(PDF) Local Authority Cyber Resilience Planning Guide

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

1"

Local Authority Cyber Resilience Planning Guide

Author: Mark Brett

June 2021 Version 3

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

2"

Background

Following the events of 11th September 2001, and the London bombings of 7th July 2005,

and the WannaCry malware incidents across the NHS, have caused many organisations

to consider an annual review process for their Business Continuity Planning.

This guide is to assist managers in preparing and implementing Business Continuity

Plans, to aid Cyber Resilience.

The guide aims to mitigate the impact of unforeseen events on the business.

Subsequently, the Civil Contingencies Act 2004 and the events of 7thJuly 2005 have also

heightened the need for a robust Business Continuity planning framework. In todays

interconnected Internet driven world such planning is even more important. The shift to

Cloud computing is making this even more difficult.

This guide was originally written in 2003 and has been updated over the years. The

approach is still sound and this is continued work in progress.

Mark Brett MRes CITP CMngr FICPEM FBCS FCMI MCIIS MEPS MSyI

Honorary Visiting Fellow (Cyber Security)

Cyber Centre London Metropolitan University

Your welcome to make use of the contents of this document for non-commercial

purposes including Public Sector use. However I would ask that you acknowledge the

fact in your derived work.

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

3"

INTRODUCTION

Every year unforeseen emergencies take their toll on business and industry -- in lost

business and escalated costs. Something can be done. Business and industry can limit

the impact and losses, returning quickly to normal operations if they plan ahead.

This guide provides step-by-step advice on how to create and maintain a comprehensive

Business Continuity Planning Programme.

To begin, you need not have in-depth knowledge of Cyber Resilience. What you need is

the authority to create a plan and a commitment from the Chief Officer to make

Business Continuity Planning part of the corporate culture If you already have a plan,

use this guide as a resource to assess and update your plan. The guide is organised as

follows:

Section 1: 4 Steps in the Planning Process -- how to form a planning team; how to

conduct a vulnerability analysis; how to develop a plan; and how to implement the plan.

The information can be applied to virtually any type of business or industry.

Section 2: Business Continuity Planning Considerations -- how to build such Business

Continuity Planning capabilities as Health & Safety, Property Protection,

Communications and Community Outreach.

Section 3: Hazard-Specific Information -- technical information about specific hazards

your building or site may face.

Section 4: Information Sources -- where to turn for additional information.

Appendix A BCM plan and risk assessment toolkit

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

4"

What Is an Emergency?

An emergency is any unplanned event that can cause disruption or significant injuries to

employees, customers or the public; or that can shut down your business, disrupt

operations, cause physical or environmental damage, or threaten the facility's financial

standing or public image. Obviously, numerous events can be "emergencies," including:

1.Fire!

2.Hazardous materials incident!

3.Flood or flash flood!

4.Terrorist Incident!

5. Malicious Incident (public or Employee)

6.Winter storm (Weather)!

7.Communications failure!

8.Civil disturbance (Transport strikes)!

9.Loss of key supplier or customer!

10.Explosion (Gas etc)

The term "disaster" has been left out of this document because it lends itself to a

preconceived notion of a large-scale event, usually a "natural disaster." In fact, each

event must be addressed within the context of the impact it has on the authority and

the community. What might constitute a nuisance to the Council in general could be a

"disaster" to a section or department.

What Is Cyber Resilience?

Cyber Resilience is the process of ; preparing for, mitigating, responding to and

recovering from an emergency, which involves Cyber, that is a system or service, which

is delivered by a network or the Internet, to a remote device, often through a web

browser.

Business Continuity Planning is a dynamic process. Planning, though critical, is not the

only component. Training, conducting exercises, testing equipment and co-ordinating

activities with the community are other important functions.

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

5"

Making the "Case" for Cyber Resilience

To be successful, Business Continuity Planning requires senior management support.

The chief executive sets the tone by authorising planning to take place and directing

senior management to get involved.

When presenting the "case" for Cyber Resilience, avoid dwelling on the negative effects

of an emergency (e.g., deaths, fines, and criminal prosecution) and emphasise the

positive aspects of preparedness. For example:

1. It helps the Council fulfill its’ moral responsibility to protect employees, the

community and the environment.

2. It facilitates compliance with regulatory requirements such as Health & Safety.

3. It enhances the Council’s ability to recover from financial losses, regulatory fines,

complaints from members and the public, damage to equipment and business

interruption.

4. It reduces exposure to civil or criminal liability in the event of an incident.

5. It enhances the Council’s image and credibility with employees, customers, suppliers

and the community.

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

6"

SECTION 1

4 STEPS IN THE PLANNING PROCESS

Having established what your planning for (the scope)

Step 1 -- Establish a Planning Team

!

Step 2 -- Analyse Capabilities and Hazards

Step 3 -- Develop the Plan

!

Step 4 -- Implement the Plan

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

7"

STEP 1 -- ESTABLISH A PLANNING TEAM.

There must be an individual or group in charge of developing the Business Continuity

Plan. The following is guidance for making the appointment.

