BUSINESS CONTINUITY PLAN

1. Introduction

The Office of the Information Commissioner (the Office) conducts business continuity planning on an annual basis to ensure continuity of service in the event of human, technological or natural disaster. The Business Continuity Plan consists of contingency plans to respond to emergencies, minimise disruption, continue to operate the business and recover the infrastructure needed to resume normal operations. Specifically, the Office Business Continuity Plan (BCP) consists of the:
• Emergency Response Plan
• Disaster Recovery Plan
• Emergency Communication Plan

The BCP is closely linked to the Office Risk Management Plan. Collectively these plans are important to achieving business continuity through planning, risk mitigation and the timely response to, and recovery from, serious incidents. The effective formulation of strategies to identify and treat potential causes of human and technological threat is important to reducing risk. The plans also provide clear direction to assist the timely restoration of business operations in the event of an unforeseen disaster.

2. Emergency Response Plan

2.1 Objective
The Office's Emergency Response Plan (ERP) identifies strategies to reduce the impact of a hazardous event on the Office environment by initially containing the incident, then minimising damage to Office resources such as staff, premises and equipment, and setting the Office on the road to recovery. Refer to the separate Emergency Response Plan document for the detailed Office plan.

2.2 Criteria to invoke plan
The ERP is to be invoked when the normal functioning of the Office is seriously affected.

2.3 Expected life of plan when invoked
The ERP will be in effect until the Information Commissioner has determined that the Office can return to normal functioning.
2.4 Personal responsibilities for implementation of this plan
The implementation of this plan is the responsibility of the Information Commissioner, the Executive Leadership Team, the Manager Corporate & Executive Services (MCES) and floor emergency personnel.

2.5 Personnel to be notified if this plan is invoked
All staff of the Office will be notified if this plan is invoked. Subsequently, the Minister for Justice and Attorney-General, the Director-General of the Department of Justice and Attorney-General, and key staff in the Queensland Parliamentary Service in Information Technology, Finance and Human Resource Management will also be notified as set out in the Emergency Communication Plan for emergency or disaster planning. Depending on the severity and estimated duration of the emergency, external stakeholders of the Office will also be notified.

Office of the Information Commissioner – Business Continuity Plan Version 3 - 12 December 2011 Page 1 of 7

2.6 Procedures for invoking contingency mode
The Information Commissioner may invoke the ERP when she is alerted to, or becomes aware of, serious deficiencies in the normal operating environment of the Office and determines that the ERP needs to be invoked.

2.7 Resource plan for operation
The Information Commissioner will determine any necessary alterations to the staffing levels of the Office in response to the invoking of the ERP. Other resource issues, such as alternative accommodation, equipment and process methods, will be determined by the Information Commissioner depending on the type of incident and situational demands.
2.8 Criteria for returning to normal operating mode
The following procedures for returning to normal operating mode will be initiated when the Information Commissioner is satisfied that the normal operating environment for the Office can be supported:

• Procedures for returning to normal operating mode
The Information Commissioner will instruct the Manager Corporate & Executive Services (MCES) to initiate the procedures for returning to the normal operating environment by:
- activating the Emergency Communication Plan to inform all staff and external stakeholders
- ensuring that the physical environment is safe
- ensuring that the technological infrastructure is operational
- advising external stakeholders that the Office is operational (if applicable)

• Procedures for recovering lost or damaged data
The MCES is to commence immediate discussions with the Parliamentary Service to assess the Information Technology (IT) environment and brief the Information Commissioner on recommendations and actions required. This assessment covers risks in the IT environment for the Office and outlines what needs to be done to treat those risks as appropriate. The Service Level Agreement between the Office and the Parliamentary Service identifies the process and procedure for responding to any interruption of service.

2.9 Estimated cost of incidents
The MCES will keep records of the number of days out of office, the number of employees affected, and any destruction of or damage to equipment and data (both electronic and paper-based).

2.10 Post contingency actions
Within two weeks of returning to normal operating conditions, the MCES will debrief the Information Commissioner and the Executive Leadership Team to evaluate the effectiveness of the plan and recommend any improvements.

3. Disaster Recovery Plan

3.1 Objective
The Disaster Recovery Plan (DRP) establishes a program for restoring the Office environment and its associated functions according to their pre-determined priorities and agreed timeframes for restoration. The aim of the DRP is to achieve the continued provision, or immediate resumption, of critical services and the restoration of normal services as soon as possible without unnecessary expenditure.

