Business Continuity. Example Policy. Author: A Heathcote Date: 24/05/2017 Version: 1.0

Transcription

1 Example Policy Author: A Heathcote Date: 24/05/2017 Version: 1.0 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

2 Contents 1 Purpose 3 2 Scope 3 3 Applicability 3 4 Guidance 3 Terminology 3 Policy 3 Business Continuity Definition 4 Business Continuity Approach 4 Business Continuity Plan 4 Responsibilities 5 Training and Awareness 5 Management and Implementation 5 Testing 6 5 Key Words 6 Copyright 2017 Health and Social Care Information Centre. 2

3 1 Purpose The purpose of this Business Continuity Example Policy is to provide exemplar guidance in line with HMG and private sector best practice for the production of an organisation wide Business Continuity Policy. This is in order to allow the reader to produce the necessary policy and guidance for their business area and to ensure that the applicable and relevant security controls are set in place in line with the Department for Health, the wider NHS, health and social care and HMG requirements. 2 Scope The drafting of any policy governing the production of a Business Continuity policy for NHS systems, devices or applications and information deployed in support of NHS or health and social care business function. 3 Applicability This Example Policy is applicable to and designed for use by any NHS, health and social care or associated organisations that use or have access to NHS systems and/or information at any level. 4 Guidance This Example Policy provides guidance on the production of a Business Continuity Policy. The Example Policy is in italics with areas for insertion shown as <> and the rationale for each paragraph or section, where required, in [.]. This Example Policy is supported by a more detailed Good Practice Guide on Business Continuity, which can be used to assist in determining what is and what is not required in the exemplar policy shown here. Terminology Term SHALL SHOULD MAY Definition This term is used to state a Mandatory requirement of this policy This term is used to state a Recommended requirement of this policy This term is used to state an Optional requirement Policy The Business Continuity Policy shall be used to enable <insert name of organisation> to produce, implement, test and manage a Business Continuity Plan (management system) on <insert name of organisation> IT systems to enable a structured recovery post an IT or information security incident. This policy relates to the IT and information elements of the overall <insert name of organisation> approach to Business Continuity. Copyright 2017 Health and Social Care Information Centre. 3

4 [The aim of the policy statement is to state the objective(s) of the business continuity approach to be taken, i.e. the formation of a plan. Where applicable this plan for IT/Information Security should be related to the overall business continuity of the organisation.] Business Continuity Definition Business Continuity is defined as the capability of <insert name of organisation> to continue delivery of products or services at acceptable predefined levels following a disruptive incident. [This is just one possible definition; if the organisation has used a different definition or approach to business continuity in its overarching business continuity plan(s) then that should be used.] Business Continuity Approach <Insert name of organisation> shall use the Plan-Do-Check-Act (PDCA) model to plan, establish, implement, operate, monitor, review, maintain and continually improve the effectiveness of its Business Continuity Plan for IT and information. [The PDCA approach is a very common methodology for business continuity planning and its management. However, if the organisation has used a different methodology for its overall business continuity then this should be reflected in this policy.] Business Continuity Plan A Business Continuity Plan shall be produced to enable immediate responses to be made to an information security incident (IT or information). The Plan shall be regularly tested, it is suggested that this is at least annually. The Plan should cover: Ownership which post owns and controls the plan Responsibilities identification of roles and their responsibilities Scope what is in the plan and what is out of the plan Identification of critical assets with priority order for recovery/business functionality Capabilities identified internal and external capabilities Resources allocation of tasks to resources, internal and external Communication process Task flow including: Points of contact Relationship to incident management team Response actions Recovery/restoration of asset or standing up of identified alternate Recording of actions taken and time when assets recovered/restored. Post Action Review lessons learnt. Test Schedule. Copyright 2017 Health and Social Care Information Centre. 4

5 [This section aims to identify what areas the organisation should cover in its business continuity plan. It identifies the minimum; if other elements are considered to be needed the headline should be included here.] Responsibilities The following roles shall undertake the responsibilities listed: Senior Information Risk Owner (SIRO) coordinate the development and maintenance of the Business Continuity Plan ensuring it relates to the overall <insert name of organisation> Business Continuity Strategy. Business Continuity Plan Manager maintains the Plan on behalf of the SIRO ensuring that testing is undertaken. A post shall be allocated for this role. Information Asset Owners (IAOs) ensure that the requirements from the Business Continuity planning are adequately considered and documented for all information assets of which they have ownership; and, enable the recovery to be enacted. Line Managers - ensure that staff follow the <insert name of organisation> Business Continuity Plan procedures. Chief Information Security Officer (CISO) management of business continuity procedures relating to IT and information security. [For smaller organisations, the roles of SIRO and CISO may be undertaken as a secondary role by senior partners or the owners of the business; provided the individual/role identified is one that is in a position to make informed, executive decisions that are appropriate for the SIRO and CISO functions. These roles may be part of the information governance lead; as may be the case for the IAO role(s) where the size does not merit individual SIRO, CISO and IAO roles. In the same manner, the Business Continuity Plan manager may be an additional/secondary role; for smaller organisations external specialist help may be required to set up the plan and processes and then the maintenance of it could return to within the organisation.] Training and Awareness Personnel who are required to undertake specific technical and functional roles associated with business continuity shall be trained and formally qualified to complete this specialist function. All <insert name of organisation> staff, including third parties, shall be made aware of the requirements of the <insert name of organisation> Business Continuity Plan and subsequent Procedures. [A policy should outline the requirement for personnel to be appropriately trained and made aware of the business continuity requirements. The specific training and roles which require it, or the necessity to mandate in third party contracts that the provider (e.g. IT provider) has trained and appropriately skilled people, would be detailed in the actual Business Continuity Plan.] Management and Implementation The Business Continuity Policy and the resulting Business Continuity Plan shall be reviewed and re-issued annually or upon identification of a change in procedure or lesson learnt. Copyright 2017 Health and Social Care Information Centre. 5

6 The effectiveness of the Policy and Plan shall be monitored through audits and tests (external and internal) and from lessons learnt during any business continuity activity. [It is essential that the Plan is reviewed and audited, as well as tested regularly, and the requirement for this should be included in the Policy. The actual processes should be covered in the Business Continuity Plan.] Testing On behalf of the SIRO the Business Continuity Plan Manager shall coordinate and manage testing which should follow the below levels and is recommended to be at least annually at each level: Table Top Walkthrough Real-time Live Test [Testing is critical to ensure that the Plan is fit for purpose; it is recommended that this is mandated in the Policy, or if third party providers are utilised it is mandated as a contractual requirement.] 5 Key Words Business Continuity, CISO, Data Recovery, IAO, SIRO, Copyright 2017 Health and Social Care Information Centre. 6