1. Form the Team.

The size of the planning team will depend on the department’s operations,

requirements and resources. Usually involving a group of people is best because:

a. It encourages participation and gets more people invested in the process. b. It

increases the amount of time and energy participants are able to give. c. It enhances the

visibility and stature of the planning process.!d. It provides for a broad perspective on

the issues.

Determine who can be an active member and who can serve in an advisory capacity. In

most cases, one or two people will be doing the bulk of the work.

Some of the planning and co-ordination, could be out sourced to the Emergency

Planning .At the very least, you should obtain input from all functional areas.

Remember:

a. Senior management !

b. Line management !

c. Personnel and Occupational Health !

d. Engineering and maintenance !

e. Health & Safety !

f. Public information officer (Press & Publicity)

g. Security !

h. Community relations and groups !

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

8"

i. Councillors as appropriate !

j. Departmental Representatives (Operational Service Delivery) !

k. Legal Services !

l. Finance and purchasing !

Have participants appointed in writing by senior management. Their job descriptions

could also reflect this assignment and extra duties.

2. Establish Authority.

Demonstrate management's commitment and promote an atmosphere of

empowerment by "authorising" the planning group to take the steps necessary to

develop a plan. The Chief Officer or the Business Unit Manager should lead the group.

Establish a clear line of authority between group members and the group leader, though

not so rigid as to prevent the free flow of ideas.

3. Issue a Mission Statement – Which quantifies the purpose and scope of the plan.

Have the Chief Executive or Service/Business Unit Manager issue a mission statement to

demonstrate the authority’s commitment to Cyber Resilience. The statement should:

Define the purpose of the plan and indicate that it will involve the entire organisation.

Define the authority and structure of the planning group

4. Establish a Schedule and Budget

Establish a work schedule and planning deadlines. Timelines can be modified as

priorities become more clearly defined.

Develop an initial budget for such things as research, printing, seminars, consulting

services and other expenses that may be necessary during the development process.

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

9"

STEP 2 -- ANALYSE CAPABILITIES AND HAZARDS.

This step entails gathering information about current capabilities and about possible

hazards and emergencies, and then conducting a vulnerability analysis to determine the

facility's capabilities for handling emergencies.

1. WHERE DO YOU STAND RIGHT NOW? Establishing a baseline

Review Internal Plans and Policies. Documents to look for include:

a. Evacuation plan

b. Fire protection plan !

c. Health &Safety procedures !

d Environmental policies

e. Security procedures !

f. Insurance programs !

g. Finance and purchasing procedures !

h. Quality Procedures !

i. Personnel Handbook !

j. Internal SLAs and External Contracts. !

k. Health & Safety risk assessments !

l. Risk management plan !

m Capital improvement program n. Mutual aid agreements

Business Continuity Planning Guide

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

10"

2. Establish Partnerships

Meet with external agencies, community organisations and utilities. Ask about potential

emergencies and about their plans and available resources for responding

Sources of information include:

• Local Resilience Forum Cooridnator

• Emergency Planning Officer

• Local Hospital!

• Local Community

• Liaison Groups Fire Brigade

• Local Police!Ambulance Emergency Planning Officer!

• Telecommunications Companies

• Cellular providers

• Electric,

• Gas and Water Utilities!

• Neighbouring Authorities!

Web sites see: http://www.ukresilience.info/contingencies/cont_index.htm Business

Continuity Institute see: www.thebci.org!Association of Local Authority Risk Managers

http://www.alarm-uk.com/ Society of Information Technology Management SOCITM:

www.socitm.net

Emergency Planning Society :http://www.emergplansoc.org.uk/

3. Identify Codes and Regulations

Identify applicable legislation and local regulations such as:

Occupational Health & Safety regulations Environmental regulations!Fire procedure

codes!Corporate policies

4. Identify Critical Services and Operations

You'll need this information to assess the impact of potential emergencies and to

determine the need for backup systems. Areas to review include:

a. Council services and the facilities and equipment needed to produce them !

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

11"

b. Products and services provided by suppliers, especially sole source vendors !

c. Lifeline services such as electrical power, water, sewer, gas, telecommunications !and

transportation !

d. Operations, equipment and personnel vital to the continued functioning of the !

facility !

5. Identify Internal Resources and Capabilities

Resources and capabilities that could be needed in an emergency include:

a. Personnel -- Fire, Police and Ambulance Council Emergency services response team,

security, Business Continuity Planning group, Fire wardens, First Aid, Public Information

Officers. Computer Emergency Response Team

b. Equipment -- fire protection and suppression equipment, communications

equipment, first aid supplies, emergency supplies, warning systems, emergency power

equipment.

c. Facilities – Establish a Crisis Management Centre (, media briefing area, survivor

reception centres, first-aid stations. Communications point, internal and external.!An

emergency website, either part of the corporate one or separate. Make sure people

know the address of it.

d. Organisational capabilities -- training, evacuation plan, employee support system

(Counselling)

e. Backup systems -- arrangements with other facilities to provide for: Identify your

Business critical processes and systems.

