TBS Audit of Business Continuity Planning

2/10/2015 AuditofBusinessContinuityPlanning
TreasuryBoardofCanadaSecretariat(/tbssct/indexeng.asp)
Home / Reports / AuditofBusinessContinuityPlanning
AuditofBusinessContinuityPlanning
InternalAuditandEvaluationBureau
TableofContents
AssuranceStatement(abcpvpca01eng.asp#as)
ExecutiveSummary(abcpvpca02eng.asp#es)
Preamble(abcpvpca02eng.asp#es1)
Background(abcpvpca02eng.asp#es2)
ObjectiveandScope(abcpvpca02eng.asp#es3)
KeyFindings(abcpvpca02eng.asp#es4)
Conclusion(abcpvpca02eng.asp#es5)
1.Introduction(abcpvpca03eng.asp#s1)
1.1.BusinessContinuityPlanningintheFederalGovernment(abcpvpca03
eng.asp#s11)
1.2.BusinessContinuityPlanningintheTreasuryBoardofCanadaSecretariat
(abcpvpca03eng.asp#s12)
2.AuditDetails(abcpvpca04eng.asp#s2)
2.1.ObjectiveandScope(abcpvpca04eng.asp#s21)
2.2.LinesofEnquiry(abcpvpca04eng.asp#s22)
2.3.ApproachandMethodology(abcpvpca04eng.asp#s23)
3.AuditResults(abcpvpca05eng.asp#s3)
3.1.LineofEnquiry1:ManagementControlFramework(abcpvpca05
eng.asp#s31)
3.2.LineofEnquiry2:BusinessContinuityPlanningReadiness(abcpvpca05
eng.asp#s32)
3.3.OverallConclusion(abcpvpca05eng.asp#s33)
Appendix1AuditCriteria(abcpvpca06eng.asp#app1)
Appendix2ManagementActionPlan(abcpvpca07eng.asp#app2)
AssuranceStatement
http://www.tbssct.gc.ca/report/orp/2012/abcpvpca/abcpvpcapreng.asp 1/22
TheInternalAuditandEvaluationBureauhascompletedanauditoftheBusiness
ContinuityPlanningProgram(BCPP)fortheTreasuryBoardofCanadaSecretariat
(Secretariat).Theobjectiveoftheauditwastoassesstheadequacyandeffectivenessof
theSecretariat'smanagementcontrolframeworkfortheBCPP,includingcompliancewith
TreasuryBoardpolicies,directives,standards,andinternalpoliciesandprocedures.The
auditapproachandmethodologyconformstotheInternalAuditingStandardsforthe
GovernmentofCanada(/pol/doceng.aspx?id=12344)andtheInstituteofInternalAuditors'
InternationalStandardsfortheProfessionalPracticeofInternalAuditing.
Weconcludewithareasonablelevelofassurancethatthemanagementcontrolframework
oftheSecretariat'sBCPPcomplieswithmostaspectsoftheTreasuryBoard'sPolicyon
GovernmentSecurity(/pol/doceng.aspx?id=16578),DirectiveonDepartmentalSecurity
Management(/pol/doceng.aspx?id=16579)andOperationalSecurityStandardBusiness
ContinuityPlanningProgram(BCP)(/pol/doceng.aspx?id=12324).Improvementis
requiredtoaddresskeyelementsofthemanagementcontrolframeworkfortheBCPP,
specificallywithrespecttorolesandresponsibilities,governance,training,and
mechanismsformonitoringandreporting.ItisalsocriticalthattheSecretariat:
CompletethedevelopmentoftheremainingsectorBusinessImpactAnalysis(BIA)
andBusinessContinuityPlan(BCP)documents
AssessallsectorBIAandBCPdocumentsand
DevelopandimplementatestingcycleforBCPsaswellasaregularmaintenance
cyclefortheBCPPoverall.
TheexaminationwasconductedduringtheperiodofJune2011toJanuary2012and
coveredtheframeworkinplacefortheBCPPuptoAugust2011.Theauditconsistedof
interviews,documentationreview,andanexaminationofsectorBIAandBCPdocuments
usingajudgmentalsamplingmethodology.Theauditevidencegatheredissufficientto
provideseniormanagementwithreasonableassuranceoftheresultsderivedfromthis
audit.
IntheprofessionaljudgmentoftheChiefAuditExecutive,sufficientandappropriateaudit
procedureshavebeenconducted,andevidencehasbeengatheredtosupportthe
accuracyoftheopinionprovidedinthisreport.Theopinionisbasedonacomparisonof
theconditions,astheyexistedatthetimeoftheaudit,againstpreestablishedaudit
criteria.Theopinionisonlyapplicablefortheentitiesexaminedandforthetimeperiod
specified.
ExecutiveSummary
Preamble
Businesscontinuityplanninginafederalgovernmentsettingisacomponentofbaseline
securityrequirementsandformsaprocessthataimstoensurethatcriticalgovernment
servicescanbecontinuallydeliveredintheeventofapotentialdisaster,asecurity
incident,adisruptionoranemergency.Thesesecurityrequirementsarecontainedinthe
EmergencyManagementAct(2007)andtheTreasuryBoardPolicyonGovernment
Security.Businesscontinuityplanningisimportantinordertoprovide"thedevelopment
andtimelyexecutionofplans,measures,proceduresandarrangementstoensureminimal
ornointerruptiontotheavailabilityofcriticalservicesandassets"1(abcpvpca07
eng.asp#ftn1)shouldsuchaneventualityoccur.TheTreasuryBoard'sOperational
SecurityStandardBusinessContinuityPlanning(BCP)Programrequiresdepartmentsto
implementaBusinessContinuityPlanningProgram(BCPP)andtoplanforemergencies
ordisruptionsthatcouldaffectthedeliveryofcriticalgovernmentservices.
Background
PublicSafetyCanadausestheTreasuryBoardPolicyonGovernmentSecuritydefinition
ofcriticalservice,"Aservicewhosecompromiseintermsofavailabilityorintegritywould
resultinahighdegreeofinjurytothehealth,safety,securityoreconomicwellbeingof
CanadiansortheeffectivefunctioningoftheGovernmentofCanada."2(abcpvpca07
eng.asp#ftn2)Foraservicetobeidentifiedascritical,itmustbeevidentthatinterruptionof
theservicewillbegintocauseinjurywithinaspecificperiodoftime,upto30days.
Basedonthisdefinition,theTreasuryBoardofCanadaSecretariat(Secretariat)
determinedthatitdoesnothavecriticalserviceshowever,anumberofcriticalsupport
functions3(abcpvpca07eng.asp#ftn3)andonecriticaldependency4(abcpvpca07
eng.asp#ftn4)wereidentified.Inordertoensurethatthereisnoconfusionbetweenthe
TreasuryBoardPolicyonGovernmentSecuritydefinitionofacriticalserviceandthe
terminologyusedintheSecretariat'sBCPPdocumentation,theSecretariatusestheterm
"criticaloperation"toidentifyitscriticalsupportfunctionsanddependencies.
ThedepartmentalBCPPisintendedtomanagetemporarybusinessdisruptionslastingup
