Head of Security and Business Continuity

Similar documents
Introducing ISO 22301

Business Continuity Planning and Disaster Recovery Planning

Risk Management Strategy

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

Business Continuity Management for Singapore s Logistics Sector. By Singapore Business Federation and Singapore Logistics Association

Business Continuity Management Policy and Procedure

The Sector Skills Council for the Financial Services Industry. National Occupational Standards. Risk Management for the Financial Sector

US Business Continuity Safeguarding Your Business from a Disaster

Bowmer. & Kirkland. Kirkland. & Accommodation. Health & Safety Policy.

Corporate policy. Business Continuity Management Policy. Issue sheet

Essential Concepts. For Effective. Business Continuity Planning

BUSINESS CONTINUITY MANAGEMENT POLICY. Organisational

Draft Internal Audit Plan for Institute of Technology Blanchardstown 2017

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Minimum Standard- Work Health and Safety (WHS) Management Review. October, 2014

ISO 28002: RESILIENCE IN THE SUPPLY CHAIN: REQUIREMENTS WITH GUIDANCE FOR USE

INTERNAL AUDIT CHARTER

Incident/ Issue. Department/Work Area School/College University. Notify Secretary or Dept Sec of Court.

12.0 Business Continuity Management

METROPOLITAN TRANSPORTATION AUTHORITY

2016 Business Continuity / Disaster Recovery Internal Audit Report

COMPETENCE & COMMITMENT STATEMENTS

Area Manager, Protection

Internal Audit of ICT Governance in WFP. Office of the Inspector General Internal Audit Report AR/15/11

BUSINESS CONTINUITY AS A SERVICE

The Newcastle upon Tyne Hospitals NHS Foundation Trust. Business Continuity Management Policy

SARBANES-OXLEY INTERNAL CONTROL PROVISIONS: FILE NUMBER 4-511

Equality and Diversity Policy

Job Description: CMAT Chief Operating Officer

Business Continuity & Disaster Recovery

National Ambulance Service 1 of 21 NAS Headquarters Version th September 2011 Authorised by NAS Leadership Team

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)

BUSINESS CONTINUITY MANAGEMENT POLICY

RISK MANAGEMENT POLICY

Guidelines for Information Asset Management: Roles and Responsibilities

MANUAL HANDLING PROCEDURE

Position Description. Position Title: Program Leader Auslan. Position Reports to: Manager Bridging and Preparatory Direct Reports:

Health and Safety Management Standards

Manchester Children s Social Care Workforce Strategy. - building a stable, skilled and confident workforce

Records Management Plan

An introduction to business continuity planning

Information Governance Policy

Final Report. Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP) EBA/GL/2017/05.

ISO Business Continuity Management. Your implementation guide

Update from the Business Continuity Working Group

DAAWS PROJECT OFFICER

Book A : REFERENCE DOCUMENTS

JOB DESCRIPTION SECOND IN CHARGE OF SCIENCE Science Teacher SECOND IN CHARGE OF SCIENCE

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

RISK MANAGEMENT STRATEGY

JOB DESCRIPTION. Ambulance Operations Manager. EMS Area Manager

Report. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report

GOVERNANCE STRATEGY October 2013

15. Building management

37 HOURS PER WEEK (NOTIONAL) FIXED TERM UNTIL DECEMBER ,004* * Incremental progression up to 36,001

BUSINESS CONTINUITY MANAGEMENT POLICY

Bank of Botswana Internal Audit Charter March 18, 2013 INTERNAL AUDIT CHARTER BANK OF BOTSWANA

JOB DESCRIPTION SALARY: 36,004

Global Crises: What We Really Need to Do to Be Prepared. Day One / Session C5

Ministerial Review - Better Responses to Natural Disasters and Other Emergencies in New Zealand. Submission by the Engineering Leadership Forum

Business Principles. Business Principles

Uniwersytet Mikołaja Kopernika w Toruniu (Nicolaus Copernicus University in Toruń)

ISO whitepaper, January Inspiring Business Confidence.

