and promote an atmosphere of empowerment by "authorising" the planning group to take the steps necessary to develop a plan. The Chief Officer or the Business Unit Manager should lead the group. Establish a clear line of authority between group members and the group leader, though not so rigid as to prevent the free flow of ideas.

3. Issue a Mission Statement – Which quantifies the purpose and scope of the plan.

Have the Chief Executive or Service/Business Unit Manager issue a mission statement to demonstrate the authority’s commitment to Cyber Resilience. The statement should:

Define the purpose of the plan and indicate that it will involve the entire organisation. Define the authority and structure of the planning group

4. Establish a Schedule and Budget

Establish a work schedule and planning deadlines. Timelines can be modified as priorities become more clearly defined.

Develop an initial budget for such things as research, printing, seminars, consulting services and other expenses that may be necessary during the development process.

STEP 2 -- ANALYSE CAPABILITIES AND HAZARDS.

This step entails gathering information about current capabilities and about possible hazards and emergencies, and then conducting a vulnerability analysis to determine the facility's capabilities for handling emergencies.

1. WHERE DO YOU STAND RIGHT NOW? Establishing a baseline

Review Internal Plans and Policies. Documents to look for include:

a. Evacuation plan

Fire protection plan  
Health &Safety procedures

d Environmental policies

Security procedures  
Insurance programs  
Finance and purchasing procedures  
Quality Procedures  
Personnel Handbook  
Internal SLAs and External Contracts.  
Health & Safety risk assessments  
Risk management plan

m Capital improvement program n. Mutual aid agreements

Business Continuity Planning Guide

2. Establish Partnerships

Meet with external agencies, community organisations and utilities. Ask about potential emergencies and about their plans and available resources for responding

Sources of information include:

Local Resilience Forum Cooridnator
Emergency Planning Officer
Local Hospital 
Local Community
Liaison Groups Fire Brigade
Local Police Ambulance Emergency Planning Officer 
Telecommunications Companies
Cellular providers
Electric,
Gas and Water Utilities 
Neighbouring Authorities

Web sites see: http://www.ukresilience.info/contingencies/cont_index.htm Business Continuity Institute see: www.thebci.org Association of Local Authority Risk Managers http://www.alarm-uk.com/ Society of Information Technology Management SOCITM: www.socitm.net

Emergency Planning Society :http://www.emergplansoc.org.uk/

3. Identify Codes and Regulations

Identify applicable legislation and local regulations such as:

Occupational Health & Safety regulations Environmental regulations Fire procedure codes Corporate policies

4. Identify Critical Services and Operations

You'll need this information to assess the impact of potential emergencies and to determine the need for backup systems. Areas to review include:

Council services and the facilities and equipment needed to produce them  
Products and services provided by suppliers, especially sole source vendors  
Lifeline services such as electrical power, water, sewer, gas, telecommunications  and transportation  
Operations, equipment and personnel vital to the continued functioning of the  facility

5. Identify Internal Resources and Capabilities

Resources and capabilities that could be needed in an emergency include:

a. Personnel -- Fire, Police and Ambulance Council Emergency services response team, security, Business Continuity Planning group, Fire wardens, First Aid, Public Information Officers. Computer Emergency Response Team

b. Equipment -- fire protection and suppression equipment, communications equipment, first aid supplies, emergency supplies, warning systems, emergency power equipment.

c. Facilities – Establish a Crisis Management Centre (, media briefing area, survivor reception centres, first-aid stations. Communications point, internal and external. An emergency website, either part of the corporate one or separate. Make sure people know the address of it.

d. Organisational capabilities -- training, evacuation plan, employee support system (Counselling)

e. Backup systems -- arrangements with other facilities to provide for: Identify your Business critical processes and systems.

