Canadian Space Agency

Audit report

Auditing of Business Continuity Planning
Project # 08/09 01-02

prepared by the
Audit and Evaluation Directorate

January 2009


1.0 Summary

1.1 Audit Objective

The objective of this audit is to evaluate the compliance of the business continuity planning program (BCPP) intended to maintain essential operations in the event of a disaster at the Canadian Space Agency (CSA).

1.2 Audit Opinion

In our opinion, the BCPP compliance has moderate issues requiring management focus.

1.3 Statement of Assurance

In my professional judgment as Chief Audit and Evaluation Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time of the audit, against pre-established audit criteria, and is only applicable to the particular entity examined. The evidence was gathered in compliance with Treasury Board policy, directives and standards for internal audit. The evidence has been gathered to be sufficient to provide senior management with the proof of the opinion derived from the internal audit.

1.4 Summary of Recommendations

The Security and Facilities Directorate is responsible for directing and coordinating CSA's BCPP in accordance with the Government Security Policy (GSP) and Operational Security Standard (OSS) of the Treasury Board Secretariat (TBS). However, it must also obtain the co-operation of members and replacements of the corporate coordination cell (CCC) and external stakeholders so that action can be taken more efficiently and business continuity plans (BCPs) quickly invoked in the event of a disaster. Having a BCP in effect enhances CSA's image in the eyes of its staff and its local and international clientele.

In general, our audit showed that the governance framework and business impact analysis (BIA) are in accordance with the Treasury Board Secretariat's GSP and OSS.

Moreover, following our review of the compliance of the BCPP intended to maintain essential operations in the event of a disaster at CSA, we recommend that CSA

  • finalize the corporate policy on the BCPP and have it approved by senior management;

  • ensure that the corporate policy is properly promulgated and understood by CCC members and replacements and that Agency staff are made aware of it;

  • ensure the designation of CCC replacements is completed and have it approved by senior management, and see to it that the Corporate Business Continuity Plan (CBCP) is updated periodically;

  • finalize the communication plan by entering contact information for internal and external stakeholders;

  • organize periodic BCP training sessions for all CCC members and replacements;

  • ensure BCPs are finalized by the sectors concerned and that certain elements, such as maintenance of essential operations and business resumption, are included in each BCP in accordance with the Treasury Board Secretariat's OSS, and have these approved by senior management; and

  • ensure that a maintenance cycle for all BCPP preparatory plans, including the analytical report on lessons learned from the trial runs, is available and is validated and updated.

Signature of the Chief Audit and Evaluation Executive

Original signed by Jean-Guy Desrosiers

_________________________________________

Audit team member

Jimmy Cheung


2.0 Audit Report

2.1 Background

The mission of the CSA is to promote the peaceful use and development of space, to advance the knowledge of space through science, and to ensure that space science and technology provide social and economic benefits for Canadians.

CSA conducts most of its activities from the Space Centre in Saint-Hubert. It also has offices in Ottawa and Houston, Texas, and representatives operating from the Canadian embassies in Washington, DC, and Paris. It controls satellites from the Space Centre in Saint-Hubert, providing images to federal and provincial departments in Canada as well as international clients.

It also operates a control centre to support the space missions that use the International Space Station's Mobile Servicing System. That control centre also serves as a backup in case NASA's control centre in Houston should go down during missions to the Space Station. Finally, it manages a world-class laboratory in the Ottawa area that is able to test Canadian or foreign spacecraft.

Business Continuity Planning

The TBS has issued a government-wide GSP that requires critical services and the associated supplies to remain available to ensure Canadians' health, safety, security and economic well-being as well as the effective functioning of the government in the event of a disruption of services, such as during a natural disaster.

Under this policy, departments are required to draw up a BCPP in accordance with the Treasury Board Secretariat's OSS.

Treasury Board Secretariat Definition of a Critical Service

According to the definition in the Treasury Board Secretariat's GSP, a critical service is one whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the efficient functioning of the Government of Canada.

A "high degree of injury" means severe harm related to the provision of sustenance (e.g., food, water, shelter, energy), public order, emergency care and response, a life-sustaining environment, vital communications and transportation, fundamental economic services, continuity of government and territorial integrity, and sovereignty.

