Archived - Audit of Business Continuity Planning - Follow-up Report Status Update as of March 31, 2012

Archived information

This Web page has been archived on the Web. Archived information is provided for reference, research or record keeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Action Plan Implementation Status Update Report to the Audit Committee - As of March 31, 2012

Chief Financial Officer

Audit of Business Continuity Planning
Approval Date: 20/06/2011

Project Recommendations | Action Plan | Expected Completion Date | Program Response
1. Develop a multi-year plan that addresses gaps in the BCP Program and present it to an executive committee for review and approval. The planning process should include a reassessment of the program objectives, establishment of measurable goals and targets, development of fully costed strategies to implement the program, and a reassessment of BCP Program governance.
The Director, ITSD – in collaboration with the DSO – will:
  • Conduct an organizational assessment to determine the best-fit placement of the function, and options for management consideration regarding changes to program governance for improving the effectiveness of the program. Assessment will include capacity options given current state (e.g. BCP Coordinator position is currently vacant), and the training requirements associated with BCM-related responsibilities.

  • Develop a 3 year tactical plan which prioritizes and addresses the identified gaps within the Business Continuity Management (BCM) file commensurate with the risk each gap presents, and present the plan to the Departmental Operations Committee (DOC) for approval.

This plan will include:
i. Establishment of measurable goals/targets

ii. Development of fully costed strategies and options for DOC consideration (human resources, systems, etc.)

  PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:


An organizational assessment has been drafted and circulated among key stakeholders within the IMB which identifies the retention of the program within the IMB as the recommended option for AANDC moving forward. The BCP Coordinator position has been identified as a priority, and a staffing action is nearing completion to have the position re-staffed (AS-5 / deployment).

A 3 year tactical plan has been started, but will not be completed by end of Q4 2011-12. It will be completed in conjunction with other Branch planning exercises through Q1 2012-13.

Expected return to OC in mid-to-late Q2 with recommendations of the file moving forward based on strategies developed in the tactical plan.
Actions

  • Draft of organizational assessment for circulation and comments
Expected Completion Date: End Q2, 2011-12
PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

An organizational assessment has been drafted and circulated among key stakeholders within the IMB which identifies the retention of the program within the IMB as the recommended option for AANDC moving forward. The BCP Coordinator position has been identified as a priority, and a staffing action is nearing completion to have the position re-staffed (AS-5 / deployment).
  • Draft of tactical plan for circulation and comments
Expected Completion Date: Mid Q3, 2011-12
PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

A 3 year tactical plan has been started, but will not be completed by end of Q4 2011-12. It will be completed in conjunction with other Branch planning exercises through Q1 2012-13.
  • Presentation of organizational assessment and tactical plan including viable options to DOC
Expected Completion Date: End Q3, 2011-12
PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

Expected return to OC in mid-to-late Q2 with recommendations of the file moving forward based on strategies developed in the tactical plan.

AES: Recommendation is closed.
2. Revise the INAC BCM Policy to ensure that roles and responsibilities for directing and reporting on the BCP Program are clear.
The Director, ITSD – in collaboration with the DSO – will:
  • Consult with key stakeholders, including but not limited to: the three (3) Critical Service program areas, a sample of Critical Support Service program areas and Regions, Communications, and Public Safety Canada to refresh roles and responsibilities pertaining to BCM.

  • Update the BCM Policy to reflect: updated roles and responsibilities, mandatory seniority level of BCM representation in Regions and Sectors, and input from organizational assessment (Item #1 above), including the more explicit definition of the BCP Coordinator's challenge function identified within Item #3.
  PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

Multiple requests have been made to Public Safety Canada (PSC) in relation to an updated BCM Operational Security Standard and the associated time lines; however, only a blanket statement of "currently under review" has been provided. Consequently, efforts to revamp the internal BCM policy statement have been deferred until more prescriptive guidance is provided by PSC on potential policy changes that would directly impact the file.

