Canada Border Services Agency

ARCHIVED - Audit of Business Continuity Plans

Internal Audit Report
November 2009

Executive Summary

Background

In accordance with the Government Security Policy (GSP), departments must establish a Business Continuity Planning (BCP) Program to provide for the continued availability of critical services and assets supporting these critical services. In July 2009, the new Policy on Government Security (PGS) came into effect and replaced the 2002 Government Security Policy. However, the Operational Security Standard – BCP Program continued as the relevant standard for business continuity management under the new policy.

Business continuity plans, including Information Management (IM) and Information Technology (IT) continuity plans are a key output of the BCP Program. The objective of business continuity plans is to enable the Canada Border Services Agency (CBSA) to deliver critical corporate and front-line border operations in the event of a business disruption.

The CBSA BCP Program is organized along the four elements outlined in the GSP and its related standard:

  1. BCP Program Governance – establish policy direction, authorities, accountabilities and responsibilities for the BCP Program;
  2. Business Impact Analysis – assess the impact of disruptions on the department to identify and prioritize critical services and associated assets;
  3. Continuity Plans and Arrangements – develop the plans, measures, procedures and arrangements to be used to maintain business continuity in the event of a disruption, and deliver the necessary training in the use of these procedures; and
  4. BCP Program Readiness – establish a permanent maintenance cycle for all continuity plans, including regular testing and validation of the plans.

An audit of business continuity plans was included in the Three-year Risk-based Audit Plan (FY 2008/09 – 2010/11) approved by the Audit Committee.

Objective and Scope

The audit objective was to provide assurance regarding the adequacy of the Agency's establishment and management of the CBSA BCP Program.

The audit examined the BCP Program Governance, Continuity Plans and Arrangements, and BCP Program Readiness areas relative to the legacy GSP and related standard. Business Impact Analysis was not included in scope as it was considered low risk during the planning phase.

Statement of Assurance

This audit engagement was planned and conducted in accordance with the Internal Auditing Standards for the Government of Canada.

Audit Opinion

The CBSA BCP Program has been established in accordance with the GSP and related standard. CBSA has completed its business impact analysis and business continuity plans for critical services and associated assets. Sustained effort and management attention are required to address gaps identified with the business continuity plans, including IM/IT continuity plans, and to implement a permanent maintenance cycle for all continuity plans, including regular testing, validation and updates of the plans.

Main Observations

A program governance and management structure was in place for the BCP Program. While it was functioning and business continuity plans had been developed, the policy framework was not well integrated and some gaps remain. There is an opportunity to review and update the BCP policy framework at CBSA given the new 2009 Policy on Government Security (PGS).

The CBSA has more than 400 business continuity plans in place. For the most part, regional plans contained the type of information required by the GSP while the plans for the Headquarters branches did not include all the key information. During the course of the audit, work was progressing to complete the plans particularly for the IM/IT components; however, funding for some plans required approval. Further analysis is required by management to determine the adequacy of each plan.

Management had taken steps to implement a maintenance cycle and change management process for BCPs to keep plans and arrangements up to date, increase staff awareness and develop regular testing. These were identified as key priorities for FY 2009/10. Some progress was observed in updating plans and improving employee awareness. Given the magnitude and reach of the BCP Program, it would benefit from a national approach to guide BCP maintenance, training and testing so that managers and staff understand their roles and responsibilities.

Management had taken some initial efforts to monitor the performance of the BCP Program. However, information on performance, resource requirements, costs, and schedules to meet key milestones and deal with risks was fragmented across various components. CBSA management would benefit from a more coordinated approach to report on the BCP Program.

Introduction

Background

The Government Security Policy (GSP) and its associated standards prescribe safeguards designed to support the national interest and the Government of Canada's business objectives by safeguarding employees and assets and assuring the continued delivery of critical services. In accordance with the GSP, departments must establish a Business Continuity Planning (BCP) Program to provide for the continued availability of critical services and assets supporting these critical services. In July 2009, the new Policy on Government Security (PGS) came into effect and replaced the 2002 GSP. However, the Operational Security Standard – BCP Program continued as the relevant standard for business continuity management under the new policy.

Business continuity plans, including Information Management (IM) and Information Technology (IT) continuity plans are a key output of the BCP Program. The objective of business continuity plans is to enable the Canada Border Services Agency (CBSA) to deliver critical corporate and front-line border operations in the event of a business disruption.

