Annex B: Business Continuity Acronyms

Business Continuity Program
11/30/2012
Table of Contents
I. Executive Summary
II. Introduction
III. Purpose and Assumptions
  1. Purpose
  2. Assumptions
IV. Applicability and Scope
  1. Applicability
  2. Scope
V. Essential Functions
  1. Risk Assessment
  2. Business Impact Analysis
  3. Resource Requirements
  4. Function Dependencies
VI. Authorities and References: (Annex A)
VII. Concept of Operations
  1. Activation and Relocation
  2. Alternate Facility Operations and Recovery Strategies
  3. Reconstruction & Resumption Strategies
VIII. COOP Planning Responsibilities
IX. Logistics
  1. BCP Contents
  2. BCP Management
    1. Testing Plans
    2. Plan Maintenance
    3. Communication
    4. Training
    5. Record Retention
X. Test, Training and Exercises
  1. Testing and Exercises
  2. Training
XI. Multi-year Strategy Program Management Plan
Annex A: Authorities and References
  Federal:
  CSU:
  Cal Poly:
  Associated Business Continuity Planning Documents:
Annex B: Business Continuity Acronyms
Revisions
11/06/12, Troy Weipert, Action: First Draft
11/30/12, Troy Weipert, Action: Finalized Plan
Signature
_________________________________________
Cal Poly Business Continuity Planning Committee Chair
____________
Date
I. Executive Summary
In accordance with EO 1014, Cal Poly must maintain an ongoing program that ensures the continuity of
essential functions and operations following a catastrophic event. This program follows the Federal
Emergency Management Agency’s (FEMA) Continuity of Operations Plan (COOP) template.
To facilitate oversight of the business continuity program, the president designated a Business
Continuity Planning Committee with responsibility for business continuity planning activities. The Cal
Poly Business Continuity Planning Committee (BCPC) includes a cross-section of senior administrative
leaders who have a working knowledge of business continuity processes and are from business units
identified as critical to essential operations. The Business Continuity Committee is responsible for the
central review of all Business Continuity plans in conjunction with each department.
A standard template is used for the consistent development of the University’s Business Continuity
Plans. The template is used to document key information (i.e., staff contact information, critical
functions, critical function recovery procedures, vital records, assets) within a department in order to
ensure the campus’ ability to recover from a catastrophic event.
Each Vice President has the responsibility for the development, testing and maintenance of the Business
Continuity plans within their division. The BCPC is assigned to provide training to each division for plan
creation and to review the plans on an annual basis.
Emergency activities of departments, including requests for resources or services and documentation of
financial impact, are coordinated through the Emergency Operations Center (EOC) and are in
compliance with the Campus Emergency Management Plan.
The Departmental Business Continuity Plans (BCP), Department Emergency Plans, and the Campus
Emergency Management Plan are interrelated and together provide for preparation, response and
recovery to a campus emergency.
II. Introduction
The Business Continuity Program provides a management framework for resuming critical functions and
operations after a disaster or emergency that may threaten the health and safety of the campus
community and/or disrupt its essential programs and operations. It is an ongoing program designed to
effectively coordinate the use of University resources immediately following a major disaster, in order to
restore essential operations. This differs from the Campus Emergency Plan which provides emergency
response in order to protect life, safety and campus facilities.
The BCPs ensure the continuance of critical campus functions, systems, and services when a disruption
to campus operations occurs after a disaster or emergency situation. The BCPs also endeavor to identify
and mitigate risks in advance through Risk and Business Impact planning. The BCP is activated whenever
an emergency affecting the campus cannot be managed through normal channels. Examples of the
types of emergencies where plans may be activated include:
a. Earthquakes
b. Hazardous materials releases
c. Floods
d. Fires and explosions
e. Extended power outages or systems failure
f. Pandemic Flu
The CPBCP outlines the overall University Continuity direction, provides a framework for ongoing
preparation, and contains detailed planning and analysis to assure campus readiness for any eventuality.
III. Purpose and Assumptions
1. Purpose
The CPBCP has been structured so that it is consistent with the Continuity of Operations (COOP)
template developed by the Federal Emergency Management Agency (FEMA). It also follows the
Continuity Guidance Circular 1 from FEMA for more detailed planning.