to30days.Businesscontinuityplanningisbasedontwoscenarios:
1. Workforceoutage,wheresufficientstaffmaybeunabletoreportforduty,suchasin
apandemic.
2. Infrastructureoutage,wherepremisesoccupiedbySecretariatpersonnelmaybe
uninhabitableduetodamageorlackofutilities.
ObjectiveandScope
Theobjectiveoftheauditwastoassesstheadequacyandeffectivenessofthe
Secretariat'smanagementcontrolframeworkfortheBCPP,includingcompliancewith
TreasuryBoardpolicies,directives,standards,andinternalpoliciesandprocedures.
TheauditfocusedonthedepartmentalBCPPactivitieswithintheSecretariat.Thereview
ofthemanagementcontrolframeworkincludedthefollowingcomponents:objectives
accountabilities,rolesandresponsibilitiesorganizationalstructureplanningandrisk
managementpoliciesandprocedurestrainingandmonitoringandreporting.
KeyFindings
Sincethefallof2009,theSecretariathasundertakenmanyinitiativestodevelopand
implementtheelementsofasoundmanagementcontrolframeworkfortheBCPP.These
initiativesincluded:
AppointingaDepartmentalSecurityOfficerandacoordinatortoleadtheBCPP
CreatingkeyworkinggroupsrequiredinaBCPPasperstandardsandpolicy
Integratingbusinesscontinuityplanninginthedepartmentalbusinessplanningand
riskmanagementcycles
DraftingandissuingaseriesofdepartmentaldocumentsthatcomplywithTreasury
Boardpoliciesandstandards,anddefineobjectives,roles,responsibilitiesand
departmentalproceduresforBusinessImpactAnalyses(BIAs),BusinessContinuity
Plans(BCPs)andotheractivitiesintheBCPP
CommunicatingmanyoftheelementsandprocessesofBCPPactivitiesonthe
departmentalInfoSiteand
AdhocreportingtoseniormanagementontheactivitiesoftheBCPP,whichincluded
obtainingdecisionsregardingcriticaloperationalprioritiesandtheapprovalofkey
documents.
Notwithstandingtheabove,theauditidentifiedanumberofmanagementcontrol
frameworkelementsforimprovement:
Whilerolesandresponsibilitiesaredefinedinacomprehensivesuiteofdocuments
developedsince2009,theroleofemployeeshasnotbeendefined,andcertain
documentsremainindraftmode.Further,rolesandresponsibilitiesforcertain
stakeholdersaredefinedpartiallyacrossanumberofdocuments,withouta
comprehensivedefinitionatasinglesource.
TheexistingBCPPgovernancestructurerequiresenhancementtoensureongoing
strategicleveldirectionandoversight.
ResponsibilitiesfortrainingandcommunicationoftheBCPParedistributedbetween
thecorporateBCPgroupandthesectorheads.However,communicationand
trainingstrategieshavenotyetbeendevelopedtoensurethatindividualswhoare
involvedintheBCPPhavetheknowledgetoexecutetheirresponsibilitieswhentheir
sectorBCPisactivated.
Theauditfoundthattherewasaneedtofurtherarticulatemeasurableand
quantifiableexpectedresults,beyondtheexistingobjectives,tosupportmonitoring
andreporting.Formalprocessesforregularmonitoringandreportinghavenotbeen
developed.
Theauditalsofoundthatthebusinesscontinuityplanningcycleisstillevolvingwithinthe
Secretariat.Specifically,notallsectorBIAandBCPdocumentshadbeensubmittedtothe
corporateBCPgroup.TheassessmentofsectorBIAsandBCPshadbeeninitiatedduring
thetimeoftheaudit,buthadnotprogressedsufficientlyfortheauditteamtoassessthe
process.Further,thedevelopmentoftestingandmaintenanceprocessesinsupportofthe
BCPPwerenotdevelopedatthetimeoftheaudit.
Conclusion
GovernmentSecurity,DirectiveonDepartmentalSecurityManagementandOperational
SecurityStandardBusinessContinuityPlanningProgram.Improvementisrequiredto
addresskeyelementsofthemanagementcontrolframeworkfortheBCPP.
Specifically,thereisaneedto:
Reviewrolesandresponsibilitiestoensurethattheyarestreamlined,addressall
stakeholdersandareformallyapproved
DefineandformalizetheintegrationoftheBCPPwithinseniormanagement
committeestoensureongoingstrategicleveldirectionandoversight
Developtrainingandcommunicationstrategiesthat,inadditiontootherneeds
identified,servetoincreaseBCPPawarenessforemployeesandforthoseinvolved
incriticaloperationsand
Developandimplementformalprocessesforregularmonitoringandreporting.
ToensurethattheSecretariatisatanappropriatestageofreadinesstoeffectively
respondtoaBCPincident,itisalsocriticalthatremainingworkrelatingtoBCPP
developmentbecompleted.
CompletethedevelopmentofremainingsectorBIAandBCPdocuments
AssessallsectorBIAsandBCPsand
AmanagementactionplanhasbeendevelopedbytheSecretariatandispresentedin
Appendix2.(abcpvpca07eng.asp#app2)
1.Introduction
1.1BusinessContinuityPlanningintheFederalGovernment
Businesscontinuityplanninginafederalgovernmentsettingisacomponentofbaseline
securityrequirementsandformsaprocessthataimstoensurethatcriticalgovernment
servicescanbecontinuallydeliveredintheeventofapotentialdisaster,asecurity
incident,adisruptionoranemergency.Theserequirementsarecontainedinthe
EmergencyManagementAct(2007)andtheTreasuryBoardPolicyonGovernment
Security.Businesscontinuityplanningisimportantinordertoprovidethe"development
andtimelyexecutionofplans,measures,proceduresandarrangementstoensureminimal
ornointerruptiontotheavailabilityofcriticalservicesandassets"5(abcpvpca07
eng.asp#ftn5)shouldsuchaneventualityoccur.TheTreasuryBoard'sOperational
SecurityStandardBusinessContinuityPlanning(BCP)Programrequiresdepartmentsto
implementaBusinessContinuityPlanningProgram(BCPP)andtoplanforemergencies
ordisruptionsthatcouldaffectthedeliveryofcriticalgovernmentservices.
Eventssuchasthe1998icestorm,the2003powerblackout,the2009H1N1pandemic
andthe2010Ottawaearthquakehavehighlightedtheimportanceofbusinesscontinuity
plansacrosstheorganization.
TheBCPPiscomposedoffourelements:
1. TheestablishmentofBCPPgovernance