The CBSA BCP Program is organized along the four elements outlined in the GSP and its related standards:

  1. BCP Program Governance – establish policy direction, authorities, accountabilities and responsibilities for the BCP Program;
  2. Business Impact Analysis – assess the impact of disruptions on the department to identify and prioritize critical services and associated assets;
  3. Continuity Plans and Arrangements – develop the plans, measures, procedures and arrangements to be used to maintain business continuity in the event of a disruption, and deliver the necessary training in the use of these procedures. The scope of plans and arrangements includes IM continuity plans to ensure minimal or no interruption in the availability of information assets, and IT continuity plans to ensure minimal or no interruption to the availability of critical IT services and assets; and
  4. BCP Program Readiness – establish a permanent maintenance cycle for all continuity plans, including regular testing and validation of the plans.

Prior to the start of the audit, the Agency had conducted the business impact analysis and identified its five critical business functions, and the support services that were essential to performing these functions. During the period selected for audit, CBSA BCP Program work was focused on: reviewing and updating the business continuity plans; developing continuity plans for the IT application systems and infrastructure assets; and developing the strategy and guidelines for ongoing maintenance and regular testing of the plans.

CBSA was reviewing its IM Program, and in June 2009 responsibility for the Program transferred from Comptrollership Branch to the Innovation, Science and Technology Branch (ISTB). As a result, ISTB was in the process of developing its approach and strategy for managing IM, including integration of IM continuity plan requirements into continuity plans and arrangements.

In October 2008, the Internal Audit Directorate (IAD) issued the report on the Audit of Emergency Preparedness. The audit found that the Agency had a management and organization structure in place for the Emergency Preparedness Program. Audit recommendations focused on improvements to Program planning and monitoring functions. These included updating the terms of reference for the Program oversight committee, developing a strategic direction for the Program, and implementing work plans, schedules and budget management and reporting processes in line with the approved strategic direction. Management actions were targeted for completion by March 2009, with operational work plans established for Fiscal Year (FY) 2009/10 and beyond. As the BCP Program complements emergency preparedness, these recommendations and management action plans were considered when conducting this audit.

A review of the results of BCP Program audits in other government departments as well as the Treasury Board of Canada Secretariat Management Accountability Framework (MAF) Round V and VI Assessments of business continuity showed that departments had made good progress in establishing BCP governance and in completing business impact analyses. Recommendations for improvement focused on the plans and arrangements and program readiness elements of their BCP programs.

Risk Assessment

A preliminary risk assessment was conducted to assist in audit planning and determine potential priorities and areas for audit. The risk assessment considered status and plans of the CBSA BCP Program for each of the four elements of a BCP Program outlined in the GSP and its related standards. The following risk areas were identified as key for the successful implementation of the Agency's BCP Program:

  1. BCP Program Governance – The BCP Program governance framework may not include all of the components needed to identify and address gaps between the IM/IT infrastructure and tools needed to support delivery of critical services and the availability of these tools.
  2. Continuity Plans and Arrangements – Business continuity recovery plans and procedures may not address all of the dependencies needed to ensure service delivery is maintained at minimum service levels.
  3. BCP Program Readiness – Testing to validate that the plans will meet the business continuity requirements for the Agency's critical services may not be complete, and a maintenance process to keep the continuity plans up-to-date may not be in place.

Audit Objective and Scope

The audit objective was to provide assurance regarding the adequacy of the Agency's establishment and management of the CBSA BCP Program. The audit examined the BCP Program Governance, Continuity Plans and Arrangements, and BCP Program Readiness areas.

Business Impact Analysis was not included in the scope because it was considered low risk during the audit planning phase: the Agency had already identified its critical business functions and business services.

As the Agency was in the early stage of developing a BCP readiness initiative, audit examination of the BCP Program Readiness area reviewed the progress in developing plans and schedules for implementing ongoing plan maintenance processes, for staff training and awareness, and for testing and validation of the plans.

Audit work was conducted between April and August 2009 and the period for reviewing documentation was from April 2008 to March 2009. Audit scope included business and IM/IT continuity plans. Sample Headquarters (HQ) and regional continuity plans approved as of March 2009 were selected for audit review.

Site visits were conducted in the Northern Ontario, Prairie and Pacific regions. Sites visited represented a mix of large and small transaction processing volumes, and provided representation for travellers and commercial goods entry via highway, rail, marine, air, and postal modes of entry.

