SERVICE BUSINESS CASE
BUSINESS CONTINUITY PLAN

TABLE OF CONTENTS

EXECUTIVE SUMMARY
1. Problem Definition
2. Addressing Problem with CWU existing tools and products (i.e. PeopleSoft)
3. Organizational Impact
4. Benefits
5. Strategic Alignment
6. Cost
7. Alternatives (add lines as necessary)
8. Timing / Schedule (add lines as necessary)
9. Technology Migration/Resource Identification
10. Product Life/Application Sunsetting or Decommissioning
11. References
12. Recommendation
13. Approvals

Business Continuity Plan Page 2 of 8

EXECUTIVE SUMMARY

Central Washington University currently has an Emergency Operations Plan (EOP) that is designed to maximize human safety and survival, identify and minimize danger, preserve and protect property and critical infrastructure, provide for internal and external communication and restore normal activities after an event or emergency. However, this plan does not address a process for ensuring the continued availability of our critical business processes in the event of a natural or manmade disaster. The continuation of business-critical processes is addressed in a Business Continuity Plan (BCP).

EOPs are developed for coordinating the University departments' response to specific types of incidents. The plans and responses are tactical in nature, in that the majority of the incidents will last a very short period of time and are brought under control rather quickly. A more serious incident may require a response from university departments which can last two or three days and may involve outside agencies such as local fire and police. The emergency response plan takes into consideration these possibilities, and emergency housing and food provisions are in place to address these types of issues. Emergency response plans address the incident and the time period immediately after the incident in order to return critical university operations to a minimum level. In addition, the recovery phase of the EOP begins in close proximity to the response phase, to ensure CWU remains aware of future considerations while dealing with the on-going emergency.

BCPs, on the other hand, are strategic in nature and are concerned with returning the university to full normal operations as soon as possible after an incident.
This type of plan addresses the aftermath of a critical incident and ensures the university is in a position to continue to operate and sustain long term recovery. The plan must address the loss of productivity and any physical damage resulting from an incident while normal services and operations are being restored. While departments such as Facilities, Campus Safety and Student Affairs will normally be the lead departments in a critical incident response, Academic Affairs, Finance, Facilities Management, Security Services, Government Relations and Information Technology Services are the university offices most often responsible for carrying out the aspects of the BCP. The primary objective of a Business Continuity Plan is to assess and plan for risks and impacts from the perspective of the business and the critical processes that sustain the lifeblood of our institution.

Sponsoring Department(s): Security Services
Date of Business Case Preparation: 9/24/2013
Contact Person Name/Phone: Andreas Bohman / 2499

New Product/Service: If there is a draft or sample contract, please provide a copy.
Renewal of Existing Product/Service – if checked, include background information. If there is a site license agreement, existing contract or new contract draft, please provide a copy.

1. Problem Definition

Central Washington University does not have a continuity plan for ensuring the availability of its critical business processes in the event of a natural or manmade disaster.

2. Addressing Problem with CWU

The following processes and plans were reviewed as part of this business case:

1. Emergency Operations Plan (EOP): The EOP provides the guidelines and directives deemed necessary to aid in the response and recovery of most tactical emergencies that could affect the CWU campus.
2. Disaster Response and Recovery Plan (DRRP): This is a plan that presents the requirements and the steps that will be taken in response to and for the recovery from any disaster affecting IT services at CWU.

In reviewing these plans, it was noted that neither of them addressed an emergency from a business perspective. The DRRP states:

“…[the DRRP] will only address the recovery of systems under the direct control of the Department of Information Technology Services and that are critical for business continuity.”

In addition, the EOP states:

“…[the EOP] is designed to maximize human safety and survival, identify and minimize danger, preserve and protect property and critical infrastructure, provide for internal and external communication and restore normal activities after an event or emergency.”

These two statements indicate a need for a comprehensive plan that addresses the recovery of business-critical processes from an organizational and business perspective.

3. Organizational Impact

A Business Continuity Plan (BCP) will impact all aspects of CWU in that our critical business processes are spread across campus and functional areas. The BCP will be complementary to the current EOP. The EOP is developed and maintained by University Police and Parking Services (UPPS) and they are responsible for briefing staff members concerning their role in emergency management and the contents of the plan.

Organizational Impact: The BCP will be developed by a third-party vendor and only minimal local resources will be needed to implement the plan. However, certain activities will require involvement of CWU employees to ensure the third-party vendor can develop and implement the plan. These activities may include assistance with or participation in:

- Request and review relevant documentation.
- Perform an onsite walkthrough of the network, systems, and ITS operations.
- Conduct onsite interviews with select personnel and technical staff.
- Interview department managers and staff about their operations and critical functions.
- Identify operational dependencies for each essential service.
- Identify key business partners and external connections necessary to conduct University business.
- Identify vital records used at the University.

The development of the BCP is done in four stages:

1. Conduct a business impact analysis (BIA) to identify time-sensitive or critical business functions and processes and the resources that support them.
2. Identify, document, and implement to recover critical business functions and processes.
3. Organize a business continuity team and compile a business continuity plan to manage a business disruption.
4. Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.