. (1) Payroll !

. (2) Communications !

. (3) Production !

. (4) Customer services !

. (5) Post room services and receiving i.e. CFM print runs !

. (6) Information systems support !

. (7) Emergency power !

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

12"

. (8) Recovery support !

6. Identify External Resources

There are many external resources that could be needed in an emergency. In some

cases, formal agreements may be necessary to define the facility's relationship with the

following:

A. Local Resilience Forum (LRF)!

B. Fire Brigade !

C. Hazardous materials Health & Safety Executive !

D. Emergency medical services

E. Hospitals !

F. Local Police liaison

G. Community service organisations !

H. Utilities !

I. Key Contractors & Suppliers

7. Suppliers of emergency equipment

Insurance companies

Do an Insurance Review

Meet with Insurance Officer (Finance Dept) to review all policies and cover. (See Section

2: Recovery and Restoration.) Insurance is not a substitution to proper planning and

preparedness.

8. Conduct A Vulnerability (Risk) Analysis

The next step is to assess the vulnerability of your site -- the probability and potential

impact of each emergency. Use the Vulnerability (Risk) Analysis Chart in the appendix

section to guide the process, which entails assigning probabilities, estimating impact and

assessing resources, using a numerical system. The lower the score the better.

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

13"

9. Brainstorm Potential Emergencies & Scenarios to plan for

In the first column of the chart, list all emergencies that could affect your department,

including those identified by the Emergency Planning officer. Consider both:

a. Emergencies that could occur within your Site / Department b. Emergencies that

could occur in your community

Historical -- What types of emergencies have occurred in the community, at this facility

and at other facilities in the area?

a. b. c. d. e. f. g. h.

Fires!Severe weather Hazardous material spills Transportation accidents Bomb threats

Transport strikes!Terrorism and Industrial action

Utility outages

Geographic -- What can happen as a result of the facility's location?

Keep in mind:

a. Proximity to flood spots, electrical lines, railways, major roads etc. !

b. Proximity to companies that produce, store, use or transport hazardous material !

c. Proximity to major transportation routes and airports !

d. Proximity to terrorist targets. !

Technological -- What could result from a process or system failure? Possibilities

include:

a. Fire, explosion, hazardous materials incident - storage batteries !

b. Safety system failure !

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

14"

c. Telecommunications failure !

e. Computer system failure !

f. Power failure !

g. Heating/cooling system failure !

h. Emergency notification system failure !

Human Error -- What emergencies can be caused by employee error? Are employees

trained to work safely? Do they know what to do in an emergency? Human error is the

single largest cause of workplace emergencies and can result from:

a. Poor training !

b. Poor maintenance !

c. Carelessness !

d. Misconduct !

e. Substance abuse !

f. Fatigue

Physical -- What types of emergencies could result from the design or construction of

the facility? Does the physical facility enhance safety? Consider:

a. The physical construction of the facility b. Hazardous processes or by-products c.

Facilities for storing combustibles!

d. Layout of equipment

e. Lighting

f. Evacuation routes and exits !

g. Proximity of survivor reception centres !

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

15"

Regulatory -- What emergencies or hazards are you regulated to deal with? Analyse

each potential emergency from beginning to end. Consider what could happen as a

result of:

a. Prohibited access to the facility !

b. Loss of electric power !

c. Communication lines down !

e. Ruptured gas mains !

f. Water damage !

g. Smoke damage !

h. Structural damage !

i. Air or water contamination !

j. Explosion !

k. Building collapse !

l. Trapped persons !

m. Chemical release !

10. Estimate Probability

In the Probability column, rate the likelihood of each emergency's occurrence. This is a

subjective consideration, but useful nonetheless.!Use a simple scale of 1 to 5, with 1 as

the lowest probability and 5 as the highest.

11. Assess the Potential Human Impact (HARM Modelling)

Analyse the potential human impact of each emergency -- the possibility of death or

injury.

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

16"

Assign a rating in the Human Impact column of the Vulnerability Analysis Chart. Use a 1

to 5 scale with 1 as the lowest impact and 5 as the highest.

12. Assess the Potential Property Impact

Consider the potential property for losses and damages. Again, assign a rating in the

Property Impact column, 1 being the lowest impact and 5 being the highest. Consider:

a. Cost to replace !

b. Cost to set up temporary replacement !

c. Cost to repair !

13. Assess the Potential Business Impact

Consider the potential loss of market share. Assign a rating in the Business Impact

column. Again, 1 is the lowest impact and 5 the highest. Assess the impact of the

following. This applies to your Department and your external (CCT) suppliers if

applicable. Check your SLA’s and Contracts.

a. Business interruption !

b. Employees unable to report to work !

c. Customers unable to reach facility !

d. Authority in violation of contractual agreements !

e. Imposition of fines and penalties or legal costs !

f. Interruption of critical supplies !

g. Interruption of Service Delivery !