Approach and Methodology

The auditors gathered evidence through interviews, documentation and direct observation, and analyzed and evaluated the BCP Program against the selected audit criteria.

The auditors:

  • Interviewed representatives from offices of primary interest (OPIs) for business continuity and IM/IT continuity, and BCP coordinators to obtain information on their priorities, plans and processes for further development of the program.
  • Reviewed BCP Program policy, governance, planning, and status documentation to assess processes and outputs for management of the BCP Program, including the Memorandum of Understanding (MOU) between CBSA and its third party IT infrastructure and IT support services provider. This review assessed how CBSA IT availability and continuity requirements were represented in the Service Level Agreements (SLAs).
  • Reviewed a sample of 41 HQ and regional business continuity plans to assess whether they included the contents suggested in the GSP and related standards.
  • Compared critical business services documented in the business continuity plans to critical services identified in the new Service Identification Tables (SITs) for 22 operational sites to understand the process followed to approve changes in the list of critical services.
  • Visited Northern Ontario, Prairie and Pacific regions, and interviewed regional and site BCP coordinators to understand the regional process for developing and maintaining their business continuity plans, and to follow up on specific questions noted by the audit after reviewing the regional BCPs.
  • Reviewed budget and expenditure data in the Agency's Corporate Administrative System (CAS) to identify whether budget and actual expenditures related to the BCP Program were recorded in the system.

Audit Criteria

Audit criteria were developed based on a number of authoritative sources. These included the Government of Canada Operational Security Standard – BCP Program, the Control Objectives for Information and related Technology (COBIT), and the National Institute of Standards and Technology (NIST) Contingency Planning Guide for Information Technology Systems, NIST Special Publication 800-34. Detailed criteria are presented in Appendix A of this audit report.

Statement of Assurance

This audit engagement was planned and conducted in accordance with the Internal Auditing Standards for the Government of Canada.

Audit Opinion

The CBSA BCP Program has been established in accordance with the GSP and related standards. The CBSA has completed its business impact analysis and business continuity plans for critical services and associated assets. Sustained effort and management attention are required to address gaps identified in the business continuity plans, including IM/IT continuity plans, and to implement a permanent maintenance cycle for all continuity plans, including regular testing, validation and updates of the plans.

Findings, Recommendations and Management Action Plans

A program governance and management structure was in place for the BCP Program. While it was functioning and business continuity plans had been developed, the policy framework was not well integrated and some gaps remain. There is an opportunity to review and update the BCP policy framework at CBSA given the new 2009 Policy on Government Security (PGS).

The CBSA has more than 400 business continuity plans in place. For the most part, regional plans contained the type of information required by the Government Security Policy (GSP) while the plans for the HQ branches did not include all the key information. During the course of the audit, work was progressing to complete the plans particularly for the IM/IT components; however, funding for some plans required approval. Further analysis is required by management to determine the adequacy of each plan.

Management had taken steps to implement a maintenance cycle and change management process for BCPs to keep plans and arrangements up to date, increase staff awareness and develop regular testing. These were identified as key priorities for FY 2009/10. Some progress was observed in updating plans and improving employee awareness. Given the magnitude and reach of the BCP Program, it would benefit from a national approach to guide BCP maintenance, training and testing so that managers and staff understand their roles and responsibilities.

Management had taken some initial efforts to monitor the performance of the BCP Program. However, information on performance, resource requirements, costs, and schedules to meet key milestones and deal with risks was fragmented across various components. CBSA management would benefit from a more coordinated approach to report on the BCP Program.

BCP Program Governance and Management

A program governance and management structure was in place for the BCP Program. While it was functioning and business continuity plans had been developed, the policy framework was not well integrated and some gaps remain. There is an opportunity to review and update the BCP policy framework at CBSA given the new 2009 Policy on Government Security (PGS).

For effective program governance and management, appropriate authorities, accountabilities, and responsibilities should be established, guidance to management and staff should be provided, and resources should be committed to implement the program.

The audit found that there was a CBSA BCP Policy: Chapter 4 of the Comptrollership Manual – Security Volume. It outlines the overall roles and responsibilities of the key branches and regions, as well as of all CBSA managers. The policy refers to the GSP and other federal government documentation for guidance. In addition to the policy, further guidance was in the process of being finalized during the course of the audit. This included templates to outline the standard format and content of continuity plans, and development of a strategy for continuity plan maintenance, testing and validation. These templates will address an important BCP Program operational security standard of the federal government. Completion of these initiatives will strengthen the overall guidance for the BCP Program.

