The Western Australian Government ICT Business Continuity and ICT Disaster Recovery Policy (Policy) provides agencies with direction on establishing information and communication technology (ICT) business continuity management, so that business services across government continue to be delivered.
The objectives of the Policy are to ensure ICT components are incorporated as part of an agency’s wider business continuity management (BCM) framework. Government agencies are to:
- Ensure continuity of critical Western Australian Government business and services.
- Establish a consistent approach to business continuity and disaster recovery across the Western Australian Government.
- Support sector-wide preparedness for recovery during a disaster or severe incident.
- Maintain the confidence of all stakeholders that critical services will be available at all times.
Business Continuity Management is business led. However, in order to ensure critical business and services are maintained with minimal interruption, agencies must meet the following policy obligations.
Governance and Accountability
Agencies must develop and implement a governance structure, led by the Director General/Chief Executive Officer, that establishes accountability and clear responsibilities for identifying and managing ICT and business service risks, in support of business ICT continuity management and disaster recovery planning.
Agencies must undertake a business ICT impact analysis to identify and prioritise critical business ICT services, assets and information exchanges provided by, or to, other agencies or external parties.
Planning and Management
Agencies must establish a business ICT continuity plan, business ICT disaster recovery plan and an incident response plan, consistent with the standards set in the Insurance Commission of WA RiskCover’s Business Continuity Management Guidelines and Risk Management Guidelines.
To facilitate ongoing preparedness, these plans must be reviewed, tested (exercised) and updated annually to ensure they remain contemporary and effective. These plans are to be submitted to the Office of the Government Chief Information Officer for review, with final endorsement by the agency’s Director General/Chief Executive Officer.
In establishing a strategy for business and ICT continuity and disaster recovery, an agency or organisation must consider governance, people, process and technology against the following principles recommended by Australian and international standards for business continuity management:
- Effective Risk Management – adopting a risk-based approach to identify and assess the impact of threats affecting critical ICT services
- High Resilience – ensuring that critical business and ICT services are robustly designed, implemented and maintained to minimise disruption to an agency’s business services and operations
- Rapid Recovery – establishing business and ICT continuity and disaster recovery plans and priorities to enable timely resumption of critical ICT services in the event of disruption
- Ongoing Preparedness – continual improvement through periodic reviews of plans, exercises and audit compliance.
Agencies must ensure this Policy is incorporated into existing business processes for continuous improvement, and that it is consistent with, and operates within, any applicable legislative, policy and strategic frameworks, for example:
- Risk management is essential to the optimal operation of the public sector, as articulated in Treasurer’s Instruction 825 Risk Management and Security.
- Public Sector Commissioner’s Circular 2015-03: Risk Management and Business Continuity Planning.
Risk Management Guidelines and Business Continuity Guidelines are available from the Insurance Commission of Western Australia (ICWA). Contact details are available from the ICWA website at https://www.icwa.wa.gov.au/contact-us.
Further information and guidance on ICT Business Continuity and ICT Disaster Recovery is available from the Office of the Government Chief Information Officer (GCIO) website at www.gcio.wa.gov.au.
Definition of Terms
Business continuity and risk management terms are defined in accordance with RiskCover. The following definitions were extracted from ICWA RiskCover’s Business Continuity Management Guidelines, available from ICWA.
Business Continuity Management (BCM) is a discipline that prepares an organisation for the unexpected. It is a management process that provides the framework for building resilience to business and service interruption risks, responding in a timely and effective manner to ensure continuity of critical business activities, and ensuring the long term viability of the organisation following a disruptive event.
A Business Continuity Plan (BCP) is a treatment plan for certain risks, the consequences of which could disrupt core functions. The plan outlines the actions to be taken and resources to be used before, during and after a disruptive event to ensure the timely resumption of critical business activities and long term recovery of the organisation.
Business Impact Analysis (BIA) is the process of assessing the potential consequences to an organisation of an outage to its key business activities over varying periods of time, and prioritising the timeframes in which these activities must be resumed following a disruptive event.
A Disaster Recovery Plan (DRP) is the set of policies, processes and procedures for preparing for the recovery and restoration of the information technology infrastructure required to support critical business activities following an outage of an organisation’s computer centre.
Risk Management is the practice of systematically identifying, understanding, and managing the risks encountered by an organisation.
Risk Management Process is the process of implementing, maintaining and embedding risk management in an organisation, as set out in RiskCover’s Business Continuity Management Guidelines.