(1) Payroll  
(2) Communications  
(3) Production  
(4) Customer services  
(5) Post room services and receiving i.e. CFM print runs  
(6) Information systems support  
(7) Emergency power  
(8) Recovery support

6. Identify External Resources

There are many external resources that could be needed in an emergency. In some cases, formal agreements may be necessary to define the facility's relationship with the following:

Local Resilience Forum (LRF) 
Fire Brigade  
Hazardous materials Health & Safety Executive  
Emergency medical services
Hospitals  
Local Police liaison
Community service organisations  
Utilities  
Key Contractors & Suppliers

7. Suppliers of emergency equipment

Insurance companies

Do an Insurance Review

Meet with Insurance Officer (Finance Dept) to review all policies and cover. (See Section 2: Recovery and Restoration.) Insurance is not a substitution to proper planning and preparedness.

8. Conduct A Vulnerability (Risk) Analysis

The next step is to assess the vulnerability of your site -- the probability and potential impact of each emergency. Use the Vulnerability (Risk) Analysis Chart in the appendix section to guide the process, which entails assigning probabilities, estimating impact and assessing resources, using a numerical system. The lower the score the better.

9. Brainstorm Potential Emergencies & Scenarios to plan for

In the first column of the chart, list all emergencies that could affect your department, including those identified by the Emergency Planning officer. Consider both:

a. Emergencies that could occur within your Site / Department b. Emergencies that could occur in your community

Historical -- What types of emergencies have occurred in the community, at this facility and at other facilities in the area?

a. b. c. d. e. f. g. h.

Fires Severe weather Hazardous material spills Transportation accidents Bomb threats

Transport strikes Terrorism and Industrial action

Utility outages

Geographic -- What can happen as a result of the facility's location?

Keep in mind:

Proximity to flood spots, electrical lines, railways, major roads etc.  
Proximity to companies that produce, store, use or transport hazardous material  
Proximity to major transportation routes and airports  
Proximity to terrorist targets.

Technological -- What could result from a process or system failure? Possibilities include:

Fire, explosion, hazardous materials incident - storage batteries  
Safety system failure  
Telecommunications failure  
Computer system failure  
Power failure  
Heating/cooling system failure  
Emergency notification system failure

Human Error -- What emergencies can be caused by employee error? Are employees trained to work safely? Do they know what to do in an emergency? Human error is the single largest cause of workplace emergencies and can result from:

Poor training  
Poor maintenance  
Carelessness  
Misconduct  
Substance abuse

f. Fatigue

Physical -- What types of emergencies could result from the design or construction of the facility? Does the physical facility enhance safety? Consider:

a. The physical construction of the facility b. Hazardous processes or by-products c. Facilities for storing combustibles 

d. Layout of equipment

e. Lighting

Evacuation routes and exits  
Proximity of survivor reception centres

Regulatory -- What emergencies or hazards are you regulated to deal with? Analyse each potential emergency from beginning to end. Consider what could happen as a result of:

Prohibited access to the facility  
Loss of electric power  
Communication lines down  
Ruptured gas mains  
Water damage  
Smoke damage  
Structural damage  
Air or water contamination  
Explosion  
Building collapse  
Trapped persons  
Chemical release

10. Estimate Probability

In the Probability column, rate the likelihood of each emergency's occurrence. This is a subjective consideration, but useful nonetheless. Use a simple scale of 1 to 5, with 1 as the lowest probability and 5 as the highest.

11. Assess the Potential Human Impact (HARM Modelling)

Analyse the potential human impact of each emergency -- the possibility of death or injury.

Assign a rating in the Human Impact column of the Vulnerability Analysis Chart. Use a 1 to 5 scale with 1 as the lowest impact and 5 as the highest.

12. Assess the Potential Property Impact

Consider the potential property for losses and damages. Again, assign a rating in the Property Impact column, 1 being the lowest impact and 5 being the highest. Consider:

Cost to replace  
Cost to set up temporary replacement  
Cost to repair

13. Assess the Potential Business Impact

Consider the potential loss of market share. Assign a rating in the Business Impact column. Again, 1 is the lowest impact and 5 the highest. Assess the impact of the following. This applies to your Department and your external (CCT) suppliers if applicable. Check your SLA’s and Contracts.