The program is designed to address continuance of Mission Essential Functions (MEF) for Cal Poly
University. These include providing life and safety for all campus constituents (Faculty, Staff and
Students) while also continuing to support the University mission of student success through balanced
education in a Learn by Doing environment.
Although there may be other important functions, the plan only covers those that are mission and time
critical. An essential or critical function is defined in the Federal Preparedness Circular 65 as a function
that enables an organization to:
a. Provide vital or “mission critical” services;
b. Exercise civil authority;
c. Maintain the safety of the general public; or
d. Sustain the industrial or economic base during an emergency.
Critical functions shall use priority classifications that are based on recovery time objectives (time in
which this function must be resumed). BCP shall use the priority categories listed below, along with a
brief description of that function, and the position that has lead responsibility.
a. Priority 1 - Critical: first 24 hours
b. Priority 2 – Essential: 72 hours
c. Priority 3 – 4-15 days
d. Priority 4 – All other functions
2. Assumptions
The CPBCP is based on a set of assumptions that, if not true, will render the plan ineffective. For Cal
Poly, requirements include:
• Adequate staff to carry out operations
• Access to campus within 30 days
• Essential utilities are functional
• Student housing is available within commuting range
• Essential City of San Luis Obispo resources are intact
• Identified remote facilities are available
If any of these assumptions are not met, the CPBCP may not have adequate resources to address and
restore the MEF of the University.
IV. Applicability and Scope
1. Applicability
The CPBCP is designed to operate in conjunction with other campus plans as necessary. These include
the Emergency Management Plan (EOP) and unit Business Continuity Plans (BCP). These plans are
interrelated but serve different functions.
The EMP is activated at the point of emergency and is designed to provide command communication to
the campus and ensure that health, safety and campus integrity are maintained directly after an
initiating emergency. If that emergency is great enough to cause interruptions of significance to campus
operations, the CPBCP will be activated to bring those operations back on line. This is accomplished by
each affected unit activating their individual BCP.
There is also the possibility that there is an outage to MEF that was not sufficient to activate the EOP. In
this case, the CPBCP and affected BCP will be activated to address the impacts.
2. Scope
The scope of the CPBCP strives to map out how to restore MEF with limited equipment and manpower.
The program addresses overall campus requirements, risks and impacts. Bringing individual
departments’ operations on-line is defined within each business unit’s BCP.
The CPBCP attempts to address all campus services (utility, IT, communications) that each business unit
will rely on while attempting to restore operations after an event causing the initiation of their
individual plans. Prioritization of service restoral to each area (in order of importance) is contained
within the unit BCP plans that provide those core campus services.
The scope is also designed to address interruption to MEFs based on types of outages. Broadly, the outage
types are building outages and campus-wide outages for periods of up to 30 days.
V. Essential Functions
The CPBCP is designed to identify and address all high level campus MEF. Business units will have
operations that are necessary to maintain campus functions. Each business unit shall identify and list
their critical operations in their BCP, along with a brief description of that operation, and the position
within the organization that has lead responsibility for it. The list should be based on the prioritization
strategies introduced in Section III: Purpose.
1. Risk Assessment
The Risk Assessment (RA) identifies possible risks or hazards that may threaten the continuance of
essential functions. The purpose of the risk analysis is to develop a list of hazards that are of such
significance that they are reasonably likely to cause devastating harm to the agency if they are not
effectively controlled. The objective of this analysis is to identify vulnerabilities in operations and take
steps to mitigate losses and/or develop recovery strategies. In completing the Cal Poly RA, the following
objectives were followed.
a. List all the threats that may potentially have an impact on the organization's ability to deliver its
essential functions.
b. Assess the impact of the risk based on the severity of the impact of the threat and the
probability of occurrence.
c. Assess whether the organization has implemented effective control measures or other
procedures that mitigate the occurrence of loss or damage resulting from this event.
d. Determine if the likelihood of occurrence of this threat is substantial enough to be included in
the organization's Business Continuity Plan.
The RA is reviewed and approved annually by the BCPC and is managed and retained following the
standards per EO1014.
2. Business Impact Analysis
The Business Impact Analysis (BIA) identifies essential functions and workflow; determines the
qualitative and quantitative impacts of a vulnerability/threat to essential functions,
prioritizes/establishes recovery time objectives for the essential functions, and where appropriate,
establishes recovery point objectives for essential functions.