3.2 Criteria to invoke plan
The DRP is to be invoked when the normal functioning of the Office is seriously affected (see Attachment A).

3.3 Expected life of plan
The DRP will be in effect until the Information Commissioner has determined that the Office can return to normal functioning.

3.4 Personal responsibilities for implementation of this plan
The implementation of this plan is the responsibility of the Information Commissioner, the Executive Leadership Team and the MCES.

3.5 Personnel to be notified if this plan is invoked
All staff of the Office will be notified if this plan is invoked. Subsequently, the Minister for Justice and Attorney-General, the Director-General of the Department of Justice and Attorney-General, and key staff from the Queensland Parliamentary Service will be notified as set out in the Emergency Communication Plan for emergency or disaster planning. Depending on the severity and estimated duration of the emergency, external stakeholders of the Office may also be notified. The Information Commissioner will also consider notifying the Department of Public Works and the Department of the Premier and Cabinet depending on the status and severity of the incident.

3.6 Procedures for invoking contingency mode
The Information Commissioner may invoke the DRP when they are alerted to, or become aware of, deficiencies in the normal operating environment of the Office and determine that the DRP should be invoked.
3.7 Resource plan for operation
The Information Commissioner will determine any necessary amendment to the staffing levels of the Office in response to the invoking of the DRP. Other resource issues, such as alternative accommodation, equipment and process methods, will be determined by the Information Commissioner depending on the type of incident and situational demands.

3.8 Criteria for returning to normal operating mode
The following procedures for returning to normal operating mode will be initiated when the Information Commissioner is satisfied that the normal operating environment for the Office can be supported.

3.9 Procedures for returning to normal operating mode
The Information Commissioner will instruct the Manager Corporate & Executive Services (MCES) to initiate the procedures for returning to the normal operating environment by:
- activating the Emergency Communication Plan to inform all staff and external stakeholders
- ensuring that the physical environment is safe
- ensuring that the technological infrastructure is operational
- advising external stakeholders that the Office is operational (if applicable)

3.10 Procedures for recovering lost or damaged data
The MCES is to conduct immediate discussions with the Parliamentary Service to assess the IT environment and brief the Information Commissioner on recommendations and actions required. The briefing is to include a risk assessment of the IT environment for the Office outlining what needs to be done to mitigate identified risks. The Operating Level Agreement between the Office and the Queensland Parliamentary Service identifies the process and procedure for responding to any interruption of service.
3.11 Estimated cost of incidents
The MCES will keep records of the number of days out of office, the number of employees affected, and any destruction of or damage to equipment and data (both electronic and paper-based).

3.12 Post contingency actions
Within two weeks of returning to normal operating conditions, the MCES will debrief the Information Commissioner and the Executive Leadership Team to evaluate the effectiveness of the plan and recommend any improvements.

4. Emergency Communication Plan

The Emergency Communication Plan (ECP) can only be invoked by instruction from the Information Commissioner. The ECP is used in emergency or disaster recovery incidents to ensure that communication channels are established and kept open between the staff of the Office of the Information Commissioner (Office) and all key stakeholders, both internal and external.

The Information Commissioner is to be advised of an incident (either a disaster or an emergency incident) and will decide whether or not to invoke the ECP. The Information Commissioner will advise staff if the ECP is invoked and provide details of the incident. Staff will also be advised of the anticipated length of time away from the workplace (if applicable) and details of an alternative workplace (if applicable).

The MCES is to contact the Department of Justice Accommodation Unit and/or the Department of Public Works to arrange alternative accommodation if required. The Information Commissioner will advise the Minister for Justice and Attorney-General and the Director-General of the Department of Justice and Attorney-General of the details of the alternative accommodation.
The MCES is responsible for:
• contacting key stakeholders (Attachment B) to notify them of the situation and advise of the current status
• liaising with the Department of Justice Communications Unit to determine whether a press release or media alert is required
• notifying key stakeholders when the incident (either disaster or emergency) is resolved and the normal operating environment is resumed

The Information Commissioner is to conduct a review of the ECP within two weeks of resumption of the normal operating environment.