Business interruption  
Employees unable to report to work  
Customers unable to reach facility  
Authority in violation of contractual agreements  
Imposition of fines and penalties or legal costs  
Interruption of critical supplies  
Interruption of Service Delivery

14. Assess Internal and External Resources

Next assess your resources and ability to respond. Assign a score to your Internal Resources and External Resources. The lower the score the better. To help you do this, consider each potential emergency from beginning to end and each resource that would be needed to respond. For each emergency ask these questions:

Do we have the needed resources and capabilities to respond?

Will external resources be able to respond to us for this emergency as quickly as we may need them, or will they have other priority areas to serve?

If the answers are yes, move on to the next assessment. If the answers are no, identify what can be done to correct the problem. For example, you may need to:

Develop additional emergency procedures  
Conduct additional training  
Acquire additional equipment  
Establish mutual aid agreements  
Establish agreements with specialised contractors

15. Add the Columns

Total the scores for each emergency. The lower the score the better. While this is a subjective rating, the comparisons will help determine planning and resource priorities -- the subject of the pages to follow.

STEP 3 -- DEVELOP THE PLAN

You are now ready to develop a Business Continuity Planning plan. This section describes how.

PLAN COMPONENTS

Your plan should include the following basic components.

1. Executive Summary

The executive summary

Gives management a brief overview of the purpose of the plan Details the Business Continuity Planning policy Authorises the facilities and responsibilities of key personnel; Details the types of emergencies that could occur

Explains how and where response operations will be managed.

 2. Business Continuity Planning Elements This section of the plan briefly describes the facility's approach to the core elements

Cyber Resilience, which are:

Command and control Communications Life and Limb - protecting your staff and the public. Property protection Community outreach Recovery and restoration Administration and logistics.

These elements, which are described in detail in Section 2, are the foundation for the emergency procedures that your facility will follow to protect personnel and equipment and resume operations.

3. Emergency Response Procedures

The procedures spell out how the facility will respond to emergencies. Whenever possible, develop them as a series of checklists that can be quickly accessed by Senior Management, Department heads, response personnel and employees.

Determine what actions would be necessary to:

Assess the situation  
Protect employees, customers, visitors, equipment, vital records and other  assets, particularly during the first phase of the emergency  
Get the business back up and running.

Specific procedures might be needed for any number of situations such as bomb threats or fire, and for such functions as:

Warning employees and customers Communicating with personnel and community responders Conducting an evacuation and accounting for all persons in the facility Managing response activities Activating and operating an emergency operations centre Fighting fires Shutting down operations Protecting vital records Restoring operations

4. Support Documents

Documents that could be needed in an emergency include:

Emergency call lists -- lists (wallet sized if possible) of all persons on and off site who would be involved in responding to an emergency, their responsibilities and their 24-hour telephone numbers.

Building and site maps that indicate:

Utility shutoffs  
Water hydrants  
Water main valves  
Water lines  
Gas main valves  
Gas lines  
Electrical cut-offs  
Electrical substations  
Storm drains  
Sewer lines  
Location of each building (include name of building, street name and number)  
Floor plans  
Alarm and communicators  
Fire extinguishers  
Fire suppression systems  
Exits  
Stairways  
Designated escape routes  
Restricted areas  
Hazardous Materials (including cleaning supplies and chemicals)  
Copies of building plans  
Copies of telecommunication route plans (Telephone and fibre cables)  
Location of High-value items; (Deeds, Bonds, Contracts, evidence etc.)

5.Resource lists

Lists of major resources (equipment, supplies, and services) that could be needed in an emergency; mutual aid agreements with other companies and government agencies.