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

17"

14. Assess Internal and External Resources

Next assess your resources and ability to respond. Assign a score to your Internal

Resources and External Resources. The lower the score the better.!To help you do this,

consider each potential emergency from beginning to end and each resource that would

be needed to respond. For each emergency ask these questions:

Do we have the needed resources and capabilities to respond?

Will external resources be able to respond to us for this emergency as quickly as we may

need them, or will they have other priority areas to serve?

If the answers are yes, move on to the next assessment. If the answers are no, identify

what can be done to correct the problem. For example, you may need to:

a. Develop additional emergency procedures !

b. Conduct additional training !

c. Acquire additional equipment !

d. Establish mutual aid agreements !

e. Establish agreements with specialised contractors

!

15. Add the Columns

Total the scores for each emergency. The lower the score the better. While this is a

subjective rating, the comparisons will help determine planning and resource priorities -

- the subject of the pages to follow.

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

18"

STEP 3 -- DEVELOP THE PLAN

You are now ready to develop a Business Continuity Planning plan. This section

describes how.

PLAN COMPONENTS

Your plan should include the following basic components.

1. Executive Summary

The executive summary

Gives management a brief overview of the purpose of the plan Details the Business

Continuity Planning policy!Authorises the facilities and responsibilities of key personnel;

Details the types of emergencies that could occur

Explains how and where response operations will be managed.

!2. Business Continuity Planning Elements

!

This section of the plan briefly describes the

facility's approach to the core elements

Cyber Resilience, which are:

Command and control!Communications!Life and Limb - protecting your staff and the

public. Property protection!Community outreach!Recovery and restoration!

Administration and logistics.

These elements, which are described in detail in Section 2, are the foundation for the

emergency procedures that your facility will follow to protect personnel and equipment

and resume operations.

3. Emergency Response Procedures

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

19"

The procedures spell out how the facility will respond to emergencies. Whenever

possible, develop them as a series of checklists that can be quickly accessed by Senior

Management, Department heads, response personnel and employees.

Determine what actions would be necessary to:

a. Assess the situation !

b. Protect employees, customers, visitors, equipment, vital records and other !assets,

particularly during the first phase of the emergency !

c. Get the business back up and running. !

Specific procedures might be needed for any number of situations such as bomb threats

or fire, and for such functions as:

Warning employees and customers!Communicating with personnel and community

responders Conducting an evacuation and accounting for all persons in the facility

Managing response activities!Activating and operating an emergency operations centre

!Fighting fires!Shutting down operations!Protecting vital records!Restoring operations

4. Support Documents

Documents that could be needed in an emergency include:

Emergency call lists -- lists (wallet sized if possible) of all persons on and off site who

would be involved in responding to an emergency, their responsibilities and their 24-

hour telephone numbers.

Building and site maps that indicate:

a. Utility shutoffs !

b. Water hydrants !

c. Water main valves !

d. Water lines !

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

20"

e. Gas main valves !

f. Gas lines !

g. Electrical cut-offs !

h. Electrical substations !

i. Storm drains !

j. Sewer lines !

k. Location of each building (include name of building, street name and number) !

l. Floor plans !

m. Alarm and communicators !

n. Fire extinguishers !

o. Fire suppression systems !

p. Exits !

q. Stairways !

r. Designated escape routes !

s. Restricted areas !

t. Hazardous Materials (including cleaning supplies and chemicals) !

u. Copies of building plans !

v. Copies of telecommunication route plans (Telephone and fibre cables) !

w. Location of High-value items; (Deeds, Bonds, Contracts, evidence etc.) !

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

21"

5.Resource lists

Lists of major resources (equipment, supplies, and services) that could be needed in an

emergency; mutual aid agreements with other companies and government agencies.

1. Emergency escape procedures and routes !

2. Procedures for employees who perform or shut down critical operations before an

evacuation !

3. Procedures to account for all employees, visitors and contractors after an evacuation

is completed !

4. Rescue and medical duties for assigned employees !

5. Procedures for reporting emergencies !

6. Names of persons or departments to be contacted for

THE DEVELOPMENT PROCESS

The following is guidance for developing the plan.

1. Identify Challenges and Prioritise Activities

Determine specific goals and milestones. Make a list of tasks to be performed, by whom

and when. Determine how you will address the problem areas and resource shortfalls

that were identified in the vulnerability analysis.

2. Write the Plan

Assign each member of the planning group a section to write. Determine the most

appropriate format for each section.

Establish an aggressive timeline with specific goals. Provide enough time for completion

of work, but not so much as to allow assignments to linger. Establish a schedule for:

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

22"

a. First draft !

b. Peer review (include other sections) !

c. Second draft !

d. Tabletop exercise (invite other sections/departments to participate) !

e. Final draft !

f. Printing !

g. Distribution publish widely including intranet – share best practise !

h. Amendments procedures !

3. Establish a Training Schedule

Have one person or department responsible for developing a training schedule for your

facility. For specific ideas about training, refer to Step 4.

4. Coordinate with Outside Agencies and Organisations

Meet periodically with other government agencies and community organisations.

