Audit of Business Continuity Planning (BCP)


June 2006

Tabled and approved by DAEC on January 9, 2007


Also available in French under the title Vérification de la planification de la continuité des activités (PCA)




Executive Summary

1.1 Introduction

In accordance with the Treasury Board of Canada Secretariat standards for operational security in the Government Security Policy (GSP), Industry Canada (IC) established a Business Continuity Planning (BCP) Program and identified critical and essential services. Public Safety and Emergency Preparedness Canada (PSEPC) has the mandate to review plans of federal departments to ensure that they are able to continue operating during emergencies and has requested auditors of departments to audit business continuity planning. In accordance with this request by PSEPC, Industry Canada has undertaken an internal audit of its BCP program.

1.2 Overall Assessment

Overall, the audit found that the BCP program is built on a solid foundation and provides some assurance that the organization will manage critical and essential services during major disruptions and emergencies. However, the audit found that complete assurance could not be provided because no comprehensive exercise program exists and serious questions remain about the integration of IM/IT for the critical BCP plans.

1.3 Main Findings, Conclusions, and Recommendations

The audit found that Industry Canada has a well administered BCP program overall. In the sectors, some of the essential functions do not give enough priority to their BCP. The audit found serious concerns with the integration of the business continuity plans for critical functions with IT continuity planning and found no comprehensive exercise program.

1.3.1 Business Continuity Plan Governance (See Section 3.1 of the BCP Standard)

The control objective is to ensure that Industry Canada has assigned responsibility for the BCP program in accordance with the standard.

We found that Industry Canada has appointed an effective and efficient BCP coordinator who reports to the Director, Security and Departmental Security Officer (DSO). A BCP Steering Committee meets approximately every 6 months to discuss strategic issues related to BCP. A BCP Working Group includes representatives from the various corporate services and the critical functions.

Conclusion

The essential conditions of stable governance and strategic direction are in place for providing effective business continuity planning, support to the Deputy Minister, and the delivery of results. Several improvements could make the overall governance better as described in the following recommendations:

Recommendation 1:

An effective independent challenge to the sector business continuity plans is needed in order to improve them. Such a challenge should be done every two years in order to respond to rapidly changing risks and circumstances. In addition each sector should include a review of business continuity planning in their annual business planning cycle.

Recommendation 2:

Industry Canada should identify key external dependencies. These dependencies should be assessed as to their significance for the business continuity plan to be successful. A plan should then be developed and documented to minimize any risk exposure. Where appropriate, there should be memoranda of understanding or equivalent agreements negotiated with these external dependencies.

Recommendation 3:

After a thorough challenge to the business continuity plans, internal dependencies (IM/IT services for example) need to be identified and documented. Internal service level agreements, or some equivalent, need to be negotiated in order to ensure that appropriate services are available to support the execution of the sector business continuity plans.

1.3.2 Business Impact Analysis (See Section 3.2 of the BCP Standard)

The control objective is to ensure that an effective BCP program is based on a Business Impact Assessment (BIA). The BIA identifies and quantifies the direct and indirect, quantitative and qualitative impacts on critical and essential services due to disruptions and emergencies.

Industry Canada has used BIAs as a tool for examining essential services but has not done them for all critical services. The information gained by a detailed impact assessment provides management with information helpful to establishing priorities and identifying key services.

Conclusion

The information gained by doing a Business Impact Assessment could contribute value to the business continuity plans. Although the audit is not making a specific recommendation, Industry Canada might consider that Business Impact Assessments be done and maintained for all business functions so as to ensure that the BCP programs for service functions such as CIO, Facilities, and Security are appropriate, responsive and complete.

1.3.3 Business Continuity Action Plans and Arrangements (See Section 3.3)

The control objective is to ensure the completeness of the business continuity plans by encouraging the use of Business Impact Assessments and Threat and Risk Assessments (TRAs). Another control objective is to ensure that recovery options have been thoroughly analyzed so as to provide information to management regarding appropriate choices and priorities.

We noted that the various business continuity plans were developed in parallel in Industry Canada and they have not benefited from a collaborative effort to identify dependencies of one function on another. In particular, dependencies on facilities and on IM/IT tools have been listed in some business continuity plans without corresponding responses from those responsible for those areas. This results in business continuity plans that may not stand up in a real emergency. Also, without good analysis of recovery options accompanied by estimates of costs, management decisions and choices in emergency situations may result in expensive or suboptimal recoveries. We observed also that business continuity recovery strategies were sketchy and left for Response teams to create ad hoc.