Emergency escape procedures and routes  
Procedures for employees who perform or shut down critical operations before an evacuation  
Procedures to account for all employees, visitors and contractors after an evacuation is completed  
Rescue and medical duties for assigned employees  
Procedures for reporting emergencies  
Names of persons or departments to be contacted for

THE DEVELOPMENT PROCESS

The following is guidance for developing the plan.

1. Identify Challenges and Prioritise Activities

Determine specific goals and milestones. Make a list of tasks to be performed, by whom and when. Determine how you will address the problem areas and resource shortfalls that were identified in the vulnerability analysis.

2. Write the Plan

Assign each member of the planning group a section to write. Determine the most appropriate format for each section.

Establish an aggressive timeline with specific goals. Provide enough time for completion of work, but not so much as to allow assignments to linger. Establish a schedule for:

First draft  
Peer review (include other sections)  
Second draft  
Tabletop exercise (invite other sections/departments to participate)  
Final draft  
Printing  
Distribution publish widely including intranet – share best practise  
Amendments procedures

3. Establish a Training Schedule

Have one person or department responsible for developing a training schedule for your facility. For specific ideas about training, refer to Step 4.

4. Coordinate with Outside Agencies and Organisations

Meet periodically with other government agencies and community organisations. Inform appropriate government agencies that you are creating a Business Continuity plan. While their official approval may not be required, they will likely have valuable insights and information to offer.

Determine central government and local requirements for reporting emergencies, and incorporate them into your procedures. Appoint a ‘logist’ to keep detailed records of all executive orders, actions and operations. Number and time record all options. This will include actions, outcomes and costs incurred, along with details of who authorised the actions.

Trigger Points and Protocols

The CRASH Gates Protocol Trigger Points can be thought of a pre-defined Consequence Relevance Acceleration Severity and Harm (CRASH) Gates.

The CRASH Gate model for assessing Cyber incident trigger points;

Consequence Scaling

Locally contained within the Organisation at a Sub-Departmental / Directorate Level
Locally contained within the Organisation at Departmental / Directorate Level
Local contained within the Organisation
Affecting multiple Organisations Sub-Regionally
Affecting multiple Organisations Regionally
Affecting multiple Organisations Nationally

Relevance Scoring

We do not have this technology in our infrastructure
We have this technology, we are fully patched.
We have this technology, we are partially patched
We have this technology, we are not patched
We have this technology, we are compromised

Severity Scoring

Not affecting our infrastructure directly
Affecting some of our infrastructure
Affecting most of our infrastructure
Affecting all of our infrastructure
Our infrastructure is over run and non-functioning

HARM Levels

The organisation is unaffected
The organisation is affected, but fully operational
The organisation is affected, and is partially operational
The organisation is compromised essential services still functioning
The organisation is compromised essential services lost.

Determine protocols and trigger points for turning command and control of a response over to outside agencies.

Some details that may need to be worked out are:

Which gate or entrance will responding emergency service units use?  
Where and to whom will they report?  
How will they be identified? How will they know you? (tabards/ID)  
How will facility personnel communicate with outside responders?  
Who will be in charge of response activities?

Determine what kind of identification authorities (Police/Fire) will require to allow your key personnel into your facility during an emergency. Develop and agree special ID cards and tabards etc. Ensure everyone is thoroughly briefed.

Produce A4 laminated cards which detail the key roles and responsibilities for each job.

Produce a pocket size card, with emergency contact numbers, and the five major points of the job role, where to report to etc.

Determine the needs of disabled persons and non-English-speaking personnel. For example, a blind employee could be assigned a partner in case an evacuation is necessary.

A disabled person is anyone who has a physical or mental impairment that substantially limits one or more major life activities, such as seeing, hearing, walking, breathing, performing manual tasks, learning, caring for oneself or working.

Be mindful of language barriers, written and verbal.

Your emergency planning priorities may be influenced by government regulation. To remain in compliance you may be required to address specific Business Continuity Planning functions that might otherwise be a lower priority activity for that given year.

