SERVICE BUSINESS CASE
BUSINESS CONTINUITY PLAN
TABLE OF CONTENTS
EXECUTIVE SUMMARY .............................................................................................................................3
1.
Problem Definition ......................................................................................................................4
2.
Addressing Problem with CWU existing tools and products (i.e. PeopleSoft) .................................4
3.
Organizational Impact .................................................................................................................5
4.
Benefits ......................................................................................................................................6
5.
Strategic Alignment .....................................................................................................................6
6.
Cost ............................................................................................................................................7
7.
Alternatives (add lines as necessary) ............................................................................................7
8.
Timing / Schedule (add lines as necessary) ...................................................................................7
9.
Technology Migration/Resource Identification .............................................................................7
10. Product Life/Application Sunsetting or Decommissioning ............................................................8
11. References .................................................................................................................................8
12. Recommendation .......................................................................................................................8
13. Approvals...................................................................................................................................8
Business Continuity Plan
Page 2 of 8
EXECUTIVE SUMMARY
Central Washington University currently has an Emergency Operations Plan (EOP) that is designed to
maximize human safety and survival, identify and minimize danger, preserve and protect property
and critical infrastructure, provide for internal and external communication and restore normal
activities after an event or emergency. However, this plan does not address a process for ensuring
the continued availability of our critical business processes in the event of a natural or manmade
disaster. The continuation of business-critical processes is addressed in a Business Continuity Plan
(BCP)
EOPs are developed for coordinating the University department’s response to specific types of
incidents. The plans and responses are tactical in nature, in that the majority of the incidents will
last a very short period of time and are brought under control rather quickly. A more serious
incident may require a response from university departments which can last two or three days and
may involve outside agencies such as local fire and police. The emergency response plan takes into
consideration these possibilities and emergency housing and food provisions are in place to address
these types of issues. Emergency response plans addresses the incident and the time period
immediately after the incident in order to return critical university operations to a minimum level. In
addition, the recovery phase of the EOP begins in close proximity of the response phase, to ensure
CWU remain aware of future considerations while dealing with the on-going emergency.
BCPs on the other hand are strategic in nature and are concerned with returning the university to
full normal operations as soon as possible after an incident. This type of plan addresses the
aftermath of a critical incident and ensures the university is in a position to continue to operate and
sustain long term recovery. The plan must address the loss of productivity and any physical damage
resulting from an incident while normal services and operations are being restored. While
departments such as Facilities, Campus Safety and Student Affairs will normally be the lead
departments in a critical incident response, Academic Affairs, Finance, Facilities Management,
Security Services, Government Relations and Information Technology Services are the university
offices most often responsible for carrying out the aspects of the BCP.
The primary objective of a Business Continuity Plan is to assess and plan for risks and impacts from
the perspective of the business and the critical processes that sustain the life-blood of our
institution.
Business Continuity Plan
Page 3 of 8
Sponsoring Department(s): Security Services
Date of Business Case Preparation:
9/24/2013
Contact Person Name/Phone: Andreas Bohman / 2499
New Product/Service
If there is a draft or sample contract, please provide a copy.
Renewal of Existing Product/Service – if checked, include background information.
If there is a site license agreement, existing contract or new contract draft, please provide a
copy.
1. Problem Definition
Central Washington University does not have a continuity plan for ensuring the availability
of its critical business processes in the event of a natural or manmade disaster.
2.
Addressing Problem with CWU
The following processes and plans were reviewed as part of this business case:
1. Emergency Operations Plan (EOP): The EOP provides the guidelines and directives
deemed necessary to aid in the response and recovery of most tactical emergencies that
could affect the CWU campus.
2. Disaster Response and Recovery Plan (DRRP): This is a plan that presents the
requirements and the steps that will be taken in response to and for the recovery from
any disaster affecting IT services at CWU.
In reviewing these plans, it was noted that neither of them addressed an emergency from a
business perspective. The DRRP states:
“…[the DRRP] will only address the recovery of systems under the direct control of the
Department of Information Technology Services and that are critical for business continuity.”
In addition, the EOP states:
“…[the EOP] is designed to maximize human safety and survival, identify and minimize
danger, preserve and protect property and critical infrastructure, provide for internal and
external communication and restore normal activities after an event or emergency.”
These two statements indicate a need for a comprehensive plan that addresses the recovery
of business-critical processes from an organizational and business perspective.
Business Continuity Plan
Page 4 of 8
3. Organizational Impact
A Business Continuity Plan (BCP) will impact all aspects of CWU in that our critical business
processes a spread across campus and functional areas. The BCP will be complimentary to
the current EOP. The EOP is developed and maintained by University Police and Parking
Services (UPPS) and they are responsible for briefing staff members concerning their role in
emergency management and the contents of the plan.
Organizational Impact: The BCP will be developed by a third-party vendor and only minimal
local resources will be needed to implement the plan. However, certain activities will
require involvement of CWU employees to ensure the third-party vendor can develop and
implement the plan. These activities may include assistance with or participation in:







Request and review relevant documentation.
Perform an onsite walkthrough of the network, systems, and ITS operations.
Conduct onsite interviews with select personnel and technical staff.
Interview department managers and staff about their operations and critical
functions.
Identify operational dependencies for each essential service.
Identify key business partners and external connections necessary to conduct
University business.
Identify vital records used at the University.
The development of the BCP is done in four stages:
1. Conduct a business impact analysis (BIA) to identify time-sensitive or critical
business functions and processes and the resources that support them.
2. Identify, document, and implement to recover critical business functions and
processes.
3. Organize a business continuity team and compile a business continuity plan to
manage a business disruption.
4. Conduct training for the business continuity team and testing and exercises to
evaluate recovery strategies and the plan.
Business continuity impact analysis identifies the effects resulting from disruption of
business functions and processes. It also uses information to make decisions about recovery
priorities and strategies.
It is expected that the third-party vendor will be responsible for stages 1 – 3 and CWU will
be responsible for stage 4.
Stakeholders: All functional areas of University are stakeholders in the BCP. The key
personnel critical to the execution of the BCP will be identified as part of the development
and implementation of the plan.
Training and Testing: To ensure the feasibility of the BCP and the timeliness of its execution,
it is recommended that the BCP be tested shortly after completion. Testing can uncover
issues that may not have been considered during the BCP creation. Therefore, the testing
phase is highly recommended. In addition, frequent and recurring training is required to
ensure all key personnel are familiar with the plan and its implementation.
Business Continuity Plan
Page 5 of 8
4. Benefits

A clear process for ensuring the availability of CWU critical business processes in the
event of a natural or manmade disaster.

Increased protection of CWU personnel and information infrastructure.

Personnel will be informed and rehearsed as to what actions to take to immediately
start the recovery process and ensure business continuity if disaster strikes.

An unexpected event will not severely disrupt the operation, continuity, and
effectiveness of our institution.
5. Strategic Alignment
Core Theme: Student success is the highest priority of the university, and achievement of
programmatic student learning outcomes is the prime measure of that priority. CWU
therefore works to provide its students with accessible, diverse, personalized, distinctive,
and rigorous curricular, co-curricular, and extra-curricular programs.
Strategic Alignment: Since student success is our highest priority, we have to ensure we can
recover the critical business-processes identified in this statement in a controlled and
efficient manner.
Shared Value: CWU believes that student success is best achieved by providing supportive
learning and living environments that encourage intellectual inquiry, exploration, and
application. CWU believes that learning is best achieved in small classroom or group settings
with ample opportunities for individualized instruction, mentoring, advising, and
programming.
Strategic Alignment: Without the means to restore services for our students in the event of
a disaster, we will not be able to operate the business processes that support student
success.
Business Continuity Plan
Page 6 of 8
6. Cost
There is currently no funding for the business case.
Cost Breakdown: The cost breakdown is based on the responses to the Request For
Information (RFI) that was used to solicit feedback from third-party vendors. Based on these
responses, the cost breakdown is as follows:
Vendor Name
BOLD Planning
Base2 Solutions
Wordsworth & Associates
Moss-Adams
BDA Global, LLC
Covestic
AGC
Estimated Cost
$136,500.00
$75,000.00
$90,000.00
$70,000.00
$184,000.00
$30,000.00
$120,000.00
Average Cost:
$100,785.00
7. Alternatives (add lines as necessary)
Alternative
Reasons For Not Selecting Alternative
Do Nothing
We currently do not have a plan in place
that focuses on continuation of operations
from a business perspective.
Incorporate DRRP into EOP
While the EOP is a good tool for managing
tactical threats against our employees it
does not look at business-critical
operations. Similarly, the DRRP only
addresses disruption of service from a
technology perspective.
8. Timing / Schedule (add lines as necessary)
Task
Target Date
Project Initiation Management
03/01/2014
Data Gathering
04/01/2014
Conduct a Business Impact Analysis
04/15/2014
Business Continuity Plan Development
06/01/2014
Testing and Training
07/01/2014
9. Technology Migration/Resource Identification
Business Continuity Plan
Page 7 of 8
Technology Migration: There is no new technology to implement.
Resource Identification: The key personnel critical to the execution of the BCP will be
identified as part of the development and implementation of the plan.
10. Product Life/Application Sunsetting or Decommissioning
Not Applicable.
11. References






University Police and Parking Services (UPPS)
Organizational Effectiveness (OE)
Security Services Department
Information Technology Services (ITS)
Ready.gov
Federal Emergency Management Agency (FEMA)
12. Recommendation
In order to ensure the continued operation of CWY critical business processes, a Business
Continuity Plan (BCP) has to be developed. While current plans address employee safety and
technological considerations, there is no overall plan that focuses on continuity of
operations from a business perspective. Therefore, It is recommended that CWU allocates
funds for issuing a Request For Proposal (RFP) to start the development of a BCP.
13. Approvals
The following actions have been taken by the appropriate Sub-Council (ATAC or NonAcademic Sub-Council) and Enterprise Information Systems Committee:
Date
Action
By
9/26/13
Approved to be Reviewed by EISC
Non-Academic Sub-Council
9/30/2013
Presented to EISC
Andreas Bohman, CISO
9/30/2013
Approved to be Reviewed by Cabinet
EISC
Upon approval by the Enterprise Information Systems Committee (EISC) or one of the two SubCouncils (Academic or Non-Academic), CWU procurement policies and procedures should be
used to initiate a purchase. Please contact the Purchasing office at x1001 with any questions
regarding the procurement process.
If you have any questions, please contact Sue Noce 963-2927 or Tina Short 963-2910.
Business Continuity Plan
Page 8 of 8