Inform appropriate government agencies that you are creating a Business Continuity

plan. While their official approval may not be required, they will likely have valuable

insights and information to offer.

Determine central government and local requirements for reporting emergencies, and

incorporate them into your procedures. Appoint a ‘logist’ to keep detailed records of all

executive orders, actions and operations. Number and time record all options. This will

include actions, outcomes and costs incurred, along with details of who authorised the

actions.

Trigger Points and Protocols

The CRASH Gates Protocol Trigger Points can be thought of a pre-defined Consequence

Relevance Acceleration Severity and Harm (CRASH) Gates.

The CRASH Gate model for assessing Cyber incident trigger points;

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

23"

Consequence Scaling

1) Locally contained within the Organisation at a Sub-Departmental / Directorate

Level

2) Locally contained within the Organisation at Departmental / Directorate Level

3) Local contained within the Organisation

4) Affecting multiple Organisations Sub-Regionally

5) Affecting multiple Organisations Regionally

6) Affecting multiple Organisations Nationally

Relevance Scoring

1) We do not have this technology in our infrastructure

2) We have this technology, we are fully patched.

3) We have this technology, we are partially patched

4) We have this technology, we are not patched

5) We have this technology, we are compromised

Severity Scoring

1) Not affecting our infrastructure directly

2) Affecting some of our infrastructure

3) Affecting most of our infrastructure

4) Affecting all of our infrastructure

5) Our infrastructure is over run and non-functioning

HARM Levels

1) The organisation is unaffected

2) The organisation is affected, but fully operational

3) The organisation is affected, and is partially operational

4) The organisation is compromised essential services still functioning

5) The organisation is compromised essential services lost.

Determine protocols and trigger points for turning command and control of a

response over to outside agencies.

Some details that may need to be worked out are:

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

24"

a. Which gate or entrance will responding emergency service units use? !

b. Where and to whom will they report? !

c. How will they be identified? How will they know you? (tabards/ID) !

d. How will facility personnel communicate with outside responders? !

e. Who will be in charge of response activities? !

Determine what kind of identification authorities (Police/Fire) will require to allow your

key personnel into your facility during an emergency. Develop and agree special ID cards

and tabards etc. Ensure everyone is thoroughly briefed.

Produce A4 laminated cards which detail the key roles and responsibilities for each job.

Produce a pocket size card, with emergency contact numbers, and the five major points

of the job role, where to report to etc.

Determine the needs of disabled persons and non-English-speaking personnel. For

example, a blind employee could be assigned a partner in case an evacuation is

necessary.

A disabled person is anyone who has a physical or mental impairment that substantially

limits one or more major life activities, such as seeing, hearing, walking, breathing,

performing manual tasks, learning, caring for oneself or working.

Be mindful of language barriers, written and verbal.

Your emergency planning priorities may be influenced by government regulation. To

remain in compliance you may be required to address specific Business Continuity

Planning functions that might otherwise be a lower priority activity for that given year.

5. Maintain Contact with Other Departments

Communicate with other offices and departments within the authority to learn:

a. Their emergency notification requirements!

b. The conditions where mutual assistance would be necessary!

c. How offices will support each other in an emergency!

d. Names, email, telephone numbers and mobile numbers of key personnel

Incorporate this information into your procedures.

6. Conduct Training and Revise plans and procedures as necessary.

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

25"

Share review information with other Departmental representatives. Use the Intranet

server to publish timely information

Distribute the first draft to group members for review. Revise as needed.

For a second review, conduct a tabletop exercise with management and personnel who

have a key Business Continuity Planning responsibility. In a conference room setting,

describe an emergency scenario and have participants discuss their responsibilities and

how they would react to the situation. Based on this discussion, identify areas of

confusion and overlap, and modify the plan accordingly.

7. Seek Final Approval

Arrange a briefing for the Chief Officer and Senior Management and obtain written

approval.

8. Distribute the Plan

Place the final plan in four-ring binders and number all copies and pages. Document

control procedures are essential for quality and auditing.

Each individual who receives a copy should be required to sign for it and be responsible

for posting subsequent changes.

Ensure the plan is published on the Intranet and kept up to date. Consider storing the

plan on a secure Internet facility, this will ensure authorised people can access the plan

from anywhere.

Determine which sections of the plan would be appropriate to show to other agencies

(some sections may refer to Confidential Corporate or Departmental Information or

include private listings of names, telephone numbers or access codes and passwords).

Distribute the final plan to:

a. Chief Officers and Senior Managers !

b. Key members of the authority's emergency response organisation !

c. Chief Executives Office, !

d. Emergency Planning Unit. !

e. Community emergency response agencies (appropriate sections) !

f. Key external suppliers. Ensure you figure in their emergency plans. !

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

26"

Have key personnel keep a copy (paper or electronic) of the plan in their homes? Inform

employees about the plan and

Consolidate emergency plans for better co-ordination. Stand-alone plans, such as

Computer Disaster Recovery Plans, Fire Protection plan or Health and Safety plan,

should be incorporated into one comprehensive plan.

