Treasury Board of Canada Secretariat
Audit of Business Continuity Planning
Internal Audit and Evaluation Bureau
Table of Contents
Assurance Statement
Executive Summary
  Preamble
  Background
  Objective and Scope
  Key Findings
  Conclusion
1. Introduction
  1.1. Business Continuity Planning in the Federal Government
  1.2. Business Continuity Planning in the Treasury Board of Canada Secretariat
2. Audit Details
  2.1. Objective and Scope
  2.2. Lines of Enquiry
  2.3. Approach and Methodology
3. Audit Results
  3.1. Line of Enquiry 1: Management Control Framework
  3.2. Line of Enquiry 2: Business Continuity Planning Readiness
  3.3. Overall Conclusion
Appendix 1 - Audit Criteria
Appendix 2 - Management Action Plan
Assurance Statement
http://www.tbssct.gc.ca/report/orp/2012/abcpvpca/abcpvpcapreng.asp 1/22
2/10/2015 Audit of Business Continuity Planning
The Internal Audit and Evaluation Bureau has completed an audit of the Business Continuity Planning Program (BCPP) for the Treasury Board of Canada Secretariat (Secretariat). The objective of the audit was to assess the adequacy and effectiveness of the Secretariat's management control framework for the BCPP, including compliance with Treasury Board policies, directives, standards, and internal policies and procedures. The audit approach and methodology conforms to the Internal Auditing Standards for the Government of Canada and the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

We conclude with a reasonable level of assurance that the management control framework of the Secretariat's BCPP complies with most aspects of the Treasury Board's Policy on Government Security, Directive on Departmental Security Management and Operational Security Standard - Business Continuity Planning Program (BCP). Improvement is required to address key elements of the management control framework for the BCPP, specifically with respect to roles and responsibilities, governance, training, and mechanisms for monitoring and reporting. It is also critical that the Secretariat:

- Complete the development of the remaining sector Business Impact Analysis (BIA) and Business Continuity Plan (BCP) documents;
- Assess all sector BIA and BCP documents; and
- Develop and implement a testing cycle for BCPs as well as a regular maintenance cycle for the BCPP overall.

The examination was conducted during the period of June 2011 to January 2012 and covered the framework in place for the BCPP up to August 2011. The audit consisted of interviews, documentation review, and an examination of sector BIA and BCP documents using a judgmental sampling methodology. The audit evidence gathered is sufficient to provide senior management with reasonable assurance of the results derived from this audit.

In the professional judgment of the Chief Audit Executive, sufficient and appropriate audit procedures have been conducted, and evidence has been gathered to support the accuracy of the opinion provided in this report. The opinion is based on a comparison of the conditions, as they existed at the time of the audit, against pre-established audit criteria. The opinion is only applicable for the entities examined and for the time period specified.

Executive Summary
Preamble

Business continuity planning in a federal government setting is a component of baseline security requirements and forms a process that aims to ensure that critical government services can be continually delivered in the event of a potential disaster, a security incident, a disruption or an emergency. These security requirements are contained in the Emergency Management Act (2007) and the Treasury Board Policy on Government Security. Business continuity planning is important in order to provide "the development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets" [1] should such an eventuality occur. The Treasury Board's Operational Security Standard - Business Continuity Planning (BCP) Program requires departments to implement a Business Continuity Planning Program (BCPP) and to plan for emergencies or disruptions that could affect the delivery of critical government services.

Background

Public Safety Canada uses the Treasury Board Policy on Government Security definition of critical service, "A service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians or the effective functioning of the Government of Canada." [2] For a service to be identified as critical, it must be evident that interruption of the service will begin to cause injury within a specific period of time, up to 30 days.

Based on this definition, the Treasury Board of Canada Secretariat (Secretariat) determined that it does not have critical services; however, a number of critical support functions [3] and one critical dependency [4] were identified. In order to ensure that there is no confusion between the Treasury Board Policy on Government Security definition of a critical service and the terminology used in the Secretariat's BCPP documentation, the Secretariat uses the term "critical operation" to identify its critical support functions and dependencies.