Conclusion

BCP programs would benefit if they were completely integrated with respect to support functions and dependencies (see recommendations 2 & 3). They should include recovery options showing detailed steps to provide critical and essential services including full costs and analysis as to risks and threats.

Recommendation 4:

Planning the development of the TRAs should be done jointly by both the DSO & the Chief Information Officer (CIO). The coordinated planning will ensure that both physical and IT related security issues are fully covered and no gaps occur. In addition, any BCP related issues should be considered in the development of the TRAs so the BCP Coordinators can benefit by the results of the TRAs. The results of the data gathered in the TRAs can be shared by the DSO and the CIO.

Recommendation 5:

Business continuity plans should include fully documented business continuity recovery strategies that detail steps to provide critical and essential services. Estimated costs are necessary to identify a viable recovery option such as IM/IT requirements. These costs can then be used for management decisions of priorities and choices made in the plans.

Recommendation 6:

Business continuity plans and associated documents would benefit from a change management control system by providing a reader with information as to the latest update for any significant change (e.g. mandate of the critical and essential functions) to the plan as well as the nature and origin of the changes.

1.3.4 BCP Program Readiness (See Section 3.4 of the BCP Standard)

The control objective is to ensure that Industry Canada has kept its BCP programs up-to-date. Business continuity plans benefit from a regular exercise program. All incidents, disruptions and emergencies provide lessons learned that can result in a more thorough review and update of the plans.

The audit found that Industry Canada did not have a regular exercise program in place and has not developed a way of sharing lessons learned from a database of incidents, disruptions and emergencies.

Conclusion

Industry Canada business continuity plans are updated quarterly or semi-annually when names, roles and/or phone numbers change. There is no change management control system for the business continuity plans (see recommendation 6). We noted that there is no regular test or exercise program. There are no standard templates for capturing lessons learned from real events or from exercises and any information that is kept is not readily accessible to business continuity planners unless they contact the IC BCP coordinator who maintains a file.

Recommendation 7:

An effective annual exercise should be conducted.

Recommendation 8:

Industry Canada should implement a procedure to capture lessons learned from real events and exercises. Lessons learned from exercises and from real disruptions and incidents should be made available to business continuity coordinators so as to provide useful material with which to make substantive changes and improvements to the business continuity plans as required. The captured information of incidents and lessons learned should be used also to create training and awareness materials for managers and senior staff.

1.3.5 BCP Training and Awareness (See Section 3.4 of the BCP Standard)

The control objective is to ensure that training and instruction has been developed, funded and used to support the BCP program. Specialized training is required for security specialists and for business continuity planners. General awareness programs are needed to sensitize staff to emergency planning and to create an environment where people have confidence that their managers will act correctly with respect to health and safety, and protection of assets.

The audit found that the BCP coordinator has received annual training. However, we did not find that all other BCP coordinators and key managers attended annual BCP-related training and some have not had any external BCP training courses.

Conclusion

We noted that the Industry Canada BCP coordinator and some of the sector BCP coordinators have been trained and have kept up their awareness through attendance at conferences. Others have received only in-house presentations and lack practical experience in handling emergencies. In addition, general awareness amongst management and senior staff of business continuity planning and emergency planning could be improved.

Recommendation 9:

Industry Canada could improve the education of sector and regional business continuity and emergency planners by ensuring that their annual career development plan includes the appropriate business continuity and emergency planning courses and seminars based on the scope of their BCP responsibilities.

Recommendation 10:

Industry Canada should ensure that its BCP policy is well communicated and understood.

The following suggestion may be considered:

Industry Canada could improve general awareness of business continuity and emergency planning issues by taking advantage of the intranet, by having a program during the annual BCP awareness week, and by promoting on site presentations by the BCP coordinator.

2.0 Introduction

2.1 Background

2.1.1 Treasury Board of Canada Secretariat (TBS) Policy

From the Treasury Board of Canada Secretariat 'Operational Security Standard—Business Continuity Planning Program':

In accordance with sections 10.1, 10.14 and 10.12.4 of the Government Security Policy (GSP), the continued delivery of government services must be assured through baseline security requirements, business continuity planning, including Information Management (IM) and Information Technology (IT) continuity planning, and continuous risk management. The GSP and its associated standards describe these baseline security requirements. They are based on a government-wide threat and risk assessment and are designed to protect the resources on which the government relies to deliver services: employees, information and other assets.