COCA-COLA HELLENIC BOTTLING COMPANY RISK MANAGEMENT POLICY

Good Practice Guidelines 2013 Global Edition Edited Highlights

Data Protection: It s getting personal

Humber Information Sharing Charter

Health, Safety and Environmental Manager

MANCHESTER METROPOLITAN UNIVERSITY GENDER EQUALITY SCHEME & ACTION PLAN

The Organisation of Nuclear Installations ENSI-G07. Guideline for Swiss Nuclear Installations. July 2013 Edition

Business Resilience: Proactive measures for forward-looking enterprises

Strategic Planning for Recovery Director s Guideline for Civil Defence Emergency Management Groups [DGL 20/17]

HSBC HOLDINGS PLC GROUP AUDIT COMMITTEE. Terms of Reference

Basel Committee on Banking Supervision. Consultative Document. External audits of banks. Issued for comment by 21 June 2013

Loch Lomond & The Trossachs National Park Authority. Annual internal audit report Year ended 31 March 2015

1. INTERNAL AUDIT CHARTER (PDF)

How can you improve your ability to identify, respond and adapt to significant operational interruptions?

Employment status: Fixed term maternity cover (until 30 June 2019)

Alfa Financial Software Holdings PLC Terms of Reference of The Audit and Risk Committee of The Board of Directors of The Company

COLLEGE OF PHYSICIANS AND SURGEONS OF ONTARIO GOVERNANCE PROCESS MANUAL

Business Resilience They Cannot Do This Without You!

Business Resilience: Equipping the FM for Success

Environment and Sustainability Policy

NARU. NHS Ambulance Services Emergency Preparedness, Resilience & Response. Quality Assurance Framework. National Ambulance Resilience Unit

The Merlin Principles. The Elements of each Principle

KTH's sustainable development objectives

Enterprise Risk Management

Job Description: Strategic Business Manager

From its adoption as a discipline in the 1980s,

Please complete all accessible boxes and refer to the guidance on writing Job Descriptions

Professional Capability Framework Social Work Level Capabilities:

REPORT 2014/115 INTERNAL AUDIT DIVISION. Audit of information and communications technology management at the United Nations Office at Geneva

Audit of Departmental Security

Information Governance Policy

Procurement Policy. November Also available in large print (16pt) and electronic format. Ask Student Services for details.

JOB DESCRIPTION FACILITIES MANAGER

UNIVERSITY OF ST ANDREWS POLICY ON WORK PLACEMENTS. Applies to all Undergraduate and Taught Postgraduate Students

Chair Job Description and Person Specification

ISO/TS 22317: How to Use ISO s Newest BC Standard to Develop Real BC Requirements

Audit report VET Quality Framework

Transcription:

Services Security and Business Continuity Ser-Sec-003 07/11/2017 Author Name Author Job Title Alan Cain Head of Security and Business Continuity Version No. 1.1 EIA Approval Date 28/06/2017 Committee Recommend for Approval Final Approval Review Date 07/11/2018 Business Continuity Steering Group 06/09/2017 University Executive Group 07/11/2017 Draft Document Sensitivity No PUBLIC

Table of Contents Glossary / List of Acronyms 3 Background 5 Policy statement 6 Business Continuity Objectives 6 Business Continuity Management System (BCMS) Objectives 7 BCMS Requirements 8 Legal and Regulatory Requirements 9 Scope 9 Governance 10 BC Roles and Responsibilities 10 2

Glossary / List of Acronyms Term Abbreviation Definition Source Business Continuity BC The capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident. 22300 Business Continuity Management BCM A holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. Business Continuity Management System BCMS Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. Business Continuity Plan BCP Documented procedures that guide organisations to respond, recover, resume and restore to a predefined level of operation following disruption. Business Impact Analysis BIA Process of analysing activities and the effect that a business disruption might have on them. 3

