
Business Continuity Policy

2025.1

Reviewed: 9/20/2024
Updated: 9/20/2024

Purpose and Scope:

  1. The purpose of this policy is to ensure that IMPLAN establishes objectives, plans and procedures such that a major disruption to IMPLAN's key business activities is minimized.
  2. This policy applies to all infrastructure and data within IMPLAN's information security program.
  3. This policy applies to all management, employees, and suppliers that are involved in decisions and processes affecting IMPLAN's business continuity. This policy must be made readily available to all whom it applies to.

Background:

  1. The success of IMPLAN is reliant upon the preservation of critical business operations and essential functions used to deliver key products and services. The purpose of this policy is to define the criteria for continuing business operations for IMPLAN in the event of a disruption. Specifically, this document defines:
    a. The structure and authority to ensure business resilience of key processes and systems.
    b. The requirements for efforts to manage through a disaster or other disruptive event when the need arises.
    c. The criteria to efficiently and effectively resume normal business operations after a disruption.
  2. Within this document, the following definitions apply:
    a. Business impact analysis/assessment - an exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to return to a normal level of operation, and prioritizes recovery of processes and the supporting system.
    b. Disaster recovery plan - a set of human, physical, technical, and procedural resources to return to a normal level of operation, within a defined time and cost, when an activity is interrupted by an emergency or disaster.
    c. Recovery time objective - the amount of time allowed for the recovery of a business function or resource to a normal level after a disaster or disruption occurs.
    d. Recovery point objective - determined based on the acceptable data loss in the case of disruption of operations.

Controls and Procedures

Policy:

  1. Business Risk Assessment and Business Impact Analysis
    a. Each manager is required to perform a business risk assessment and business impact analysis for each key business system within their area of responsibility.
    b. The business risk assessment must identify and define the criticality of key business systems and the repositories that contain the relevant and necessary data for the key business system.
    c. The business risk assessment must define and document the Disaster Recovery Plan (DRP) for their area of responsibility. Each DRP shall include:

    • Key business processes.
    • Applicable risk to availability.
    • Prioritization of recovery.
    • Recovery Time Objectives (RTOs).
    • Recovery Point Objectives (RPOs).
  2. Disaster Recovery Plan
    a. Each key business system must have a documented DRP to provide guidance when hardware, software, or networks become critically dysfunctional or cease to function (short- and long-term outages).
    b. Each DRP must include an explanation of the magnitude of information or system unavailability in the event of an outage and the process that would be implemented to continue business operations during the outage. Where feasible, the DRP must consider the use of alternative sites or hosting locations.
    c. Each plan must be reviewed against IMPLAN's strategy, objectives, culture, and ethics, as well as policy, legal, statutory and regulatory requirements.
    d. Each DRP must include:

    • An emergency mode operations plan for continuing operations in the event of temporary hardware, software, or network outages.
    • A recovery plan for returning business functions and services to normal operations.
    • Procedures for periodic testing, review, and revisions of the DRP for all affected business systems, as a group and/or individually.
  3. Data Backup and Restoration Plans
    a. Each system owner must implement a data backup and restoration plan.
    b. Each data backup and restoration plan must identify:

    • The data custodian for the system.
    • The backup schedule of each system.
    • Where digital backups are to be stored and secured, as well as how access is maintained.
    • Appropriate restoration procedures to restore key business system data from digital backup to the system.
    • The restoration testing plan and frequency of testing to confirm the effectiveness of the plan.
    • The method for restoring encrypted backup media.