STEP 4 -- IMPLEMENT THE PLAN

Implementation means more than simply exercising the plan during an emergency. It

means acting on recommendations made during the vulnerability analysis, integrating

the plan into authority operations, training employees and evaluating the plan.

INTEGRATE THE PLAN INTO DEPARTMENTAL OPERATIONS

Emergency planning must become part of the corporate culture.

Look for opportunities to build awareness; to educate and train personnel; to test

procedures; to involve all levels of management, all departments and where appropriate

the community in the planning process; and to make Business Continuity Planning part

of what personnel do on a day-to-day basis.

Include the emergency procedures into induction training.!Ensure the emergency

procedures are discussed at a quarterly management

meeting as an agenda item.!Build the process into all project plans.

Test how Completely the Plan has been Integrated by Asking:

How well does senior management support the responsibilities outlined in the plan?

Have emergency planning concepts been fully incorporated into the Department’s

accounting, personnel and financial procedures?

How can the Council’s processes for evaluating employees and defining job

classifications better address Business Continuity Planning responsibilities?

Are there opportunities for distributing emergency preparedness information through

corporate newsletters, employee manuals or employee mailings?

What kinds of safety posters or other visible reminders would be helpful?!Do personnel

know what they should do in an emergency?!

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

27"

CONDUCT TRAINING, EXERCISES AND EXERCISES

Everyone who works at or visits (Contractors) the site requires some form of training.

This could include periodic employee discussion sessions to review procedures,

technical training in equipment use for emergency responders, evacuation exercises and

full-scale exercises. Below are basic considerations for developing a training plan.

1. Planning Considerations

Assign responsibility for developing a training plan. Consider the training and

information needs for employees, contractors, visitors, managers and those with an

emergency response role identified in the plan.!Determine for a 12 month period:

a. Who will be trained? !

b. Who will do the training? !

c. What training activities will be used? !

d. When and where each session will take place? !

e. How the session will be evaluated and documented? !

Use the Training Exercises and Exercises Chart in the appendix section to schedule

training activities or create one of your own.

Consider how to involve community responders in training activities.!Conduct reviews

after each training activity. Involve both personnel and community responders in the

evaluation process.

2. Training Activities

Training can take many forms:

a. Orientation and Education Sessions (Discussion Exercises) These are regularly

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

28"

scheduled discussion sessions to provide information, answer questions and identify

needs and concerns.

b. Tabletop Exercise -- Members of the Business Continuity Planning group meet in a

conference room setting to discuss their responsibilities and how they would react to

emergency scenarios. This is a cost-effective and efficient way to identify areas of

overlap and confusion before conducting more demanding training activities.

c. Walk-through Exercise -- The Business Continuity Planning group and response teams

actually perform their emergency response functions. This activity generally involves

more people and is more thorough than a tabletop

d. Functional Exercises -- These exercises test specific functions such as medical

response, emergency notifications, warning and communications procedures and

equipment, though not necessarily at the same time. Personnel are asked to evaluate

the systems and identify problem areas.

e. Evacuation Exercise -- Personnel walk the evacuation route to a designated area

where procedures for accounting for all personnel are tested. Participants are asked to

make notes as they go along of what might become a hazard during an emergency, e.g.,

stairways cluttered with debris, smoke in the hallways. Plans are modified accordingly.

f. Full-scale Exercise -- A real-life emergency situation is simulated as closely as possible.

This exercise involves authority emergency response personnel, employees,

management and community response organisations.

3. Employee Training

General training for all employees should address:

a. Individual roles and responsibilities !

b. Information about threats, hazards and protective actions !

c. Notification, warning and communications procedures !

d. Means for locating family members in an emergency !

e. Emergency response procedures !

f. Evacuation, shelter and accountability procedures !

g. Location and use of common emergency equipment !

©"Mark"Brett"2021.""Cyber"Resilience"Guide"Version"3.0""June"2021.""""""""""-"""

29"

h. Emergency shutdown procedures !

The scenarios developed during the vulnerability analysis can serve as the basis for

training events.

4. Evaluate and Modify the Plan

Conduct a formal audit of the entire plan at least once a year. Among the issues to

consider are:

a. How can you involve all levels of management in evaluating and updating the plan? !

b. Are the problem areas and resource shortfalls identified in the vulnerability analysis

being sufficiently addressed? !

c. Does the plan reflect lessons learned from exercises and actual events? !

d. Do members of the Business Continuity Planning group and emergency response

team understand their respective responsibilities? Have new members been

trained? !

e. Does the plan reflect changes in the physical layout of the facility? Does it !reflect

new facility processes?

f. Are photographs and other records of facility assets up to date? !

g. Is the facility attaining its training objectives? !

h. Have the hazards in the facility changed? (H&S Risk Assessments) !

i. Are the names, titles and telephone numbers in the plan current? !

j. Are steps being taken to incorporate Business Continuity Planning into the business

processes? !

k. Have community agencies and organisations been briefed on the plan? Are they

involved in evaluating the plan? !