Term Abbreviation Definition Source Crisis - A situation with a high level of uncertainty that disrupts the core activities and/or credibility of an organisation and requires urgent action. 22300:2012 Incident - A situation that might be, or could lead to, a disruption, loss, emergency or crisis. 22300:2012 Maximum Acceptable Outage MAO The time it would take for adverse impacts, which might arise as a result of not providing a product / service or performing an activity, to become unacceptable. The university requires that business processes should be fully recovered within the MAO. Recovery Time Objective RTO The period of time following an incident within which a product or activity must be resumed or resources must be recovered to a minimal level of operation. Risk - Effect of uncertainty on objectives. Guide 73 Risk Assessment - Overall process of risk identification, risk analysis and risk evaluation. Guide 73 Risk Management RM Coordinated activities to direct and control the organisation with regard to risk. Guide 73 4

1. Background Manchester Metropolitan University is one of the most extensive higher education centres in Europe with 36,000 students and more than 1,000 undergraduate, postgraduate and professional courses. The University educates and trains large numbers of legal and business professionals, scientists, engineers, teachers, health workers and creative professionals. The University is in the top three nationally for environmental sustainability, in the top 3% of global universities as ranked by the Times Higher Education and has an 85% research impact rated world-leading and internationally excellent. The University is arranged into six faculties; Faculty of Business & Law, Faculty of Education, Faculty of Health, Psychology & Social Care, Faculty of Arts & Humanities, Faculty of Science & Engineering and the Cheshire Campus. The University engages in a number of activities including teaching, research & knowledge exchange, consultancy, training & CPD, halls of residence, sports centres, catering and conferencing. The University works closely with various internal and external stakeholders including students, staff, government departments, funding councils, research councils, research sponsors, employers and local communities. Each of these stakeholder groups will be included within the BCMS. 5

2. Policy Statement Business Continuity Management (BCM) is the holistic management process that identifies potential threats to the University and the impacts to its operations those threats, if realised, might cause. It provides a framework for building organisational resilience, thereby safeguarding the interests of its students, alumni, staff and external stakeholders and protecting its reputation as the leading modern university of the future. Continuity of business is a key priority for the University. It is the responsibility of anybody working for or on behalf of the University to take all reasonable steps to avoid any incident that may require a business continuity response. In addition individuals must maintain and improve the BCMS in accordance with their role within it. In the event that such an incident does occur, anybody working for or on behalf of the University must take all reasonable steps to minimise any disruption to the University and its stakeholders. The University s strategy for business continuity management represents the practical implementation of this Policy. This Policy Statement has been approved by the University Executive Group (UEG). It has been communicated to all staff and will be communicated to other parties as appropriate. 3. Business Continuity Objectives The objectives of business continuity are to ensure that the University: Understands its critical activities and maintains the capability to resume operations within agreed timeframes, following the deployment of a business continuity response. Increases resilience by protecting critical assets and data (electronic and otherwise) through a co-ordinated approach to risk and business management and recovery. Minimises impacts using a focused, well-managed response activity. 6

4. Business Continuity Management System (BCMS) Objectives The objectives of the BCMS are to ensure that, in the context of business continuity, the University: Maintains the safety and security of its staff, students and visitors. Safeguards the interests of students, alumni, staff and external stakeholders by ensuring that urgent or priority activities continue in the event of a disruptive incident. Maintains the reputational integrity of Manchester Metropolitan University. Complies with legal and regulatory requirements. Aligns with best practice as outlined in the Business Continuity Institute (BCI) Good Practice Guidelines 2013 and the International Standard. Deploys adequate resources to maintain the BCMS. Can deploy the required resources to implement the Business Continuity Plan in the event that an incident occurs. Responds to issues and risks arising that affect the BCMS or ongoing operations in a timely and appropriate manner. Ensures that all employees receive appropriate awareness training in business continuity matters, ensuring that they are aware of their responsibilities and able to make informed decisions relating to business continuity issues. Via a management review process, identifies weaknesses in the BCMS and implements improvements wherever possible. Ensures that relevant interested parties are aware of the BCMS and any requirements / obligations arising from it. 7

