Cal Maritime and its Auxiliaries follow the CSU Executive Order No. 1014 Business Continuity Program for implementing and maintaining an ongoing program that ensures the continuity of essential functions or operations following a catastrophic event. Cal Maritime will develop, document, test and maintain a Business Continuity Plan. The plan will ensure the continuance of critical campus functions, systems, and services when a disruption to campus operations occurs after a disaster or emergency situation. Cal Maritime's Plan workbook aids with the consistent development of the departmental support plans and is used to document key information within a department in order to ensure the campus' ability to recover from a disruption.
Business Continuity is the ability of an organization to continue operations and services in the face of a disruptive event. It's about understanding, anticipating, and planning for events that threaten our mission, so that Cal Poly Pomona remains viable. Business Continuity is more than just the ability to recover from a disaster; it's the ability to continue operating before, during, and after.
Business continuity planning identifies where we are vulnerable (are our processes too heavily dependent on a specific resource?) and puts alternate plans in place before a disaster. We can cross-train backups now, document our processes now, create backups of critical information now, order extra equipment now, and even create MOUs with other locations to use their facilities in the event we need to relocate. What steps can we take now to better position ourselves to continue.
Cal Maritime's Business Continuity Program is dedicated to preparing the campus to continue its services in the face of disruptive events. To accomplish this effectively, we are committed to assisting the campus in understanding, anticipating, and planning for events that threaten the campus' mission, so that Cal Maritime remains viable.
The Business Continuity Program's Strategic Plan includes:
Campus-level planning and departmental planning
One planning process appropriate for all departments
Prepare campus to continue teaching, conducting research, and carrying out its mission despite adverse events
The goal is readiness, not creating business continuity plans
Total campus participation
Low administrative costs
Provide customers with appropriate resources, training, and user-friendly services
Provide ongoing training, plan testing, and plan maintenance
Emergency Management plans for the protection and survival of individuals, focusing on health and safety. Business Continuity plans for the protection and survival of the university as an organization. Business Continuity is the "now what" that follows a disaster, and is concerned with ensuring that the university is positioned to return to full, normal operations as quickly as possible following an incident.
Think back to the July 29th, 2008 earthquake. Thankfully, emergency planning efforts ensured workplace safety and open communication. But, what if you were told that you could never re-enter your building again? You cannot retrieve any information from your desk or your computer, and you are expected to resume working conditions tomorrow. Where will you physically work if you no longer have workspace? How will you continue working if all of your data is inaccessible? How will you call your staff if all of their home numbers were located on your computer, which you cannot access? Where will your staff report tomorrow morning? The efforts that led you to safety are part of emergency planning. Ensuring your department will be able to resume operations is business continuity planning.
Failure to have an adequate continuity plan could lead to financial disaster, interruptions of academic classes, failure of research projects, delays in completing other mission critical activities, and a reduction in the quality of our university. Getting back to "business as usual" is imperative to protect the students, faculty, and staff that make the business of Cal Maritime so successful.
Business Continuity Planning includes all threats to an organization whether long-term, short-term, isolated, or campus wide. Attempting to identify and plan for each instance is nearly impossible so we have categorized four general scenarios to plan for:
Loss of Facilities and/or Equipment
Loss of Physical Data and/or Information Technology
Loss of People
Loss of Energy (water, electricity, gas)
How Can We Prepare?
Completing a business continuity plan using Department Business Continuity Plan is an excellent first step in the planning process. Because our core activities of teaching, research, and services are performed at the department level, arrangements and procedures enabling each department (or unit) to quickly respond to an event and return to performing its Critical Functions Guidelines must be documented.
To begin identifying your department's functions, consider the following questions:
What activities are normally performed by your department or unit?
In summary, what does your unit do?
What action words accurately describe the purpose for your department?
Your department performs various operations. What is provided to the campus as a result?
In the context of business continuity planning, a critical function may be defined as a collection of activities normally performed by your unit that must resume during the first 30 days, or sooner, following a disruption in service.
A critical function:
enables the University to provide vital services, maintain the safety and well being of the campus community, ensure continuity of administration, and/or protect the University's assets
enables teaching or research to continue
A Critical Function is Not a Process
Processes are the steps needed to accomplish a function. For example, the function "provide meals for residents of university housing" is accomplished through the processes of "food buying, food storage, cooking, serving, and cleanup." We focus on major functions because processes are too specific and detailed for our level of planning. Identify the function, not the process.