The departmental BCPP is intended to manage temporary business disruptions lasting up to 30 days. Business continuity planning is based on two scenarios:

1. Workforce outage, where sufficient staff may be unable to report for duty, such as in a pandemic.
2. Infrastructure outage, where premises occupied by Secretariat personnel may be uninhabitable due to damage or lack of utilities.

Objective and Scope
The objective of the audit was to assess the adequacy and effectiveness of the Secretariat's management control framework for the BCPP, including compliance with Treasury Board policies, directives, standards, and internal policies and procedures.

The audit focused on the departmental BCPP activities within the Secretariat. The review of the management control framework included the following components: objectives; accountabilities, roles and responsibilities; organizational structure; planning and risk management; policies and procedures; training; and monitoring and reporting.

Key Findings

Since the fall of 2009, the Secretariat has undertaken many initiatives to develop and implement the elements of a sound management control framework for the BCPP. These initiatives included:

- Appointing a Departmental Security Officer and a coordinator to lead the BCPP;
- Creating key working groups required in a BCPP as per standards and policy;
- Integrating business continuity planning in the departmental business planning and risk management cycles;
- Drafting and issuing a series of departmental documents that comply with Treasury Board policies and standards, and define objectives, roles, responsibilities and departmental procedures for Business Impact Analyses (BIAs), Business Continuity Plans (BCPs) and other activities in the BCPP;
- Communicating many of the elements and processes of BCPP activities on the departmental InfoSite; and
- Ad hoc reporting to senior management on the activities of the BCPP, which included obtaining decisions regarding critical operational priorities and the approval of key documents.

Notwithstanding the above, the audit identified a number of management control framework elements for improvement:

- While roles and responsibilities are defined in a comprehensive suite of documents developed since 2009, the role of employees has not been defined, and certain documents remain in draft mode. Further, roles and responsibilities for certain stakeholders are defined partially across a number of documents, without a comprehensive definition at a single source.
- The existing BCPP governance structure requires enhancement to ensure ongoing strategic-level direction and oversight.
- Responsibilities for training and communication of the BCPP are distributed between the corporate BCP group and the sector heads. However, communication and training strategies have not yet been developed to ensure that individuals who are involved in the BCPP have the knowledge to execute their responsibilities when their sector BCP is activated.
- The audit found that there was a need to further articulate measurable and quantifiable expected results, beyond the existing objectives, to support monitoring and reporting. Formal processes for regular monitoring and reporting have not been developed.

The audit also found that the business continuity planning cycle is still evolving within the Secretariat. Specifically, not all sector BIA and BCP documents had been submitted to the corporate BCP group. The assessment of sector BIAs and BCPs had been initiated during the time of the audit, but had not progressed sufficiently for the audit team to assess the process. Further, the development of testing and maintenance processes in support of the BCPP were not developed at the time of the audit.

Conclusion

We conclude with a reasonable level of assurance that the management control framework of the Secretariat's BCPP complies with most aspects of the Treasury Board's Policy on Government Security, Directive on Departmental Security Management and Operational Security Standard - Business Continuity Planning Program. Improvement is required to address key elements of the management control framework for the BCPP.

Specifically, there is a need to:

- Review roles and responsibilities to ensure that they are streamlined, address all stakeholders and are formally approved;
- Define and formalize the integration of the BCPP within senior management committees to ensure ongoing strategic-level direction and oversight;
- Develop training and communication strategies that, in addition to other needs identified, serve to increase BCPP awareness for employees and for those involved in critical operations; and
- Develop and implement formal processes for regular monitoring and reporting.

To ensure that the Secretariat is at an appropriate stage of readiness to effectively respond to a BCP incident, it is also critical that remaining work relating to BCPP development be completed.