5. Maintain Contact with Other Departments

Communicate with other offices and departments within the authority to learn:

Their emergency notification requirements 
The conditions where mutual assistance would be necessary 
How offices will support each other in an emergency 
Names, email, telephone numbers and mobile numbers of key personnel Incorporate this information into your procedures.

6. Conduct Training and Revise plans and procedures as necessary.

Share review information with other Departmental representatives. Use the Intranet server to publish timely information

Distribute the first draft to group members for review. Revise as needed.

For a second review, conduct a tabletop exercise with management and personnel who have a key Business Continuity Planning responsibility. In a conference room setting, describe an emergency scenario and have participants discuss their responsibilities and how they would react to the situation. Based on this discussion, identify areas of confusion and overlap, and modify the plan accordingly.

7. Seek Final Approval

Arrange a briefing for the Chief Officer and Senior Management and obtain written approval.

8. Distribute the Plan

Place the final plan in four-ring binders and number all copies and pages. Document control procedures are essential for quality and auditing.

Each individual who receives a copy should be required to sign for it and be responsible for posting subsequent changes.

Ensure the plan is published on the Intranet and kept up to date. Consider storing the plan on a secure Internet facility, this will ensure authorised people can access the plan from anywhere.

Determine which sections of the plan would be appropriate to show to other agencies (some sections may refer to Confidential Corporate or Departmental Information or include private listings of names, telephone numbers or access codes and passwords). Distribute the final plan to:

Chief Officers and Senior Managers  
Key members of the authority's emergency response organisation  
Chief Executives Office,  
Emergency Planning Unit.  
Community emergency response agencies (appropriate sections)  
Key external suppliers. Ensure you figure in their emergency plans.

Have key personnel keep a copy (paper or electronic) of the plan in their homes? Inform employees about the plan and

Consolidate emergency plans for better co-ordination. Stand-alone plans, such as Computer Disaster Recovery Plans, Fire Protection plan or Health and Safety plan, should be incorporated into one comprehensive plan.

STEP 4 -- IMPLEMENT THE PLAN

Implementation means more than simply exercising the plan during an emergency. It means acting on recommendations made during the vulnerability analysis, integrating the plan into authority operations, training employees and evaluating the plan.

INTEGRATE THE PLAN INTO DEPARTMENTAL OPERATIONS

Emergency planning must become part of the corporate culture.

Look for opportunities to build awareness; to educate and train personnel; to test procedures; to involve all levels of management, all departments and where appropriate the community in the planning process; and to make Business Continuity Planning part of what personnel do on a day-to-day basis.

Include the emergency procedures into induction training. Ensure the emergency procedures are discussed at a quarterly management

meeting as an agenda item. Build the process into all project plans.

Test how Completely the Plan has been Integrated by Asking:

How well does senior management support the responsibilities outlined in the plan?

Have emergency planning concepts been fully incorporated into the Department’s accounting, personnel and financial procedures?

How can the Council’s processes for evaluating employees and defining job classifications better address Business Continuity Planning responsibilities?

Are there opportunities for distributing emergency preparedness information through corporate newsletters, employee manuals or employee mailings?

What kinds of safety posters or other visible reminders would be helpful? Do personnel know what they should do in an emergency? 

CONDUCT TRAINING, EXERCISES AND EXERCISES

Everyone who works at or visits (Contractors) the site requires some form of training. This could include periodic employee discussion sessions to review procedures, technical training in equipment use for emergency responders, evacuation exercises and full-scale exercises. Below are basic considerations for developing a training plan.

1. Planning Considerations

Assign responsibility for developing a training plan. Consider the training and information needs for employees, contractors, visitors, managers and those with an emergency response role identified in the plan. Determine for a 12 month period:

Who will be trained?  
Who will do the training?  
What training activities will be used?  
When and where each session will take place?  
How the session will be evaluated and documented?

Use the Training Exercises and Exercises Chart in the appendix section to schedule training activities or create one of your own.