In addition to a yearly audit, evaluate and modify the plan at these times:

a. After each training exercise !

30"

b. After each emergency !

c. When personnel or their responsibilities change !

d. When the layout or design of the facility changes !

e. When policies or procedures change !

f. Remember to brief personnel on changes to the plan. !

Audit:

Conduct a formal audit of the entire plan at least once a year

31"

Appendix A

Business Continuity Planning Toolkit with Risk Assessment diagnostics

Organisation Name

!

[BUSINESS CONTINUITY PLAN COMPONENTS]

[Change all headings as required]

Directorate / Department:

Contact Name:

!

E-Mail:

I. Business Continuity Planning Outline

!

II. Business Continuity Plan Template

!

III. Business Continuity Plan Worksheets A. Checklist

B. Business Process Template

!

C. Recovery Procedures Template D. Risk Assessment

Worksheets

Date Completed:

Phone:

Written by: _____________________________________Date:____________ Written

by: _____________________________________Date:____________

Review Date: [. ]

32"

I. Business Continuity Planning Outline Phase One

Identify Current Mission-Critical Business Processes (See Operations Plan

for starting point) !

Assess Impact or Importance of Business Processes, considering: !

Health and Safety !

Revenue or Cash Flow (Treasury) implications !

Number of Citizens, Businesses, or Employees Impacted !

Central Government Reporting Requirements !

Public Perception

Identify Resources and Dependencies !

Evaluate Risk or Likelihood of Failure !

Application Systems and Interfaces !

IT Infrastructure !

Third Party Products

Supply Chain !

Infrastructure (Facilities, Telecom, Utilities) !

Establish Priority Based upon Impact and Risk

33"

Phase Two

Develop Business Continuity Plan Based upon Available Resources and Time Make

Assumptions to Focus Plan

Devise Alternatives to Complete Core Business Processes, considering: Roles &

Responsibilities!Communication Channels!Manual Work arounds

Triggering Events!Who Invokes the Plan!Required Training & Preparation How & Who

Maintains the Plan Needed Supplies & Equipment Additional Staffing Needs!What Ends

the Plan!Clean-Up

Review for Completeness

Phase Three

Exercise the Plan!Make Modifications as Needed

II. Business Continuity Plan Template

The following sections are included in a Contingency Plan Template. It is a sample

template, therefore, sections may be added or deleted as appropriate.

Phase I

PROCESS:!Provide the name and a brief overview of the critical business function as it

currently exists. PRIORITY:

Determine the priority of this contingency plan relative to the other contingency plans,

if multiple failures occur within an authority. Use this section if applicable.

RISK DESCRIPTION:

Describe in simple terms the risk concern and the impact to the

authority. Include the nature and likelihood of expected disruptions or impacts.!

For example:-!Electrical power is unavailable. If processing cannot be resumed

within 3 days, Client checks will be late. !

Describe briefly any significant dependencies or linkages of the business

process with programs within the authority, with other authorities, or with other

parties either inside or outside of central or regional or place based partnership

!

34"

State explicitly any assumptions, which your Directorate or Business Unit

is making in this contingency plan. !MITIGATING STRATEGIES: !

Provide a brief conceptual description of how the contingency plan for the business

process is intended to work.

For example:-

!

Conduct additional quality assurance review of documents prior to

mailing.

Set up account in advance with alternate supplier(s) and establish procedures for using

the alternate supplier.

Investigate feasibility and cost of an uninterruptible power supply.

Describe the level of services to be provided during the disruption.

For example:

Provide continuation of normal operations.

Provide continuation of service in a degraded mode.

Provide complete departure from normal functions as quickly

Business Continuity Planning Guide

Phase 2

ACTIVATION TRIGGER(S):

!

Describe the specific events or conditions that will trigger or

invoke the plan.

For example:

Employees can’t access building entry via electronic access cards or tokens.

RECOVERY PROCEDURES:

Describe the expected life or duration of the contingency plan. !For

example:

!

How long it might be necessary to operate under the plan. !Any special

timing-related constraints, e.g., back-up batteries need re-charging after 10

hours. !

35"

Provide detailed, step-by-step procedures for initiating and executing

contingency operations, and for transitioning back to normal (non-contingency)

operations with the names of the persons who are to serve specific roles

regarding the plan. !For example:

!

Initiate internal and vendor list notification

procedures – Responsibility: Ms. X Get backup listings from off-site storage –

Responsibility: Mr. Y

!

Contact alternate supplier to provide needed supplies –

Responsibility: !

IMPLEMENTATION:

Name BCP Coordinator and Team

Provide the name and contact information of the person who will give the order to

invoke the plan.

Provide the name of the person who will give the order to return to normal operations.

Provide a brief description of significant resources needed to implement, execute, and

transition out of contingency operation. Also identify the person who is responsible for

acquiring these resources, as events may warrant.

For example:

!

Staffing and scheduling of personnel.

!

Equipment, temporary hardware

and software, forms and supplies, etc. Possible temporary working facilities.

!

