Industry Canada / Industrie Canada

Industry Canada Business Continuity Plan Methodology Audit
October 1999

Executive Summary

Background

On March 1, 1999, Industry Canada's Year 2000 (Y2K) Project Office initiated a business impact analysis process to determine the departmental business functions requiring a Year 2000 Business Continuity Plan (BCP). A senior departmental committee was formed called the Year 2000 BCP Steering Group. It was co-chaired by the Corporate Secretary and the Associate Assistant Deputy Minister, Operations Sector. This business impact analysis process initially identified 59 critical functions that were subsequently reduced to 28 as approved by the Year 2000 BCP Steering Group.

On April 7, 1999, the co-chairs of the Year 2000 BCP Steering Group asked managers of the 28 critical business functions to each complete, by April 30, 1999, a BCP template designed for this second phase of the BCP process. All 28 BCPs were fundamentally completed by May 30, 1999, except for the validation phase, which includes modules on testing, training and plan maintenance. This validation phase is scheduled to be completed by October 15, 1999.

Audit Objectives

The objectives of the Audit and Evaluation Branch audit of the BCP methodology were to determine that the:

  • process used to identify critical functions is reasonable;
  • methodology and templates developed are effective;
  • approach is comprehensive and does not include any gaps; and
  • BCPs have been prepared by properly applying the methodology.

The report presents the findings of the audit of the first three objectives. The audit of the last objective is to be conducted after October 15, 1999, when the validation phase has been completed.

Findings

The Year 2000 BCP Steering Group and the Y2K Project Office are commended for the process to identify critical functions and for the development of effective templates. The planning and conducting of training and information workshops to guide BCP managers during the validation phase of the BCP are also effective measures.

Objective 1: Determine that the process used to identify critical functions is reasonable.

Auditors found that the process used by Industry Canada to identify critical functions was reasonable. There are no recommendations.

Objective 2: Determine that the methodology and templates are effective.

There are two templates: the critical function template and the BCP template. The findings regarding each follow.

Critical Function Template

Auditors found that the template used by Industry Canada to determine its critical functions was appropriate. There are no recommendations.

Business Continuity Plan (BCP) Template

The BCP template used by Industry Canada meets requirements and includes essential information needed to build an effective business continuity plan.

Two observations and their related recommendations resulted from the audit of this template.

The Year 2000 BCP Steering Group should ensure that the 28 critical function managers know how to react and understand the reporting and escalation procedures should a Y2K crisis arise.

It is our understanding that this escalation process will be contained in the validation phase of the BCP process. When auditing the completed BCPs in October, 1999, we will include an assessment of the escalation process planned.

Since critical business function managers are accountable for the maintenance and implementation of their plans, it is recommended that the Year 2000 Project Office continue to remind BCP managers regularly to report to the Y2K Project Office the current status of their critical suppliers and dependencies. The Y2K Project Office sent an e-mail to BCP managers on September 16, 1999 concerning this follow-up with critical suppliers and dependencies.

Objective 3: Determine that the approach is comprehensive and does not contain any gaps.

When comparing best practice and Y2K resource information with the work planned at Industry Canada, auditors found three significant issues that did not appear to be fully covered at the time of this audit. These issues are described below.

It is recommended that the BCP Steering Group plan, document and test a Y2K 'command centre' BCP that would serve as a centre for BCP critical managers to contact should a crisis arise as the date rollover period approaches. This 'command centre' could serve to monitor the activities during this period. Best practices indicate that a BCP devoted to a 'command centre' will minimize the risk during the rollover period.

Secondly, the BCP Steering Group should evaluate whether to clarify, document and consolidate human resource, communications, decision-making and zero-day policies and procedures in one document and then distribute these to BCP and senior managers. This document could serve as a guide, responsibility and accountability resource. It should be continually updated and maintained.

Thirdly, Y2K resource information indicates that during the date rollover period, there may be increased incidences of hackers attempting to infiltrate potentially vulnerable mission-critical information systems and introduce new viruses to exploit any system vulnerability. Since Industry Canada is heavily dependent on several key systems, it is recommended that the department review security measures to assess how the department can minimize the risk of these vulnerabilities. The Chief Information Officer has already begun planning for these possible hacking and virus intrusions.

Y2K BCP Steering Group Response to Audit Recommendations

During the October 1, 1999 Year 2000 BCP Steering Group meeting, the findings and recommendations of this audit report were presented.

The Year 2000 BCP Steering Group agreed to recommendation 1 (re: the 28 critical function managers knowing how to react and understand the reporting and escalation procedures); recommendation 2 (re: BCP managers to monitor regularly the status of their suppliers and dependencies); and recommendation 3 (re: planning, documenting and testing a Y2K 'command centre' BCP).

With regard to recommendation 4 (re: the evaluation of whether to clarify, document and consolidate human resources, communications, decision-making and zero-day policies and procedures in one document), the Y2K BCP Steering Group agreed to review similar policies from other entities and then decide on the necessity of this document.

Chief Information Officer

As for recommendation 5 (re: the assessment of the risk of hacking and virus intrusions), this recommendation will be communicated to the Chief Information Officer. As indicated in the report, the Chief Information Officer has already begun the planning to protect the department regarding this risk.

Management Action Taken

Action was taken to address all recommendations (see related Phase II Report).





Date Created: 2000-04-26


Date Modified: 2005-12-13