Consider how to involve community responders in training activities. Conduct reviews after each training activity. Involve both personnel and community responders in the evaluation process.

2. Training Activities

Training can take many forms:

a. Orientation and Education Sessions (Discussion Exercises) These are regularly scheduled discussion sessions to provide information, answer questions and identify needs and concerns.

b. Tabletop Exercise -- Members of the Business Continuity Planning group meet in a conference room setting to discuss their responsibilities and how they would react to emergency scenarios. This is a cost-effective and efficient way to identify areas of overlap and confusion before conducting more demanding training activities.

c. Walk-through Exercise -- The Business Continuity Planning group and response teams actually perform their emergency response functions. This activity generally involves more people and is more thorough than a tabletop

d. Functional Exercises -- These exercises test specific functions such as medical response, emergency notifications, warning and communications procedures and equipment, though not necessarily at the same time. Personnel are asked to evaluate the systems and identify problem areas.

e. Evacuation Exercise -- Personnel walk the evacuation route to a designated area where procedures for accounting for all personnel are tested. Participants are asked to make notes as they go along of what might become a hazard during an emergency, e.g., stairways cluttered with debris, smoke in the hallways. Plans are modified accordingly.

f. Full-scale Exercise -- A real-life emergency situation is simulated as closely as possible. This exercise involves authority emergency response personnel, employees, management and community response organisations.

3. Employee Training

General training for all employees should address:

Individual roles and responsibilities  
Information about threats, hazards and protective actions  
Notification, warning and communications procedures  
Means for locating family members in an emergency  
Emergency response procedures  
Evacuation, shelter and accountability procedures  
Location and use of common emergency equipment  
Emergency shutdown procedures

The scenarios developed during the vulnerability analysis can serve as the basis for training events.

4. Evaluate and Modify the Plan

Conduct a formal audit of the entire plan at least once a year. Among the issues to consider are:

How can you involve all levels of management in evaluating and updating the plan?  
Are the problem areas and resource shortfalls identified in the vulnerability analysis being sufficiently addressed?  
Does the plan reflect lessons learned from exercises and actual events?  
Do members of the Business Continuity Planning group and emergency response team understand their respective responsibilities? Have new members been trained?  
Does the plan reflect changes in the physical layout of the facility? Does it  reflect new facility processes?
Are photographs and other records of facility assets up to date?  
Is the facility attaining its training objectives?  
Have the hazards in the facility changed? (H&S Risk Assessments)  
Are the names, titles and telephone numbers in the plan current?  
Are steps being taken to incorporate Business Continuity Planning into the business processes?  
Have community agencies and organisations been briefed on the plan? Are they involved in evaluating the plan?

In addition to a yearly audit, evaluate and modify the plan at these times:

After each training exercise  
After each emergency  
When personnel or their responsibilities change  
When the layout or design of the facility changes  
When policies or procedures change  
Remember to brief personnel on changes to the plan.

Audit:

Conduct a formal audit of the entire plan at least once a year

Appendix A

Business Continuity Planning Toolkit with Risk Assessment diagnostics

Organisation Name [BUSINESS CONTINUITY PLAN COMPONENTS]

[Change all headings as required]

Directorate / Department:

Contact Name: 

E-Mail:

Business Continuity Planning Outline  
Business Continuity Plan Template

III. Business Continuity Plan Worksheets A. Checklist

B. Business Process Template C. Recovery Procedures Template D. Risk Assessment Worksheets

Date Completed:

Phone:

Written by: _____________________________________Date:____________ Written by: _____________________________________Date:____________

Review Date: [. ]

I. Business Continuity Planning Outline Phase One

Identify Current Mission-Critical Business Processes (See Operations Plan for starting point)  
Assess Impact or Importance of Business Processes, considering:  
Health and Safety  
Revenue or Cash Flow (Treasury) implications  
Number of Citizens, Businesses, or Employees Impacted  
Central Government Reporting Requirements