The Emergency Preparedness and Security Committee (EPSC) is a sub-committee of the Executive Management Committee (EMC), and its role was to provide expert advice and support on emergency preparedness and business continuity issues. A review of its minutes showed that the EPSC had discussed the BCP Program. The Committee monitored the status of business and IT continuity plan development, liaised with branches to garner support for completion of continuity plans, and discussed priorities for implementing BCP readiness activities.

The audit noted that the policy and guidance documents were not integrated. For example, the policy did not reference an IT Continuity Policy, or the CBSA policies for emergency management and information management, which are relevant components of the overall policy framework for the BCP Program. Further, the roles of the EPSC and the BCP Program Coordinator, key components of the program governance and management structure, were not mentioned in the policy. Comptrollership Branch had developed separate governance documents to address gaps in the policy responsibilities statement, and to more completely describe HQ branch and regional responsibilities for the program. As well, the Branch was planning a policy review which would also address the requirements of the new PGS, but its priority had been to finalize the business continuity plans.

Notwithstanding these various documents, audit interviews reflected a lack of understanding in the branches on their roles and responsibilities, especially with respect to plan review and maintenance, and testing. Information sharing and coordination presented challenges among the branches to perform quality review of continuity plans and to validate IT continuity requirements.

The audit found that Comptrollership Branch, in conjunction with the Strategy and Coordination Branch, drafted a BCP Communications Strategy in June 2009, and the strategy was being reviewed. The overall objective of the strategy was to increase CBSA management and employee awareness of how the BCP Program affects them. A subsequent, updated version of the strategy was planned to address BCP communications requirements for CBSA stakeholders. The development of the BCP strategy was coordinated within the Agency's overall emergency communications plan. This meant that the BCP strategy would leverage existing communications products and tools already developed as part of the Agency's emergency preparedness plan.

Regarding the resource commitment to the BCP Program, there was no centralized BCP Program budget. Each branch was responsible for resourcing its BCP responsibilities. Costs had been estimated to address the IT continuity plan. However, management had concluded that resolution was beyond the current resource levels of the Agency, and they were examining options going forward.

Overall, the CBSA has in place a governance and management structure for the BCP Program. Not all of the necessary guidance for the program is complete, and integrating the various policies and other documents for the BCP Program would help managers understand the Program's expectations.

Recommendations

1. The Vice-President of Comptrollership Branch should undertake a review of the BCP Policy and related documents to align BCP guidance with the 2009 Policy on Government Security. The policy framework should be integrated and address the following gaps:

  1. the specific business continuity requirements, including IM and IT continuity requirements of the PGS;
  2. the procedures/guidelines for the administration of the BCP Program; and
  3. a description of all BCP Program roles and responsibilities.
Management Action Plan and Completion Date

Action: Comptrollership Branch is in the process of reviewing and updating the CBSA BCP Policy, to ensure it reflects the changes in the July 2009 Policy on Government Security (PGS). Throughout the policy update process, consultations will be undertaken with IST and Operations branches to ensure the specific business continuity requirements of all areas are included and meet the requirements of the PGS.
Completion date: February 2010

Action: IM officials are working with their partners. The IM continuity plan requirements will be integrated with the business and IT plans, forming a holistic IM-IT approach to business continuity planning:
  • Forming an IM/CM (Information Management/Content Management) working group with the IT Continuity Division; the first meeting is expected in January 2010.
  • Forming an IM Policy Committee with membership from IT Policy Division to ensure that IM policies account for, and are integrated with, the policies in other areas (which includes business continuity), with the first meeting in January 2010.
Completion date: January 2010

Action: Procedures and guidelines for the administration of the program have been developed and will continue to be reviewed and updated to ensure the existence of an effective administration of the BCP Program for the Agency.
Completion date: Ongoing

Action: BCP Program roles and responsibilities are identified in the BCP HQ and Regional Governance documents, which were developed to complement the existing BCP Policy. These were developed in June 2008 and are being reviewed to include IT continuity roles and responsibilities. Once reviewed and completed, management will ensure the roles and responsibilities are highlighted in all policies and framework documents. ISTB will be consulted throughout the amendment process.
Completion date: December 2009

2. The Vice-President of Comptrollership Branch should finalize the BCP Communications strategy, and establish a plan and schedule for extending the strategy to include stakeholders.

