Policy Title; Business Continuity Management Policy. Date Published/Reviewed; February 2018


Policy Title: Business Continuity Management Policy
Date Published/Reviewed: February 2018
Business Lead: Head of Strategic Governance
CCMT sponsor: Deputy Chief Constable

Thames Valley Police ensures that all policies have been assessed and comply with MoPI Guidance and the Data Protection Act 1998. In addition, this Policy has been reviewed by the Force Head of Health, Safety and Environment and has undergone an Equality Impact Assessment.

About this Policy

Rationale

Thames Valley Police (TVP), as a Category One responder, is required by the Civil Contingencies Act 2004 to have business continuity management arrangements in place. TVP must be able to continue to exercise its civil protection functions as well as, where possible, continuing to perform its ordinary functions in the event of an emergency or a disruption. Business Continuity is defined in the International Organisation for Standardisation (ISO) standard 22301:2012 (paragraph 3.3) as the capability of the organisation to continue delivery of products and services at acceptable predefined levels following a disruptive incident.

Intention

This policy, along with the supporting documents, will provide details of the business continuity management process. This process aims to deliver the following outcomes:
- Ensure that TVP can continue to deliver critical services to the public in the event of a disruption
- Improve organisational resilience by developing strategies and adaptable, usable plans to minimise the impact of any emergency or disruption from identified threats and risks
- Ensure resources are used more effectively in order to ensure that duties to the public are met, particularly when resources are diminished
- Protect against reputational damage and increase public confidence
- Support the organisation's recovery following a disruption.

General Principles

This policy defines the methodology by which TVP will meet its statutory duties. The continuity management lifecycle (see diagram below) for British Standard (BS) 25999 has been taken into account. However, Thames Valley Police will align with ISO 22301 where possible and will therefore use the Plan, Do, Check, Act (PDCA) structure. The business continuity management process is a continual cycle of activity that is maintained and reviewed to reflect changes in Force priorities and lessons learned from incidents and exercises. Continual improvement in business continuity management pro-actively aims to embed it into the organisation's culture.

The TVP business continuity management process aligns with and includes:
- Identification of critical functions and prioritisation of all associated activities
- Conducting threat and risk assessments
- Conducting a Business Impact Analysis
- Development and maintenance of business continuity plans and a network of points of contact / plan owners
- Exercising business continuity plans to validate and ensure effectiveness
- Audit, maintenance and review of business continuity arrangements
- Training and awareness of business continuity plans and requirements
- Learning from incidents, disruptions and exercises
- Monitoring standards and compliance with all related legislation, standards, policies and good practice.

Statement of Policy

Business Continuity is a force-wide responsibility. All staff and officers have a role to play in the effective embedding of BCM into the culture of Thames Valley Police. The Civil Contingencies Act 2004 (CCA) provides that Category 1 responders may use generic plans, specific plans or a combination of the two. The guidance for TVP is this Policy. Procedures and tactics are contained in the Force Business Continuity Plan / Management Framework, and a set of specific Local Policing Area (LPA), Operational Command Unit (OCU) and Departmental Business Continuity Plans complement this.

The TVP business continuity strategy provides strategic actions planned for the next three years. A strategic business continuity plan will also be in place for the large non-operational / limited operational sites. This will set out the Force response to any disruption, including activation procedures and action checklists for the command structure. These plans will be supported by the more detailed plans in place within the Local Policing Areas, Operational Command Units and Departments.

The Civil Contingencies Act 2004 requires that arrangements are reviewed regularly to ensure validity in the event of any changes. All plans will be developed, maintained and exercised in accordance with the CCA 2004. All Business Continuity Plans should be based on a Business Impact Analysis (BIA) and will be coordinated centrally, to manage interdependencies and ensure a common approach. This Policy, the TVP Business Continuity Strategy, the supporting documents and the Local Policing Area / Operational Command Unit / Departmental Business Continuity Plans, as well as Business Impact Analyses, exercises, training and all related activity, form the overall arrangements for Thames Valley Police to fulfil its statutory duty.