A Critical Function is Not the Name of an Entire Department
A department is the organization of resources needed to accomplish a function. For example, the function "provide hazardous materials clean up and disposal" is performed by the Environmental Health & Safety Department. This is only one function of the department, and this function has been identified as critical. Because the focus is on continuing a specific function of the department, "Environmental Health and Safety" cannot be listed as the critical function.
A Critical Function is Not an Object
Functions are the activities performed by a department or unit. For example, "protective equipment" is not an activity; it is an object. When listing critical functions, identify the action (verb) associated with the object. In this example, the action is "provide" and the critical function is "providing protective equipment".
Levels of Criticality
Critical 1: Must be continued at normal or increased service load. Cannot pause. Necessary to life, health, security. (Examples: hazardous materials cleanup, police services)
Critical 2: Must be continued if at all possible, perhaps at reduced capacity. Pausing completely will have grave consequences. (Examples: purchasing, functioning of data networks, at-risk research)
Critical 3: May pause if forced to do so, but must resume in 30 days or sooner. (Examples: classroom instruction, research, payroll, student advising)
Deferrable: May pause; resume when conditions permit. (Examples: solicit new grant opportunities, routine building maintenance, training, marketing)
Determine the departmental, operational unit or division Business Continuity Analyst who is available to discuss specific planning for your department, answer questions, and assist with completing your business continuity plan.
Review Tips for Effective Business Continuity Planning and complete , our Department Business Continity Plan packet.
Things to Consider:
Your plan will need to review details on:
Operating in an Alternate Location: Where specifically will you go? What resources (equipment, staff, etc.) will you need when you get there? How have you ensured those resources will be available when you need them? Can you create an MOU for an alternate facility? Can you establish a contract for the replacement of minimum equipment or purchase extra equipment in advance and store it off-site?
Continuing without the Data Network: How, specifically, will you carry out each critical function without IT? If you didn't have PeopleSoft? If you didn't have email or computer access? If you couldn't process credit card transactions? Describe how this function will be performed manually (i.e. create forms for manual processing and perform data entry when network is recovered).
Communication: How do you plan to communicate with staff if CPP email is down (creating free, alternate non-CPP email accounts for your department is a great backup plan)? How will you communicate relocation plans? How will you communicate with each other if you are working from home (can you establish a discussion board or group email account)? How will you communicate special circumstances with vendors and/or the campus community (ex. you can post special instructions on department website, but can this be performed from home)?
Continuing with a Reduced Workforce: If 50% of your staff was unavailable, how, specifically, would each function continue? If performing your department's critical functions requires possession of a special skill, license, or certification (ex. physician, police officer, animal trainer), and this staff is unavailable, how will you continue (can you create MOUs with other universities and/or departments who employ individuals with the required skill set)?
Line of Succession and Delegation of Authority: Who can make on-the-spot decisions for your department? Who is the backup? What policy exceptions might you need to continue operating and who can grant them?
Continuing Instruction and Research (for Academic Departments): How will instruction continue? Where will classes be held if usual space is not available, and who makes this decision? How will student information (roster, contact information, etc.) be obtained without the data network? How will online instruction continue without the data network, and how will you contact the students to communicate your alternate plan to proceed? Can Faculty establish alternate, non-CPP email or virtual classroom environments as a backup measure? How will students be notified if classroom is relocated or if online instruction in unavailable? How will research continue if the lab or data network is unavailable? Can grades be submitted without the data network? If so, describe the process (who grades are manually submitted to, etc).
Special Considerations: Do you store pharmaceuticals or other items that require refrigeration and/or storage within a controlled climate? In the event of a power outage, alternate storage of these items must be thought through and incorporated into your plan.
Departmental review. Put your draft plan through your department's customary process for review, changes, and approval.
Communicate your plan to your staff. Distribute your plan document (electronic or printed) to your leaders/managers, and communicate the essentials of your plan to all of your faculty and staff.
Exercise your plan. Business Continuity Plans should be exercised on an annual basis, or more frequently as needed. The Business Continuity Analyst will assist you with designing exercises to familiarize your department's staff members with their roles and responsibilities as outlined in your plan. Plan testing also helps to ensure that systems and equipment are maintained in a constant state of readiness.