5. BCMS Requirements In order to implement the Policy, persons working for or on behalf of the University are required to assist as appropriate in: Taking all reasonable measures to prevent and avoid any disruption to normal operations. The preparation and maintenance of the Business Continuity Plans, to promote an effective and timely response to incidents caused by vulnerabilities to people, processes or the operating infrastructure. Considering business continuity and resilience implications in all processes, projects and IT developments. Where necessary, making arrangements for the recovery of infrastructure components (e.g. accommodation, IT, communications, equipment and supplies). Making arrangements to re-locate or re-organise operations to allow critical processes to continue within their defined recovery time. Protecting the welfare of people during and following an incident. Ensuring the effectiveness of the Business Continuity Plans and recovery arrangements through robust and regular testing, awareness and training. Updating the Business Continuity Plans on an annual basis, or following significant changes to requirements. Ensuring that information security controls and procedures are not materially diminished in the event of an emergency or business continuity response. Ensuring that management and staff comply with the requirements of this policy and any other supporting policies. Training all employees in the business continuity issues that are relevant to their role. Define a systematic approach to risk management and deploy a method suitable to the BCMS and business requirements. Determine criteria for accepting risks and set policies and objectives to reduce business continuity risks to an acceptable level. Review the risk assessment and adequacy of implemented controls at least annually, to ensure that they remain effective. Implement and maintain a system to detect and respond to potential weaknesses in the BCMS. Conduct regular reviews of the BCMS and implement improvements wherever possible. The Business Continuity Manager has direct responsibility for maintaining this Policy and providing advice and guidance on its implementation. 8

6. Legal and Regulatory Requirements Manchester Metropolitan University has a duty of care to its students and staff, as well as those visiting the University. Some specific duties are set out in statute, examples being; Health and Safety at Work Act 1974. Human Rights Act 1998. Corporate Manslaughter and Corporate Homicide Act 2007. Additionally, the University could be subject to action through the civil courts were it found to have been negligent in its emergency planning arrangements or duty of care. Failure to put in place and implement appropriate risk management and business continuity management may also compromise the University s insurance cover. Associated university policies include the Risk Management Policy, Health and Safety Policy and Environmental Policy. 7. Scope The BCMS will include the activities of teaching, research & knowledge exchange, consultancy, training & CPD, halls of residence, sports centres, catering and conferencing conducted in both the Manchester and Cheshire campuses. In addition, the University s supporting services that enable the delivery of core services will be within the scope of the BCMS. Excluded from scope are exhibitions, events and performances, whether permanent or temporary, conducted within or on behalf of the University, failure of which would not be expected to materially affect the reputation of the University. The University also works with a number of partner institutions to deliver its activities and a risk-based approach will be adopted in terms of the expectations of these organisations having their own Business Continuity Plans in place. 9

8. Governance The Business Continuity Steering Group is responsible for Committee level approval of the. The University Executive Group (UEG) is responsible for final approval and sign off. An annual review of the BCMS will be carried out by the Business Continuity Lead (Chief Operating Officer); the BCMS will also be reviewed following any Business Impact Analysis (BIA) or Risk Assessment revision which identifies substantive changes in either process or priorities or when significant changes occur within the University. A validation exercise will be carried out every 18 months by the Head of Security and Business Continuity and be designed so as to confirm that the BCM programme meets the objectives set in the BC policy and that the University s Incident Response & Crisis Management and Business Continuity Plans are fit for purpose. Additional governance shall be provided in the form of a three yearly full audit planned and implemented by UNIAC, the shared internal audit and assurance service for Universities. The overall objective of both the UNIAC audit shall be to determine that the BCMS meets the key objectives as outlined in the Policy Objectives (above). 9. BC Roles and Responsibilities Successful BCM is dependent upon the early identification of clearly defined roles and the associated responsibilities, behaviours and authorities to manage the BCMS throughout the University. The following principal roles have been specified. Business Continuity Lead The Chief Operating Officer is the senior executive lead for BCM across the University. 10

Business Continuity Steering Group The Business Continuity Steering Group is the senior decision making group for BCM across the University. Head of Security and Business Continuity The Head of Security and Business Continuity is the Business Continuity Manager responsible for the operation and maintenance of the BCMS. Business Continuity Co-Ordinator The Business Continuity Co-Ordinator assists the Business Continuity Manager and has day-to-day responsibility for operation of the BCMS. Staff All staff doing work under the University s control shall be aware of this policy, their role within the Business Continuity Plans and their own role during disruptive incidents. 11

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback