Understanding and documenting how your department/unit operates under normal conditions will help you understand and plan efficiently how to recovery ‘temporarily’ -- and then permanently. The following information identifies important, specific activities to help departments/units in their preparedness efforts.
Create a Continuity Plan
- Determine a project lead or coordinator
Each area, unit, department or division should appoint a Business Continuity Planning Coordinator (BCC) and alternate (ABCC). The BCC will facilitate and assign employees to certain sections within the IU READY tool based on employees’ area of expertise. The BCC’s responsibilities:
- Coordinate the development of departmental plan(s)
- Act as liaison between Business Continuity Assurance Analyst, Emergency Operation
- Center representatives and departmental recovery team leads.
- Coordinate departmental efforts during recovery.
- Assign an alternate BCC to serve as a backup and assist BCC
- Consider assembling a departmental continuity committee (DCC) that includes a cross-section of the department.
- Obtain input from outside of the department/unit regarding plan development and resource allocation. Good sources of feedback and consultation could include an IT manager, security staff, building coordinators, physical plant staff, insurance, legal counsel, human resources, procurement, etc.
- Assumptions related to Business Continuity Planning
Assumptions, coupled with the risk analysis findings, define the boundaries around the BCP process. These assumptions will be refined, deleted, or new assumptions added as planning progresses:
- Recovery for anything less than complete destruction will be achievable by using the plan.
- Normally available staff members may be rendered unavailable by an illness, disaster orits aftermath, or may be otherwise unable to participate in the recovery.
- Normally available space (and the information stored in that space) may be unavailable. Procedures should be sufficiently detailed so someone other than the person primarily responsible for the work can follow them.
- Recovery of a critical subset (recovery workload) of the unit's critical functions during the recovery period will allow the unit to continue critical operations adequately.
- A data center disaster may require departments/units to function with limited automated support and some degradation of service.
- For critical computer systems, the writing of special purpose programs may be required to enable the university department/unit to effectively return to normal conditions. That is to say departments/units may need to first rebuild and/or re-enter data that was lost between the time of the last off-site backup and the time of the disaster/disruption; and secondly, enter transactions that accumulate during the
period of "no automated support."
- Unit plans typically will not need to deal with the availability of electrical power and other utilities. Physical Plant handles this level of planning for the campus.
- Unit plans typically will not need to deal with campus-level networking issues.
- University Information Technology Services (UITS) handles this level of planning for the campus.
- Unit plans typically will not need to deal with temporary or permanent space availability. University Real Estate and/or campus Space Management will have to find temporary space. However, unit plans must consider the fact that normal space (and data, files, computers in that space) may be unavailable.
- Unit plans typically will not need to deal with process and procedure planning requirements for global university services including but not limited to (i.e. FMS – payroll, accounts receivable/payable; HR – benefits/employment, etc.). Financial Management Services and IU Human Resources will handle this level of planning for the campus.
- Conducting the planning project
Information gathering can come from all members of the office – after all, they are the folks that do the detailed work day in and day out. The Business Continuity Coordinator (BCC) will organize the project and develop the strategy to outline all the needed resources for recovery. Recovery strategies address:
- How the critical functions will be recovered and to what level of resources will be required
- the period in which they will be recovered
- the role central university resources will play in augmenting or assisting unit resources in affecting timely recovery
- Writing the business continuity plan
The IU READY website, found on one.iu.edu, provides intuitive software where questions are asked, and detailed answers are given. The developing business continuity plan allows many people to work in the plan at the same time. Capture the specifics regarding equipment, staffing, processes, and dependencies needed for each critical service or function.
List necessary resources and reference materials
- Facility and infrastructure requirements (data connections, wattage requirements, space) by person; by location; by overall needs
- Equipment list (hardware, software, specialty equipment, phones, faxes, etc.)
- Minimum supplies lists (office, lab, production materials, etc.)
- Specialized/custom forms
- Off-site storage materials
- Vital records lists: Lists should include the name/type of document, person responsible and location. The list should include records necessary to support resumption of services and disaster recovery documentation (mutual aid agreements, memo of understanding for services and products, and contracts)
- Include procedures and checklists to reference during recovery
- Other information as needed
- Communicate your plan to employees
- Provide access to the plan (paper and electronic) to appropriate personnel
- Inform team leaders of responsibilities
- Inform employees of existing university protocols including emergency response, evacuation and shelter-in-place procedures
- Coordinate with external departments/units
- Inform other university departments/unit of your dependency
- Request coordination and understanding of their BCP
- Ensure that external departments can meet the needs based on your recovery and resumption plans (including turn-around time, physical needs and supplies, etc.)
- Testing and maintaining the business continuity plan
When the entire BCP is complete, it is important to test the content of the plan – is it useful, accurate, and complete; what is missing, what is no longer relevant?
- Test the newly developed plan upon completion and on an annual basis.Validation provides training and the best assessment of the plan’s viability. Examples include tabletops, notification drills, simulations, full rehearsal, etc.
- Evaluate test outcomes and incorporate "lessons learned"
- Maintaining and auditing the plan annually
Annual maintenance is required so that business continuity plans continue to be relevant. This annual review will capture any changes to environment, personnel procedures and/or practices. It also ensures that the plan continues to reflect the organization’s needs.
- Keep the plan current through periodic review and updates. Assign responsibility for periodic review. Update plan for major changes in the department such as changes in services, location, or organization structure.
- Ensure appropriate personnel review and approve plan updates. Include the BCC and Department Head within the review and approval process
- Communicate plan changes to affected personnel
- Store plans in a manner that allows access by BCC, alternate and other key personnel if the department's facility or network is NOT available. The manner in which business continuity plans are stored should reflect the sensitivity of the data the plans contain (Location of vital records, personal data, etc.).