Specifically, there is a need to:

- Complete the development of remaining sector BIA and BCP documents;
- Assess all sector BIAs and BCPs; and
- Develop and implement a testing cycle for BCPs as well as a regular maintenance cycle for the BCPP overall.

A management action plan has been developed by the Secretariat and is presented in Appendix 2.
1. Introduction

1.1 Business Continuity Planning in the Federal Government

Business continuity planning in a federal government setting is a component of baseline security requirements and forms a process that aims to ensure that critical government services can be continually delivered in the event of a potential disaster, a security incident, a disruption or an emergency. These requirements are contained in the Emergency Management Act (2007) and the Treasury Board Policy on Government Security. Business continuity planning is important in order to provide the "development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets" [5] should such an eventuality occur. The Treasury Board's Operational Security Standard - Business Continuity Planning (BCP) Program requires departments to implement a Business Continuity Planning Program (BCPP) and to plan for emergencies or disruptions that could affect the delivery of critical government services.

Events such as the 1998 ice storm, the 2003 power blackout, the 2009 H1N1 pandemic and the 2010 Ottawa earthquake have highlighted the importance of business continuity plans across the organization.

The BCPP is composed of four elements:

1. The establishment of BCPP governance;
2. The conduct of a Business Impact Analysis (BIA);
3. The development of business continuity plans and arrangements; and
4. The maintenance of BCPP readiness.

1.2 Business Continuity Planning in the Treasury Board of Canada Secretariat

The Treasury Board of Canada (Secretariat's) departmental Business Continuity Plan (BCP) supports the Secretariat in fulfilling its mandate, including its responsibilities relating to the Federal Emergency Response Plan, the Public Service Readiness Plan and internal operations.
In the fall of 2009, the Secretariat developed its Departmental Policy on Business Continuity Planning. One year later, the Secretariat developed its departmental BCP, which is a high-level overview of the Secretariat's response to an incident. Sector BCPs, once they are validated and tested, become components of the departmental BCP and provide the detail on how a sector will respond to an incident, should the support of a sector's critical operation be required.
Public Safety Canada uses the Policy on Government Security definition of a critical service, "A service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians or the effective functioning of the Government of Canada." [6] For a service to be identified as critical, it must be evident that interruption of the service will begin to cause injury within a specific period of time, up to 30 days.

During a tabletop exercise of the Secretariat's senior executives in December 2010, it was determined that the Secretariat has no critical services, as defined above. However, they identified a number of critical support functions [7] and one critical dependency. [8] In order to ensure that there is no confusion between the Treasury Board Policy on Government Security definition of a critical service and the terminology used in the Secretariat's BCPP documentation, the Secretariat uses the term "critical operation" to identify its critical support functions and dependencies.

As noted previously, the BCPP comprises four key elements, including the conduct of a BIA and the development of a BCP.

The purpose of a BIA is to identify the organization's mandate and critical services or products; rank the order of priority of services or products for continuous delivery or rapid recovery; and identify internal and external impacts of disruptions. [9]

The departmental BCP is intended to manage temporary business disruptions lasting up to 30 days. Business continuity planning is based on two scenarios:

1. Workforce outage, where sufficient staff may be unable to report for duty, such as in a pandemic.
2. Infrastructure outage, where premises occupied by the Secretariat may be uninhabitable due to damage or lack of utilities.

The BCP provides for the continued availability of services that are critical to the security of employees and the effective functioning of the department in times of an emergency incident or disruption.
The BCP explains what an organization has developed in terms of governance, processes (including approval processes) and tools to make sure it can respond in an emergency incident or disruption, whether the emergency incident or disruption lasts a few hours, days or much longer. The BCP clearly defines the roles and responsibilities of key people and groups, with a view to ensuring that operations that are critical to the effective functioning of the Secretariat will be maintained. The BCP will be activated when a critical operation is at risk of not being delivered and will provide for additional support from employees in non-critical operations.
Operating Environment

At the Secretariat, responsibility for the BCPP is distributed between the corporate BCP unit in the Administration and Security Directorate, Corporate Services Sector, and the 17 Secretariat sectors and branches. [10]

The Director of Security, Administration and Security Directorate, has been designated as the Departmental Security Officer (DSO), who has the responsibility for developing and maintaining the BCPP.