The Civil Contingencies Act 2004 provides that Category 1 responders may enter into collaborative arrangements with other responders, but Business Continuity Management must be owned and driven within the organisation itself in order to be effective. All employees need to understand their responsibilities in a disruption, and this should be encapsulated within the activity to embed the process into the organisation. The knowledge to provide this understanding to staff, as well as training and support for those with specific responsibilities around writing plans, will be developed. This will be disseminated via a network of business continuity contacts.

Critical activities

As a Category 1 responder, Thames Valley Police will continue to deliver our civil protection functions. These functions and supporting activities are prioritised according to statutory requirements and by force objectives determined by the Strategic Planning Process. The Business Impact Analysis process requires all activities to be prioritised based on a threat and risk assessment. Each critical activity identified in this process requires a recovery time to be set and resources and interdependencies to be recorded. The Force's critical activities, endorsed by the Chief Constable, are:

- Emergency Response
- Crime Investigation
- Custody Management
- Managing High Risk

Threats to service delivery

BCM arrangements take into account the threats and risks identified at a national, regional and community level. They will also take into account those risks identified through the internal Business Impact Analysis process and the organisational Risk Management process. The National Decision Model (NDM) is a key part of the approach to the management of risk within TVP, and in particular recognises the need to take account of the Code of Ethics.

BCM in TVP aims to address the impact of any incident in the following four areas:
- People: Loss of Staff/Officers (severe weather, disease pandemic, industrial action, abstractions)
- Premises: Denial of access or damage to premises (due to fire, flooding, police cordon/operational activity, power failure etc)
- ICT/Communications: Loss of critical systems (Local Area Network/Telephony failure, power or system failure or essential maintenance disruption)
- Suppliers/Stakeholders: Loss or failure of internal or external stakeholders/suppliers (LPAs / OCUs / departments, partner agencies, utilities, etc)

In most circumstances the identification of a disruption is clear, such as denial of access to a building due to a fire or flood, but any incident identified as having an impact on service delivery, or the potential to impact on service delivery, should be notified according to the procedure set out in the Force Business Continuity Plan. Some disruptions may be more difficult to identify, such as the impact of a failure of a key supplier, a system failure or a lack of key staff.

Incident classification

The BCM arrangements in place for TVP should be considered in the planning, response and recovery for any incident or emergency. When an incident is identified by any officer, staff member or stakeholder that could adversely affect the capability of TVP to maintain normal service delivery, BCM plans should be activated in support of any operational response. In a similar way to when a Critical Incident is identified, any incident which requires a Business Continuity response can be categorised as defined in the Force Business Continuity Plan.

Plan activation

LPA / OCU / department BCPs should be activated by the Commander or Head of Department in consultation with the Gold Commander following identification of a High or Medium impact incident. The following incident grid follows the APP Tiers 1 to 3:
- High Impact (Tier 3): A tier three incident is when any incident, or pre-planned event, has significantly impacted or has the potential to significantly impact on the force as a whole, across forces, or nationally, and on Thames Valley Police's ability to perform its critical activities. This is managed at GOLD level.
- Medium Impact (Tier 2): A tier two incident is when any incident, or pre-planned event, has impacted or has the potential to impact Thames Valley Police's ability to deliver its critical functions across multiple LPAs or Departments. This is managed by an LPA Commander or Department Head nominated by GOLD.
- Low Impact (Tier 1): A tier one incident is when any incident, or pre-planned event, has impacted the Force's ability to deliver its critical activities across a single LPA or Department. This is managed by an LPA Commander or Department Head.
- Potential: An issue is identified that it is believed could potentially impact on critical activities; the issue requires assessing and monitoring (e.g. industrial action, severe weather, a major event, building work etc).