Management Action Plan and Completion Date

Action: In spring 2009, an internal communications strategy was developed with the goal of advising CBSA employees about the BCP Program and promoting its importance within the Agency. It was approved by Emergency Preparedness and Security Committee members in fall 2009.
Completion date: Completed

Action: Ongoing communications have been undertaken with various federal government organizations and external organizations, and we will continue to meet with and brief our partners and stakeholders on an ongoing basis.
Completion date: Ongoing

Action: In light of the current pandemic situation with the H1N1 virus, it was decided that the existing pandemic communications plan would be expanded to include an external component which addresses reassuring key stakeholders that the CBSA is prepared in the event of a business disruption. The CBSA-approved pandemic communications plan (which specifically addresses the H1N1 virus flu pandemic) will form the framework for the larger external BCP communications strategy, which will be developed in collaboration with Public Safety Canada and serve as a framework or guideline for communications for events such as business disruptions.
Completion date: Ongoing

BCP Plans and Arrangements

The CBSA has more than 400 business continuity plans in place. For the most part, regional plans contained the type of information required by the GSP while the plans for the HQ branches did not include all the key information. During the course of the audit, work was progressing to complete the plans, particularly for the IM/IT components; however, funding for some plans required approval. Further analysis is required by management to determine the adequacy of each plan.

Business continuity plans (BCPs), including IM/IT continuity plans, must be developed for critical business services. These plans should document the responsibilities, procedures, resources, and coordination mechanisms to manage the steps to recovery, and arrangements should be in place to put plans into effect. Given the Agency's dependency on IT to deliver its critical services, IM/IT continuity plans are an integral part of the BCP Program. As well, continuity plans should be reviewed to identify any changes required due to high absenteeism levels during a pandemic.

The Agency has over 400 business continuity plans in place. In the regions, there are approximately 260 plans that are updated plans from the former Canada Customs and Revenue Agency (CCRA). For Headquarters, which did not have legacy BCPs, approximately 140 BCPs were developed based on a template provided by the BCP Program. In September 2008, CBSA senior management approved business continuity plans, including plans for critical IT services. At that time, further work was required to complete plan development for HQ policy and program functions. Approval for these remaining plans was obtained in December 2008.

A sample of 41 regional and HQ business continuity plans was reviewed. For the most part, the contents of the regional plans contained the types of information recommended in the GSP and related BCP standards. There were examples of good practices in individual plans reviewed, including the identification of short- and long-term recovery strategies, identification of the recovery priority of critical services, and identification of recovery strategies for an incident that affected a single site or a wider geographic area.

The BCPs for HQ were not as complete as those for the regions. They included critical services, recovery strategies, maximum allowable downtime, contact lists, minimum service levels and skill sets, external dependencies, and essential assets and records, including IT. However, the BCPs did not define the roles, responsibilities and steps to manage recovery from a business disruption. The audit noted that the template used to document the plans for Headquarters did not require this information, even though it is a requirement under the GSP. ISTB was in the process of completing this information for the approximately 83 critical IT services the Branch delivers.

In some regional and HQ business continuity plans, the audit noted instances of incomplete information on the arrangements to put plans into effect. Identification of dependencies with shared service delivery organizations was not complete in all plans reviewed, and arrangements for access to alternate recovery sites, especially non-CBSA sites, were not formalized. Many of the MOUs, SLAs or other arrangements with external organizations had been negotiated centrally; however, local sites did not necessarily have the information about these arrangements in order to fully complete their business continuity plans.

The audit noted that work was underway to review the plans to identify and address content gaps and inconsistencies. This work was dependent, in part, on the availability of a CBSA standard template for plan format and content, which had not yet been finalized. This was confirmed in interviews with BCP coordinators who indicated that program functional guidance was needed to assist them in their review and update of plan contents.

With respect to the IM/IT component of the business continuity plans, the audit found that the arrangements were at various stages of completion. ISTB HQ site requirements had been confirmed, validation work was in progress for a subset of regional sites, and the schedule for work to complete the remaining sites was to be determined. A key component of this validation was the prioritization of IT recovery time objectives for critical business services having the highest dependency on IT services. Implementation of the IM/IT component of the BCPs for a subset of sites was scheduled for March 2010, and implementation dates for remaining sites were to be determined. Funds for the recovery strategies identified in the plans needed to be approved, and implementation dates were dependent on the timing of these decisions.