As part of baseline security requirements, departments must establish a Business Continuity Planning (BCP) Program to provide for the continued availability of:

  • Services and associated assets that are critical to the health, safety, security or economic well-being of Canadians, or the effective functioning of government. Unavailability would result in a high degree of injury to Canadians and government.
  • Other services and assets when warranted by a threat and risk assessment.

The BCP Program complements emergency preparedness that is mandated by legislation or government policy (e.g. fire and building evacuation plans; civil emergency plans). It also supports planning that is necessary to restore other-than-critical services and their associated assets and resources; departments should use this program to incorporate their planning for other-than-critical services.

Operational Security Standard—Business Continuity Planning Program, Treasury Board of Canada Secretariat

2.1.2 Industry Canada Policy

In accordance with the above Standard, Industry Canada set out the following Policy Statement:

In order to support the national interest and the Government of Canada's business objectives for safeguarding employees and assets and assuring the continued delivery of services, Industry Canada is establishing a business continuity planning program to provide for the continued availability of critical services and assets, and other services when warranted by a threat and risk assessment and will ensure that business continuity plans are developed, implemented and maintained.

Policy Statement, Industry Canada

2.1.3 Industry Canada's Identification of Critical and Essential Services

Based on the Treasury Board definition of 'critical services', Industry Canada has identified its critical and essential services.

2.1.4 Public Safety and Emergency Preparedness Canada (PSEPC) Role

Under the National Security Policy of 2004, Public Safety and Emergency Preparedness Canada (PSEPC) has the responsibility for "strengthening, testing and auditing of key capabilities and conducting assessments of other departments. This will include a review of the plans of federal departments to ensure they are able to continue operating during emergencies."

This direction is further amplified by providing direction to Government of Canada departments under "The Way Forward—Strategic Coordination". The relevant paragraph reads as follows:

The Government needs to be able to continue to provide core services to Canadians during emergencies. Building on existing work in this regard, federal departments will ensure that they can continue to serve Canadians regardless of the circumstances by strengthening their continuity planning process and requiring regular exercise to test these plans.

The Way Forward—Strategic Coordination

The internal auditors of departments are requested to collaborate with PSEPC to ensure that, as a first step, BCP Programs are audited by departments. At a later stage PSEPC will begin an independent third-party BCP audit and examination program.

In accordance with the above request by PSEPC, Industry Canada has undertaken an internal audit of its BCP Programs.

2.2 Audit Objectives

The following audit objectives are grouped based on the BCP Standard:

  • BCP Governance (Section 3.1 of the BCP standard)
    Ensure the department has established a governance structure for the BCP Program.
  • Business Impact Analysis (Section 3.2 of the BCP standard)
    Ensure the department has completed a business impact analysis to select and prioritize its critical services and to identify the impacts of disruptions on the department.
  • Plans and Arrangements (Section 3.3 of the BCP standard)
    Ensure the department has developed plans and arrangements to provide for the continuous availability of critical services. This includes putting teams into place for recovering the services and if necessary, when warranted, identifying an alternate site from which to deliver critical services.
  • BCP Readiness (Section 3.4 of the BCP standard)
    Ensure the department has put in place a regime of continuous maintenance, training, testing, audit and exercises to keep the BCP program up-to-date and ready to be deployed when a disruption occurs.
  • BCP Training and Awareness (Section 3.5 of the BCP standard)
    Ensure that appropriate security and business continuity training has been provided to security and BCP specialists and emergency planners. Ensure that training, instruction and awareness programs are in place within the department so that staff who have been given a full- or part-time role performing BCP-related duties are able to support the BCP program appropriately.

2.3 Audit Scope

The audit examined the business continuity planning of Industry Canada in place as of March 31, 2006.

2.4 Audit Approach

The audit was performed following a standard audit process based on professional standards that are in compliance with Standards for the Professional Practice of Internal Auditing (Institute of Internal Audit).

2.5 Audit Criteria

Detailed audit criteria used during this audit were drawn from the 'Guide to the Audit of Business Continuity Planning Programs' Draft dated June 2004 and published by Public Safety and Emergency Preparedness Canada.