The activation process is detailed in the Business Continuity Management Framework. This activation process is compatible with the process used by Hampshire Constabulary, ensuring ease of use within collaborated areas such as the Joint Operations Unit.

Roles and Responsibilities

The ultimate responsibility for ensuring Thames Valley Police complies with the Business Continuity requirements of the Civil Contingencies Act 2004 remains with the Chief Constable. All staff, officers and volunteers are responsible for being aware of the Business Continuity arrangements for their area in the event of a disruption. Specific roles are identified in the table below:

Role: Responsibility
- Deputy Chief Constable (DCC): Overall Force lead on Business Continuity.
- Head of Strategic Governance Unit: Responsible at strategic level for Business Continuity.
- Corporate Governance Manager: Responsible for all business continuity management activity in the Force. Support/advise in a disruption when required. Must ensure a tactical log of decisions and actions during any disruption is captured.
- Corporate Governance Officer: Responsible for implementation, coordination and support of all business continuity activity at a tactical force level. Support/advise in a disruption when required. Must ensure a log of any disruption is captured and debriefed.
- Senior Management Teams / Business Continuity single points of contact (and Deputies): Responsible for the LPA / OCU / Departmental business continuity activity at an operational / departmental level. Support/advise in a disruption when required. Must ensure a log of any disruption is captured and reported to the Strategic Governance Unit.
- Senior Information Risk Owner (SIRO): In the event of a disruption, there may be a requirement to work outside normal information security policies and procedures. The SIRO should be responsible for authorisation.

Human Rights Articles Engaged

The policy does not invoke Human Rights Articles.

Health and Safety at Work

The Health and Safety at Work Act imposes a duty of care upon the Chief Constable to ensure, as far as is reasonably practicable, the health, safety and welfare of all staff. There is a legal requirement to conduct a risk assessment based on the individual's role and capabilities, which should include consideration of assessments under specific legislation, e.g. Manual Handling Regulations.

Communications, Challenges and Representations

Communication: Deputy Chief Constable, Thames Valley Police, Oxford Road, Kidlington, Oxon OX5 2NX

Review: This policy document will be reviewed as and when necessary (e.g. following a tier 3 incident) and in any event every 12 months following the sign-off of this review. The review will be carried out by the Strategic Governance Unit and will examine:
- Changes in legislation
- Court rulings
- Domestic, European and Human Rights
- Examples of good practice from other Forces or other organisations
- Changes in Home Office Circulars
- NPCC policy and Authorised Professional Practice
- Representations made by individuals and relevant organisations
- Relevant Equality data
The policy will next be reviewed in February 2019.

FOI status and protective marking: This policy is suitable to be made available to the public and can be published on the Thames Valley Police Freedom of Information Publication Scheme.

Government Security Classification Policy (GSCP): This policy has been assessed as OFFICIAL; however, the supporting documents have been assessed as OFFICIAL SENSITIVE and will therefore not be published as above. All policies will be published on the Policy Management Unit Intranet site. New and reviewed policies will be promoted in Managers' Briefing.

Related Legislation and guidance
- Civil Contingencies Act 2004
- Human Rights Act 1998
- Equality Act 2010 (section 149)
- Freedom of Information Act 2000
- Health and Safety at Work Act
- Government Classification Scheme
- ISO 22301:2012 Societal Security: Business Continuity Management Systems
- BS 25999 Business Continuity Management: Part 1 Code of Practice (2006) and Part 2 Specification (2007)
- BS 65000:2014 Guidance on Organisational Resilience
- Business Continuity Institute (BCI) Good Practice Guidelines 2013
- National Decision Making Model (NDM)
- Code of Ethics
- MOPI: Code of Practice

For use by the Policy Management Unit Only

Chief Officer Policy Authorisation
Policy signed off by: Name of relevant ACC
Date:

Version: Date: Author: Reason Reviewed
- 2.0: June 2018: Sarah Holland: Updated to new policy template and low level contextual and grammatical changes.