Business Continuity Procedure

This is not a current document. To view the current version, click the link in the document's navigation bar.

Section 1 - Preamble

(1) This Procedure was approved by the Vice-Chancellor on 27 August 2014.

(2) This Procedure is pursuant to the Business Continuity Policy and includes the following schedule:

  1. Schedule A: Business Continuity Glossary.

Section 2 - Purpose

(3) This Procedure outlines the steps required to comply with the Business Continuity Policy.

Section 3 - Scope

(4) This Procedure applies across the University.

Section 4 - Policy

(5) Refer to the Business Continuity Policy.

Section 5 - Procedure

(6) This Procedure outlines the methodology that will be utilised to design, develop, implement and manage business continuity across the University. This methodology aligns with the international standard AS/NZ ISO 22301:2012 Societal security - Business continuity management systems and best practice for business continuity. Guidance documents, templates and training materials will be provided by the Business Continuity Advisor for each step outlined in this Procedure.

Business Impact Analysis

(7) A Business Impact Analysis (BIA) will be the primary information collection and assessment tool in the development of Business Continuity Plans (BCP). The BIA process:

  1. identifies critical activities performed
  2. identifies any third parties that may be involved or impacted by an incident
  3. identifies the resources (people, information and communications technology (ICT) services, facilities, equipment) required to perform critical activities
  4. prioritises restoration of critical activities using recovery time objectives (RTO).

(8) The information captured and assessed via the BIA process is then used to develop BCPs with ICT requirements provided to Deakin eSolutions for ICT Recovery analysis and planning.

Business continuity plan development and maintenance

(9) Development of BCPs provides a pre-defined and management approved course of action to be initiated in response to an operational disruption.

(10) BCPs should document the information required to perform critical activities should the normal operating environment be unavailable and must include:

  1. local response team members' names (including the identification of primary and secondary contacts) and contact information
  2. critical activities in order of restoration priority according to RTOs
  3. targeted communication strategies for all stakeholders including Executive, senior management, staff, students and others in the University community
  4. workaround strategies to implement whilst resources are recovered or alternatives sourced
  5. linkages with BCPs for other faculties, institutes or other areas (FIOA) that may be impacted.

(11) BCPs should:

  1. use plain English where possible
  2. be accessible to all response and Local Business Recovery Team members
  3. be reviewed and updated at least once annually, following significant organisational change or plan activation
  4. be exercised with all Local Business Recovery Team members
  5. outline roles and responsibilities.

Exercising

(12) Exercising BCPs provides training and management assurance of continuity capability. No matter how well designed and thought-out the business continuity or ICT Recovery Plan may seem, realistic and robust exercising will reveal areas requiring attention.

(13) Exercises can be used for: validating policies, plans, procedures, RTOs, training, equipment, and inter-organisational agreements; clarifying and training personnel in roles and responsibilities; improving inter-organisation coordination and communications; identifying gaps in resources and ICT services; improving individual performance; identifying opportunities for improvement; and providing a controlled opportunity to practise improvisation.

(14) Exercising of business continuity and ICT Recovery Plans will be scheduled to occur annually. A debrief session will be held following each exercise with results and recommendations to address issues documented for action.

Activation

(15) A disruption to operations could result in activation of one or multiple plans affecting one or more locations.

(16) The Business Continuity System coordinates the activation of the BCP, and directs the communications, response and recovery process required to return to normal business.

(17) BCPs could be activated in isolation from other emergency management processes; this will depend on the extent and geographical spread of the incident.

(18) The University will utilise emergency and crisis management procedures and protocols for command, coordination and communication of emergencies.

ICT recovery

(19) ICT Recovery is a component of the University's overall business continuity capability; it provides for the timely recovery and restoration of ICT systems, including applications and data resources that support critical activities should the primary data centre experience a significant disruption.

(20) ICT Recovery will utilise the Deakin eSolutions IT Critical Incident Process to manage all critical incidents including escalation to ICT Recovery events.

(21) ICT Recovery is managed in accordance with the Business Continuity Policy and Deakin eSolutions ICT Recovery framework and guidelines. The ICT Recovery Framework includes:

  1. a process for managing the continuity, recovery and restoration of ICT services identified as critical via the BIA process. The process and supporting procedures are to be reviewed annually, following significant change or activation
  2. planning actions to reduce the likelihood of ICT service failure and to minimise impacts if failures occur. ICT Recovery development and management occurs in line with the University's Business Continuity Policy and priorities for investment as advised by FIOA
  3. regular testing to validate recovery capability for critical ICT infrastructure and applications
  4. reporting of ICT impacts to the Business Continuity Advisor and the Emergency Management Committee.

(22) ICT Recovery Plans must be:

  1. developed for all eSolutions' systems, including infrastructure, applications, data and telecommunications deemed as critical via the BIA process
  2. reviewed annually and following significant change or activation with approval of reviews provided by the ICT Service Continuity Working Group
  3. exercised regularly to provide assurance of recovery capability. The regularity and complexity of testing will be dependent on the criticality of, and changes to, the technology.

Accountability and responsibilities

(23) In addition to the Accountabilities listed in the Business Continuity Policy,

  1. the Business Continuity Advisor will:
    1. increase business continuity awareness and understanding and develop the capacity to manage a business continuity response through identification and skilling of response team participants
    2. facilitate the BIA process and documentation
    3. facilitate the development of BCPs
    4. provide support, advice and guidance to stakeholders in FIOA
    5. provide annual attestation to the Executive on the University's continuity preparedness through Emergency Management Committee reporting
    6. attend internal and external meetings as the University's business continuity subject matter expert.
  2. Faculties, institutes and other areas are the custodians of their business continuity preparedness and recovery capability and as such must:
    1. participate in the BIA process to identify and agree on critical activities and the resources required to support them
    2. develop BCPs based on BIA information
    3. nominate members to the Local Business Recovery Team
    4. review and update BIA and BCPs annually, following significant organisational change or plan activation
    5. actively participate in exercises and training and awareness sessions
    6. adequately address business continuity requirements for services and resources provided by a third party
    7. ensure that personnel in their areas are familiar with continuity requirements, responsibilities and the response process to disruptions.
  3. Local Business Recovery Team will be made up of members of each FIOA that has a BCP. They will work with the Business Continuity Advisor to:
    1. participate in the BIA, the development of the BCP and exercising of the BCP for their FIOA
    2. carry out the actions, according to the BCP, to recover from an incident that has caused a disruption to a critical activity or process as advised by the Business Continuity Advisor and/or Critical Incident Management Team.

Section 6 - Definitions

(24) For the purpose of this Procedure:

  1. Definitions relevant to this procedure are listed in the Business Continuity Policy and in more detail in Schedule A: Business Continuity Glossary.