A BCP coordinator, who reports to the DSO, is responsible for coordinating and supporting the development, management, delivery, and ongoing monitoring and maintenance of the Secretariat's BCPs. In turn, the BCP coordinator is supported by the BCP working group.

Sector heads and their management teams are accountable for assessing an incident, determining the most appropriate response within their respective areas, and developing a sector BIA and BCP to identify and document their responses. Each sector appoints a sector BCP coordinator and an alternate to represent them on the BCP working group and to support the sector head during an incident.

The Secretariat BCP working group, made up of sector BCP coordinators and their alternates, coordinates the development and implementation of the BCPP. This working group is chaired by the DSO.

The Secretariat Incident Management Team (IMT), made up of key stakeholders in communications, information technology, human resources and security services, supports the DSO and the BCP coordinator in the activation and coordination of the Secretariat's departmental BCP and sector BCPs during an incident, in accordance with the following:

- Emergency Management Act;
- Policy on Government Security;
- Operational Security Standard - Business Continuity Planning (BCP) Program; and
- Secretariat's Departmental Policy on Business Continuity Planning.

The Assistant Secretary, Corporate Services Sector, is the chair of the IMT.

Activation of the Secretariat's BCP will occur upon instruction from the Secretary, or the Secretary's alternate, in response to an incident that jeopardizes the Secretariat's ability to deliver its critical operations. In the event that both the Secretary and the alternate are not available, the decision will be taken by the IMT chair. Sector BCPs, as well as components of the Secretariat's departmental BCP, will be activated during an incident, as required.
2. Audit Details

2.1 Objective and Scope

The objective of the audit was to assess the adequacy and effectiveness of the Secretariat's management control framework for business continuity planning, including compliance with Treasury Board policies, directives, standards, and internal policies and procedures.

The audit focused on the following elements of the management control framework:

- Objectives;
- Accountabilities, roles and responsibilities;
- Organizational structure;
- Planning and risk management;
- Policies and procedures;
- Training; and
- Monitoring and reporting.

The audit examined the departmental BCPP activities within the Secretariat.

Details on the audit criteria can be found in Appendix 1.

Scope Exclusions

The audit excluded the Secretariat's central agency responsibilities for supporting the Public Service Readiness Plan [11] and other security measures across the federal government. These activities are distinct from the Secretariat's operations and are governed by different processes and procedures. They also involve different departmental stakeholders.

2.2 Lines of Enquiry

The audit had two lines of enquiry:

- Management control framework: A management control framework is in place to ensure that the Secretariat is properly administering its responsibilities regarding the Treasury Board's Policy on Government Security, Operational Security Standard - Business Continuity Planning (BCP) Program, and Directive on Departmental Security Management.
- Business continuity planning readiness: Business continuity planning is part of a permanent maintenance cycle that includes the regular testing and validation of plans.
The audit assessed whether the management control activities and mechanisms were clearly defined, whether they addressed known risks, were sufficient and effectively communicated, were adequately monitored, and whether they reported risks and major issues related to the BCPP. The audit also assessed the level of compliance with applicable authorities through a detailed examination of a sample of BIAs and BCPs submitted to the BCP unit in 2011.

2.3 Approach and Methodology

The audit approach and methodology is risk-based and conforms to the Internal Auditing Standards for the Government of Canada and the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives are achieved.