2.6 Appreciation

The audit team wishes to express their appreciation to the Industry Canada managers and staff that made themselves available and provided all requested documentation. Our special thanks to the BCP coordinator for her support and work.

3.0 Detailed Audit Findings and Recommendations

3.1 Business Continuity Plan Governance

Industry Canada has a governance structure in place for the BCP program. Responsibility has been delegated from the Deputy Minister to the Senior Associate Deputy Minister and to the ADM, Comptrollership and Administration. The DSO for the department has administrative responsibility for the program. The departmental BCP coordinator reports to the DSO.

A BCP Steering Committee is chaired by the ADM and has representatives of the Industry Canada Sectors that manage critical functions and includes representatives from various corporate services. The Steering Committee is the decision-making body regarding BCP. A Business Continuity Working Group handles coordination and support issues. The Working Group has key operational managers in its membership. Sectors that manage critical functions have full-time BCP and emergency planning coordinators. Sectors that manage essential services have part-time BCP and emergency coordinators. Response teams have been identified and lists of relevant contact information have been created and are regularly maintained.

Although Industry Canada contracted with outside experts to assist in creating its BCP program originally, we found that no independent challenge or evaluation of the plans has occurred since. In particular an independent evaluation could clarify and identify assumptions, inter-relationships, dependencies and service requirements in the plans that require careful negotiation between the organizations and business units involved.

Recommendation 1:

An effective independent challenge to the sector business continuity plans is needed in order to improve them. Such a challenge should be done every two years in order to respond to rapidly changing risks and circumstances. In addition each sector should include a review of business continuity planning in their annual business planning cycle.

Industry Canada sectors and service functions have focused inwardly in their BCP programs. Hence, Industry Canada has not thoroughly examined external dependencies for successful execution of the plans. Where key dependencies exist, their significance to the BCP needs to be assessed and a plan developed and documented to minimize the exposure.

Recommendation 2:

Industry Canada should identify key external dependencies. These dependencies should be assessed as to their significance for the business continuity plan to be successful. A plan should then be developed and documented to minimize any risk exposure. Where appropriate, there should be memoranda of understanding or equivalent agreements negotiated with these external dependencies.

There are assumptions made and requirements identified in the plans for levels of service needed internally for successful responses to emergencies. Where these internal service requirements have been identified there are no service level agreements in place to assure the business units that the required priority and levels of service will be provided in an emergency.

Recommendation 3:

After a thorough challenge to the business continuity plans, internal dependencies (IM/IT services for example) need to be identified and documented. Internal service level agreements, or some equivalent, need to be negotiated in order to ensure that appropriate services are available to support the execution of the sector business continuity plans.

3.2 Business Impact Analysis

Industry Canada has not completed business impact analyses for all of its business lines although this is recommended by PSEPC. In the case of critical services, for example, senior management identified the critical services and made the decision to proceed with creation of BCP plans without first completing business impact analyses. Although the audit is not making a specific recommendation, Industry Canada might consider that Business Impact Assessments be done and maintained for all business functions so as to ensure that the BCP programs for service functions such as CIO, Facilities, and Security are appropriate, responsive and complete.

3.3 BCP Action Plans and Arrangements

Threat and Risk Assessments (TRAs) are a valuable source of information and, complemented by business impact assessments, can be used to ensure that business continuity planning includes consideration of all possible factors affecting services to the Canadian public. We found that two types of threat and risk assessments are done at Industry Canada, one for physical security and the other for security of information technology. The two types are not linked but are done independently of each other. While some BCP related questions were added to the physical security questionnaire recently, we noted that the questions could be improved. The IT TRA does not include questions related to business continuity or emergency planning.

Recommendation 4:

Planning the development of the TRAs should be done jointly by both the DSO & the CIO. The coordinated planning will ensure that both physical and IT related security issues are fully covered and no gaps occur. In addition, any BCP related issues should be considered in the development of the TRAs so the BCP Coordinators can benefit by the results of the TRAs. The results of the data gathered in the TRAs can be shared by the DSO and CIO.

The Operational Security Standard—Business Continuity Planning Program requires departments to include instructions describing how critical and essential business services are to be recovered in an emergency. The Standard calls for the development of recovery options from which a recovery strategy may be selected. Recovery options are to be estimated as to costs. Risks and benefits are to be identified, and impacts are to be assessed. The selected strategies are to be approved and funded by senior management. We noted that some plans, such as the BCP for Canadian Intellectual Property Office (CIPO), have such detailed recovery instructions. The other business continuity plans need some improvement as they do not document in detail how to recover critical and essential business functions, or appear to be copied from some other source.

