Premier & Cabinet

Type:
Department of Premier and Cabinet Circular
Identifier:
C2003-02
Status:
Archived

C2003-02 Electronic Information Security - Business Continuity Planning

Detailed Outline

Circular 2001-46 requires agencies to establish and implement a risk management based information security management program in accordance with national standards. Ten broad categories of 'management controls' are detailed in these standards. One of these measures is business continuity planning.

Most agencies have been taking regular back-up copies of their information and storing it safely off-site for many years. However, this may be insufficient for business continuity purposes, where the key is being able to resume operations promptly after a disaster.

The speed with which an agency's operations must be resumed depends on the extent of its reliance on information technology, and its criticality to the delivery of public services, the State's infrastructure and government operations. Effective business continuity planning requires that a back-up site is available. Such sites may be 'Cold', 'Warm' or 'Hot' in terms of how quickly they can be activated.

A second issue is how far away a back-up site is from the agency's primary site(s). This is dictated by the nature of the disaster, logistics and utilities' infrastructure. While extremely localised disasters, such as a building fire, mean that a back-up site could be close by, other disasters and their consequences may cover a larger area and last for many days. For example, many buildings could be affected by a disaster at an exchange. Disasters that directly or indirectly affect organisations across a wide area may create capacity problems for shared IT facilities being used as back-up.

Agencies are to ensure that:

  • business continuity planning has appropriate priority in their electronic information security programs,
  • their business continuity measures are appropriate to their role in providing public services, and
  • their plans are regularly reviewed in the light of changing circumstances.

More detailed guidance is published by the Department of Information Technology and Management on the Office of Information Technology's web site. A copy of the relevant section is attached.

C Gellatly
Director-General

Builds on Circular 2001-46, superseded by M2007-04

Overview

Compliance

Not Mandatory

AR Details

Date Issued
Jun 13, 2014
Review Date
Jun 13, 2024

Contacts

Phone
02 9228 5555
Publishing Entity
Department of Premier and Cabinet
Issuing Entity
Department of Premier and Cabinet