The audit included various tests and procedures considered necessary to provide such assurance, including the following:

- Interviews with key personnel; research; review of key documents; assessment of risk to identify potential risk exposure; and analysis of departmental and sector BIAs and BCPs for compliance, trends and readiness.
- Validation and assessment of the management control framework elements described in the scope. In addition, the key documents for the BCPP were reviewed to assess the level of compliance with applicable authorities. The examination phase of this audit was conducted from June 2011 to January 2012, based on the information and documents obtained by August 2011.

3. Audit Results

3.1 Line of Enquiry 1: Management Control Framework

It was expected that a sound management control framework would be in place to facilitate management in achieving the Secretariat's objectives for business continuity, to support effective decision making, and to flag significant control issues on a timely basis. It was also expected that the information required to implement and maintain the BCPP would be documented, maintained and effectively communicated to all stakeholders involved in the BCPP activities.

Since the fall of 2009, the Secretariat has undertaken many initiatives to develop the BCPP. These initiatives have included:
- Appointing a DSO and a coordinator to lead the BCPP;
- Creating key working groups required in a BCPP as per standards and policy;
- Integrating business continuity planning in the departmental business planning and risk management cycles;
- Drafting and issuing a series of departmental documents that comply with Treasury Board policies and standards, and define objectives, roles, responsibilities and departmental procedures for BIAs, BCPs and other activities in the BCPP;
- Communicating many of the elements and processes of BCPP activities on the departmental InfoSite; and
- Ad hoc reporting to senior management on the activities of the BCPP, including obtaining decisions on key documents and critical operational priorities.

While the Secretariat has put into place many of the essential elements required for the BCPP, the program is maturing in its development and implementation.

Objective

The objective of the BCPP has been broadly defined in the Departmental Policy on Business Continuity Planning as well as in the Secretariat's BCP. The stated objective aligns with the expected results of the Treasury Board Policy on Government Security pertaining to the BCP. However, there is a need to further articulate measurable and quantifiable expected results to support monitoring and reporting on the BCPP.

Organizational Structure

In line with the accountabilities and responsibilities of individual sectors, the organizational structure of the BCPP is decentralized. A formal and documented organizational structure is in place to support the BCPP activities for the corporate BCP group in the Corporate Services Sector. However, these individuals also have responsibilities for other security activities such as the Departmental Security Plan, Emergency Management, and Occupational Health and Safety. As these additional activities fell outside the scope of the audit, it was not possible to assess the sufficiency of resources dedicated to the BCPP. The organizational structure for other employees performing BCP activities, such as the sector BCP working group coordinators, is informal and employees are assigned based on the requirements of the sector.

Accountabilities, Roles and Responsibilities

Overall, the majority of the accountabilities, roles and responsibilities have been clearly defined in key documents. The audit also found that key stakeholders, including the members of the BCP working group, the IMT and the corporate BCP unit of the Administrative and Security Directorate, Corporate Services Sector, were generally aware of their responsibilities regarding the BCPP.
However, certain documents that define roles and responsibilities were not approved as of the time of the audit. Also, while employees have responsibilities under the Treasury Board Directive on Departmental Security Management, these were not defined in departmental documentation, including the Departmental Policy on Business Continuity Planning and the BCP. Finally, roles and responsibilities for certain stakeholders were defined partially across a number of documents, without comprehensively defining them in a single document.

Planning and Risk Management

Strategic direction and key decisions related to the BCPP were made by senior management through various mechanisms such as presentations to the Secretariat's Executive Committee and Management and Infrastructure Committees on an ad hoc basis. Similarly, there was evidence that BCPP activities were included and considered in the Secretariat's planning and risk management cycles.

While senior management committees discuss BCPP-related topics periodically, there is no formal role for providing ongoing strategic-level direction and support, as recommended by the Treasury Board Operational Security Standard - Business Continuity Planning (BCP) Program. A BCP working group exists and meets at the call of the chair; however, its membership is largely below the executive level.