Recommendation 5:

Business continuity plans should include fully documented business continuity recovery strategies that detail steps to provide critical and essential services. Estimated costs are necessary to identify a viable recovery option such as IT/IM requirements. These costs can then be used for management decisions of priorities and choices made in the plans.

Recommendation 6:

Business continuity plans and associated documents would benefit from a change management control system by providing a reader with information as to the latest update for any significant change (e.g. mandate of the critical and essential functions) to the plan as well as the nature and origin of the changes.

3.4 BCP Readiness

The Operational Security Standard—Business Continuity Planning (BCP) Program requires regular testing and validation of all plans including capture of lessons learned. Our audit found that, although some exercises had been done, in most cases the business continuity plans had not been exercised at all. No plans for an annual exercise exist for the sector business continuity plans.

Recommendation 7:

An effective annual exercise should be conducted.

Recommendation 8:

Industry Canada should implement a procedure to capture lessons learned from real events and exercises. Lessons learned from exercises and from real disruptions and incidents should be made available to business continuity coordinators so as to provide useful material with which to make substantive changes and improvements to the business continuity plans as required. The captured information of incidents and lessons learned should be used also to create training and awareness materials for managers and senior staff.

3.5 BCP Training and Awareness

Although the BCP coordinator and the BCP planners for the critical services have received formal training, the regional planners and sector planners generally have only had internal orientation and training sessions.

Recommendation 9:

Industry Canada could improve the education of sector and regional business continuity and emergency planners by ensuring that their annual career development plan includes the appropriate business continuity and emergency planning courses and seminars based on the scope of their BCP responsibilities.

The audit found that the Industry Canada BCP policy has not been made available to all staff and some business continuity planners were unaware of the policy.

Recommendation 10:

Industry Canada should ensure that its BCP policy is well communicated and understood.

Industry Canada does not have a general awareness program for business continuity planning that takes advantage of various methodologies for reaching Industry Canada staff.

The following suggestion may be considered:

Industry Canada could improve general awareness of business continuity and emergency planning issues by taking advantage of the intranet, by having a program during the annual BCP awareness week, and by promoting on site presentations by the BCP coordinator.

Appendix A—Management Response and Action Plan

Table 1: Management Response and Action Plan, June 2006
Business Continuity Planning Program, Security Services Directorate, Comptrollership and Administration Sector

Columns, in order: AEB Recommendations; BCP Response by the Business Continuity Steering Committee and Proposal Action; Responsible official; Time Line

Recommendation 1:
An effective independent challenge to the sector business continuity plans is needed in order to improve them. Such a challenge should be done every two years in order to respond to rapidly changing risks and circumstances. In addition each sector should include a review of business continuity planning in their annual business planning cycle.

Agree. IC will ensure that an effective independent challenge to business continuity plans is done every two years in order to respond to rapidly changing risks and circumstances.

In addition to the independent challenge, each critical and essential function will be asked to include a review of their business continuity plans in their annual business planning cycle.

Departmental BCP Coordinator in conjunction with the Business Continuity Working Group (BCWG)

The review will commence in January 2007 and end by October 2007

The contract will be issued in February/March 2007

Recommendation 2:
Industry Canada should identify key external dependencies. These dependencies should be assessed as to their significance for the business continuity plan to be successful. A plan should then be developed and documented to minimize any risk exposure. Where appropriate, there should be memoranda of understanding or equivalent agreements negotiated with these external dependencies.

Agree. IC agrees that key dependencies should be identified if they form part of the business continuity plans. A plan will then be developed and documented to minimize any risk exposure.

When the plans are challenged every two years, a review of the dependencies will be done.

Lead—BCWG

Sectors responsible for Critical Functions

Sectors responsible for Essential Functions

Commence in January 2007

Critical Functions end by October 2007

Essential functions end by January 2008

External dependencies should be reviewed when BCPs are updated

Recommendation 3:
After a thorough challenge to the business continuity plans, internal dependencies (IM/IT services for example) need to be identified and documented. Internal service level agreements, or some equivalent, need to be negotiated in order to ensure that appropriate services are available to support the execution of the sector business continuity plans.

