12 Service Continuity Management (formerly Business Continuity Management)

12-1 Policy

Service Continuity consists of the alignment of Business Continuity Plans (including Emergency Action Plans) and Disaster Recovery Plans.

The USPS CISO is responsible for the overall coordination of the USPS CIO Service Continuity (SC), which enhances the operational resilience of CIO partner organizations, their systems, and processes.

This policy develops the management and governance framework for USPS CIO SC organizations to prepare for, respond to, and recover from any event that disrupts, or threatens to disrupt, normal operations. This policy is applicable to all CIO Service Partners and Owners (see Chapter 2, Security Roles and Responsibilities).

This policy ensures, within the CIO organization, the creation of missing, and the review, alignment, and/or augmentation of existing, USPS Disaster Recovery (DR), Business Continuity (BC), Functional (FF), and Emergency Action (EAP) Plans as defined and mandated elsewhere in this document (Handbook AS-805) and in Management Instruction (MI) AS-280-2018-1, Integrated Emergency Management Supporting Field Business Continuity (published January 2018).

This policy, its recommendations, and resulting products (plans) are in compliance with the following:

  1. The National Institute of Standards and Technology (NIST) SP 800-34.
  2. Homeland Security Exercise and Evaluation Program (HSEEP).
  3. USPS Employee Labor Manual (ELM), 810, Occupational Safety and Health Program; 840, Safety Awareness Program; and 850, Emergency Action Plans and Fire Prevention and Control.
  4. MI AS-280-2018-1, Integrated Emergency Management Supporting Field Business Continuity.

Specifically, this policy provides for the identification, prioritization, and vetting of CIO and VP High Value Services (HVS); compliance with Federal and USPS standards and guidelines for recovery plan(s) documentation, maintenance (updating), testing, exercising and evaluation (TT&E); and personnel training.

Per ISO 27001, an Information Security Management System is characterized by the following:

  1. Has a centrally managed framework for keeping information safe.
  2. Protects the confidentiality, availability and integrity of information.
  3. Consists of a set of policies, procedures, and technical and physical controls.
  4. Has a scope that can be applied to the entire organization or only a specific area or department.
  5. Is based on an organization-wide risk assessment that considers internal and external risks.
  6. Has had all risks assessed, analyzed, and evaluated against a set of predetermined criteria.
  7. Has controls that are applied to treat risks based on the likelihood and impact of the risks.
  8. Has controls that include technology as well as controls to manage people, resources, assets, and processes.
  9. Helps you control risks that are specific to your own business environment.
  10. Requires support and involvement from the entire business, from the cleaner right up to the CEO.
  11. Is not an IT function but a business management process.
  12. Requires constant review, monitoring, audits and continual improvement to be effective.

The CIO Service Continuity (SC) Program Policy develops the capability of all USPS CIO organizations (CISO, EA, ENG, IT, and MEPT) to prepare for, respond to, and recover from any event that disrupts, or threatens to disrupt, normal operations which depend on services provided through the CIO organization. The program improves organizational and technical resilience processes and capabilities to ensure critical CIO services continue during and after an incident and applies to all USPS functional organizational elements and personnel.

This is achieved through the establishment and implementation of standards and guidelines for CIO Service Continuity, which includes emergency management, service continuity and disaster recovery activities, standards and plans (operational risk). Its focus is based on the identification and prioritization of the CIO’s and VP’s high-value services and their recovery/hardening/resilience through a governance program which ensures maintenance and training on service continuity.

Specifically, this is achieved through the development, documentation, and implementation of testing, exercising, and evaluation processes and documentation which validate compliance (or noncompliance) with CIO SC service continuity standards, guidelines, and processes, and which effectively address noncompliance and corrective action.

Service owners develop strategies and plans to sustain functions during a disruption.

Resilience is the ability to quickly adapt and recover from any known or unknown changes to the environment. Resiliency is not a process, but rather an end-state for organizations. The goal of a resilient organization is to continue mission-essential functions at all times during any type of disruption. Resilient organizations continually work to adapt to changes and risks that can affect their ability to continue critical functions. Risk management, contingency, and continuity planning are individual security and emergency management activities that can also be implemented in a holistic manner across an organization as components of a resiliency program.

Contingency planning normally applies to information systems, and provides the steps needed to recover the operation of all or part of designated information systems at an existing or new location in an emergency.

Cyber Incident Response Planning is a type of plan that normally focuses on detection, response, and recovery to a computer security incident or event.

Organizations require a suite of plans to prepare themselves for response, continuity, recovery, and resumption of mission/business processes and information systems in the event of a disruption. Each plan has a specific purpose and scope; however, because of the lack of standard definitions for these types of plans, in some cases, the scope of actual plans developed by organizations may vary from the following basic descriptions.

The goal of a resilient organization is to continue functions at all times during any type of disruption. Resilient organizations continually work to adapt to changes and risks that can affect their ability to sustain operations. Risk management, contingency, and continuity planning are individual security and emergency management activities that can be implemented in a holistic manner across an organization as components of a resiliency program.