Communications, both verbal and data.

Phase 3

Provide a brief description of any training or exercising of the plan that will be

necessary.

For example:

!

Perform a structured walk-through to ensure that all the processes will

work as expected.

Perform an exercise or “dry-run” to ensure that all the processes work.

Perform a “mock” exercise with required staff and vendors on a non-work day.

In continuity planning, the maintenance process ensures that people and process

aspects of the plan which need additional work are properly addressed and corrected.

The following types of maintenance should be conducted for every business continuity

plan in your Directorate or Business Unit:

o Scheduled!o Unscheduled o Post exercised

36"

37"

III. BUSINESS CONTINUITY PLANNING WORKSHEETS

IV.

A. Checklist

!

B. Business Process Template

!

C. Recovery Procedures Template

D. Risk Assessment Worksheets

COMPONENTS OF A Cyber Resilience Plan

CHECKLIST

Checklist Components

AUTHORITY:

!

Authority Name * PROCESS:

!

Business Process Name * Business Process

Overview PRIORITY:

Priority within authority

RISK DESCRIPTION:

Risk Description!Impact of Risk on Authority!Nature and likelihood of disruptions

Dependencies upon business process Assumptions!MITIGATING STRATEGIES:

!

Mitigating Strategies description!Level of service to be provided

ACTIVATION TRIGGER(S):

!

Activation Trigger(s) *

!

RECOVERY PROCEDURES:

!

Duration of contingency plan!Recovery Procedures/Work-

Around * Responsible person for each action

IMPLEMENTATION:

!

Person invoking plan!Person ordering return to normal operations

Resources Required *

MAINTAINING/EXERCISING PLAN Training Required!Exercising Required!Person

responsible to obtain resources Maintenance Required

38"

39"

Business Process [Title]

Process:

Priority:

Risk Description:

Mitigating Strategies:

Activation Trigger(s):

CONTINGENCY PLAN

40"

RECOVERY PROCEDURE ACTION PLAN Recovery Procedures (Action Plan):

Duration:

Implementation: Person Responsible:

Invokes Plan:

Return to Normal Operations:

Resources Required:

(Staff, supplies, etc.)

Procedures Responsibility

1.

2.

3.

4.

41"

Sample Risk Assessment Worksheet

Purpose and Directions Purpose:

This worksheet is intended to provide a framework for answering the following

questions for a particular business process:

1. Where could a potential failure occur? !

2. Does it impact this business process? If so, how much? !

3. What has been done or is in progress to mitigate the threat of a failure? !

Based on the answers to the above questions: 4. What is the remaining risk?

By answering the last question, you should be in a better position to focus your

contingency planning efforts, particularly which business processes are most in need of

contingency planning and what specific failures do the contingency plans need to

address and at what level of detail.

Directions:

1.

2.

3.

4.

5.

6.

Choose a particular business process.

Review the areas of concern to determine if any need to be added or expanded upon

that are specific to the business process. Modify spreadsheet as

appropriate. Note: the Remediation or Mitigation Status Values are stored in columns E-

I, which are hidden.

For each area of concern, assign a level of dependency of High, Medium, Low, or Not

Applicable (or blank).

42"

Choose from the drop-down list of choices for the Remediation or Mitigation Status.

This information will most likely come from the individuals within your authority that

are responsible for status reports. If the choices do not properly reflect your status, type

in your own status description.

Based on the level of dependency and the remediation or mitigation status, assess the

remaining risk and assign a value of High, Medium, or Low. Alternatively, you may

choose to comment on your analysis rather than assign a specific level of risk.

Once you have determined the highest remaining risk areas, focus your Contingency

Planning initiative to address the risk areas. This would include which business

processes need contingency plans, how detailed the plans should be, and

43"

RISK ASSESSMENT WORKSHEET

Directorate/ Business Unit

Business Process:

Areas of Concern Mitigation status

Risk Assessment (H/M/L)

Level of Dependency (H/M/L)

44"

APPLICATION SYSTEMS

Hardware!Operating System!

Third Party Software!

Utilities/Macros!Date-Impacted

Custom Source Code/SCL!

Internal Interfaces!

External Interfaces (Banks, Government Agencies, Other NC)

Shared Data! Communications/Network

Hardware!Operating System Third Party Software

Telephone Switches

Voice Mail!Voice Response Units!Customer Service Centre reliance Mobile Phones!

Pagers!Fax

Power!Water/Sewer!Fire Alarm Systems Security Systems Building Control Systems

Parking Control Systems

Application Interfaces Hardware Infrastructure Supplier Support

PC/LAN

COMMUNICATIONS

45"

FACILITIES

DEPENDENCIES

Local Authority Cyber Resilience Planning Guide

Abstract

Recommended publications

Exercising cyber resilience: The Finnish experience

An overview of current issues and practice relating to local government cyber security in England an...

Cyber Incident Response -Working Paper

Cyber Incidents AI & Ethics in Context

Cyber Incident Approach Framework for Local Government - Cyber Incident Approach Framework for Local...