CEI 2.3 ICT Services Continuity Plan

1. Scope of these instructions

These Chief Executive Instructions (CEI) outline the Department of Agriculture, Fisheries and Forestry's (department) approach to information and communication technology (ICT) services continuity planning.

The ICT services continuity planning aims to ensure that information systems can be recovered, in the event of a disruption, within the maximum allowable outage times identified for specific critical departmental services.

2. Policy principles

• ICT continuity planning must be undertaken to enable the continued provision of critical services and the restoration of computer services in the event of a non-routine disruption to computer services.
• The requirement for an ICT continuity plan applies to all computer and communication installations.

3. Target audience

This CEI is applicable to all officials (as defined in the 'Definitions' section) in the department.

4. Departmental instructions

4.1. Responsibilities

Executive Management Team (EMT) must:

• review and monitor the department's critical functions, the business continuity framework and ensure that the business continuity strategies are implemented.

Risk management audit committee must:

• provide advice on whether DAFF has in place a comprehensive business continuity plan and strategy.

Chief Information Officer must:

• ensure the ICT continuity plan is in place for the department
• review the plan as necessary following an ICT incident or at least once per year
• advise the EMT and provide regular updates on the effects on operational functionality of ICT services when an incident occurs
• act as the ICT Critical Incident Manager as specified in the plan
• act as the ICT Incident Response Team Leader as specified in the plan
• in the event of an incident, manage, control and coordinate the recovery of ICT services that support the department's critical business functions.

Executive managers and directors must:

• appoint divisional ICT system owners for their critical business information systems and ensure the implementation of business continuity strategies for key business processes.

Divisional system owners must:

• undertake the development and readiness testing of divisional ICT services continuity strategies and procedures for their systems
• ensure divisional business continuity plans are regularly exercised, reviewed and updated
• coordinate divisional responses and report to the ICT Critical Incident Manager on divisional operational issues in the event of a significant ICT business disruption.

Officials must:

• carry responsibility for the identification and management of risk that impact on their work areas as it relates to business continuity
• recognise, communicate and respond to expected, emerging or changing risks and contribute to the development and implementation of business continuity treatments in their area of responsibility.

4.2. Reporting

• The Chief Information Officer must report to the EMT on the implementation of the ICT Services Continuity Plan.
• All delegations and associated limitations will be recorded in i-Delegate.

5. Breaches

• Officials are bound by section 13 of the Public Service Act 1999 (the PS Act Code of Conduct) and section 44 of the Financial Management and Accountability Act 1997 (FMA Act) to use Commonwealth resources in an efficient, effective and ethical manner. Officials who do not comply with this CEI may be found to be in breach of these provisions and sanctions may apply.

6. References

6.1. Legislation

• Financial Management and Accountability Act 1997
• Public Service Act 1999

6.2. Internal guidance/instruction

• ICT Services Continuity Plan

6.3. External guidance/instruction

• Finance Circular 2011/05 – Chief Executive's Instructions
• ANAO Better Practice Guide – Business Continuity Management – Building resilience in public sector entities – 4 June 2009

6.4. Related CEIs

• CEI 2.1 – Risk Management
• CEI 2.2 – Business Continuity

7. Definitions and Acronyms

Change History