Local Authority Cyber Resilience Planning Guide
This guide is to assist managers in preparing and implementing Business Continuity Plans, to aid Cyber Resilience.
(C) 2003-2021 Mark Brett
June 2021 Version 3
Background
The events of 11th September 2001, the London bombings of 7th July 2005 and the WannaCry malware incidents across the NHS have caused many organisations to consider an annual review process for their Business Continuity Planning.
The guide aims to mitigate the impact of unforeseen events on the business. Subsequently, the Civil Contingencies Act 2004 and the events of 7th July 2005 have also heightened the need for a robust Business Continuity planning framework. In today's interconnected, Internet-driven world such planning is even more important. The shift to Cloud computing is making this even more difficult.
This guide was originally written in 2003 and has been updated over the years. The approach is still sound and this is a continuing work in progress.
Mark Brett MRes CITP CMngr FICPEM FBCS FCMI MCIIS MEPS MSyI
Honorary Visiting Fellow (Cyber Security)
Cyber Centre London Metropolitan University
You're welcome to make use of the contents of this document for non-commercial purposes, including Public Sector use. However, I would ask that you acknowledge the fact in your derived work.
INTRODUCTION
Every year unforeseen emergencies take their toll on business and industry -- in lost business and escalated costs. Something can be done. Business and industry can limit the impact and losses, returning quickly to normal operations if they plan ahead.
This guide provides step-by-step advice on how to create and maintain a comprehensive Business Continuity Planning Programme.
To begin, you need not have in-depth knowledge of Cyber Resilience. What you need is the authority to create a plan and a commitment from the Chief Officer to make Business Continuity Planning part of the corporate culture. If you already have a plan, use this guide as a resource to assess and update your plan. The guide is organised as follows:
Section 1: 4 Steps in the Planning Process -- how to form a planning team; how to conduct a vulnerability analysis; how to develop a plan; and how to implement the plan. The information can be applied to virtually any type of business or industry.
Section 2: Business Continuity Planning Considerations -- how to build such Business Continuity Planning capabilities as Health & Safety, Property Protection, Communications and Community Outreach.
Section 3: Hazard-Specific Information -- technical information about specific hazards your building or site may face.
Section 4: Information Sources -- where to turn for additional information.
Appendix A BCM plan and risk assessment toolkit
What Is an Emergency?
An emergency is any unplanned event that can cause disruption or significant injuries to employees, customers or the public; or that can shut down your business, disrupt operations, cause physical or environmental damage, or threaten the facility's financial standing or public image. Obviously, numerous events can be "emergencies," including:
1. Fire
2. Hazardous materials incident
3. Flood or flash flood
4. Terrorist Incident
5. Malicious Incident (public or Employee)
6. Winter storm (Weather)
7. Communications failure
8. Civil disturbance (Transport strikes)
9. Loss of key supplier or customer
10. Explosion (Gas etc)
The term "disaster" has been left out of this document because it lends itself to a preconceived notion of a large-scale event, usually a "natural disaster." In fact, each event must be addressed within the context of the impact it has on the authority and the community. What might constitute a nuisance to the Council in general could be a "disaster" to a section or department.
What Is Cyber Resilience?
Cyber Resilience is the process of preparing for, mitigating, responding to and recovering from an emergency that involves Cyber, that is, a system or service which is delivered by a network or the Internet to a remote device, often through a web browser.
Business Continuity Planning is a dynamic process. Planning, though critical, is not the only component. Training, conducting exercises, testing equipment and co-ordinating activities with the community are other important functions.
Making the "Case" for Cyber Resilience
To be successful, Business Continuity Planning requires senior management support. The chief executive sets the tone by authorising planning to take place and directing senior management to get involved.
When presenting the "case" for Cyber Resilience, avoid dwelling on the negative effects of an emergency (e.g., deaths, fines, and criminal prosecution) and emphasise the positive aspects of preparedness. For example:
1. It helps the Council fulfil its moral responsibility to protect employees, the community and the environment.
2. It facilitates compliance with regulatory requirements such as Health & Safety.
3. It enhances the Council’s ability to recover from financial losses, regulatory fines, complaints from members and the public, damage to equipment and business interruption.
4. It reduces exposure to civil or criminal liability in the event of an incident.
5. It enhances the Council’s image and credibility with employees, customers, suppliers and the community.
SECTION 1
4 STEPS IN THE PLANNING PROCESS
Having established what you are planning for (the scope):
Step 1 -- Establish a Planning Team
Step 2 -- Analyse Capabilities and Hazards
Step 3 -- Develop the Plan
Step 4 -- Implement the Plan
There must be an individual or group in charge of developing the Business Continuity Plan. The following is guidance for making the appointment.
1. Form the Team.
The size of the planning team will depend on the department’s operations, requirements and resources. Usually involving a group of people is best because:
a. It encourages participation and gets more people invested in the process.
b. It increases the amount of time and energy participants are able to give.
c. It enhances the visibility and stature of the planning process.
d. It provides for a broad perspective on the issues.
Determine who can be an active member and who can serve in an advisory capacity. In most cases, one or two people will be doing the bulk of the work.
Some of the planning and co-ordination could be outsourced to Emergency Planning. At the very least, you should obtain input from all functional areas. Remember:
a. Senior management
b. Line management
c. Personnel and Occupational Health
d. Engineering and maintenance
e. Health & Safety
f. Public information officer (Press & Publicity)
g. Security
h. Community relations and groups
i. Councillors as appropriate
j. Departmental Representatives (Operational Service Delivery)
k. Legal Services
l. Finance and purchasing
Have participants appointed in writing by senior management. Their job descriptions could also reflect this assignment and extra duties.
2. Establish Authority.
Demonstrate management's commitment and promote an atmosphere of empowerment by "authorising" the planning group to take the steps necessary to develop a plan. The Chief Officer or the Business Unit Manager should lead the group. Establish a clear line of authority between group members and the group leader, though not so rigid as to prevent the free flow of ideas.
3. Issue a Mission Statement – Which quantifies the purpose and scope of the plan.
Have the Chief Executive or Service/Business Unit Manager issue a mission statement to demonstrate the authority’s commitment to Cyber Resilience. The statement should:
Define the purpose of the plan and indicate that it will involve the entire organisation.
Define the authority and structure of the planning group.
4. Establish a Schedule and Budget
Establish a work schedule and planning deadlines. Timelines can be modified as priorities become more clearly defined.
Develop an initial budget for such things as research, printing, seminars, consulting services and other expenses that may be necessary during the development process.
This step entails gathering information about current capabilities and about possible hazards and emergencies, and then conducting a vulnerability analysis to determine the facility's capabilities for handling emergencies.
1. WHERE DO YOU STAND RIGHT NOW? Establishing a baseline
Review Internal Plans and Policies. Documents to look for include:
a. Evacuation plan
b. Fire protection plan
c. Health & Safety procedures
d. Environmental policies
e. Security procedures
f. Insurance programs
g. Finance and purchasing procedures
h. Quality Procedures
i. Personnel Handbook
j. Internal SLAs and External Contracts.
k. Health & Safety risk assessments
l. Risk management plan
m. Capital improvement program
n. Mutual aid agreements
2. Establish Partnerships
Meet with external agencies, community organisations and utilities. Ask about potential emergencies and about their plans and available resources for responding.
Sources of information include:
Local Resilience Forum Coordinator
Emergency Planning Officer
Local Hospital
Local Community Liaison Groups
Fire Brigade
Local Police
Ambulance
Telecommunications Companies
Cellular providers
Electric, Gas and Water Utilities
Neighbouring Authorities
Web sites, see: http://www.ukresilience.info/contingencies/cont_index.htm
Business Continuity Institute, see: www.thebci.org
Association of Local Authority Risk Managers: http://www.alarm-uk.com/
Society of Information Technology Management (SOCITM): www.socitm.net
Emergency Planning Society: http://www.emergplansoc.org.uk/
3. Identify Codes and Regulations
Identify applicable legislation and local regulations such as:
Occupational Health & Safety regulations
Environmental regulations
Fire procedure codes
Corporate policies
4. Identify Critical Services and Operations
You'll need this information to assess the impact of potential emergencies and to determine the need for backup systems. Areas to review include:
Council services and the facilities and equipment needed to produce them
Products and services provided by suppliers, especially sole source vendors
Lifeline services such as electrical power, water, sewer, gas, telecommunications and transportation
Operations, equipment and personnel vital to the continued functioning of the facility
5. Identify Internal Resources and Capabilities
Resources and capabilities that could be needed in an emergency include:
a. Personnel -- Fire, Police and Ambulance, Council Emergency services response team, security, Business Continuity Planning group, Fire wardens, First Aid, Public Information Officers, Computer Emergency Response Team.
b. Equipment -- fire protection and suppression equipment, communications equipment, first aid supplies, emergency supplies, warning systems, emergency power equipment.
c. Facilities -- Establish a Crisis Management Centre, media briefing area, survivor reception centres, first-aid stations. Communications point, internal and external. An emergency website, either part of the corporate one or separate. Make sure people know the address of it.
d. Organisational capabilities -- training, evacuation plan, employee support system (Counselling)
e. Backup systems -- Identify your business-critical processes and systems, and make arrangements with other facilities to provide for:
(1) Payroll
(2) Communications
(3) Production
(4) Customer services
(5) Post room services and receiving i.e. CFM print runs
(6) Information systems support
(7) Emergency power
(8) Recovery support
6. Identify External Resources
There are many external resources that could be needed in an emergency. In some cases, formal agreements may be necessary to define the facility's relationship with the following:
Local Resilience Forum (LRF)
Fire Brigade
Hazardous materials Health & Safety Executive
Emergency medical services
Hospitals
Local Police liaison
Community service organisations
Utilities
Key Contractors & Suppliers
Suppliers of emergency equipment
Insurance companies
7. Do an Insurance Review
Meet with the Insurance Officer (Finance Dept) to review all policies and cover. (See Section 2: Recovery and Restoration.) Insurance is not a substitute for proper planning and preparedness.
8. Conduct A Vulnerability (Risk) Analysis
The next step is to assess the vulnerability of your site -- the probability and potential impact of each emergency. Use the Vulnerability (Risk) Analysis Chart in the appendix section to guide the process, which entails assigning probabilities, estimating impact and assessing resources, using a numerical system. The lower the score the better.
9. Brainstorm Potential Emergencies & Scenarios to plan for
In the first column of the chart, list all emergencies that could affect your department, including those identified by the Emergency Planning officer. Consider both:
a. Emergencies that could occur within your Site / Department
b. Emergencies that could occur in your community
Historical -- What types of emergencies have occurred in the community, at this facility and at other facilities in the area?
a. Fires
b. Severe weather
c. Hazardous material spills
d. Transportation accidents
e. Bomb threats
f. Transport strikes
g. Terrorism and Industrial action
h. Utility outages
Geographic -- What can happen as a result of the facility's location?
Keep in mind:
Proximity to flood spots, electrical lines, railways, major roads etc.
Proximity to companies that produce, store, use or transport hazardous material
Proximity to major transportation routes and airports
Proximity to terrorist targets.
Technological -- What could result from a process or system failure? Possibilities include:
Fire, explosion, hazardous materials incident - storage batteries
Safety system failure
Telecommunications failure
Computer system failure
Power failure
Heating/cooling system failure
Emergency notification system failure
Human Error -- What emergencies can be caused by employee error? Are employees trained to work safely? Do they know what to do in an emergency? Human error is the single largest cause of workplace emergencies and can result from:
a. Poor training
b. Poor maintenance
c. Carelessness
d. Misconduct
e. Substance abuse
f. Fatigue
Physical -- What types of emergencies could result from the design or construction of the facility? Does the physical facility enhance safety? Consider:
a. The physical construction of the facility
b. Hazardous processes or by-products
c. Facilities for storing combustibles
d. Layout of equipment
e. Lighting
f. Evacuation routes and exits
g. Proximity of survivor reception centres
Regulatory -- What emergencies or hazards are you regulated to deal with? Analyse each potential emergency from beginning to end. Consider what could happen as a result of:
Prohibited access to the facility
Loss of electric power
Communication lines down
Ruptured gas mains
Water damage
Smoke damage
Structural damage
Air or water contamination
Explosion
Building collapse
Trapped persons
Chemical release
10. Estimate Probability
In the Probability column, rate the likelihood of each emergency's occurrence. This is a subjective consideration, but useful nonetheless. Use a simple scale of 1 to 5, with 1 as the lowest probability and 5 as the highest.
11. Assess the Potential Human Impact (HARM Modelling)
Analyse the potential human impact of each emergency -- the possibility of death or injury.
Assign a rating in the Human Impact column of the Vulnerability Analysis Chart. Use a 1 to 5 scale with 1 as the lowest impact and 5 as the highest.
12. Assess the Potential Property Impact
Consider the potential for property losses and damage. Again, assign a rating in the Property Impact column, 1 being the lowest impact and 5 being the highest. Consider:
Cost to replace
Cost to set up temporary replacement
Cost to repair
13. Assess the Potential Business Impact
Consider the potential loss of market share. Assign a rating in the Business Impact column. Again, 1 is the lowest impact and 5 the highest. Assess the impact of the following. This applies to your Department and your external (CCT) suppliers if applicable. Check your SLAs and Contracts.
Business interruption
Employees unable to report to work
Customers unable to reach facility
Authority in violation of contractual agreements
Imposition of fines and penalties or legal costs
Interruption of critical supplies
Interruption of Service Delivery
14. Assess Internal and External Resources
Next assess your resources and ability to respond. Assign a score to your Internal Resources and External Resources. The lower the score the better. To help you do this, consider each potential emergency from beginning to end and each resource that would be needed to respond. For each emergency ask these questions:
Do we have the needed resources and capabilities to respond?
Will external resources be able to respond to us for this emergency as quickly as we may need them, or will they have other priority areas to serve?
If the answers are yes, move on to the next assessment. If the answers are no, identify what can be done to correct the problem. For example, you may need to:
Develop additional emergency procedures
Conduct additional training
Acquire additional equipment
Establish mutual aid agreements
Establish agreements with specialised contractors
15. Add the Columns
Total the scores for each emergency. The lower the score the better. While this is a subjective rating, the comparisons will help determine planning and resource priorities -- the subject of the pages to follow.
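The scoring in steps 9 to 15, worked through as an added example (it is not part of the original guide or its appendix chart). It assumes the two resource columns use the same 1 to 5 scale as the others, with 5 meaning the weakest resources; the emergencies, ratings and the `weak_at` cut-off are constructed for illustration.

```python
import csv
import io

# Columns of the Vulnerability (Risk) Analysis Chart, in the order of steps 10-14.
RATING_COLUMNS = ["probability", "human_impact", "property_impact",
                  "business_impact", "internal_resources", "external_resources"]
VALID_RATINGS = {"1", "2", "3", "4", "5"}

# Constructed sample chart: emergencies and ratings are illustrative only.
SAMPLE_CHART = """emergency,probability,human_impact,property_impact,business_impact,internal_resources,external_resources
Ransomware on corporate network,4,2,3,5,4,3
Power failure at data centre,3,1,3,4,2,2
Flood at main office,2,3,4,3,3,2
Loss of key supplier,2,1,1,4,3,4
"""


def load_chart(text):
    """Parse chart rows and total them, rejecting ratings outside 1-5."""
    rows = []
    for line_no, record in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        row = {"emergency": record["emergency"].strip()}
        for col in RATING_COLUMNS:
            raw = (record.get(col) or "").strip()
            if raw not in VALID_RATINGS:
                raise ValueError(f"line {line_no}: {col}={raw!r} is not a rating from 1 to 5")
            row[col] = int(raw)
        # Step 15: add the columns. The lower the total, the better.
        row["total"] = sum(row[col] for col in RATING_COLUMNS)
        rows.append(row)
    return rows


def prioritise(rows):
    """Order emergencies by total, highest first (ties broken by name)."""
    return sorted(rows, key=lambda r: (-r["total"], r["emergency"]))


def resource_gaps(rows, weak_at=4):
    """Map each emergency to the resource columns scored at or above weak_at.

    weak_at is an assumed cut-off for a 'no' answer to the step 14 questions;
    the guide itself does not define one.
    """
    gaps = {}
    for row in rows:
        weak = [c for c in ("internal_resources", "external_resources") if row[c] >= weak_at]
        if weak:
            gaps[row["emergency"]] = weak
    return gaps


if __name__ == "__main__":
    chart = load_chart(SAMPLE_CHART)
    for row in prioritise(chart):
        print(f"{row['total']:>3}  {row['emergency']}")
    for name, weak in resource_gaps(chart).items():
        print(f"Resource shortfall: {name} -> {', '.join(weak)}")
```
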
You are now ready to develop a Business Continuity Plan. This section describes how.
PLAN COMPONENTS
Your plan should include the following basic components.
1. Executive Summary
The executive summary:
Gives management a brief overview of the purpose of the plan
Details the Business Continuity Planning policy
Authorises the facilities and responsibilities of key personnel
Details the types of emergencies that could occur
Explains how and where response operations will be managed.
2. Business Continuity Planning Elements
This section of the plan briefly describes the facility's approach to the core elements of Cyber Resilience, which are:
Command and control
Communications
Life and Limb - protecting your staff and the public.
Property protection
Community outreach
Recovery and restoration
Administration and logistics.
These elements, which are described in detail in Section 2, are the foundation for the emergency procedures that your facility will follow to protect personnel and equipment and resume operations.
3. Emergency Response Procedures
The procedures spell out how the facility will respond to emergencies. Whenever possible, develop them as a series of checklists that can be quickly accessed by Senior Management, Department heads, response personnel and employees.
Determine what actions would be necessary to:
Assess the situation
Protect employees, customers, visitors, equipment, vital records and other assets, particularly during the first phase of the emergency
Get the business back up and running.
Specific procedures might be needed for any number of situations such as bomb threats or fire, and for such functions as:
Warning employees and customers
Communicating with personnel and community responders
Conducting an evacuation and accounting for all persons in the facility
Managing response activities
Activating and operating an emergency operations centre
Fighting fires
Shutting down operations
Protecting vital records
Restoring operations
4. Support Documents
Documents that could be needed in an emergency include:
Emergency call lists -- lists (wallet sized if possible) of all persons on and off site who would be involved in responding to an emergency, their responsibilities and their 24-hour telephone numbers.
Building and site maps that indicate:
Utility shutoffs
Water hydrants
Water main valves
Water lines
Gas main valves
Gas lines
Electrical cut-offs
Electrical substations
Storm drains
Sewer lines
Location of each building (include name of building, street name and number)
Floor plans
Alarm and communicators
Fire extinguishers
Fire suppression systems
Exits
Stairways
Designated escape routes
Restricted areas
Hazardous Materials (including cleaning supplies and chemicals)
Copies of building plans
Copies of telecommunication route plans (Telephone and fibre cables)
Location of High-value items; (Deeds, Bonds, Contracts, evidence etc.)
5. Resource lists
Lists of major resources (equipment, supplies, and services) that could be needed in an emergency; mutual aid agreements with other companies and government agencies.
Emergency escape procedures and routes
Procedures for employees who perform or shut down critical operations before an evacuation
Procedures to account for all employees, visitors and contractors after an evacuation is completed
Rescue and medical duties for assigned employees
Procedures for reporting emergencies
Names of persons or departments to be contacted for
THE DEVELOPMENT PROCESS
The following is guidance for developing the plan.
1. Identify Challenges and Prioritise Activities
Determine specific goals and milestones. Make a list of tasks to be performed, by whom and when. Determine how you will address the problem areas and resource shortfalls that were identified in the vulnerability analysis.
2. Write the Plan
Assign each member of the planning group a section to write. Determine the most appropriate format for each section.
Establish an aggressive timeline with specific goals. Provide enough time for completion of work, but not so much as to allow assignments to linger. Establish a schedule for:
First draft
Peer review (include other sections)
Second draft
Tabletop exercise (invite other sections/departments to participate)
Final draft
Printing
Distribution -- publish widely, including on the intranet; share best practice
Amendments procedures
3. Establish a Training Schedule
Have one person or department responsible for developing a training schedule for your facility. For specific ideas about training, refer to Step 4.
4. Coordinate with Outside Agencies and Organisations
Meet periodically with other government agencies and community organisations. Inform appropriate government agencies that you are creating a Business Continuity plan. While their official approval may not be required, they will likely have valuable insights and information to offer.
Determine central government and local requirements for reporting emergencies, and incorporate them into your procedures. Appoint a ‘logist’ to keep detailed records of all executive orders, actions and operations. Number and time record all options. This will include actions, outcomes and costs incurred, along with details of who authorised the actions.
The CRASH Gates: protocol trigger points can be thought of as pre-defined Consequence, Relevance, Acceleration, Severity and Harm (CRASH) Gates.
The CRASH Gate model for assessing Cyber incident trigger points:
Consequence Scaling
Locally contained within the Organisation at a Sub-Departmental / Directorate Level
Locally contained within the Organisation at Departmental / Directorate Level
Locally contained within the Organisation
Affecting multiple Organisations Sub-Regionally
Affecting multiple Organisations Regionally
Affecting multiple Organisations Nationally
Relevance Scoring
We do not have this technology in our infrastructure
We have this technology, we are fully patched.
We have this technology, we are partially patched
We have this technology, we are not patched
We have this technology, we are compromised
Severity Scoring
Not affecting our infrastructure directly
Affecting some of our infrastructure
Affecting most of our infrastructure
Affecting all of our infrastructure
Our infrastructure is overrun and non-functioning
HARM Levels
The organisation is unaffected
The organisation is affected, but fully operational
The organisation is affected, and is partially operational
The organisation is compromised, essential services still functioning
The organisation is compromised, essential services lost.
Determine protocols and trigger points for turning command and control of a response over to outside agencies.
Some details that may need to be worked out are:
Which gate or entrance will responding emergency service units use?
Where and to whom will they report?
How will they be identified? How will they know you? (tabards/ID)
How will facility personnel communicate with outside responders?
Who will be in charge of response activities?
Determine what kind of identification authorities (Police/Fire) will require to allow your key personnel into your facility during an emergency. Develop and agree special ID cards and tabards etc. Ensure everyone is thoroughly briefed.
Produce A4 laminated cards which detail the key roles and responsibilities for each job.
Produce a pocket size card, with emergency contact numbers, and the five major points of the job role, where to report to etc.
Determine the needs of disabled persons and non-English-speaking personnel. For example, a blind employee could be assigned a partner in case an evacuation is necessary.
A disabled person is anyone who has a physical or mental impairment that substantially limits one or more major life activities, such as seeing, hearing, walking, breathing, performing manual tasks, learning, caring for oneself or working.
Be mindful of language barriers, written and verbal.
Your emergency planning priorities may be influenced by government regulation. To remain in compliance you may be required to address specific Business Continuity Planning functions that might otherwise be a lower priority activity for that given year.
5. Maintain Contact with Other Departments
Communicate with other offices and departments within the authority to learn:
Their emergency notification requirements
The conditions where mutual assistance would be necessary
How offices will support each other in an emergency
Names, email, telephone numbers and mobile numbers of key personnel
Incorporate this information into your procedures.
6. Conduct Training and Revise plans and procedures as necessary.
Share review information with other Departmental representatives. Use the Intranet server to publish timely information
Distribute the first draft to group members for review. Revise as needed.
For a second review, conduct a tabletop exercise with management and personnel who have a key Business Continuity Planning responsibility. In a conference room setting, describe an emergency scenario and have participants discuss their responsibilities and how they would react to the situation. Based on this discussion, identify areas of confusion and overlap, and modify the plan accordingly.
7. Seek Final Approval
Arrange a briefing for the Chief Officer and Senior Management and obtain written approval.
8. Distribute the Plan
Place the final plan in four-ring binders and number all copies and pages. Document control procedures are essential for quality and auditing.
Each individual who receives a copy should be required to sign for it and be responsible for posting subsequent changes.
Ensure the plan is published on the Intranet and kept up to date. Consider storing the plan on a secure Internet facility; this will ensure authorised people can access the plan from anywhere.
Determine which sections of the plan would be appropriate to show to other agencies (some sections may refer to Confidential Corporate or Departmental Information or include private listings of names, telephone numbers or access codes and passwords). Distribute the final plan to:
Chief Officers and Senior Managers
Key members of the authority's emergency response organisation
Chief Executives Office,
Emergency Planning Unit.
Community emergency response agencies (appropriate sections)
Key external suppliers. Ensure you figure in their emergency plans.
Have key personnel keep a copy (paper or electronic) of the plan in their homes. Inform employees about the plan and
Consolidate emergency plans for better co-ordination. Stand-alone plans, such as Computer Disaster Recovery Plans, Fire Protection plan or Health and Safety plan, should be incorporated into one comprehensive plan.
Implementation means more than simply exercising the plan during an emergency. It means acting on recommendations made during the vulnerability analysis, integrating the plan into authority operations, training employees and evaluating the plan.
INTEGRATE THE PLAN INTO DEPARTMENTAL OPERATIONS
Emergency planning must become part of the corporate culture.
Look for opportunities to build awareness; to educate and train personnel; to test procedures; to involve all levels of management, all departments and where appropriate the community in the planning process; and to make Business Continuity Planning part of what personnel do on a day-to-day basis.
Include the emergency procedures into induction training. Ensure the emergency procedures are discussed at a quarterly management meeting as an agenda item. Build the process into all project plans.
Test how Completely the Plan has been Integrated by Asking:
How well does senior management support the responsibilities outlined in the plan?
Have emergency planning concepts been fully incorporated into the Department’s accounting, personnel and financial procedures?
How can the Council’s processes for evaluating employees and defining job classifications better address Business Continuity Planning responsibilities?
Are there opportunities for distributing emergency preparedness information through corporate newsletters, employee manuals or employee mailings?
What kinds of safety posters or other visible reminders would be helpful? Do personnel know what they should do in an emergency?
CONDUCT TRAINING AND EXERCISES
Everyone who works at or visits (Contractors) the site requires some form of training. This could include periodic employee discussion sessions to review procedures, technical training in equipment use for emergency responders, evacuation exercises and full-scale exercises. Below are basic considerations for developing a training plan.
1. Planning Considerations
Assign responsibility for developing a training plan. Consider the training and information needs for employees, contractors, visitors, managers and those with an emergency response role identified in the plan. Determine for a 12 month period:
Who will be trained?
Who will do the training?
What training activities will be used?
When and where each session will take place?
How the session will be evaluated and documented?
Use the Training Exercises and Exercises Chart in the appendix section to schedule training activities or create one of your own.
Consider how to involve community responders in training activities. Conduct reviews after each training activity. Involve both personnel and community responders in the evaluation process.
2. Training Activities
Training can take many forms:
a. Orientation and Education Sessions (Discussion Exercises) -- These are regularly scheduled discussion sessions to provide information, answer questions and identify needs and concerns.
b. Tabletop Exercise -- Members of the Business Continuity Planning group meet in a conference room setting to discuss their responsibilities and how they would react to emergency scenarios. This is a cost-effective and efficient way to identify areas of overlap and confusion before conducting more demanding training activities.
c. Walk-through Exercise -- The Business Continuity Planning group and response teams actually perform their emergency response functions. This activity generally involves more people and is more thorough than a tabletop.
d. Functional Exercises -- These exercises test specific functions such as medical response, emergency notifications, warning and communications procedures and equipment, though not necessarily at the same time. Personnel are asked to evaluate the systems and identify problem areas.
e. Evacuation Exercise -- Personnel walk the evacuation route to a designated area where procedures for accounting for all personnel are tested. Participants are asked to make notes as they go along of what might become a hazard during an emergency, e.g., stairways cluttered with debris, smoke in the hallways. Plans are modified accordingly.
f. Full-scale Exercise -- A real-life emergency situation is simulated as closely as possible. This exercise involves authority emergency response personnel, employees, management and community response organisations.
3. Employee Training
General training for all employees should address:
Individual roles and responsibilities
Information about threats, hazards and protective actions
Notification, warning and communications procedures
Means for locating family members in an emergency
Emergency response procedures
Evacuation, shelter and accountability procedures
Location and use of common emergency equipment
Emergency shutdown procedures
The scenarios developed during the vulnerability analysis can serve as the basis for training events.
4. Evaluate and Modify the Plan
Conduct a formal audit of the entire plan at least once a year. Among the issues to consider are:
How can you involve all levels of management in evaluating and updating the plan?
Are the problem areas and resource shortfalls identified in the vulnerability analysis being sufficiently addressed?
Does the plan reflect lessons learned from exercises and actual events?
Do members of the Business Continuity Planning group and emergency response team understand their respective responsibilities? Have new members been trained?
Does the plan reflect changes in the physical layout of the facility? Does it reflect new facility processes?
Are photographs and other records of facility assets up to date?
Is the facility attaining its training objectives?
Have the hazards in the facility changed? (H&S Risk Assessments)
Are the names, titles and telephone numbers in the plan current?
Are steps being taken to incorporate Business Continuity Planning into the business processes?
Have community agencies and organisations been briefed on the plan? Are they involved in evaluating the plan?
In addition to a yearly audit, evaluate and modify the plan at these times:
After each training exercise
After each emergency
When personnel or their responsibilities change
When the layout or design of the facility changes
When policies or procedures change
Remember to brief personnel on changes to the plan.
Audit:
Conduct a formal audit of the entire plan at least once a year
Appendix A
Business Continuity Planning Toolkit with Risk Assessment diagnostics
Organisation Name [BUSINESS CONTINUITY PLAN COMPONENTS]
[Change all headings as required]
Directorate / Department:
Contact Name:
E-Mail:
I. Business Continuity Planning Outline
II. Business Continuity Plan Template
III. Business Continuity Plan Worksheets
A. Checklist
B. Business Process Template
C. Recovery Procedures Template
D. Risk Assessment Worksheets
Date Completed:
Phone:
Written by: _____________________________________ Date: ____________
Written by: _____________________________________ Date: ____________
Review Date: [ ]
Identify Current Mission-Critical Business Processes (See Operations Plan for starting point)
Assess Impact or Importance of Business Processes, considering:
Health and Safety
Revenue or Cash Flow (Treasury) implications
Number of Citizens, Businesses, or Employees Impacted
Central Government Reporting Requirements
Public Perception
Identify Resources and Dependencies
Evaluate Risk or Likelihood of Failure
Application Systems and Interfaces
IT Infrastructure
Third Party Products
Supply Chain
Infrastructure (Facilities, Telecom, Utilities)
Establish Priority Based upon Impact and Risk
Develop Business Continuity Plan Based upon Available Resources and Time
Make Assumptions to Focus Plan
Devise Alternatives to Complete Core Business Processes, considering:
Roles & Responsibilities
Communication Channels
Manual Workarounds
Triggering Events
Who Invokes the Plan
Required Training & Preparation
How & Who Maintains the Plan
Needed Supplies & Equipment
Additional Staffing Needs
What Ends the Plan
Clean-Up
Review for Completeness
Exercise the Plan
Make Modifications as Needed
II. Business Continuity Plan Template
The following sections are included in a Contingency Plan Template. It is a sample template; sections may therefore be added or deleted as appropriate.
Phase I
PROCESS: Provide the name and a brief overview of the critical business function as it currently exists.
PRIORITY:
Determine the priority of this contingency plan relative to the other contingency plans, if multiple failures occur within an authority. Use this section if applicable.
RISK DESCRIPTION:
Describe in simple terms the risk concern and the impact to the authority. Include the nature and likelihood of expected disruptions or impacts. For example: Electrical power is unavailable. If processing cannot be resumed within 3 days, Client checks will be late.
Describe briefly any significant dependencies or linkages of the business process with programs within the authority, with other authorities, or with other parties either inside or outside of central or regional or place based partnership
State explicitly any assumptions that your Directorate or Business Unit is making in this contingency plan.
MITIGATING STRATEGIES:
Provide a brief conceptual description of how the contingency plan for the business process is intended to work.
For example:
Conduct additional quality assurance review of documents prior to mailing.
Set up account in advance with alternate supplier(s) and establish procedures for using the alternate supplier.
Investigate feasibility and cost of an uninterruptible power supply.
Describe the level of services to be provided during the disruption.
For example:
Provide continuation of normal operations.
Provide continuation of service in a degraded mode.
Provide complete departure from normal functions as quickly
Phase 2
ACTIVATION TRIGGER(S): Describe the specific events or conditions that will trigger or invoke the plan.
For example:
Employees can’t access building entry via electronic access cards or tokens.
RECOVERY PROCEDURES:
Describe the expected life or duration of the contingency plan. For example: How long it might be necessary to operate under the plan. Any special timing-related constraints, e.g., back-up batteries need re-charging after 10 hours.
Provide detailed, step-by-step procedures for initiating and executing contingency operations, and for transitioning back to normal (non-contingency) operations with the names of the persons who are to serve specific roles regarding the plan.
For example:
Initiate internal and vendor list notification procedures – Responsibility: Ms. X
Get backup listings from off-site storage – Responsibility: Mr. Y
Contact alternate supplier to provide needed supplies – Responsibility:
IMPLEMENTATION:
Name BCP Coordinator and Team
Provide the name and contact information of the person who will give the order to invoke the plan.
Provide the name of the person who will give the order to return to normal operations.
Provide a brief description of significant resources needed to implement, execute, and transition out of contingency operation. Also identify the person who is responsible for acquiring these resources, as events may warrant.
For example:
Staffing and scheduling of personnel.
Equipment, temporary hardware and software, forms and supplies, etc.
Possible temporary working facilities.
Communications, both verbal and data.
Phase 3
Provide a brief description of any training or exercising of the plan that will be necessary.
For example: Perform a structured walk-through to ensure that all the processes will work as expected.
Perform an exercise or “dry-run” to ensure that all the processes work.
Perform a “mock” exercise with required staff and vendors on a non-work day.
In continuity planning, the maintenance process ensures that people and process aspects of the plan which need additional work are properly addressed and corrected.
The following types of maintenance should be conducted for every business continuity plan in your Directorate or Business Unit:
Scheduled
Unscheduled
Post-exercise
A. Checklist
B. Business Process Template
C. Recovery Procedures Template
D. Risk Assessment Worksheets
COMPONENTS OF A Cyber Resilience Plan
CHECKLIST
Checklist Components
AUTHORITY:
Authority Name *
PROCESS:
Business Process Name *
Business Process Overview
PRIORITY:
Priority within authority
RISK DESCRIPTION:
Risk Description
Impact of Risk on Authority
Nature and likelihood of disruptions
Dependencies upon business process
Assumptions
MITIGATING STRATEGIES:
Mitigating Strategies description
Level of service to be provided
ACTIVATION TRIGGER(S):
Activation Trigger(s) *
RECOVERY PROCEDURES:
Duration of contingency plan
Recovery Procedures/Work-Around *
Responsible person for each action
IMPLEMENTATION:
Person invoking plan
Person ordering return to normal operations
Resources Required *
MAINTAINING/EXERCISING PLAN:
Training Required
Exercising Required
Person responsible to obtain resources
Maintenance Required
Business Process [Title]
Process:
Priority:
Risk Description:
Mitigating Strategies:
Activation Trigger(s):
CONTINGENCY PLAN
RECOVERY PROCEDURE ACTION PLAN
Recovery Procedures (Action Plan):
Duration:
Implementation:
Person Responsible:
Invokes Plan:
Return to Normal Operations:
Resources Required:
(Staff, supplies, etc.)
Purpose and Directions
Purpose:
This worksheet is intended to provide a framework for answering the following questions for a particular business process:
1. Where could a potential failure occur?
2. Does it impact this business process? If so, how much?
3. What has been done or is in progress to mitigate the threat of a failure?
Based on the answers to the above questions:
4. What is the remaining risk?
By answering the last question, you should be in a better position to focus your contingency planning efforts, particularly which business processes are most in need of contingency planning, what specific failures the contingency plans need to address, and at what level of detail.
Directions:
1. Choose a particular business process.
2. Review the areas of concern to determine if any need to be added or expanded upon that are specific to the business process. Modify spreadsheet as appropriate. Note: the Remediation or Mitigation Status Values are stored in columns E-I, which are hidden.
3. For each area of concern, assign a level of dependency of High, Medium, Low, or Not Applicable (or blank).
4. Choose from the drop-down list of choices for the Remediation or Mitigation Status. This information will most likely come from the individuals within your authority that are responsible for status reports. If the choices do not properly reflect your status, type in your own status description.
5. Based on the level of dependency and the remediation or mitigation status, assess the remaining risk and assign a value of High, Medium, or Low. Alternatively, you may choose to comment on your analysis rather than assign a specific level of risk.
6. Once you have determined the highest remaining risk areas, focus your Contingency Planning initiative to address the risk areas. This would include which business processes need contingency plans, how detailed the plans should be, and
RISK ASSESSMENT WORKSHEET
Directorate/ Business Unit
Business Process:
Areas of Concern
Mitigation status
Risk Assessment (H/M/L)
Level of Dependency (H/M/L)
Hardware
Operating System
Third Party Software
Utilities/Macros Date-Impacted
Custom Source Code/SCL
Internal Interfaces
External Interfaces (Banks, Government Agencies, Other NC)
Shared Data
Communications/Network
Hardware
Operating System
Third Party Software
Telephone Switches
Voice Mail
Voice Response Units
Customer Service Centre reliance
Mobile Phones
Pagers
Fax
Power
Water/Sewer
Fire Alarm Systems
Security Systems
Building Control Systems
Parking Control Systems
Application Interfaces
Hardware Infrastructure
Supplier Support
PC/LAN
COMMUNICATIONS
FACILITIES
DEPENDENCIES
Procedures Responsibility
1.
2.
3.
4.
APPLICATION SYSTEMS