Commissioner's Directive

Business Continuity Program

PURPOSE

APPLICATION

Applies to all CSC employees assigned responsibility for Business Continuity Plans (BCPs).

RESPONSIBILITIES

  1. The Executive Committee members will:
    1. approve the National Business Continuity Program policy and governance
    2. review and approve identified critical services and associated assets
    3. approve Business Continuity Plans and activities
    4. ensure regular training, review, testing and audit
    5. ensure Business Continuity Program activities are supported by Information Management/Information Technology and other continuity plans and arrangements, as required.
  2. The Assistant Commissioner, Correctional Operations and Programs, will:
    1. oversee the Business Continuity Program as champion of emergency management through ensuring regular maintenance, training, testing and internal and external audits
    2. appoint a National Business Continuity Program Coordinator
    3. approve methodologies and guidelines for implementing the Business Continuity Program policy
    4. ensure that National and Regional Headquarters establish a Crisis Centre/Emergency Operations Centre in order to ensure that accurate, up-to-date information is disseminated
    5. ensure that information released to the public through the media is accurate, coordinated and consistent at all levels, and that it takes into consideration those factors which may be beyond the resolution of the emergency itself. No statement regarding the situation may be released unless it has been so coordinated
    6. coordinate the obtaining of funding and required resources.
  3. The Assistant Deputy Commissioner, Integrated Services/sector head will:
    1. ensure the timely completion of their sector or branch Business Continuity Plans
    2. approve, review and update plans annually or whenever there are significant changes to the organization, functions or service levels in order to maintain program readiness
    3. approve Business Continuity Plans, training and exercises
    4. participate in training and exercises to ensure the plans remain current and effective
    5. direct the development, implementation and testing of regional and local contingency plans including emergency and Business Continuity Plans
    6. report results to the National Business Continuity Program Coordinator
    7. provide strategic advice and guidance during a crisis.
  4. The Director General, Security Branch, will:
    1. manage the National Headquarters Crisis Centre/Emergency Operations Centre
    2. provide strategic advice and guidance during a crisis to ensure that accurate, up-to-date information is available to the Assistant Commissioner, Correctional Operations and Programs
    3. ensure that all Business Continuity Plans (e.g. contingency plans, disaster recovery plans, emergency plans) are reviewed, updated and approved, that they are inserted into the Crisis Response and Security Information Management System (CRSIMS), and that a signed paper copy is located in the National Headquarters Crisis Centre/Emergency Operations Centre by September 30th of every year
    4. ensure Business Continuity Plans in each sector are exercised at least every 12 months and report the results via email to GEN-NHQ Business Continuity Program.
  5. The Departmental Security Officer will:
    1. direct the national Business Continuity Program by developing and publishing policies, requirements and guidelines on Business Continuity Plans
    2. implement a National Business Continuity Program which falls under the authority of the Treasury Board Policy on Government Security
    3. provide strategic direction and advice and ensure that accurate, up-to-date information is available to the Director General, Security Branch
    4. provide an annual progress report with regard to the Business Continuity Program to the Executive Committee.
  6. The National Business Continuity Program Coordinator will:
    1. develop National Business Continuity Program policies, requirements, guidelines and governance
    2. provide advice and assistance to various sectors and regions in developing and implementing their Business Continuity Plan
    3. communicate business continuity program activities to employees and stakeholders
    4. establish committees, working groups and teams with defined roles and responsibilities to meet program requirements and effectively respond to emergencies and service disruptions
    5. ensure the completion of the business impact analysis and the maintenance of an inventory of CSC’s critical business functions
    6. ensure that Information Management/Information Technology and other continuity plans and arrangements are fully integrated into the Business Continuity Program
    7. provide for regular training for employees who have responsibilities in dealing with emergency situations, and for the review, testing and audit of Business Continuity Plans for branches and sectors
    8. liaise with other departments and agencies as necessary to coordinate Business Continuity Plans
    9. direct the business continuity exercise program.
  7. The Chief Information Officer and the Manager, Information Technology Security, will ensure that the Information Management Services Branch carries out the Business Continuity Program requirements pursuant to CD 225 – Information Technology Security.
  8. CSC’s Information Technology Continuity team, in partnership with business function managers, is responsible for ensuring that a comprehensive Information Technology Continuity Plan is developed, implemented and tested for all critical business functions. Responsibilities include:
    1. developing Disaster Recovery Plan standards, guidelines, models, processes and tools
    2. supporting the Business Continuity Program
    3. providing training to support the Disaster Recovery Plan
    4. maintaining a database of completed Disaster Recovery Plans
    5. executing information systems infrastructure recovery.
  9. The Institutional Head/District Director will:
    1. manage the Crisis Centre/Emergency Operations Centre
    2. provide strategic advice and guidance during a crisis to ensure that accurate, up-to-date information is available to the Assistant Deputy Commissioner, Integrated Services
    3. ensure that all Business Continuity Plans (e.g. contingency plans, disaster recovery plans, emergency plans) are reviewed, updated and approved, that they are inserted into the CRSIMS, and that a signed paper copy is sent to National Headquarters, Business Continuity Program, by September 30th of every year
    4. ensure regional Business Continuity Plans are exercised at least every 12 months and report the results via email to GEN-NHQ Business Continuity Program
    5. participate in training and exercises to ensure the plans remain current and effective.
  10. The designated Regional Business Continuity Program Coordinator will:
    1. collaborate with the National Business Continuity Program Coordinator
    2. provide awareness/training sessions as well as advice and guidance
    3. review the format and content of all Business Continuity Plans for regional sites
    4. provide annually and as required, an electronic copy of regional Business Continuity Plans (e.g. contingency plans, disaster recovery plans, emergency plans) in CRSIMS, and a hard copy to the National Business Continuity Program Coordinator at National Headquarters.