2. TheconductofaBusinessImpactAnalysis(BIA)
3. Thedevelopmentofbusinesscontinuityplansandarrangementsand
4. ThemaintenanceofBCPPreadiness.
1.2BusinessContinuityPlanningintheTreasuryBoardof
CanadaSecretariat
TheTreasuryBoardofCanada(Secretariat's)departmentalBusinessContinuityPlan
(BCP)supportstheSecretariatinfulfillingitsmandate,includingitsresponsibilitiesrelating
totheFederalEmergencyResponsePlan,thePublicServiceReadinessPlanandinternal
operations.
Inthefallof2009,theSecretariatdevelopeditsDepartmentalPolicyonBusiness
ContinuityPlanning.Oneyearlater,theSecretariatdevelopeditsdepartmentalBCP,
whichisahighleveloverviewoftheSecretariat'sresponsetoanincident.SectorBCPs,
oncetheyarevalidatedandtested,becomecomponentsofthedepartmentalBCPand
providethedetailonhowasectorwillrespondtoanincident,shouldthesupportofa
sector'scriticaloperationberequired.
PublicSafetyCanadausesthePolicyonGovernmentSecuritydefinitionofacritical
service,"Aservicewhosecompromiseintermsofavailabilityorintegritywouldresultina
highdegreeofinjurytothehealth,safety,securityoreconomicwellbeingofCanadiansor
theeffectivefunctioningoftheGovernmentofCanada."6(abcpvpca07eng.asp#ftn6)For
aservicetobeidentifiedascritical,itmustbeevidentthatinterruptionoftheservicewill
begintocauseinjurywithinaspecificperiodoftime,upto30days.
DuringatabletopexerciseoftheSecretariat'sseniorexecutivesinDecember2010,itwas
determinedthattheSecretariathasnocriticalservices,asdefinedabove.However,they
identifiedanumberofcriticalsupportfunctions7(abcpvpca07eng.asp#ftn7)andone
criticaldependency.8(abcpvpca07eng.asp#ftn8)Inordertoensurethatthereisno
confusionbetweentheTreasuryBoardPolicyonGovernmentSecuritydefinitionofa
criticalserviceandtheterminologyusedintheSecretariat'sBCPPdocumentation,the
Secretariatusestheterm"criticaloperation"toidentifyitscriticalsupportfunctionsand
dependencies.
Asnotedpreviously,theBCPPcomprisesfourkeyelements,includingtheconductofa
BIAandthedevelopmentofaBCP.
ThepurposeofaBIAistoidentifytheorganization'smandateandcriticalservicesor
productsranktheorderofpriorityofservicesorproductsforcontinuousdeliveryorrapid
recoveryandidentifyinternalandexternalimpactsofdisruptions.9(abcpvpca07
eng.asp#ftn9)
ThedepartmentalBCPisintendedtomanagetemporarybusinessdisruptionslastingupto
30days.Businesscontinuityplanningisbasedontwoscenarios:
1. Workforceoutage,wheresufficientstaffmaybeunabletoreportforduty,suchasin
apandemic.
2. Infrastructureoutage,wherepremisesoccupiedbytheSecretariatmaybe
uninhabitableduetodamageorlackofutilities.
TheBCPprovidesforthecontinuedavailabilityofservicesthatarecriticaltothesecurityof
employeesandtheeffectivefunctioningofthedepartmentintimesofanemergency
incidentordisruption.
TheBCPexplainswhatanorganizationhasdevelopedintermsofgovernance,processes
(includingapprovalprocesses)andtoolstomakesureitcanrespondinanemergency
incidentordisruptionwhethertheemergencyincidentordisruptionlastsafewhours,
daysormuchlonger.TheBCPclearlydefinestherolesandresponsibilitiesofkeypeople
andgroups,withaviewtoensuringthatoperationsthatarecriticaltotheeffective
functioningoftheSecretariatwillbemaintained.TheBCPwillbeactivatedwhenacritical
operationisatriskofnotbeingdeliveredandwillprovideforadditionalsupportfrom
employeesinnoncriticaloperations.
OperatingEnvironment
AttheSecretariat,responsibilityfortheBCPPisdistributedbetweenthecorporateBCP
unitintheAdministrationandSecurityDirectorate,CorporateServicesSector,andthe17
Secretariatsectorsandbranches.10(abcpvpca07eng.asp#ftn10)
TheDirectorofSecurity,AdministrationandSecurityDirectorate,hasbeendesignatedas
theDepartmentalSecurityOfficer(DSO),whohastheresponsibilityfordevelopingand
maintainingtheBCPP.
ABCPcoordinator,whoreportstotheDSO,isresponsibleforcoordinatingandsupporting
thedevelopment,management,delivery,andongoingmonitoringandmaintenanceofthe
Secretariat'sBCPs.Inturn,theBCPcoordinatorissupportedbytheBCPworkinggroup.
Sectorheadsandtheirmanagementteamsareaccountableforassessinganincident,
determiningthemostappropriateresponsewithintheirrespectiveareas,anddevelopinga
sectorBIAandBCPtoidentifyanddocumenttheirresponses.Eachsectorappointsa
sectorBCPcoordinatorandanalternatetorepresentthemontheBCPworkinggroupand
tosupportthesectorheadduringanincident.
TheSecretariatBCPworkinggroup,madeupofsectorBCPcoordinatorsandtheir
alternates,coordinatesthedevelopmentandimplementationoftheBCPP.Thisworking
groupischairedbytheDSO.
TheSecretariatIncidentManagementTeam(IMT),madeupofkeystakeholdersin
communications,informationtechnology,humanresourcesandsecurityservices,supports
theDSOandtheBCPcoordinatorintheactivationandcoordinationoftheSecretariat's
departmentalBCPandsectorBCPsduringanincident,inaccordancewiththefollowing:
EmergencyManagementAct
PolicyonGovernmentSecurity
OperationalSecurityStandardBusinessContinuityPlanning(BCP)Programand
Secretariat'sDepartmentalPolicyonBusinessContinuityPlanning.
TheAssistantSecretary,CorporateServicesSector,isthechairoftheIMT.
ActivationoftheSecretariat'sBCPwilloccuruponinstructionfromtheSecretary,orthe
Secretary'salternate,inresponsetoanincidentthatjeopardizestheSecretariat'sabilityto
deliveritscriticaloperations.IntheeventthatboththeSecretaryandthealternatearenot
available,thedecisionwillbetakenbytheIMTchair.SectorBCPs,aswellascomponents
oftheSecretariat'sdepartmentalBCP,willbeactivatedduringanincident,asrequired.
2.AuditDetails
2.1ObjectiveandScope
Theobjectiveoftheauditwastoassesstheadequacyandeffectivenessofthe