Departmental Policies, Procedures and Guidelines

Substantial efforts have gone into the development of a suite of documents that contain the key policy, plans, procedures, templates and guidelines expected for a BCPP. The key policy and plan documents are generally compliant with the Treasury Board's Policy on Government Security and Operational Security Standard - Business Continuity Planning. However, at the time of the audit, some documents were awaiting formal approval before they could be implemented and communicated to individuals in the BCPP. In addition, some of the documents require revisions in order to address elements related to training and performance monitoring.
Training

Responsibilities for training are distributed between the corporate BCP group and the sector heads. Training has occurred for some of the BCP working group members, and a number of guidance documents have been posted on the Secretariat's intranet site.

However, communication or training strategies have not yet been developed to ensure that individuals who are involved in the BCPP have the knowledge to execute their responsibilities when their sector BCP is activated. Based on interviews, some of the BCP working group and IMT members relied on previous experiences and ad hoc practices in place throughout the Secretariat. Given that the Secretariat experienced a turnover of approximately 1,000 employees each year in the last two years, training and communication strategies are critical to ensure that employees are aware of the program details and have the appropriate information to respond to a BCP incident. The completion of the previously mentioned suite of documents would help create the foundation for a training program.
Monitoring and Reporting

The Policy on Government Security, the Directive on Departmental Security Management, and the Operational Security Standard - Business Continuity Planning (BCP) Program include requirements for monitoring and reporting activities. The audit team therefore expected to find documentation that identified the approach for ongoing monitoring and reporting, including the key results that would be monitored and reported on over time. In addition to meeting policy requirements, such an approach helps ensure, among other things, that management is aware of key results attained by the program, as well as significant risks or issues as they arise.

While monitoring and reporting processes were not formally defined, the audit found that monitoring of certain BCPP activities occurred periodically through ad hoc reporting to senior management. These activities pertained to the development of BCP documents such as the Departmental Policy on Business Continuity Planning, the departmental BCP, the departmental Threat and Risk Assessment, the Disaster Recovery Plan, the PIN-to-PIN testing results, and the BCP priorities presented to senior management in February 2011. The roll-up of initial BIA sector submissions was also presented to senior management and became one of the triggers for the tabletop exercise held with the Secretariat's Executive Committee in December 2010. Tracking of the sector submissions of BIA and BCP documents was also found to occur.

The level of monitoring and reporting previously noted represents significant progress for the Secretariat's BCPP over the last two fiscal years. The formal definition of such processes, including details on what should be monitored and reported on, would enhance senior management's awareness of critical aspects of the program and would further support timely direction and oversight.

Key results that could be monitored and reported on regularly include:

- Training and awareness activities (e.g., for new employees and key BCPP stakeholders);
- Results of testing and maintenance activities;
- Issues and risks identified via the BCPP, and their disposition; and
- Status and results of critical BCPP activities.

Recommendations:

It is recommended that the Assistant Secretary, Corporate Services Sector, undertake the following:
1. Review the suite of documents defining BCPP roles and responsibilities, with a view to ensuring that they address all stakeholders, are streamlined, and are formally approved.
   Priority ranking: High
2. Formally integrate the BCPP into the senior management committee structure to ensure ongoing strategic-level direction and oversight.
   Priority ranking: High
3. In collaboration with sector heads, develop and implement communication and training strategies to meet identified needs.
   Priority ranking: High
4. Formally define monitoring and reporting processes, including key expected results, in order to effectively support BCPP activities.
   Priority ranking: Medium

3.2 Line of Enquiry 2: Business Continuity Planning Readiness

It was expected that the Secretariat would have completed the preparation and validation of sector BIAs and BCPs. It was also expected that these BIAs and BCPs would be compliant with the Departmental Policy on Business Continuity Planning and that a testing and maintenance cycle for the BCPP would exist.

To ensure that the Secretariat is prepared to respond to an incident and to activate the necessary sector BCPs, it is necessary that every sector have an approved BIA and BCP that represents their planned response for both critical and non-critical operations.