Commissioner,

Original Signed by:
Don Head

ANNEX A

CROSS REFERENCES AND DEFINITIONS

CROSS-REFERENCES

CD 225 – Information Technology Security
GL 318-3 – Environmental Emergency Plan
CD 345 – Fire Safety
CD 600 – Management of Emergencies
CD 800 – Health Services

Tabletop Exercise Guide for the Correctional Service of Canada

Canada Labour Code

Treasury Board Directive on Departmental Security Management
Treasury Board Fire Protection Standard
Treasury Board Operational Security Standard – Business Continuity Planning (BCP) Program
Treasury Board Policy on Government Security
Treasury Board Standard for Fire Safety Planning and Fire Emergency Organization – Chapter 3-1
Public Safety Canada Federal Emergency Response Plan
Public Safety Canada Emergency Management Planning Guide
Public Safety Canada All Hazards Risk Assessment Methodology Guidelines
Public Works and Government Services Canada Emergency Management Vocabulary

DEFINITIONS

Assets: tangible or intangible things of the Government of Canada. Assets include but are not limited to information in all forms and media, networks, systems, materiel, real property, financial resources, employee trust, public confidence and international reputation.

Business Continuity Plan (BCP): a plan developed to provide procedures and information for the continuity and/or recovery of critical service delivery and business operations in the event of a disruption.

Business Continuity Program: an integrated management process involving the development and implementation of activities that provides for the continuity and/or recovery of critical service delivery and business operations in the event of a disruption.

Business Impact Analysis: the process of determining the impact on an organization should a potential loss identified by the risk analysis actually occur. The business impact analysis should quantify, where possible, the loss impact from both a business interruption (number of days) and a financial, loss of life or other standpoint.

Contingency Plan: a plan developed for a specific event or incident.

Crisis: a situation that threatens public safety and security, the public’s sense of tradition and values or the integrity of the government.
Note: The terms "crisis" and "emergency" are not interchangeable. However, a crisis may become an emergency. For example, civil unrest over an unpopular government policy may spark widespread riots.

Critical Services: services whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the effective functioning of the Government of Canada.

Emergency: a present or imminent event that requires prompt coordination of actions concerning persons or property to protect the health, safety or welfare of people, or to limit damage to property or the environment.
Note: The terms "crisis" and "emergency" are not interchangeable. However, a crisis may become an emergency. For example, civil unrest over an unpopular government policy may spark widespread riots.

Exercise: a simulated scenario or live situation in which an organization practises its response activities to test its contingency plan and Business Continuity Plan (BCP). The annual exercises will be carried out in order to randomly test, in a non-repetitive manner, each contingency plan and Business Continuity Plan. The outcome of an exercise is to allow an organization to reveal planning weaknesses or gaps in resources, improve organizational coordination and communications, clarify roles and responsibilities, improve individual performance and satisfy regulatory requirements.

For additional definitions, refer to the Public Works and Government Services Canada Emergency Management Vocabulary, which lists over 200 terms and definitions for concepts used in emergency management.