Secretariat'smanagementcontrolframeworkforbusinesscontinuityplanning,including
compliancewithTreasuryBoardpolicies,directives,standards,andinternalpoliciesand
procedures.
Theauditfocusedonthefollowingelementsofthemanagementcontrolframework:
Objectives
Accountabilities,rolesandresponsibilities
Organizationalstructure
Planningandriskmanagement
Policiesandprocedures
Trainingand
Monitoringandreporting.
TheauditexaminedthedepartmentalBCPPactivitieswithintheSecretariat.
DetailsontheauditcriteriacanbefoundinAppendix1(abcpvpca06eng.asp#app1).
ScopeExclusions
TheauditexcludedtheSecretariat'scentralagencyresponsibilitiesforsupportingthe
PublicServiceReadinessPlan11(abcpvpca07eng.asp#ftn11)andothersecurity
measuresacrossthefederalgovernment.Theseactivitiesaredistinctfromthe
Secretariat'soperationsandaregovernedbydifferentprocessesandprocedures.They
alsoinvolvedifferentdepartmentalstakeholders.
2.2LinesofEnquiry
Theaudithadtwolinesofenquiry:
ManagementcontrolframeworkAmanagementcontrolframeworkisinplaceto
ensurethattheSecretariatisproperlyadministeringitsresponsibilitiesregardingthe
TreasuryBoard'sPolicyonGovernmentSecurity,OperationalSecurityStandard
BusinessContinuityPlanning(BCP)Program,andDirectiveonDepartmental
SecurityManagement.
BusinesscontinuityplanningreadinessBusinesscontinuityplanningispartofa
permanentmaintenancecyclethatincludestheregulartestingandvalidationof
plans.
Theauditassessedwhetherthemanagementcontrolactivitiesandmechanismswere
clearlydefined,whethertheyaddressedknownrisks,weresufficientandeffectively
communicated,wereadequatelymonitored,andwhethertheyreportedrisksandmajor
issuesrelatedtotheBCPP.Theauditalsoassessedthelevelofcompliancewith
applicableauthoritiesthroughadetailedexaminationofasampleofBIAsandBCPs
submittedtotheBCPunitin2011.
2.3ApproachandMethodology
TheauditapproachandmethodologyisriskbasedandconformstotheInternalAuditing
StandardsfortheGovernmentofCanadaandtheInstituteofInternalAuditors'
InternationalStandardsfortheProfessionalPracticeofInternalAuditing.Thesestandards
requirethattheauditbeplannedandperformedinsuchawayastoobtainreasonable
assurancethatauditobjectivesareachieved.
Theauditincludedvarioustestsandproceduresconsiderednecessarytoprovidesuch
assurance,includingthefollowing:
Interviewswithkeypersonnelresearchreviewofkeydocumentsassessmentof
risktoidentifypotentialriskexposureandanalysisofdepartmentalandsectorBIAs
andBCPsforcompliance,trendsandreadiness.
Validationandassessmentofthemanagementcontrolframeworkelements
describedinthescope.Inaddition,thekeydocumentsfortheBCPPwerereviewed
toassessthelevelofcompliancewithapplicableauthorities.Theexaminationphase
ofthisauditwasconductedfromJune2011toJanuary2012,basedonthe
informationanddocumentsobtainedbyAugust2011.
3.AuditResults
3.1LineofEnquiry1:ManagementControlFramework
Itwasexpectedthatasoundmanagementcontrolframeworkwouldbeinplacetofacilitate
managementinachievingtheSecretariat'sobjectivesforbusinesscontinuity,tosupport
effectivedecisionmaking,andtoflagsignificantcontrolissuesonatimelybasis.Itwas
alsoexpectedthattheinformationrequiredtoimplementandmaintaintheBCPPwouldbe
documented,maintainedandeffectivelycommunicatedtoallstakeholdersinvolvedinthe
BCPPactivities.
Sincethefallof2009,theSecretariathasundertakenmanyinitiativestodevelopthe
BCPP.Theseinitiativeshaveincluded:
AppointingaDSOandacoordinatortoleadtheBCPP
CreatingkeyworkinggroupsrequiredinaBCPPasperstandardsandpolicy
Integratingbusinesscontinuityplanninginthedepartmentalbusinessplanningand
riskmanagementcycles
DraftingandissuingaseriesofdepartmentaldocumentsthatcomplywithTreasury
Boardpoliciesandstandards,anddefineobjectives,roles,responsibilitiesand
departmentalproceduresforBIAs,BCPsandotheractivitiesintheBCPP
CommunicatingmanyoftheelementsandprocessesofBCPPactivitiesonthe
departmentalInfoSiteand
AdhocreportingtoseniormanagementontheactivitiesoftheBCPP,including
obtainingdecisionsonkeydocumentsandcriticaloperationalpriorities.
WhiletheSecretariathasputintoplacemanyoftheessentialelementsrequiredforthe
BCPP,theprogramismaturinginitsdevelopmentandimplementation.
Objective
TheobjectiveoftheBCPPhasbeenbroadlydefinedintheDepartmentalPolicyon
BusinessContinuityPlanningaswellasintheSecretariat'sBCP.Thestatedobjective
alignswiththeexpectedresultsoftheTreasuryBoardPolicyonGovernmentSecurity
pertainingtotheBCP.However,thereisaneedtofurtherarticulatemeasurableand
quantifiableexpectedresultstosupportmonitoringandreportingontheBCPP.
OrganizationalStructure
Inlinewiththeaccountabilitiesandresponsibilitiesofindividualsectors,theorganizational
structureoftheBCPPisdecentralized.Aformalanddocumentedorganizationalstructure
isinplacetosupporttheBCPPactivitiesforthecorporateBCPgroupintheCorporate
ServicesSector.However,theseindividualsalsohaveresponsibilitiesforothersecurity
activitiessuchastheDepartmentalSecurityPlan,EmergencyManagement,and
OccupationalHealthandSafety.Astheseadditionalactivitiesfelloutsidethescopeofthe
audit,itwasnotpossibletoassessthesufficiencyofresourcesdedicatedtotheBCPP.
TheorganizationalstructureforotheremployeesperformingBCPactivities,suchasthe
sectorBCPworkinggroupcoordinators,isinformalandemployeesareassignedbasedon
therequirementsofthesector.
Accountabilities,RolesandResponsibilities
Overall,themajorityoftheaccountabilities,rolesandresponsibilitieshavebeenclearly
definedinkeydocuments.Theauditalsofoundthatkeystakeholders,includingthe
membersoftheBCPworkinggroup,theIMTandthecorporateBCPunitofthe