It was found that the business continuity planning cycle is still evolving within the Secretariat. In 2008-09 the first set of sector BIAs was prepared. These were summarized into a departmental document that identified the critical operations and the number of employees required during a BCP incident. This report became one of the triggers for a review and prioritization of critical operations, which was done by the Secretariat's Executive Committee in December 2010.

At that time, the top seven critical operations that needed to be addressed within the first 24 hours of an incident were identified. An additional nine critical operations were prioritized. In 2011, the sectors' BIAs were updated, and the development of the first cycle of sector BCPs was initiated.

During this time, the corporate BCP group in the Corporate Services Sector provided guidance and developed tools to assist the sectors in the development of their BIA and BCP documents.
Sector BIAs and BCPs were prepared and submitted by most sectors; however, four sectors, which contain critical operations, did not submit. Most sectors made use of the departmentally designed templates; however, information in many of the documents contained gaps and ambiguities.

At the time of our audit, the corporate BCP unit had initiated the review and validation process for sector BIAs and BCPs; however, this had not progressed sufficiently for the audit team to assess the process. The testing and maintenance cycles had not commenced.

Further work is required to:

- Complete the development of the remaining sector BIA and BCP documents;
- Assess all sector BIAs and BCPs; and
- Develop and implement a testing cycle for BCPs as well as a regular maintenance cycle for the BCPP overall.

During the engagement, the audit team identified a potential opportunity to further streamline the program through the use of generic BIA and BCP documents that would handle non-critical, as well as certain critical, operations. The audit found that most sectors have non-critical operations and that the BCP responses are often the same or similar. As such, use of generic responses, while still allowing for sector-specific requirements, has the potential to reduce overall effort. This possible approach is identified for management's consideration only, and is therefore not included in the recommendations that follow.

Recommendation:

It is recommended that the Assistant Secretary, Corporate Services Sector, undertake the following:

5. In collaboration with sector heads, complete the remaining work relating to BCPP development.
   Specifically, there is a need to:
   - Complete remaining sector BIA and BCP documents, and ensure that all are assessed; and
   - Develop and implement a testing and maintenance cycle for BIA and BCP documents and activities.
   Priority ranking: High