The RA is reviewed and approved annually by the BCPC and is managed and retained following the
standards per EO1014.
3. Resource Requirements
Each business unit identifies the minimum resource requirements needed to support each essential
function in their BCP. After these resources have been identified, the business units are responsible for
ensuring that the resources are protected at all times. For those resources that cannot be adequately
safeguarded, the business unit must select alternate or back-up resources in order to ensure that
essential functions are available at all times. These resources may include:
a. Facilities or work-sites
b. Communication systems
c. Key personnel
d. Vital records and databases
e. Vital systems and equipment and utility systems
f. Key vendors
g. Contact information for supporting government agencies or departments
4. Function Dependencies
Many of the business units’ essential functions rely on the availability of resources or functions
controlled by another organization, including other campus business units, outside agencies including
federal, state and/or local governments, and private entities. Business units should identify these
dependencies and link them to the essential function(s) they support when completing the BCP. The
CPBCP will help address inconsistencies to assure inter-campus services are restored to individual units
based on importance. As noted, these requirements will be reflected in both the dependent and
supporting department’s BCP.
VI. Authorities and References: (Annex A)
The CPBCP has been authored and updated based on Federal, CSU, and Cal Poly documents and
standards. These are listed in Annex A for reference.
VII. Continuity of Operations
Business units should develop an executive decision process that would allow for a review of the nature
and extent of the emergency to determine the best course of action for response and recovery. This
process will preclude premature or inappropriate activation of a business unit’s BCP.
1. Activation and Relocation
Business Continuity Plans should include activation procedures and relocation procedures from the
primary facility to the alternate facility. This section should also address procedures and guidance for
non-relocating personnel.
a. Decision Process: Explains the incident escalation process; who will activate the plan and under
what circumstances will the plan be initiated? The roles and responsibilities of key personnel
should be included.
b. Alert Notification and Implementation Process: Includes employee alert and notification
procedures, and the BCP implementation process. List tools to be used for the alert and
notification process.
c. Leadership: Identifies lines of succession (LOS) to key positions within the business unit. The
LOS should be of sufficient depth to ensure the business unit’s ability to manage and direct its
essential functions and operations. The conditions under which succession will take place, the
method of notification, and any temporal, geographical, or organizational limitations of
authority should also be identified in this section.
d. Relocation: includes procedures for relocating essential functions, including required resources,
to an alternate facility. This section should also include procedures for dealing with personnel
who are not to be relocated to the alternate facility. If an organization has existing emergency
relocation plans, they may be incorporated by reference.
2. Alternate Facility Operations and Recovery Strategies
Business Continuity Plans should identify initial arrival procedures, as well as operational procedures, for
the continuation of essential functions at an alternative facility. Steps may include:
a. Identifying alternate locations/facilities capable of supporting essential operations, positions,
and personnel is critical. These facilities must be capable of supporting operations in a
threat-free environment, as determined by the geographical location of the facility and the collective
protective characteristics of the facility.
b. Documenting mission critical systems and equipment necessary to perform essential functions
and activities. Business units must define these systems and equipment and address the method
of transferring/replicating them at an alternate site.
c. Identifying vital files, records, and databases, including classified or sensitive data, which are
necessary to perform essential functions and activities, and to reconstruct normal operations
after the emergency ceases.
d. Identifying the critical communication systems necessary to perform essential functions and
activities. Business units must define these systems and address the method of
transferring/replicating them at an alternate site. Examples of such equipment include the
following:
i. Mobile phones
ii. Two-way radios
iii. Internet connections
iv. Facsimile
e. Documenting existing procedures that are in place to protect an organization’s resources, with
an emphasis on personnel. This section should specify the resources and personnel to be
transferred to the alternate site and the methods for safely transporting them to the site.
f. Identifying required vendor support at alternate sites.
3. Reconstruction & Resumption Strategies
Business Continuity Plans should explain the procedures for resuming normal operations – a
time-phased approach may be most appropriate. This section may include procedures for returning to the
primary facility, if available, or procedures for acquiring a new facility. Notification procedures for all
employees returning to work must also be addressed. Business units should also anticipate developing
an After Action Report (AAR) to determine the effectiveness of their BCP. Depending on the nature of
the event causing the disruption, procedures for returning to primary facilities may be included in the
campus emergency plan.