ATTACHMENT A
EMERGENCY/DISASTER/RISK IDENTIFICATION AND TREATMENT PLAN

Columns: Risk Category | Details of Risk, Emergency or Disaster | Risk Level | Treatment | Actioned By | When

Risk Category: Reputation

Details of risk: Inappropriate staff performance or conduct
Risk Level: Low
Treatment: All staff receive training and are aware of and compliant with the policies and legislation governing their actions and decisions in the work they undertake as employees of the Office. Code of Conduct training.
Actioned By: Staff Meeting; Personal Performance Plan
When: Code of Conduct training held annually

Details of risk: Office culture
Risk Level: Low
Treatment: The Office culture is to openly discuss potential and identified risks and determine the appropriate resolution. Code of Conduct training.
Actioned By: Staff Meetings
When: Code of Conduct training held annually

Details of risk: Confidentiality
Risk Level: Low
Treatment: All staff and external suppliers have signed confidentiality agreements in place before work commences with the Office. Code of Conduct training.
Actioned By: Senior Corporate and Executive Services Officer
When: As required

Details of risk: Independence
Risk Level: Low
Treatment: The Information Commissioner is independent of executive government, reports to a Parliamentary Committee and cannot be directed as to the functions performed by the Office.
Actioned By: Information Commissioner
When: Ongoing

Details of risk: Independence
Risk Level: Low
Treatment: The Office does not use any Queensland Government logo in any communications or publications or on the website.

Details of risk: Information accuracy
Risk Level: Low
Treatment: Review publications for accuracy.

Actioned By (the two rows above): Communications Officer; Office Manager; Training and Stakeholder Relations Manager; Manager Information and Assistance
When: Quarterly check

Risk Category: Information Security

Details of risk: Information security – External Review Unit
Risk Level: Low
Treatment: All access application 'matter in issue' material is stored in the designated secure room with dedicated security access. This secure room is located within the Office premises, which have a range of further security protections.
Actioned By: External Review staff; Registry staff
When: Quarterly check

Details of risk: Information security – Privacy Unit
Risk Level: Low
Treatment: All privacy complaint files are stored in the designated secure room with dedicated security access. This secure room is located within the Office premises, which have a range of further security protections.
Actioned By: Privacy staff
When: Ongoing

Details of risk: Information security – Assistance and Monitoring Unit
Risk Level: Low
Treatment: All agency access application files and material associated with compliance assessment evaluation by the Performance Monitoring and Reporting Team are stored in the designated secure room with dedicated security access. This secure room is located within the Office premises, which have a range of further security protections.
Actioned By: Performance Monitoring and Reporting staff
When: Ongoing

Details of risk: Information
Risk Level: Low
Treatment: Emails, electronic data and mail are registered and handled in accordance with set procedures.
Actioned By: Registry staff
When: Daily

Details of risk: Server failure
Risk Level: Low
Treatment: Refer to the Operating Level Agreement between the Office and the Queensland Parliamentary Service for the process and procedure for interruption of service.
Actioned By: MCES
When: On occurrence

Risk Category: Staff Security and Safety

Details of risk: Staff security
Risk Level: Low
Treatment: The Office is a secure area except for the reception area. Meetings involving non-Office staff must be held in the conference room or mediation rooms, which have two separate lockable entry points and are fitted with duress alarms. The Office electronic security system is connected to the State Government Protective Security Service and on-site security.
Actioned By: All staff
When: On occurrence

Details of risk: Dealing with volatile people
Risk Level: Low
Treatment: Staff receive training, mentoring and debriefing in relation to interacting with volatile people. An Employee Assistance Scheme (EAS) support service is available. Code of Conduct training. Security training at induction.
Actioned By: Senior Corporate and Executive Services Officer; Executive Leadership Team; MCES; Office Manager
When: Ongoing

Details of risk: Natural disaster
Risk Level: Low
Treatment: Treatment strategy to be determined by the Information Commissioner and communicated to key stakeholders in accordance with the Emergency Communication Plan.
Actioned By: Information Commissioner; Executive Leadership Team; MCES
When: On occurrence

Details of risk: Building emergency
Risk Level: Low
Treatment: Refer to the Office Emergency Response Plan. Education at staff meetings and induction.
Actioned By: Floor Wardens; MCES; First Aid Officers
When: On occurrence

ATTACHMENT B
KEY STAKEHOLDER LIST

Columns: Stakeholder | Contact Details | Contact Method

Stakeholder: Staff
Contact Details: Accessed during/after hours through the Citrix/Aurion system
Contact Method: Text/phone

Stakeholder: Minister, Justice and Attorney-General
Contact Method: Phone

Stakeholder: Director-General, Justice and Attorney-General
Contact Method: Phone

Stakeholder: Parliamentary Service
• Information Technology
• Finance
• Human Resource Management
Contact Details: Managers
Contact Method: Phone

Stakeholder: Department of Public Works
Contact Method: Phone

Stakeholder: Building Security
Contact Method: Phone