3.3 Overall Conclusion

Significant progress has been made by the Secretariat in developing and implementing a management control framework for the BCPP since September 2009.
We conclude with a reasonable level of assurance that the management control framework
of the Secretariat's BCPP complies with most aspects of the Treasury Board's Policy on
Government Security, Directive on Departmental Security Management and Operational
Security Standard - Business Continuity Planning (BCP) Program. Improvement is
required to address key elements of the management control framework for the BCPP.
Specifically, there is a need to:
Review certain roles and responsibilities to ensure that they are formally approved and that all stakeholders are addressed;
Define and formalize the integration of the BCPP within senior management committees, to ensure ongoing strategic-level direction and oversight;
Develop training and communication strategies that, in addition to other needs identified, serve to increase BCPP awareness for employees and for those involved in critical operations; and
Develop and implement formal processes for regular monitoring and reporting.
To ensure that the Secretariat is at an appropriate stage of readiness to effectively
respond to a BCP incident, it is also critical that the remaining work relating to BCPP
development be completed.
Specifically, there is a need to:
Complete the development of remaining sector BIA and BCP documents;
Assess all sector BIAs and BCPs; and
Develop and implement a testing cycle for BCPs as well as a regular maintenance cycle for the BCPP overall.
Appendix 1 - Audit Criteria
Line of Enquiry 1: Management Control Framework
A management control framework is in place to ensure that the Secretariat is
properly administering its responsibilities with regard to the following:
Treasury Board Policy on Government Security;
Treasury Board Operational Security Standard - Business Continuity Planning (BCP) Program; and
Treasury Board Directive on Departmental Security Management.
1. Objectives and goals are clearly defined, formally approved, current and
communicated.
2. Accountability, roles and responsibilities are clearly defined, formally approved and
communicated.
3. The organizational structure is formal and is supported by the appropriate resources.
4. Planning and risk management are undertaken on a regular basis.
5. Departmental policies, procedures and guidelines are compliant with applicable
authorities and are complete, current and communicated.
6. Training of management and staff with business continuity planning responsibilities
for awareness and compliance with applicable policies, directives and practices,
effectively supports the Business Continuity Planning Program (BCPP).
7. An effective monitoring and reporting mechanism is in place.
Line of Enquiry 2: Business Continuity Planning Readiness
Business continuity planning is part of a permanent maintenance cycle that includes
regular testing and validation of plans.
1. Sector Business Impact Analyses (BIAs) are compliant, validated, tested and
maintained.
2. Departmental and sector Business Continuity Plans (BCPs) are compliant, validated,
tested and maintained.
Appendix 2 - Management Action Plan
Recommendation 1:
It is recommended that the Assistant Secretary, Corporate Services Sector review the
suite of documents defining BCPP roles and responsibilities, with a view to ensuring that
they address all stakeholders, are streamlined, and are formally approved.
Priority ranking: High
We agree with the recommendation.
Recommendation 2:
It is recommended that the Assistant Secretary, Corporate Services Sector formally
integrate the BCPP into the senior management committee structure to ensure ongoing
strategic-level direction and oversight.
Priority ranking: High
We agree with the recommendation.
Recommendation 3:
It is recommended that the Assistant Secretary, Corporate Services Sector, in
collaboration with sector heads, develop and implement communication and training
strategies to meet identified needs.
Priority ranking: High
We agree with the recommendation.
Using the generic tools developed by CSS, and with assistance from CSS (if required),
sectors will:
Recommendation 4:
It is recommended that the Assistant Secretary, Corporate Services Sector formally define
monitoring and reporting processes, including key expected results, in order to effectively
support BCPP activities.
Priority ranking: Medium
We agree with the recommendation.
Recommendation 5:
It is recommended that the Assistant Secretary, Corporate Services Sector, in
collaboration with sector heads, complete the remaining work relating to BCPP
development.
Specifically, there is a need to:
Complete remaining sector BIA and BCP documents, and ensure that all are assessed; and
Develop and implement a testing and maintenance cycle for BIA and BCP documents and activities.
Priority ranking: High
We agree with the recommendation.
meet with CSS for further discussion.
Footnotes
1. Policy on Government Security, Appendix A - Definitions, effective July 1, 2009.
2. Ibid.
3. A critical support function is an interdepartmental or
intradepartmental policy or service that supports a critical service.
4. A critical dependency is a business process
arrangement where one department is responsible for a critical service but depends on
another department for completion, production or delivery of the output.
5. Policy on Government Security, Appendix A - Definitions, effective July 1, 2009.
6. Policy on Government Security, Appendix A - Definitions, effective July 1, 2009.
7. A critical support function is an interdepartmental or
intradepartmental policy or service that supports a critical service.
8. A critical dependency is a business process
arrangement where one department is responsible for a critical service but depends on
another department for completion, production or delivery of the output.
9. Public Safety Canada, A Guide to Business Continuity
Planning (http://www.publicsafety.gc.ca/prg/em/gds/bcpeng.aspx).
10. For purposes of this report, all Secretariat sectors and
branches will be referred to as "sectors."
11. The purpose of the Public Service Readiness Plan
(PSRP) is to provide the planning architecture, processes and guidance required for
deputy heads to horizontally manage the cross-cutting, public service-wide consequences
of an emergency. The PSRP may be activated when emergencies result in workforce and
service delivery issues impacting a number of departments and agencies that cannot be
effectively managed within the scope of individual departmental Business Continuity Plan.
The PSRP engages a small group of deputy heads, who will consider interdepartmental
solutions to facilitate the delivery of critical services.
12. International Affairs, Security and Justice Sector (IASJ)
Date modified: 2012-08-20