VIII. COOP Planning Responsibilities
Primary responsibility for COOP falls to the BCPC per Executive Order 1014. The committee membership
is reviewed annually and maintained in the Business Continuity Planning Committee reference.
Additional responsibility is held by each department required to create and maintain a BCP. These
departments are listed in the BCP Required Departments reference. Each division on campus also
reports Business Continuity Planning activities via the annual IT Self-Assessment.
IX. Logistics
The core of logistical planning is contained in each unit’s Business Continuity Plan (BCP). As noted, each
business unit that is determined by the university to provide essential functions shall develop,
document, test, and maintain a Business Continuity Plan (BCP). The plan will ensure the continuance of
critical campus functions, systems, and services when a disruption to campus operations occurs after a
disaster or emergency situation for that unit.
1. BCP Contents
The Cal Poly Business Continuity template should be used for the consistent development of the
University’s BCP. The template will be used to document key information (i.e., staff contact information,
critical functions, critical function recovery procedures, vital records, assets) within a department in
order to ensure the campus’ ability to recover from a disruption. Elements of the BCP should include,
but are not limited to:
I. Listing and prioritization of essential functions, including the identification of staffing
and resource requirements, mission critical systems and equipment, and support
activities for each essential function.
II. Lines of Succession/Delegation of Authority for key campus positions, including
guidance for the delegation of emergency authorities.
  I. Organizational charts or similar documentation.
  II. Documented delegation of authority (DOA) for decision making as needed.
III. Alternate Operating Facilities, including provisions to sustain operations for a period of
up to thirty days (or other time frame as determined by the campus)
IV. Communications, including procedures and plans for communicating with internal
personnel, other agencies, and emergency personnel.
V. Protection and safeguarding of vital records and databases.
VI. Tests, Training, and Exercises to familiarize staff members with their roles and
responsibilities during an emergency, ensure that systems and equipment are
maintained in a constant state of readiness, and validate certain aspects of the Business
Continuity Plan.
The Business Continuity plan contains confidential information that should not be shared publicly. It is
the responsibility of each department to ensure that the plan be held, developed, and reviewed by
designated individuals only. Business Continuity Plans shall be approved/signed-off by the head of the
business unit and the BCPC annually and retained as indicated in the Record Retention section.
2. BCP Management
Business Continuity Plans must be managed consistently in order to assure accuracy and compliance.
1. Testing Plans
Business units shall test some part of their Business Continuity Plan once a year, with all
parts tested every seven years. An actual event necessitating activation of the Business
Continuity Plan will meet this requirement. At the completion of each test or review, full
documentation of test results and lessons learned shall be recorded in the “testing section”
of the BCP. Approval of the testing phase will be included with the BCP approval/sign-off
process. Upon request, such documentation shall also be made available to the Systemwide
Office of Risk Management.
2. Plan Maintenance
Business units shall review their Business Continuity Plan and tests at least annually or more
frequently as needed and update the plans whenever changes occur in their operating
procedures, processes, or key personnel. Plans must be updated to maintain accurate lists
of key personnel, telephone numbers, and plan elements that may be affected by changes
in unit structure or functions. The updated Business Continuity Plans shall be
approved/signed-off by the head of the business unit and the Business Continuity Planning
Committee, following the standards per EO1014.
3. Communication
Ongoing communications of business continuity activities to the campus community will be
provided by:
a. Email correspondence to committee members
b. Committee meetings to meet at least twice annually
c. Plan testing should include staff members of each business unit; required annually
d. Notifications issued by the EOC
e. Business Continuity Website
The full BC communication plan is outlined in the CP Business Continuity Communication
Plan reference.
4. Training
Initial training on conducting business continuity planning shall be provided to all individuals
responsible for developing and implementing plans. Additional and/or repeat training shall
be provided as determined necessary by the Business Continuity Planning Committee
following the review of written plans and plan testing. Each business unit shall provide
training to all personnel involved in the execution of their BCP during plan testing.
5. Record Retention
Campus shall retain business continuity records, including BCP, RA and BIA documentation,
for a period of not less than five years.