Essential records needed to perform critical services were specified in the business continuity plans. However, ISTB work to validate IT requirements identified that this list was incomplete and did not identify those instances where access to archived e-mail data was required in addition to basic e-mail communications services. In the current IT environment, e-mail was not identified as a high availability service, and the Agency was examining options to provide continuity of the full range of e-mail services needed to support critical services delivery during a business disruption.

With respect to pandemic planning, work to review and update continuity plans to maintain business continuity during a pandemic was at an early stage. The final draft of the CBSA Pandemic Plan was issued in May 2009, and interviews with BCP coordinators indicated that they were waiting for specific guidance on the steps and timing to review and update their business continuity plans.

The observations noted in the audit may hinder the ability to put continuity plans into effect, and there may be a risk that maximum allowable downtimes identified for critical services will be exceeded.

Recommendation

3. The Vice-President of Comptrollership Branch, in coordination with the Vice-President of Innovation, Science and Technology Branch and the Vice-Presidents of the other branches, should establish a process to review and update the existing business continuity plans in line with all the requirements of the Policy on Government Security. This should also include the confirmation of acceptable IT recovery time objectives for implementation of the IT continuity plans, and ensure that the regions complete steps to meet their requirements for regional IT services.

Management Action Plan and Completion Date

Action: A BCP maintenance cycle to ensure the ongoing review, updating, and approval of BCPs has been developed for the Agency, approved by Emergency Preparedness and Security Committee (EPSC) and distributed to all BCP coordinators. This cycle will ensure that plans are reviewed and updated to reflect ongoing program changes within the CBSA business environment, as well as in the areas of IT technical support and systems recovery. Regular sign-off by vice-presidents also forms part of the maintenance cycle.
Completion date: Completed

Action: Once Comptrollership Branch has identified the requirements of the Policy on Government Security, the Innovation, Science and Technology Branch (ISTB) will make the necessary adjustments to its business continuity plans.
Completion date: Ongoing

Action: The ISTB will also work with the Comptrollership and the Operations branches in determining, confirming and mitigating current gaps in IT recovery time objectives both for HQ and for the regions.
Completion date: Ongoing

BCP Readiness

Management had taken steps to implement a maintenance cycle and change management process for BCPs to keep plans and arrangements up-to-date, increase staff awareness and develop regular testing. These were identified as key priorities for FY 2009/10. Some progress was observed to update plans, and to improve employee awareness. Given the magnitude and reach of the BCP Program, it would benefit from a national approach to guide BCP maintenance, training and testing so managers and staff would understand their roles and responsibilities.

Once developed, continuity plans should be maintained in a state of readiness. This includes implementing a maintenance and change management process to keep plans and arrangements up-to-date, providing additional training to keep employees informed of their BCP responsibilities, and regular testing and validation of all plans. Given that the Agency was at the early stages of developing a BCP readiness initiative, it was determined during the audit planning phase to limit the examination to the Agency's progress in developing plans and schedules for implementing ongoing plan maintenance processes, for staff training and awareness, and for testing and validation of the plans.

BCP Program activities had been focused on developing business continuity plans. With business continuity plans developed as of December 2008, attention shifted to the steps required to further strengthen business continuity plans and maintain readiness. Key priorities identified for FY 2009/10 were the implementation of the maintenance cycle, delivery of BCP awareness sessions, and development of a testing and evaluation strategy, including the requirement to prepare lessons learned reports.

Management had taken steps to operationalize the Agency's BCP maintenance cycle. Until these steps were fully in place, BCP updates were being managed according to local schedules and requirements. The audit found that contact information, in particular, was becoming out of date in the BCPs due to staff changes. The Departmental Security Officer (DSO) had advised branches to update their BCPs in May 2009 in response to the heightened H1N1 pandemic alert.

However, maintenance of the BCPs, particularly in the regions, was complicated by the fact that the same data was being maintained in both the business continuity plans and the Service Identification Tables (SITs). The SITs were being prepared as a transition to the Agency's final format for business continuity plans. In some cases, services deemed critical under the original BCP process had been reclassified as non-critical as part of the SIT process. Within the Agency's BCP Program process, this reclassification meant that these services would no longer be considered priority services for continued operation during a business disruption. However, these changes were not validated against the Agency's inventory of critical business functions and services, and a formal change management process to validate changes to the Agency's critical services list had not yet been implemented.