AdministrativeandSecurityDirectorate,CorporateServicesSector,weregenerallyaware
oftheirresponsibilitiesregardingtheBCPP.
However,certaindocumentsthatdefinerolesandresponsibilitieswerenotapprovedasof
thetimeoftheaudit.Also,whileemployeeshaveresponsibilitiesundertheTreasuryBoard
DirectiveonDepartmentalSecurityManagement,thesewerenotdefinedindepartmental
documentation,includingtheDepartmentalPolicyonBusinessContinuityPlanningand
theBCP.Finally,rolesandresponsibilitiesforcertainstakeholdersweredefinedpartially
acrossanumberofdocuments,withoutcomprehensivelydefiningtheminasingle
document.
PlanningandRiskManagement
StrategicdirectionandkeydecisionsrelatedtotheBCPPweremadebysenior
managementthroughvariousmechanismssuchaspresentationstotheSecretariat's
ExecutiveCommitteeandManagementandInfrastructureCommitteesonanadhocbasis.
Similarly,therewasevidencethatBCPPactivitieswereincludedandconsideredinthe
Secretariat'splanningandriskmanagementcycles.
WhileseniormanagementcommitteesdiscussBCPPrelatedtopicsperiodically,thereis
noformalroleforprovidingongoingstrategicleveldirectionandsupport,asrecommended
bytheTreasuryBoardOperationalSecurityStandardBusinessContinuityPlanning
(BCP)Program.ABCPworkinggroupexistsandmeetsatthecallofthechairhowever,
itsmembershipislargelybelowtheexecutivelevel.
DepartmentalPolicies,ProceduresandGuidelines
Substantialeffortshavegoneintothedevelopmentofasuiteofdocumentsthatcontain
thekeypolicy,plans,procedures,templatesandguidelinesexpectedforaBCPP.Thekey
policyandplandocumentsaregenerallycompliantwiththeTreasuryBoard'sPolicyon
GovernmentSecurityandOperationalSecurityStandardBusinessContinuityPlanning.
However,atthetimeoftheaudit,somedocumentswereawaitingformalapprovalbefore
theycouldbeimplementedandcommunicatedtoindividualsintheBCPP.Inaddition,
someofthedocumentsrequirerevisionsinordertoaddresselementsrelatedtotraining
andperformancemonitoring.
Training
ResponsibilitiesfortrainingaredistributedbetweenthecorporateBCPgroupandthe
sectorheads.TraininghasoccurredforsomeoftheBCPworkinggroupmembers,anda
numberofguidancedocumentshavebeenpostedontheSecretariat'sintranetsite.
However,communicationortrainingstrategieshavenotyetbeendevelopedtoensurethat
individualswhoareinvolvedintheBCPPhavetheknowledgetoexecutetheir
responsibilitieswhentheirsectorBCPisactivated.Basedoninterviews,someoftheBCP
workinggroupandIMTmembersreliedonpreviousexperiencesandadhocpracticesin
placethroughouttheSecretariat.GiventhattheSecretariatexperiencedaturnoverof
approximately1,000employeeseachyearinthelasttwoyears,trainingand
communicationstrategiesarecriticaltoensurethatemployeesareawareoftheprogram
detailsandhavetheappropriateinformationtorespondtoaBCPincident.Thecompletion
ofthepreviouslymentionedsuiteofdocumentswouldhelpcreatethefoundationfora
trainingprogram.
MonitoringandReporting
ThePolicyonGovernmentSecurity,theDirectiveonDepartmentalSecurityManagement,
andtheOperationalSecurityStandardBusinessContinuityPlanning(BCP)Program
includerequirementsformonitoringandreportingactivities.Theauditteamtherefore
expectedtofinddocumentationthatidentifiedtheapproachforongoingmonitoringand
reporting,includingthekeyresultsthatwouldbemonitoredandreportedonovertime.In
additiontomeetingpolicyrequirements,suchanapproachhelpsensure,amongother
things,thatmanagementisawareofkeyresultsattainedbytheprogram,aswellas
significantrisksorissuesastheyarise.
Whilemonitoringandreportingprocesseswerenotformallydefined,theauditfoundthat
monitoringofcertainBCPPactivitiesoccurredperiodicallythroughadhocreportingto
seniormanagement.TheseactivitiespertainedtothedevelopmentofBCPdocuments
suchastheDepartmentalPolicyonBusinessContinuityPlanning,thedepartmentalBCP,
thedepartmentalThreatandRiskAssessment,theDisasterRecoveryPlan,thePINto
PINtestingresults,andtheBCPprioritiespresentedtoseniormanagementinFebruary
2011.TherollupofinitialBIAsectorsubmissionswasalsopresentedtosenior
managementandbecameoneofthetriggersforthetabletopexerciseheldwiththe
Secretariat'sExecutiveCommitteeinDecember2010.Trackingofthesectorsubmissions
ofBIAandBCPdocumentswasalsofoundtooccur.
Thelevelofmonitoringandreportingpreviouslynotedrepresentssignificantprogressfor
theSecretariat'sBCPPoverthelasttwofiscalyears.Theformaldefinitionofsuch
processes,includingdetailsonwhatshouldbemonitoredandreportedon,wouldenhance
seniormanagement'sawarenessofcriticalaspectsoftheprogramandwouldfurther
supporttimelydirectionandoversight.
Keyresultsthatcouldbemonitoredandreportedonregularlyinclude:
Trainingandawarenessactivities(e.g.,fornewemployeesandkeyBCPP
stakeholders)
Resultsoftestingandmaintenanceactivities
IssuesandrisksidentifiedviatheBCPP,andtheirdispositionand
StatusandresultsofcriticalBCPPactivities.
Recommendations:
ItisrecommendedthattheAssistantSecretary,CorporateServicesSector,undertakethe
following:
1. ReviewthesuiteofdocumentsdefiningBCPProlesandresponsibilities,witha
viewtoensuringthattheyaddressallstakeholders,arestreamlined,andareformally
approved.
Priorityranking:High
2. FormallyintegratetheBCPPintotheseniormanagementcommitteestructureto
ensureongoingstrategicleveldirectionandoversight.
3. Incollaborationwithsectorheads,developandimplementcommunicationand
trainingstrategiestomeetidentifiedneeds.
4. Formallydefinemonitoringandreportingprocesses,includingkeyexpectedresults,
inordertoeffectivelysupportBCPPactivities.
Priorityranking:Medium
3.2LineofEnquiry2:BusinessContinuityPlanning
Readiness
ItwasexpectedthattheSecretariatwouldhavecompletedthepreparationandvalidation
