Business Continuity Planning Health Check

Survey Form

Note:

  • The information you enter will not be stored and will be fully deleted. Therefore, if you desire a record of your responses to the Business Continuity Health Check questions and the resulting profile, you will need to print them after you complete the survey and before you close your browser. If you decide to print a record, it has been determined that the resulting page(s) may be subject to a FOIL request.
  • Not responding to one or more questions will void the section and you will not receive an assessment for that element of the Business Continuity Health Check.
  • It is likely that, within an organization, multiple people from multiple divisions or bureaus share responsibility for emergency response, business continuity and disaster recovery. For this reason, it may be helpful to engage each of those individuals when answering the Health Check questions. We recommend that you print, review and answer the questions either in a group session where the responsible parties are present or by distributing the questions as an attachment to the various responsible parties.
Question format:
Each question will have three possible answers (Yes, Partial & No). Please select the answer that best fits your situation.
Total number of survey questions: 46
Build the Foundation for Business Continuity Planning
Total number of questions for section: 8
Total possible points for section: 100
  1. Does the business continuity planning function have sponsorship at an executive level?
     
  2. Does your agency have a business continuity coordinator?
     
  3. Does your agency have fiscal resources (other than staff salaries) dedicated to business continuity planning?
     
  4. Has your agency conducted a risk analysis of potential internal and external threats and vulnerabilities?
     
  5. Have you identified your agency's mission critical functions?
     
  6. Have you determined the recovery point objectives (RPOs) of the mission critical function(s), and implemented appropriate methods to achieve them?
     
  7. Has your agency identified which people, systems and processes are essential to your agency's ability to deliver its mission critical functions?
     
  8. Has your agency determined Recovery Time Objectives (how quickly essential people, systems and processes need to be back in operation following a disaster) for your mission critical functions?
     
 
Disaster Recovery
Total number of questions for section: 9
Total possible points for section: 100
  1. Is the business continuity and/or disaster recovery responsibility included in the job descriptions for sensitive job functions such as your system administrators, DBAs, department managers, etc.?
     
  2. Are there both primary and secondary personnel (backups) trained on all core and mission critical business and IT functions?
     
  3. Do you have policy and procedures manuals, and critical electronic data storage in an off site location accessible to agency personnel after a disaster such that agency business operations can be restored if lost at the primary site?
     
  4. Do you have an alternate facility equipped with critical equipment specifically for recovering IT functions, or reciprocal agreements with other agencies in the event of a disaster?
     
  5. Is your alternate site located outside the city of your primary site (not on the same geological fault lines, and on different water, power, network/internet and telecommunications infrastructures)?
     
  6. Does your business continuity plan include a backup schedule and media storage strategy that will recover the entire information flow, including applications connectivity and access endpoints?
     
  7. Does your agency have arrangements with vendors for the quick ship and replacement of critical hardware, software and network equipment?
     
  8. Have you considered the implications of long-term operations (for example, more than 30 days) at the recovery site?
     
  9. Have you developed formalized processes and procedures to return to the primary site after a disaster? For example, do plans include handling backups at the recovery site in the same manner as your primary site such that you can go back to your production site and be current with the processing done in recovery mode?
     
 
Business Resumption Planning
Total number of questions for section: 18
Total possible points for section: 100
  1. Does your agency have an up-to-date business continuity plan (reflects current information on personnel, business processes and emergency contact information)?
     
  2. Is business continuity planning part of your agency culture; for example, does it involve the critical business units and staff on a regular basis?
     
  3. Do your agency emergency plans include an all hazards approach (includes all potential scenarios such as fires, floods, political and terrorist threats)?
     
  4. Has your agency conducted planning to determine how you would continue operation during a pandemic flu or other event resulting in high absenteeism?
     
  5. Do you have plans to relocate personnel to an alternate appropriately fitted location (adequate space, telephones, computers, fax machines etc.) in the event of a disaster at a production work site?
     
  6. Are the paper-based vital records of your agency backed up and stored at an off site location easily accessible by recovery personnel in the event of a disaster?
     
  7. If your vital records are stored at an off site location, do you have a method (way) to get them to your alternate recovery location?
     
  8. When critical applications are unavailable, but the primary work site is available, does your agency have manual work processes to meet functional business requirements?
     
  9. Does your Business Resumption Plan include a phone list of critical internal staff and external business partners?
     
  10. Is your contact list of internal staff and external business partners regularly (for example, every quarter) maintained and tested?
     
  11. Does your agency have a formal testing/exercise program of the following elements of your plan: crisis management, disaster recovery management, business recovery management, business resumption management, contingency management?
     

    If you answered "Yes" or "Partial" to Question 11, please answer 11a through 11d.

    a. Do your tests/exercises include third parties that integrate with your business systems?

    b. Does your agency formally report the status of business continuity readiness and results of exercises to executive management?

    c. Are the improvement opportunities identified during tests/exercises acted upon to improve business continuity plans and agency readiness?

    d. Is someone responsible for follow-up tracking of outstanding issues from the tests?
       

Business Resumption and External Dependencies

  1. Do your business continuity plans cover outages at key suppliers and external service providers?
     
  2. Do you include your suppliers and service providers in your Business Continuity/Disaster Recovery tests?
     
  3. Do you participate in the Business Continuity/Disaster Recovery tests of your suppliers?
     
 
Crisis Management
Total number of questions for section: 4
Total possible points for section: 100
  1. Does your agency have a crisis management plan in place?
     
  2. Does your agency have an emergency decision making team with alternates when primary members are not available?
     
  3. Does your agency have a program or a process to train personnel to react appropriately during an event, including evacuation and contact procedures?
     
  4. Do you exercise your crisis management plan?
     
 
Security
Total number of questions for section: 5
Total possible points for section: 100
  1. Do you have a method to control access to your work environment?
     
  2. Are there a written policy and defined procedures for dealing with physical and information security breaches?
     
  3. Would an employee recognize that a particular event or set of behaviors is a breach of a security policy?
     
  4. If an employee recognized such an event, would they know how to respond to it in accordance with the policy, for example report to their immediate supervisor and ISO?
     
  5. If an employee recognized a security breach, would they follow the policy and procedures?
     
 
Maintain the Plan
Total number of questions for section: 2
Total possible points for section: 100
  1. Have you built business continuity planning into the entire IT project life cycle?
     
  2. Do you have a process in place where your business continuity plan is maintained and updated (reviewed to consider the impact of new personnel, changes in management structure, facility changes, business process changes, and IT changes (network, software, hardware) or other environmental changes)?