BCP training is a shared responsibility; however, the audit found that there was no overall training strategy and plan to develop and maintain BCP skills for key BCP staff and employees with BCP responsibilities. Comptrollership Branch had provided training and awareness information to Branch BCP coordinators. However, there continued to be a lack of knowledge of the continuity planning process, which contributed to the gaps and inconsistencies in the business continuity plans noted earlier in this report.

To date, there had not been any regular testing and validation of the business continuity plans. Some exercises had occurred and provided insight on how components of the business continuity plan would work. However, these exercises did not require activation of the plans. Until regular BCP testing is implemented, there may be a risk that weaknesses in the plans and employee readiness to implement the plans will not be identified.

Recommendations

4. The Vice-President of Comptrollership Branch, in coordination with the Vice-Presidents of Innovation, Science and Technology, and Operations branches, should develop and implement a national strategy and guidelines to define business continuity plan updates, maintenance and testing, including a change management process to validate changes to the list of critical services.

Management Action Plan and Completion Date

A BCP maintenance cycle has been developed for the Agency to ensure ongoing BCP updates, including a change management process to validate changes to the list of critical services. This maintenance cycle was approved by EPSC and distributed to all BCP coordinators and members of Branch Management Teams (BMT).
Completion date: Completed

A change management process is being developed for the BCP Program in consultation with ISTB and Operations Branch and will be included in Standard Operating Procedures, which will be shared with BCP coordinators. Information regarding the process has been disseminated to key individuals within the Agency via e-mail when questions have been raised.
Completion date: January 2010

Comptrollership Branch will continue to develop a comprehensive testing and exercise strategy for BCPs and will consult with Operations Branch to incorporate the BCP testing and exercise strategy into the broader Agency comprehensive Emergency Planning Exercise Program. Comptrollership Branch will also work with ISTB on the development of the testing and exercise strategy, specifically to ensure that the scope of the strategy includes IM/IT continuity.
Completion date: March 2010

A national framework and guidelines to define business continuity plan updates, maintenance and testing, and a change management process to validate changes to the list of critical services, will be developed in consultation with ISTB and Operations Branch. ISTB will support Comptrollership Branch's efforts to develop and implement a national strategy and guidelines, and will work with Comptrollership Branch to develop the change management process to validate changes to the list of critical services.
Completion date: July 2010

5. The Vice-President of Comptrollership Branch, in coordination with the Vice-Presidents of Human Resources, Operations, and Innovation, Science and Technology branches, should develop and implement a training strategy and plan for managers and staff who have responsibilities under the BCP Program.

Management Action Plan and Completion Date

In consultation with Human Resources Branch (HRB), a reference to the purpose of BCPs has been included in the Online Security Awareness Training package, together with a reference directing employees to seek their managers' direction on specific questions related to BCPs. Similar information on the BCP Program will also be included in the Online Security Awareness Training package for managers that will be rolled out in spring 2010.
Completion date: June 2010

Since not all employees are required to receive BCP awareness and training, awareness throughout the Agency is delivered in a tiered approach. It consists of awareness sessions delivered to impacted or involved employees and managers, in joint forums between branches and on an individual basis. In addition, Branch Management Teams are receiving awareness sessions to ensure understanding of the importance of BCPs and of roles and responsibilities. Key individuals within the branches are responsible for providing awareness within their respective branches and regions to those who have responsibilities under the BCP Program.
Completion date: Ongoing

Comptrollership Branch will work with ISTB and Operations Branch to develop a comprehensive training and awareness strategy and plan for employees and managers who have responsibilities under the BCP Program. ISTB will support Comptrollership Branch in its efforts to develop a national training strategy and plan.
Completion date: June 2010

BCP Program Monitoring and Reporting

Management had taken some initial efforts to monitor the performance of the BCP Program. However, information on performance, resource requirements, costs, and schedules to meet key milestones and deal with risks was fragmented across various components. CBSA management would benefit from a more coordinated approach to report on the BCP Program.

Integration of the BCP Program into the Agency's strategic and operational planning framework would enable the identification and commitment of financial and other resources needed to implement and maintain the BCP Program. A monitoring and reporting process would provide information for status updates on the BCP Program and make visible key milestones, variance from program expectations and resource plans, and risks facing the Program. CBSA management requires this information to measure program performance, resource use and success toward achieving expected results.