ofsectorBIAsandBCPs.ItwasalsoexpectedthattheseBIAsandBCPswouldbe
compliantwiththeDepartmentalPolicyonBusinessContinuityPlanningandthatatesting
andmaintenancecyclefortheBCPPwouldexist.
ToensurethattheSecretariatispreparedtorespondtoanincidentandtoactivatethe
necessarysectorBCPs,itisnecessarythateverysectorhaveanapprovedBIAandBCP
thatrepresentstheirplannedresponseforbothcriticalandnoncriticaloperations.
Itwasfoundthatthebusinesscontinuityplanningcycleisstillevolvingwithinthe
Secretariat.In200809thefirstsetofsectorBIAswasprepared.Theseweresummarized
intoadepartmentaldocumentthatidentifiedthecriticaloperationsandthenumberof
employeesrequiredduringaBCPincident.Thisreportbecameoneofthetriggersfora
reviewandprioritizationofcriticaloperations,whichwasdonebytheSecretariat's
ExecutiveCommitteeinDecember2010.
Atthattime,thetopsevencriticaloperationsthatneededtobeaddressedwithinthefirst
24hoursofanincidentwereidentified.Anadditionalninecriticaloperationswere
prioritized.In2011,thesectorsBIAswereupdated,andthedevelopmentofthefirstcycle
ofsectorBCPswasinitiated.
Duringthistime,thecorporateBCPgroupintheCorporateServicesSectorprovided
guidanceanddevelopedtoolstoassistthesectorsinthedevelopmentoftheirBIAand
BCPdocuments.
SectorBIAsandBCPswerepreparedandsubmittedbymostsectorshowever,four
sectors,whichcontaincriticaloperations,didnotsubmit.Mostsectorsmadeuseofthe
departmentallydesignedtemplateshowever,informationinmanyofthedocuments
containedgapsandambiguities.
Atthetimeofouraudit,thecorporateBCPunithadinitiatedthereviewandvalidation
processforsectorBIAsandBCPshowever,thishadnotprogressedsufficientlyforthe
auditteamtoassesstheprocess.Thetestingandmaintenancecycleshadnot
commenced.
Furtherworkisrequiredto:
CompletethedevelopmentoftheremainingsectorBIAandBCPdocuments
Duringtheengagement,theauditteamidentifiedapotentialopportunitytofurther
streamlinetheprogramthroughtheuseofgenericBIAandBCPdocumentsthatwould
handlenoncritical,aswellascertaincritical,operations.Theauditfoundthatmostsectors
havenoncriticaloperationsandthattheBCPresponsesareoftenthesameorsimilar.As
such,useofgenericresponses,whilestillallowingforsectorspecificrequirements,has
thepotentialtoreduceoveralleffort.Thispossibleapproachisidentifiedformanagement's
considerationonly,andisthereforenotincludedintherecommendationsthatfollow.
Recommendation:
ItisrecommendedthattheAssistantSecretary,CorporateServicesSector,undertakethe
following:
5. Incollaborationwithsectorheads,completetheremainingworkrelatingtoBCPP
development.
CompleteremainingsectorBIAandBCPdocuments,andensurethatallare
assessedand
DevelopandimplementatestingandmaintenancecycleforBIAandBCP
documentsandactivities.
3.3OverallConclusion
SignificantprogresshasbeenmadebytheSecretariatindevelopingandimplementinga
managementcontrolframeworkfortheBCPPsinceSeptember2009.
GovernmentSecurity,DirectiveonDepartmentalSecurityManagementandOperational
SecurityStandardBusinessContinuityPlanning(BCP)Program.Improvementis
requiredtoaddresskeyelementsofthemanagementcontrolframeworkfortheBCPP.
Reviewcertainrolesandresponsibilitiestoensurethattheyareformallyapproved
andthatallstakeholdersareaddressed
DefineandformalizetheintegrationoftheBCPPwithinseniormanagement
committees,toensureongoingstrategicleveldirectionandoversight
Developtrainingandcommunicationstrategiesthat,inadditiontootherneeds
identified,servetoincreaseBCPPawarenessforemployeesandforthoseinvolved
incriticaloperationsand
Developandimplementformalprocessesforregularmonitoringandreporting.
ToensurethattheSecretariatisatanappropriatestageofreadinesstoeffectively
respondtoaBCPincident,itisalsocriticalthattheremainingworkrelatingtoBCPP
developmentbecompleted.
CompletethedevelopmentofremainingsectorBIAandBCPdocuments
Appendix1AuditCriteria
LineofEnquiry1ManagementControlFramework
AmanagementcontrolframeworkisinplacetoensurethattheSecretariatis
properlyadministeringitsresponsibilitieswithregardtothefollowing:
TreasuryBoardPolicyonGovernmentSecurity
TreasuryBoardOperationalSecurityStandardBusinessContinuityPlanning
(BCP)Programand
TreasuryBoardDirectiveonDepartmentalSecurityManagement.
1. Objectivesandgoalsareclearlydefined,formallyapproved,currentand
communicated.
2. Accountability,rolesandresponsibilitiesareclearlydefined,formallyapprovedand
communicated.
3. Theorganizationalstructureisformalandissupportedbytheappropriateresources.
4. Planningandriskmanagementareundertakenonaregularbasis.
5. Departmentalpolicies,proceduresandguidelinesarecompliantwithapplicable
authoritiesandarecomplete,currentandcommunicated.
6. Trainingofmanagementandstaffwithbusinesscontinuityplanningresponsibilities
forawarenessandcompliancewithapplicablepolicies,directivesandpractices,
effectivelysupportstheBusinessContinuityPlanningProgram(BCPP).
7. Aneffectivemonitoringandreportingmechanismisinplace.
LineofEnquiry2BusinessContinuityPlanningReadiness
Businesscontinuityplanningispartofapermanentmaintenancecyclethatincludes
regulartestingandvalidationofplans.
1. SectorBusinessImpactAnalyses(BIAs)arecompliant,validated,testedand
maintained.
2. DepartmentalandsectorBusinessContinuityPlans(BCPs)arecompliant,validated,
testedandmaintained.
Appendix2ManagementActionPlan
Recommendation1:
ItisrecommendedthattheAssistantSecretary,CorporateServicesSectorreviewthe
suiteofdocumentsdefiningBCPProlesandresponsibilities,withaviewtoensuringthat
theyaddressallstakeholders,arestreamlined,andareformallyapproved.
ManagementAction Completion Office