Business continuity impact analysis identifies the effects resulting from disruption of business functions and processes. It also uses information to make decisions about recovery priorities and strategies. It is expected that the third-party vendor will be responsible for stages 1 – 3 and CWU will be responsible for stage 4.

Stakeholders: All functional areas of the University are stakeholders in the BCP. The key personnel critical to the execution of the BCP will be identified as part of the development and implementation of the plan.

Training and Testing: To ensure the feasibility of the BCP and the timeliness of its execution, it is recommended that the BCP be tested shortly after completion. Testing can uncover issues that may not have been considered during the BCP creation. Therefore, the testing phase is highly recommended. In addition, frequent and recurring training is required to ensure all key personnel are familiar with the plan and its implementation.

4. Benefits

- A clear process for ensuring the availability of CWU critical business processes in the event of a natural or manmade disaster.
- Increased protection of CWU personnel and information infrastructure.
- Personnel will be informed and rehearsed as to what actions to take to immediately start the recovery process and ensure business continuity if disaster strikes.
- An unexpected event will not severely disrupt the operation, continuity, and effectiveness of our institution.

5. Strategic Alignment

Core Theme: Student success is the highest priority of the university, and achievement of programmatic student learning outcomes is the prime measure of that priority. CWU therefore works to provide its students with accessible, diverse, personalized, distinctive, and rigorous curricular, co-curricular, and extra-curricular programs.

Strategic Alignment: Since student success is our highest priority, we have to ensure we can recover the critical business processes identified in this statement in a controlled and efficient manner.

Shared Value: CWU believes that student success is best achieved by providing supportive learning and living environments that encourage intellectual inquiry, exploration, and application. CWU believes that learning is best achieved in small classroom or group settings with ample opportunities for individualized instruction, mentoring, advising, and programming.

Strategic Alignment: Without the means to restore services for our students in the event of a disaster, we will not be able to operate the business processes that support student success.

6. Cost

There is currently no funding for the business case.

Cost Breakdown: The cost breakdown is based on the responses to the Request For Information (RFI) that was used to solicit feedback from third-party vendors.
Based on these responses, the cost breakdown is as follows:

| Vendor Name | Estimated Cost |
|---|---|
| BOLD Planning | $136,500.00 |
| Base2 Solutions | $75,000.00 |
| Wordsworth & Associates | $90,000.00 |
| Moss-Adams | $70,000.00 |
| BDA Global, LLC | $184,000.00 |
| Covestic | $30,000.00 |
| AGC | $120,000.00 |

Average Cost: $100,785.00

7. Alternatives (add lines as necessary)

| Alternative | Reasons For Not Selecting Alternative |
|---|---|
| Do Nothing | We currently do not have a plan in place that focuses on continuation of operations from a business perspective. |
| Incorporate DRRP into EOP | While the EOP is a good tool for managing tactical threats against our employees, it does not look at business-critical operations. Similarly, the DRRP only addresses disruption of service from a technology perspective. |

8. Timing / Schedule (add lines as necessary)

| Task | Target Date |
|---|---|
| Project Initiation Management | 03/01/2014 |
| Data Gathering | 04/01/2014 |
| Conduct a Business Impact Analysis | 04/15/2014 |
| Business Continuity Plan Development | 06/01/2014 |
| Testing and Training | 07/01/2014 |

9. Technology Migration/Resource Identification

Technology Migration: There is no new technology to implement.

Resource Identification: The key personnel critical to the execution of the BCP will be identified as part of the development and implementation of the plan.

10. Product Life/Application Sunsetting or Decommissioning

Not Applicable.

11. References

- University Police and Parking Services (UPPS)
- Organizational Effectiveness (OE)
- Security Services Department
- Information Technology Services (ITS)
- Ready.gov
- Federal Emergency Management Agency (FEMA)

12. Recommendation

In order to ensure the continued operation of CWU critical business processes, a Business Continuity Plan (BCP) has to be developed. While current plans address employee safety and technological considerations, there is no overall plan that focuses on continuity of operations from a business perspective.
Therefore, it is recommended that CWU allocates funds for issuing a Request For Proposal (RFP) to start the development of a BCP.

13. Approvals

The following actions have been taken by the appropriate Sub-Council (ATAC or Non-Academic Sub-Council) and Enterprise Information Systems Committee:

| Date | Action | By |
|---|---|---|
| 9/26/13 | Approved to be Reviewed by EISC | Non-Academic Sub-Council |
| 9/30/2013 | Presented to EISC | Andreas Bohman, CISO |
| 9/30/2013 | Approved to be Reviewed by Cabinet | EISC |

Upon approval by the Enterprise Information Systems Committee (EISC) or one of the two Sub-Councils (Academic or Non-Academic), CWU procurement policies and procedures should be used to initiate a purchase. Please contact the Purchasing office at x1001 with any questions regarding the procurement process.

If you have any questions, please contact Sue Noce 963-2927 or Tina Short 963-2910.