Comptrollership Branch had the overall accountability for the BCP Program with strong support from ISTB, Operations and other branches with respect to the development, testing and maintenance of plans. Comptrollership Branch had developed a high-level BCP Program work plan for FY 2009/10; the Branch was developing schedule milestone information, and there was limited information on key activities relating to management of the Program. As part of the work plan, the Branch was establishing a capability to evaluate risks, and monitor and report on the performance of the BCP Program.

ISTB had included in its draft FY 2009/10 Operational Plan the goals and objectives for IT continuity, developed performance expectations for its IT continuity management team in 2008/09, and prepared a task list and schedule for development of the plans.

Executive management had discussed and reviewed the BCPs and IT continuity plans on separate occasions. However, they were not provided with the opportunity to discuss the items together to assess the overall picture of the BCP Program and make informed decisions, taking into consideration all the factors.

The costs incurred by the BCP Program were not available. A review of the financial records in the Corporate Administrative System (CAS) indicated that BCP Program budget, costs and time spent were not tracked. Without capturing actual resources used for BCP activities, the Agency is unable to roll up BCP expenditures for planning and reporting purposes. The Audit of Emergency Preparedness included a recommendation that Comptrollership Branch explore the use of CAS to manage and report on the Agency's resources and activities. The management action targeted for March 2009 had not been implemented.

Recommendation

6. The Vice-President of Comptrollership Branch should develop a performance monitoring and reporting framework for the BCP Program and report program results at least annually to the governance committee.

Management Action Plan and Completion Date

A Quality Assurance Program is in place within the BCP Program for monitoring and reporting on BCP Program performance. Ongoing reporting to senior management will take place.
Completion date: Ongoing

In addition, a Program Monitoring and Risk Evaluation Section has been created within the Security and Professional Standards Directorate and is expected to implement comprehensive monitoring, reporting and risk analysis on the Security Program, as well as on BCPs, in the coming year.
Completion date: December 2010


Appendix A: Audit Criteria

Lines of Enquiry and Audit Criteria
1.0 BCP Program Governance and Management

1.1 There is a CBSA BCP policy to apply GSP requirements to new and existing Agency programs and operations.

1.2 The CBSA BCP Program includes all components needed to ensure CBSA compliance with the GSP requirement to develop Information Technology (IT) and Information Management (IM) Continuity plans as part of the Agency's Business Continuity Plans.

1.3 CBSA Management integrates the BCP Program into the Agency's strategic and operational planning framework, ensures compliance with government policy, and commits financial and other resources.

1.4 A BCP communications strategy exists.

2.0 Business Continuity Plans and Arrangements

2.1 Business continuity plans, including IM and IT continuity plans have been developed.

2.2 Completed plans have been approved by senior management.

2.3 Where other departments share delivery of a CBSA critical service, plans of the sharing departments are coordinated.

2.4 Staff are briefed and trained on the plans.

2.5 Criteria used to implement and terminate continuity procedures and arrangements are identified and defined for each plan.

2.6 Alternate sites for all business continuity plans are identified.

2.7 IT recovery strategies are identified to address disruption impacts and allowable outage times in the Business Impact Analysis.

3.0 Maintain BCP Program Readiness

3.1 There is a continuous maintenance and change management process to keep BCP plans and arrangements up-to-date.

3.2 Personnel are knowledgeable and kept informed of their BCP responsibilities through management direction, exercises, or training and awareness programs.

3.3 There is regular testing and validation of all plans, including the preparation of a lessons learned report after testing activities or actual events.


Appendix B: List of Acronyms

Acronym Description
BCP Business Continuity Planning
BCPs Business Continuity Plans
CAS Corporate Administrative System
CBSA Canada Border Services Agency
CobiT Control Objectives for Information and related Technology
CCRA Canada Customs and Revenue Agency
DSO Departmental Security Officer
EMC Executive Management Committee
EPSC Emergency Preparedness and Security Committee
FY Fiscal Year
GSP Government Security Policy
HQ Headquarters
IAD Internal Audit Directorate
IM Information Management
ISTB Innovation, Science and Technology Branch
IT Information Technology
MAF Management Accountability Framework
MOU Memorandum of Understanding
NIST National Institute of Standards and Technology
PGS Policy on Government Security
SIT Service Identification Table
SLA Service Level Agreement