CIO has advised that a BCP IT Coordinator will be hired. The Coordinator will be working on this issue.

IT Transition Project is currently in Phase 2; Service Level Agreements (SLAs) are being developed as part of the service management framework.

A consultant has been hired by CIO to meet with representatives of each critical and essential function to identify their IM/IT requirements. The IT Service Continuity Management (ITSCM) Program is developing and evolving.

CIO
CAS (FM)
Plus any other sectors impacted by internal dependencies identified when the BCPs review challenge is conducted

Will commence December 2006 and end October 2007

Hired by December 2006

Started April 2006 and will end March 2007

Started July 2006 and will end October 2006

Recommendation 4:
Planning the development of the TRAs should be done jointly by both the DSO & CIO. The coordinated planning will ensure that both physical and IT related security issues are fully covered and no gaps occur. In addition, any BCP related issues should be considered in the development of the TRAs so the BCP Coordinators can benefit by the results of the TRAs. The results of the data gathered in the TRAs can be shared by the BCP and CIO.

The results of the data gathered in the TRAs can be shared by the DSO and CIO.

A TRA Working Group will be created to review the current TRA processes in place at IC. The working group will define a process to ensure that the data gathered in the TRAs is shared between the DSO, the IT Security Coordinator and both the IT continuity and BCP Coordinators.

CAS (DSO) & CIO (IT Sec.)

Implemented by March 2007

Recommendation 5:
Business continuity plans should include fully documented business continuity recovery strategies that detail steps to provide critical and essential services. Estimated costs are necessary to identify a viable recovery option such as IM/IT. These costs can then be used for management decisions of priorities and choices made in the plans.

Business continuity plans will be reviewed to ensure that the documented recovery strategies have detailed recovery instructions.

As indicated in our response to recommendation 3 with regards to IM/IT requirements, costs will be calculated to assist management in deciding priorities and choices.

— Departmental BCP Coordinator in conjunction with the BCWG

— CIO
— CAS (FM)

Review will be done during the independent challenge. See recommendation 1.

Recommendation 6:
Business continuity plans and associated documents would benefit from a change management control system by providing a reader with information as to the latest update for any significant change (e.g. mandate of the critical and essential functions) to the plan as well as nature and origin of the changes.

Agree. IC agrees that a change management control system should be added to business continuity plans and associated documents.

The Business Continuity Plans will continue to reflect the revised date on the front page of the plans and on page footers.

All major significant changes, such as the mandate or the level of minimum services, etc., will be noted on the change management system. The following information will be provided: Version number, Changed by, Date of change and Description of change.

Implemented June 2006

Recommendation 7:
An effective annual exercise should be conducted.

Agree.

Departmental BCP Coordinator in conjunction with BCWG

Annually—The first exercise will take place by March 2007. Proposals will be requested by January 2007.

Recommendation 8:
Industry Canada should implement a procedure to capture lessons learned from real events and exercises. Lessons learned from exercises and from real disruptions and incidents should be made available to business continuity coordinators so as to provide useful material with which to make substantive changes and improvements to the business continuity plans as required. The captured information of incidents and lessons learned should be used also to create training and awareness materials for managers and senior staff.

Agree. IC will establish a procedure to capture lessons learned from real events and exercises.

We will then use this information for training and awareness material.

Departmental BCP Coordinator

Procedure to be developed and implemented March 2007

Recommendation 9:
Industry Canada could improve the education of sector and regional business continuity and emergency planners by ensuring that their annual career development plan includes the appropriate business continuity and emergency planning courses and seminars based on the scope of their BCP responsibilities.

BCP responsibility managers will be contacted and encouraged to include the appropriate BCP training in the BCP Coordinators' annual career development plan.

Departmental BCP Coordinator/BCWG/BCSC

Completed by February 2007

Recommendation 10:
Industry Canada should ensure that its BCP policy is well communicated and understood.

Agree. The policy will be posted on the BCP section of the Security Services web-site. In addition, a series of stories on BCP and when and how it is used, along with interviews with BCP personnel at Industry Canada, will be drafted and published in This Week @ IC, the department's weekly employee newsletter.

Departmental BCP Coordinator in conjunction with BCP representative from Communications & Marketing Branch

Policy posted by November 2006. Articles are planned for publication beginning of December 2006.