Public Perception

Identify Resources and Dependencies  
Evaluate Risk or Likelihood of Failure  
Application Systems and Interfaces  
IT Infrastructure

Third Party Products

Supply Chain  
Infrastructure (Facilities, Telecom, Utilities)

Establish Priority Based upon Impact and Risk

Phase Two

Develop Business Continuity Plan Based upon Available Resources and Time Make Assumptions to Focus Plan

Devise Alternatives to Complete Core Business Processes, considering: Roles & Responsibilities Communication Channels Manual Work arounds

Triggering Events Who Invokes the Plan Required Training & Preparation How & Who Maintains the Plan Needed Supplies & Equipment Additional Staffing Needs What Ends the Plan Clean-Up

Review for Completeness

Phase Three

Exercise the Plan Make Modifications as Needed

II. Business Continuity Plan Template

The following sections are included in a Contingency Plan Template. It is a sample template, therefore, sections may be added or deleted as appropriate.

Phase I

PROCESS: Provide the name and a brief overview of the critical business function as it

currently exists. PRIORITY:

Determine the priority of this contingency plan relative to the other contingency plans, if multiple failures occur within an authority. Use this section if applicable.

RISK DESCRIPTION:

Describe in simple terms the risk concern and the impact to the authority. Include the nature and likelihood of expected disruptions or impacts. For example:- Electrical power is unavailable. If processing cannot be resumed within 3 days, Client checks will be late.  
Describe briefly any significant dependencies or linkages of the business process with programs within the authority, with other authorities, or with other parties either inside or outside of central or regional or place based partnership  
State explicitly any assumptions, which your Directorate or Business Unit is making in this contingency plan.  MITIGATING STRATEGIES:

Provide a brief conceptual description of how the contingency plan for the business process is intended to work.

For example:- Conduct additional quality assurance review of documents prior to mailing.

Set up account in advance with alternate supplier(s) and establish procedures for using the alternate supplier.

Investigate feasibility and cost of an uninterruptible power supply.

Describe the level of services to be provided during the disruption.

For example:

Provide continuation of normal operations.

Provide continuation of service in a degraded mode.

Provide complete departure from normal functions as quickly

Business Continuity Planning Guide

Phase 2

ACTIVATION TRIGGER(S): Describe the specific events or conditions that will trigger or invoke the plan.

For example:

Employees can’t access building entry via electronic access cards or tokens.

RECOVERY PROCEDURES:

Describe the expected life or duration of the contingency plan.  For example: How long it might be necessary to operate under the plan.  Any special timing-related constraints, e.g., back-up batteries need re-charging after 10 hours.  
Provide detailed, step-by-step procedures for initiating and executing contingency operations, and for transitioning back to normal (non-contingency) operations with the names of the persons who are to serve specific roles regarding the plan.  For example: Initiate internal and vendor list notification procedures – Responsibility: Ms. X Get backup listings from off-site storage – Responsibility: Mr. Y Contact alternate supplier to provide needed supplies – Responsibility:

IMPLEMENTATION:

Name BCP Coordinator and Team

Provide the name and contact information of the person who will give the order to invoke the plan.

Provide the name of the person who will give the order to return to normal operations.

Provide a brief description of significant resources needed to implement, execute, and transition out of contingency operation. Also identify the person who is responsible for acquiring these resources, as events may warrant.

For example: Staffing and scheduling of personnel. Equipment, temporary hardware and software, forms and supplies, etc. Possible temporary working facilities. Communications, both verbal and data.

Phase 3

Provide a brief description of any training or exercising of the plan that will be necessary.

For example: Perform a structured walk-through to ensure that all the processes will work as expected.

Perform an exercise or “dry-run” to ensure that all the processes work.

Perform a “mock” exercise with required staff and vendors on a non-work day.

In continuity planning, the maintenance process ensures that people and process aspects of the plan which need additional work are properly addressed and corrected.