Business Continuity Plans should be reviewed at least annually and updated as frequently as needed. Changes to your operating procedures, processes, and key personnel should be reflected in your Business Continuity Plan as they occur.
Kuali Ready is an on line Business Continuity Planning tool that many Campuses in the CSU-Systemwide utilizes. Cal Maritime does not currently carry a subscription to this software program, but the core process of capturing information to prepare for business interruption is the same.
Sample IT Continuity Plans by Kuali Ready
Instructions to fill-out : Information Technology Section in Kuali Ready
IT Criticality Levels
a) Criticality1: Systems related to vital functions which cannot pause for more than 4 hours due to their direct effect on the university populous (students, faculty, staff, visitors, surrounding community) in terms of loss of life, personal injury, loss of property and/or security.
b) Criticality2: Systems related to key functions which are to be restored within 7 days. These functions include Education, Research and Business Support services. Education and Research- Activities which are critical to carrying out and/or directly support the academic mission of the university. Business Support- Services that are central to the university to maintain necessary business operations, safeguard assets and if not restored will lead to financial and/or reputational loss to the university.
c) Criticality3: Systems related functions that can endure a pause, but should be recovered within a period not to exceed 30 days. These functions are NOT mission critical to the university's immediate recovery following an incident.
d) Criticality4/Deferrable: Systems that are not needed for the daily operations of the university and do not require restoration within the first 30 days following an incident.
Instructions to fill-out: Information Technology Section - How to Restart / Recovery Strategies
Question 1: Where will you quickly purchase new workstations, servers, or other hardware?
Response: If your workstations, servers or other hardware are funded or supported by the Division of Information Technology (Central IT), you will contact the Emergency Operations Center / Division of Information Technology in the event of a disaster regarding your hardware needs.
Question 2: When your support technicians rebuild your workstations or servers in the new location (on the new hardware), where will they find the systems software, applications software, and related documentation that they will need?
Response: If your workstations, servers or other hardware are funded or supported by the Division of Information Technology (Central IT), the Division of Information Technology maintains system software, application software and related documentation & licenses. Additionally, the Division of Information Technology is in the process of evaluating/purchasing a cloud-based product, which will store and capture images of desktop computers to assist in the recovery of computers.
Question 3 Does your IT equipment have any environmental requirements (air conditioning, high power consumption, unusual physical security, etc.?)
Response: If your workstations, servers or other hardware are funded or supported by the Division of Information Technology (Central IT), the Division of Information Technology will be responsible for identifying and planning for any specialized environment requirements as part of DR planning with facilities management and Emergency Operations Center.
Question 4: Will your technical support staff be adequate in numbers & skills to rebuild your systems quickly? Will they be available? Do they have other clients to serve?
Response: If your workstations, servers or other hardware are funded or supported by the Division of Information Technology (Central IT), the criticality ratings will be used to prioritize recovery and staff deployment. The campus Emergency Operations Center overall prioritizes the campus needs and resources in the event of a disaster.
Question 5: Are there any other obstacles that could hinder the quick re-establishment of your critical IT services?
Response: The Division of Information Technology documents a Disaster Recovery Plan and tests on a periodic basis. The Division of Information Technology will work closely with Institutional Risk Management and the Emergency Operations Center to prioritize and restore critical IT services.
Question 6: Visualize now a flu pandemic. If all staff were requested to work from home (where possible) for a couple of months to minimize contagion, what would you have to do to enable & support their IT? (Presume the users all have adequate computers at home, plus broadband connections.) Be specific, and estimate how long it would take to get them set up & running.
Response: The Division of Information Technology will provide capacity planning for remote connectivity to campus, including VPN and multifactor authentication for critical/sensitive system.
Question 7: When IT systems become unavailable for an extended time, people use workarounds – paper forms to gather data, snail-mail, chalkboard instead of PowerPoint. In the collection of IT applications & systems that you support, are there any that could not somehow be "worked around" for a few weeks or months? Explain.
Response: ‘Rephrasing this question for better understanding'
Instructions to be added to Kuali Ready: When IT systems become unavailable for an extended time (weeks or months), whether supported by the Division of Information Technology or your department,