A Communications Plan is currently being drafted which will emphasize roles/responsibilities pertaining to the BCM file, and is expected to be completed by mid-Q1 2012-13. This will emphasize the needs for BCM and continue to clarify roles and responsibilities. The annual update and maintenance request – which includes the policy needs for ensuring the completion of BIAs/BCPs and the associated accountability of programs to complete those deliverables – was made to OC in March 2012.
Actions

  • Begin consultations with key stakeholders
Expected Completion Date: Mid Q2, 2011-12
PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

Public Safety Canada was engaged via the BCP Helpdesk twice during 2011-12; their operational security standard (OSS) is currently under review with no established date for publication.
  • Updated BCM policy presented to DOC for approval
Expected Completion Date: Mid Q4, 2011-12
PROGRAM RESPONSE:
Status: On Hold
Update/Rationale:
As of 31/03/2012:

Waiting for prescriptive guidance from PSC as to contents of new OSS on BCP so that effort is not duplicated, and departmental efforts are aligned with Centre.

AES: Implementation on-going.
3. Ensure that the Departmental BCP Coordinator plays a more active role in advising and challenging managers of critical services and critical support services throughout the process of developing, testing and updating BIAs and BCPs.
Director, ITSD – in collaboration with the DSO – will:
  • Working with Communications, develop a communication plan to ensure that the authority of the new BCP Coordinator is readily shared with all stakeholders in the department. Emphasis will be placed on the advisory services provided by the BCP Coordinator.

  • Implement operationalized processes based on new BCM policy similar to IT Security Certification and Accreditation process (CIO, DSO, and DG of responsible program area will need to formally sign off on yearly BIA/BCP updates) for existing Critical Services and Critical Support Services. This process will include a provision by which the CIO and DSO will not endorse the signoff of BIA/BCP without appropriate endorsement by BCP Coordinator.

  • Other actions as necessary will be developed and implemented, based on direction set by DOC as related to organizational assessment and tactical plan options outlined in Item #1.
  PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

A Communications Plan is currently being drafted which will emphasize roles/responsibilities pertaining to the BCM file, and is expected to be completed by mid-Q1 2012-13.

New endorsement process has been developed for updating and recording progress of BIA/BCP updates on an annual basis, with initial focus on Level 1 and Level 2 services. This process has been initially shared with the Regional/Sector BCP Coordinators and has been approved by the OC (March 2012). Consultation with the DSO was done to ensure alignment, and to help inform the Departmental Security Plan update process in future years. The process will be updated as necessary for the next cycle, as lessons learned are recorded and addressed.
Actions

  • Communication Plan developed
Expected Completion Date: End Q3, 2011-12
PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

A Communications Plan is currently being drafted which will emphasize roles/responsibilities pertaining to the BCM file, and is expected to be completed by mid-Q1 2012-13.
  • Updated BIA/BCP sign off process designed and developed, presented in conjunction with BCM refreshed policy to DOC.
Expected Completion Date: Mid Q4, 2011-12
PROGRAM RESPONSE:
Status: Request to Close (completed)
Update/Rationale:
As of 31/03/2012:

New endorsement process has been developed for updating and recording progress of BIA/BCP updates on an annual basis, with initial focus on Level 1 and Level 2 services. This process has been initially shared with the Regional/Sector BCP Coordinators and has been approved by the OC (March 2012). Consultation with the DSO was done to ensure alignment, and to help inform the Departmental Security Plan update process in future years. The process will be updated as necessary for the next cycle, as lessons learned are recorded and addressed.

AES: Implementation on-going.
4. Develop a formal training and awareness program for BCP Coordinators and managers of critical services (and critical support services). The level of formal training should consider the extent to which the Departmental BCP Coordinator also provides advice and hands-on support throughout the process of developing and testing BIAs and BCPs.
Director, ITSD – in collaboration with the DSO – will:
  • Consult with Public Safety to determine if new training and awareness products are available for use by client departments.

  • Review existing BCM-related material available to the department (such as the Institute for Continuity Management or the Canada School of Public Service) and establish baseline mandatory and/or recommended training for BCM-related roles, in consideration of DOC guidance provided regarding Item #1.