Date of
Primary
Interest
(OPI)
Weagreewiththerecommendation
CSSwillreviewandrevisetheDepartmentalBCPpolicyto Q3201213 CSS

clarifyrolesandresponsibilitiesofallindividualsinvolvedinthe
BCPprocess.
Allsupportingdocumentationwillbeupdatedandstreamlined, Q3201213 CSS

whereappropriate
DocumentswithimplicationsexternaltoCSS,includingpolicies, Q4201213 CSS

willbeapprovedbytheSecretarysubsequenttoreviewbythe
ManagementandInfrastructureCommittee(MIC).
Recommendation2:
ItisrecommendedthattheAssistantSecretary,CorporateServicesSectorformally
integratetheBCPPintotheseniormanagementcommitteestructuretoensureongoing
strategicleveldirectionandoversight.

Date of
Primary
Interest
(OPI)
Weagreewiththerecommendation.
CSSwillreviewandrevisecurrentgovernancefortheBCP October CSS

Programtoensureformalintegrationofstrategicleveldirection 2012
andoversightintotheseniormanagementcommitteestructure.
RevisedgovernancestructuretobepresentedtoEXCOfor November CSS

reviewpriortoapproval. 2012
NOTE:TheStrategicEmergencyManagementPlan(SEMP)will December CSS/

beapprovedbytheSecretarybyDecember2012.TheSEMP 2012 IASJ12
willintegratealllevelsofemergencyresponseandwill
incorporatebuildingemergencies,BCPconsiderationsandthe
centralagencyrolethatTBSleadswithrespecttotheFederal
EmergencyResponsePlan(FERP)
Recommendation3:
ItisrecommendedthattheAssistantSecretary,CorporateServicesSector,in
collaborationwithsectorheads,developandimplementcommunicationandtraining
strategiestomeetidentifiedneeds.

Date of
Primary
Interest
(OPI)
CSSandtheStrategicCommunicationandMinisterialAffairs January31, CSS/

sector(SCMA)willdevelopacommunicationstrategyaspartof 2013 SCMA
the201213BCPWGworkplan.
CSSwillobtainapprovalfromtheAssistantSecretaryCSS,for March31, CSS

thecommunicationstrategy. 2013
Thecommunicationsstrategywillbeimplemented. May2013 CSS/

SCMA
CSSwilldevelop,obtainapprovalfromtheAssistantSecretary March31, CSS

CSS,andcommenceathreeyeartrainingstrategytotargetboth 2013
sectorandcorporateengagement.
CSSwilldevelopgenerictoolsandtrainingtobeprovidedtothe September CSS

BCPWGtoassistwithBCPexercisesforsectorsin201213. 2012
UsingthegenerictoolsdevelopedbyCSS,andwithassistancefromCSS(ifrequired),
sectorswill:
Holdinformationtrainingsessionsforallemployees,criticalor December Sector

noncritical,withinthesector,inaccordancewiththeneeds 2012 Heads
outlinedinthesectorplan. CSS/
SCMA
Provideadditionaltrainingtostaffwithdutiesrelatingtothe March2013 Sector

Sector'scriticaloperationstoensureadequateknowledgeof Heads
BCPrequirements,inaccordancewiththeneedsoutlinedin CSS/
thesectorplan. SCMA
Recommendation4:
ItisrecommendedthattheAssistantSecretary,CorporateServicesSectorformallydefine
monitoringandreportingprocesses,includingkeyexpectedresults,inordertoeffectively
supportBCPPactivities.
Priorityranking:Medium

Date of
Primary
Interest
(OPI)
CSSwilldevelopamonitoringprocess.Thisprocesswillprovide Q4201213 CSS

aframeworktooverseethedevelopmentofstrategicobjectives,
formalreportingmechanisms,andprovideclearmeasures
consistentwiththemonitoringprocess.
ThismonitoringprocesswillbeapprovedbytheAssistant March31, CSS

