12 Service Continuity Plan

12-1 Service Continuity Policy

Service Continuity (SC) consists of the alignment of Business Continuity Plans (including Emergency Action Plans) and Disaster Recover Plans. CIO SC enhances the operational resilience of CIO organizations, their systems, and processes.

The Service Continuity Plan develops the management and governance framework for Postal Service CIO organizations to prepare for, respond to, and recover from any event that disrupts, or threatens to disrupt, normal operations. This policy is applicable to all CIO Service Partners and Owners (see Chapter 2, Security Roles and Responsibilities).

This policy ensures creation of missing plans (including Postal Service Disaster Recovery (DR) Plans, Business Continuity (BC) Plans, Functional (FF) Plans, and Emergency Action Plans (EAP), as well as review of alignment or augmentation of existing plans, by the CIO organizations as defined and mandated elsewhere in this document (Handbook AS-805) and Management Instruction (MI) AS-280-2018-1, Integrated Emergency Management Supporting Field Business Continuity, (published January 2018).

This policy, its recommendations, and resulting products (plans) are in compliance with the following:

  1. The National Institute of Standards and Technology (NIST) SP 800.34.
  2. Homeland Security Exercise and Evaluation Program (HSEEP).
  3. Postal Service Employee Labor Manual (ELM), 810, Occupational Safety and Health Program; 840, – Safety Awareness Program; and 850, Emergency Action Plans and Fire Prevention and Control.
  4. MI AS-280-2018-1, Integrated Emergency Management Supporting Field Business Continuity.

Specifically, this policy provides for the: identification, prioritization, vetting, and approval of CIO VP High-Value Services (HVS); compliance with Federal and Postal Service standards and guidelines for recovery plan(s) documentation, maintenance (updating), testing, exercising, and evaluation (TT&E); and personnel training.

The CIO SC policy ensures development of all Postal Service CIO organization’s (CIO, Business Services Organization (BSO), Corporate Information Security Office (CISO), Enterprise Analytics (EA), Engineering (ENG), Information Technology (IT), and Mail Entry and Payment Technology (MEPT)) capability to prepare for, respond to, and recover from any event that disrupts, or threatens to disrupt, normal operations which depend on services provided through the CIO organization. The program improves organizational and technology resilience processes and capabilities to ensure critical CIO services continue during and after an incident and applies to all Postal Service functional organizational elements and personnel.

This is achieved through the establishment and implementation of standards and guidelines for CIO SC including emergency management, service continuity and disaster recovery activities, and standards and plans (operational risk). Its focus is based on the identification and prioritization of the CIO’s and VP’s high-value services and their recovery/hardening/resilience through a governance program which ensures maintenance and training on service continuity.

Specifically, through the development, documentation, and implementation of testing, exercising and evaluation processes, and documentation which validate compliance (or noncompliance) to CIO service continuity standards, guidelines, and processes, and effectively address noncompliance and corrective action the developed strategies and plans to sustain functions during a disruption can be practiced.

Service Continuity Management (formerly Business Continuity Management) focuses on resilience. Resiliency is not a process, but rather an end-state for organizations in which the organizations have the ability to quickly adapt and recover from any known or unknown changes to the environment. The goal of a resilient organization is to continue mission essential functions at all times during any type of disruption. Resilient organizations continually work to adapt to changes and risks that can affect their ability to continue critical functions. Risk management, contingency, and continuity planning are individual security and emergency management activities that can also be implemented in a holistic manner across an organization as components of a resiliency program.

Organizations require a suite of plans to prepare themselves for response, continuity, recovery, and resumption of mission/business processes and information systems in the event of a disruption. Each plan has a specific purpose and scope; however, because of the lack of standard definitions for these types of plans, in some cases, the scope of actual plans developed by organizations may vary from the following basic descriptions:

  1. Business Continuity Plan (BCP) is the documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption. https://csrc.nist.gov/glossary/term/business-continuity-plan
  2. Contingency plan normally applies to information systems, and provides the steps needed to recover the operation of all or part of designated information systems at an existing or new location in an emergency.
  3. Emergency Response (ER) Plan serves as a documented, organized process to manage an unexpected or dangerous occurrence and limit negative impact.
  4. Incident Response (IR): IR serves as a documented organized process to manage the aftermath of any incident. The goal is to limit negative consequences of the event.
  5. IT Incident Response Plan (IT-IRP) serves as a process to address the aftermath of any technology event or incident and at a minimum includes: Incident Severity definitions, IT IR Procedure, Contact Information and Communications expectations.
  6. Cyber Incident Response Plan (C-IRP normally focuses on detection, response, and recovery to a computer security incident or event.
  7. Disaster Recovery (DR) Plan defines how work can be resumed after a disaster.