  • Other actions as necessary will be developed and implemented, based on direction set by DOC as related to organizational assessment and tactical plan options outlined in Item #1.
Note: INAC's BCP Awareness/Training approach was approved by Public Safety during H1N1 – i.e. providing templates and being available for consultation on an "as needed basis". However, we do agree with the audit results that a more comprehensive approach, particularly for Critical Services and Critical Support Services, would continue to mature the BCM function and increase the effectiveness of BCP efforts.
  PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

Public Safety Canada was engaged, and no training materials for use by client departments are available at this time.

The ITSD is currently looking at alternate vehicles for providing training to resources with BCP responsibilities, and will include these options within the 3 year tactical plan currently being drafted (please refer to #1 above), including a review of material from the CSPS (only 1 course offering currently exists).

As an interim measure, Microsoft PowerPoint presentations have been developed and will be approved in Q1 for use informing both the BIA and BCP processes. The ITSD remains available to provide support services to Regional / Sectoral staff with BCM responsibilities.
Actions
  • Consultation with Public Safety
Expected Completion Date: End Q1, 2011-12
PROGRAM RESPONSE:
Status: Request to Close (completed)
Update/Rationale:
As of 31/03/2012:

Public Safety Canada was engaged, and no training materials for use by client departments are available at this time.
  • Formalize training material for managers of Critical Services and Critical Support Services
Expected Completion Date: Beginning Q4, 2011-12
PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

The ITSD is currently looking at alternate vehicles for providing training to resources with BCP responsibilities, and will include these options within the 3 year tactical plan currently being drafted (please refer to #1 above), including a review of material from the CSPS (only 1 course offering currently exists).
  • Integrate training coverage as part of reporting process implemented for Item #5.
Expected Completion Date: Beginning Q4, 2011-12
PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

As an interim measure, Microsoft PowerPoint presentations have been developed and will be approved in Q1 for use informing both the BIA and BCP processes. The ITSD remains available to provide support services to Regional / Sectoral staff with BCM responsibilities.

AES: Implementation on-going.
5. Improve monitoring and reporting of the effectiveness of the BCP Program in regions and sectors to support continuous improvement and oversight (e.g., semi-annual reporting to an executive committee on the state of the BCP Program, including significant program gaps, resolution rates for issues identified through BCP testing and disruptions, completion rates for various levels of BCP testing, completion rates for BCP training, etc.).
Director, ITSD – in collaboration with the DSO – will:
  • Build upon the policy update (Item #2) and operationalized process development (Item #3) to ensure that biannual updates are provided across Regions and Sectors which are signed off at a sufficiently senior level (DG or above), including training coverage.

  • Develop a "scorecard" for Critical Services and Critical Support Services (NCR and Regionally) and provide to responsible DGs on a biannual basis, which considers:

    • Existing BCM gaps – BIA/BCP completion rates and completeness of plans

    • Status of testing (exercises)

    • Post mortems (both testing and post-events)
  PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

The score-carding / report process has been developed and was presented to OC in March 2012. It will be used for Level 1 and Level 2 services through Q1/Q2, with a presentation at OC with results in Q3.
Actions
  • Pilot Critical Service is identified, with review in Q1 2012
Expected Completion Date: Mid Q4, 2011-12
PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

The score-carding / report process has been developed and was presented to OC in March 2012. It will be used for Level 1 and Level 2 services through Q1/Q2, with a presentation at OC with results in Q3.
  • Rollout to remaining Critical Services and Critical Support Services throughout 2012
Expected Completion Date: FY 2012
PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

The score-carding / report process has been developed and was presented to OC in March 2012. It will be used for Level 1 and Level 2 services through Q1/Q2, with a presentation at OC with results in Q3.
  • Aggregation of scorecards presented to DOC biannually, beginning in early 2012.
Expected Completion Date: FY 2012
PROGRAM RESPONSE:
Status: Underway
Update/Rationale:
As of 31/03/2012:

The score-carding / report process has been developed and was presented to OC in March 2012. It will be used for Level 1 and Level 2 services through Q1/Q2, with a presentation at OC with results in Q3.

AES: Implementation on-going.