SecretaryCSS,andimplemented 2013
FormalreportingonBCPactivitieswillbeimplemented Q3201314 CSS
Recommendation5:
ItisrecommendedthattheAssistantSecretary,CorporateServicesSector,in
collaborationwithsectorheads,completetheremainingworkrelatingtoBCPP
development.
CompleteremainingsectorBIAandBCPdocuments,andensurethatallare
assessedand
DevelopandimplementatestingandmaintenancecycleforBIAandBCP
documentsandactivities.
ManagementAction Completion Officeof

Date Primary
Interest(OPI)
Allcompleted2011/12sectorBCPandBIAplanswere Completed CSS

assessedinJanuary2012.Sectorswereprovidedwith
writtenfeedbackontheirplansandwereencouragedto
meetwithCSSforfurtherdiscussion.
SectorswillberequiredtosubmitapprovedBCPplans June29, SectorHeads

andBusinessImpactAnalysisfor2012/13onorbefore 2012
thedeadlineprovidedbyCSS.
Assessmentsofthe2012/13planswillbecompletedby October CSS

CSS. 2012
Atestingcyclewillbedevelopedandapprovedbythe March31, CSS

AssistantSecretary,CSS. 2013
Thetestingcyclewillbeimplemented Q1201314 CSS
Amaintenancecyclewillbedevelopedandapprovedby March31, CSS

theAssistantSecretary,CSS. 2013
Themaintenancecyclewillbeimplementedand Q1201314 CSS/Sector

monitoredbyCSS.Sectorrepresentativeswillcontribute representatives
totheimplementationofmaintenanceactivities.
Footnotes
1(abcpvpca02eng.asp#ftnref1).PolicyonGovernmentSecurity,AppendixA
Definitions,effectiveJuly1,2009.
2(abcpvpca02eng.asp#ftnref2).Ibid.
3(abcpvpca02eng.asp#ftnref3).Acriticalsupportfunctionisaninterdepartmentalor
intradepartmentalpolicyorservicethatsupportsacriticalservice.
4(abcpvpca02eng.asp#ftnref4).Acriticaldependencyisabusinessprocess
arrangementwhereonedepartmentisresponsibleforacriticalservicebutdependson
anotherdepartmentforcompletion,productionordeliveryoftheoutput.
7(abcpvpca03eng.asp#ftnref7).Acriticalsupportfunctionisaninterdepartmentalor
intradepartmentalpolicyorservicethatsupportsacriticalservice.
8(abcpvpca03eng.asp#ftnref8).Acriticaldependencyisabusinessprocess
arrangementwhereonedepartmentisresponsibleforacriticalservicebutdependson
anotherdepartmentforcompletion,productionordeliveryoftheoutput.
9(abcpvpca03eng.asp#ftnref9).PublicSafetyCanada,AGuidetoBusinessContinuity
Planning(http://www.publicsafety.gc.ca/prg/em/gds/bcpeng.aspx).
10(abcpvpca03eng.asp#ftnref10).Forpurposesofthisreport,allSecretariatsectorsand
brancheswillbereferredtoas"sectors."
11(abcpvpca04eng.asp#ftnref11).ThepurposeofthePublicServiceReadinessPlan
(PSRP)istoprovidetheplanningarchitecture,processesandguidancerequiredfor
deputyheadstohorizontallymanagethecrosscutting,publicservicewideconsequences
ofanemergency.ThePSRPmaybeactivatedwhenemergenciesresultinworkforceand
servicedeliveryissuesimpactinganumberofdepartmentsandagenciesthatcannotbe
effectivelymanagedwithinthescopeofindividualdepartmentalBusinessContinuityPlan.
ThePSRPengagesasmallgroupofdeputyheads,whowillconsiderinterdepartmental
solutionstofacilitatethedeliveryofcriticalservices.
12InternationalAffairs,SecurityandJusticeSector(IASJ)
Datemodified:
20120820

TBS Audit of Business Continuity Planning

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

TBS Audit of Business Continuity Planning

Uploaded by

Copyright:

Available Formats

2/10/2015 AuditofBusinessContinuityPlanning

ManagementAction Completion Office

CSSwillreviewandrevisetheDepartmentalBCPpolicyto Q3201213 CSS

Allsupportingdocumentationwillbeupdatedandstreamlined, Q3201213 CSS

DocumentswithimplicationsexternaltoCSS,includingpolicies, Q4201213 CSS

ManagementAction Completion Office

CSSwillreviewandrevisecurrentgovernancefortheBCP October CSS

RevisedgovernancestructuretobepresentedtoEXCOfor November CSS

NOTE:TheStrategicEmergencyManagementPlan(SEMP)will December CSS/

ManagementAction Completion Office

CSSandtheStrategicCommunicationandMinisterialAffairs January31, CSS/

CSSwillobtainapprovalfromtheAssistantSecretaryCSS,for March31, CSS

Thecommunicationsstrategywillbeimplemented. May2013 CSS/

CSSwilldevelop,obtainapprovalfromtheAssistantSecretary March31, CSS

CSSwilldevelopgenerictoolsandtrainingtobeprovidedtothe September CSS

Holdinformationtrainingsessionsforallemployees,criticalor December Sector

Provideadditionaltrainingtostaffwithdutiesrelatingtothe March2013 Sector

ManagementAction Completion Office

CSSwilldevelopamonitoringprocess.Thisprocesswillprovide Q4201213 CSS

ThismonitoringprocesswillbeapprovedbytheAssistant March31, CSS

FormalreportingonBCPactivitieswillbeimplemented Q3201314 CSS

ManagementAction Completion Officeof

Allcompleted2011/12sectorBCPandBIAplanswere Completed CSS

SectorswillberequiredtosubmitapprovedBCPplans June29, SectorHeads

Assessmentsofthe2012/13planswillbecompletedby October CSS

Atestingcyclewillbedevelopedandapprovedbythe March31, CSS

Thetestingcyclewillbeimplemented Q1201314 CSS

Amaintenancecyclewillbedevelopedandapprovedby March31, CSS

Themaintenancecyclewillbeimplementedand Q1201314 CSS/Sector

You might also like