The following types of maintenance should be conducted for every business continuity plan in your Directorate or Business Unit:

o Scheduled o Unscheduled o Post exercised

BUSINESS CONTINUITY PLANNING WORKSHEETS

A. Checklist 

B. Business Process Template 

C. Recovery Procedures Template

D. Risk Assessment Worksheets

COMPONENTS OF A Cyber Resilience Plan

CHECKLIST

Checklist Components

AUTHORITY: Authority Name * PROCESS: Business Process Name * Business Process Overview PRIORITY:

Priority within authority

RISK DESCRIPTION:

Risk Description Impact of Risk on Authority Nature and likelihood of disruptions Dependencies upon business process Assumptions MITIGATING STRATEGIES: Mitigating Strategies description Level of service to be provided

ACTIVATION TRIGGER(S): Activation Trigger(s) * 

RECOVERY PROCEDURES: Duration of contingency plan Recovery Procedures/Work-Around * Responsible person for each action

IMPLEMENTATION: Person invoking plan Person ordering return to normal operations Resources Required *

MAINTAINING/EXERCISING PLAN Training Required Exercising Required Person responsible to obtain resources Maintenance Required

Business Process [Title]

Process:

Priority:

Risk Description:

Mitigating Strategies:

Activation Trigger(s):

CONTINGENCY PLAN

RECOVERY PROCEDURE ACTION PLAN Recovery Procedures (Action Plan):

Duration:

Implementation: Person Responsible:

Invokes Plan:

Return to Normal Operations:

Resources Required:

(Staff, supplies, etc.)

Sample Risk Assessment Worksheet

Purpose and Directions Purpose:

This worksheet is intended to provide a framework for answering the following questions for a particular business process:

Where could a potential failure occur?  
Does it impact this business process? If so, how much?  
What has been done or is in progress to mitigate the threat of a failure?

Based on the answers to the above questions: 4. What is the remaining risk?

By answering the last question, you should be in a better position to focus your contingency planning efforts, particularly which business processes are most in need of contingency planning and what specific failures do the contingency plans need to address and at what level of detail.

Directions:

Choose a particular business process.

Review the areas of concern to determine if any need to be added or expanded upon that are specific to the business process. Modify spreadsheet as

appropriate. Note: the Remediation or Mitigation Status Values are stored in columns E-I, which are hidden.

For each area of concern, assign a level of dependency of High, Medium, Low, or Not Applicable (or blank).

Choose from the drop-down list of choices for the Remediation or Mitigation Status. This information will most likely come from the individuals within your authority that are responsible for status reports. If the choices do not properly reflect your status, type in your own status description.

Based on the level of dependency and the remediation or mitigation status, assess the remaining risk and assign a value of High, Medium, or Low. Alternatively, you may choose to comment on your analysis rather than assign a specific level of risk.

Once you have determined the highest remaining risk areas, focus your Contingency Planning initiative to address the risk areas. This would include which business processes need contingency plans, how detailed the plans should be, and

RISK ASSESSMENT WORKSHEET

Directorate/ Business Unit

Business Process:

Areas of Concern Mitigation status

Risk Assessment (H/M/L)

Level of Dependency (H/M/L)

Hardware Operating System 

Third Party Software 

Utilities/Macros Date-Impacted

Custom Source Code/SCL 

Internal Interfaces 

External Interfaces (Banks, Government Agencies, Other NC)

Shared Data  Communications/Network

Hardware Operating System Third Party Software

Telephone Switches

Voice Mail Voice Response Units Customer Service Centre reliance Mobile Phones Pagers Fax

Power Water/Sewer Fire Alarm Systems Security Systems Building Control Systems Parking Control Systems

Application Interfaces Hardware Infrastructure Supplier Support

PC/LAN

COMMUNICATIONS

FACILITIES

DEPENDENCIES

PreviousPost PSN Assurance Process (P2AP) - Strawman NextFast Time Cyber Collaboration & Communications

Last updated 2 years ago