X. Test, Training and Exercises
1. Testing and Exercises
Testing and Exercise Plans (TEP) are a critical part of effective Business Continuity planning. Regular tests
are required to assure the effectiveness of business unit plans in the case of an outage. Due to the amount of
change in environments, technology, staff and procedures, testing the procedures is essential to assure
plans are kept up to date with relevant information and processes. Assumptions of plans should be
tested to assure that all of the steps of the plan are valid. In testing, it is also necessary to inform other
groups and/or agencies if the plans require their services for completion.
Per BCP maintenance, portions of plans are to be tested by each business unit once a year with a full
test at least every 7 years. Yearly testing could be physical or paper tests of the procedures. Testing
response is recorded in two areas. As noted, the testing results are placed on the annual submission of
the BCP to the BCPC for approval. Additionally, units will fill out a corrective action plan (CAP), and
participants are encouraged to complete Participant Evaluation Surveys (PES) in order to provide
accurate feedback on the plan’s effectiveness.
2. Training
Training is also critical to Business Continuity as part of the planning process and in the case of an event.
Training is provided to business units by the BCPC to assure that each unit completes their plans, testing,
and departmental training effectively. This is covered in the Business Continuity Training Plan (BCTP).
Training is also provided by business units to all of their employees who are essential to the planning
and enactment of BCP. This training can be provided by classes, on-line or as part of each unit’s TEP.
XI. Multi-year Strategy Program Management Plan
In order to provide consistency, relevance and compliance, all Business Continuity activities are to be
reviewed and approved as part of a Multi-year Strategy Program Management Plan (MYSPMP). The
MYSPMP defines the schedule for review and ongoing maintenance of Business Continuity planning,
testing, documentation, strategy, and leadership for Cal Poly. The goal is to improve processes, plans
and awareness on an ongoing basis to assure the campus is in the best possible position in the event of an
emergency.
Annex A: Authorities and References
Federal:
• Continuity of Operations (COOP) Plan Template, FEMA:
http://www.fema.gov/doc/about/org/ncp/coop_plan_template.rtf
• Continuity of Operations (COOP), FEMA:
http://www.fema.gov/pdf/about/org/ncp/coop_multi_year_plan_guide.pdf
• Continuity Guidance Circular 1 (CGC 1), FEMA:
http://www.fema.gov/pdf/about/org/ncp/cont_guidance1.pdf
CSU:
• CSU Executive Order 1014: http://www.calstate.edu/EO/EO-1014.html
Cal Poly:
• Campus Emergency Management: http://www.afd.calpoly.edu/ehs/emergency.asp
• Campus Emergency Management Plan:
http://www.afd.calpoly.edu/ehs/docs/emergencyplan.pdf
• Information Security Self-Assessment:
http://www.security.calpoly.edu/content/policies/standards/risk/index
Associated Business Continuity Planning Documents:
• BC Planning Committee
• BCP Required departments
• Business Continuity Plan Template
• Business Continuity Risk Assessment
• Business Impact Analysis
• Corrective Action Plan
• Participant Evaluation Survey
• Business Continuity Communications Plan
• Business Continuity Training Plan (TBD)
• Multi-year Strategy Program Management Plan (TBD)
Annex B: Business Continuity Acronyms
AA        Academic Affairs
AFD       Administration and Finance Division
BC        Business Continuity
BCP       Business Continuity Plan
BCPC      Business Continuity Planning Committee
BCTP      Business Continuity Training Plan
BIA       Business Impact Analysis
BU        Business Unit
CAP       Corrective Action Plan
COG       Continuity of Government
COOP      Continuity of Operations
CP        Cal Poly
CPBCP     Cal Poly Business Continuity Program
CSU       California State University
DOA       Delegations of Authority
DRP       Disaster Recovery Plan
EO1014    CSU Executive Order 1014
EOC       Emergency Operations Center
EMP       Emergency Management Plan
FEMA      Federal Emergency Management Agency
IT        Information Technology
ITS       Information Technology Services
LOS       Lines of Succession
MEF       Mission Essential Function
MOA       Memorandum of Agreement
MOU       Memorandum of Understanding
MYSPMP    Multi-year Strategy Program Management Plan
ORP       Operation Recovery Plan
PES       Participant Evaluation Survey
RA        Risk Assessment
SLO       San Luis Obispo
TEP       Testing and Exercise Plan