We have developed the following Business Continuity Plan to respond to business interruptions and explain how we will recover operations. CAN is committed to serving our clients and responding quickly to business interruptions.
All employees receive training on CAN’s Business Continuity Plan. Training is conducted during new employee orientation and quarterly security training. Additional training is provided as necessary.
Our goal is that all employees understand how CAN will respond to and recover from a disaster or interruption. We expect all department heads to be capable of leading a recovery. During an interruption, recovery activities will be led by the highest-ranking officer available.
CAN’s Continuity plan is designed to be easy to remember, follow, and implement. It covers:
- What resources can be interrupted and need to be restored
- Possible threats to business continuity
- How to triage interruptions using CAN’s Priority Ratings
- Plans for responding to and recovering from interruptions
These 4 variables are used to prepare for, prevent, and respond to possible business interruptions.
CAN’s Primary Resources are sorted by importance. Importance is determined by their possible impact on CAN’s clients.
- Critical Records and Data
We work to make decisions that protect our primary resources and make sure that secondary resources are available when needed. This includes, but is not limited to, maintaining redundancies in our data center, keeping backups of our files in offsite locations, and maintaining relationships with possible employees.
Possible Threats to Business Continuity
Possible and realistic threats to CAN’s business continuity include, but are not limited to: power loss, data breach, data corruption, riot, looting, robbery, shootings, loss of building services, flood, blizzard, loss of key executives, and/or health epidemic. During training we discuss how to prevent these threats and walk through scenarios based on possible events.
We use the following standards to triage interruptions. CAN uses the same standards to prioritize response to emergencies, privacy breaches, security vulnerabilities, and business interruptions. Standards ensure consistent and predictable responses, and help coordinate responses to multiple types and combinations of issues.
- Critical: Impact or possible impact on many clients
- High: Impact or possible impact on a small number of clients
- Moderate: No impact on clients, but possible impact if combined with another breach, vulnerability, loss, or disaster
- Low: Possible hindrance to CAN’s operations, but no immediate impact on CAN’s clients or their data
- Other: Issues that CAN is having difficulty verifying or reproducing. Once CAN has been able to verify the issue, it will be prioritized or dismissed.
Responding to and Recovering from Interruptions
CAN responds to interruptions using the 4-step plan outlined below. Due to the complex nature of business interruptions, the exact responses are left to the judgment of the available team.
- Communication: Once the situation has been triaged CAN will notify impacted parties immediately. All other stakeholders that have not been impacted will be notified once the situation has been remedied. This follows CAN’s “Responsible Disclosure” protocol and is designed to limit exposure and focus resources on recovery. Possible stakeholders include employees, families of employees, shareholders, customers, partners, governments, non-customers, and the press.
- Teams, Responsibilities and Tasks: Once the impacted stakeholders have been notified, the Recovery Leader will create recovery teams and assign people, tasks, resources, responsibilities, and timelines. The first response will be to secure resources from highest priority to lowest priority.
- Assessments: Once the situation has been stabilized, CAN’s recovery teams will evaluate the damage, check systems, confirm that access rights are appropriate, and determine whether any data is missing or has been corrupted.
- Recovery and Progress: During the recovery, the Recovery Leader will monitor the progress of the Recovery Teams based on their ability to execute their tasks. The Recovery Leader will communicate progress to stakeholders, and make announcements when the situation has been stabilized, primary resources have been restored, and secondary resources have been replenished. The recovery is complete once primary resources are restored and secondary resources have been replenished.
Our Business Continuity Plan is built on a model with 4 variables. In combination, these 4 variables allow us to respond quickly to business interruptions, recover operations, and prepare for possible threats.