Business Impact Analysis

In developing its BCPP, CSA did not identify any qualifying critical services, as defined in the Treasury Board Secretariat's GSP, in the BIA dated February 5, 2007. However, CSA did deem three operations critical in the furtherance of CSA's mission, though they did not qualify as critical services: satellite control, under the auspices of Satellite Operations; the Mobile Servicing System, under the auspices of Operations Engineering; and the David Florida Laboratory. Consequently, these operations should be managed under a BCP with the coordination of all CCC members and replacements so that action can be taken as efficiently as possible and BCPs quickly invoked in the event of a disaster. Having a BCP in effect enhances CSA's image in the eyes of its staff and its local and international clientele.

2.2 Audit Objectives, Scope and Approach

The objective of this audit was to evaluate the compliance of the BCPP intended to maintain essential operations in the event of a disaster at the CSA.

The audit was concerned with the BCPP completed in March 2007. We likewise reviewed two BCP drafts for the Mobile Servicing System and satellite control, dated March and April 2007 respectively.

Various audit processes were employed, including staff interviews and reviews and analyses of documents and records. Audit criteria were set through a review of the Treasury Board Secretariat's GSP and OSS.

2.3 Findings, Recommendations and Management Response

2.3.1 Governance Framework

The Security and Facilities Directorate is responsible for directing and coordinating the Agency's BCPP in accordance with the Treasury Board Secretariat's GSP and OSS. Hence, we expected to find a governance framework in place that includes the following main elements:

  • a corporate BCPP policy approved by senior management;

  • a commitment by senior management to implement the BCPP;

  • an approved governance structure for the BCPP;

  • defined roles and responsibilities for CCC members and replacements; and

  • periodic updating of the CBCP.

In general, management has set up a governance framework in accordance with the Treasury Board Secretariat's policy and standard, based on prudent development under the BCPP. Our review showed that most of the elements required by the Treasury Board Secretariat's OSS were included in the CBCP dated March 2007.

However, we want to point out certain findings that require management attention.

Corporate Policy

CSA should draw up a corporate policy on the BCPP, with senior management approval, that meets the requirements of the Treasury Board Secretariat's GSP and OSS. The corporate policy will also serve to bring consistency to BCP authorization and activation authorities and set out the Program's key responsibilities and its links to other emergency plans already in place. CSA should also ensure that the corporate policy is properly promulgated and understood by CCC members and replacements and that Agency staff are made aware of it.

Our audit revealed that the corporate policy on the BCPP has remained unfinalized since March 2008. The Departmental Security Officer (DSO) has advised us that the failure to complete the policy is due to a lack of staff.

Recommendation

The Security and Facilities Directorate should

i) finalize the corporate policy on the BCPP in accordance with the Treasury Board Secretariat's GSP and OSS and have it approved by senior management; and

ii) ensure that the corporate BCPP policy is properly promulgated and understood by CCC members and replacements and that CSA staff are made aware of it.

Management Response

We agree with the recommendations.

Governance Structure

The aim of the governance structure is, among other things, to define the roles and responsibilities in the CBCP of CCC members and replacements so that they can more efficiently take action in the event of a disaster. Periodic BCP training sessions should be held for all CCC members and replacements. In addition, the communication plan should include contact information for internal and external stakeholders. The CBCP should be updated periodically.

Our audit brought to light the lack of certain elements in the governance structure, such as designated CCC replacements, contact information for internal and external stakeholders, and a means of updating the CBCP so that action can be taken more efficiently in the event of a disaster.

Moreover, we found that members had not received regular BCP training, though they had attended two meetings to discuss, in particular, their BCP roles and responsibilities. It should be noted that the Senior Officer Security Services recently attended BCP training sessions.

Recommendation

The Security and Facilities Directorate should

iii) ensure the designation of CCC replacements is completed and have it approved by senior management. In addition, care should be taken to update the CBCP periodically;

iv) finalize the communication plan by entering contact information for internal and external stakeholders; and

v) organize periodic BCP training sessions for all CCC members and replacements.

Management Response

We agree with the recommendations.

2.3.2 Available, Validated and Updated Plans

We expected to find available, validated and updated plans that include the following main elements:

  • a BIA approved by senior management;

  • a BCP for each of the critical services identified; and

  • a maintenance cycle for all plans.

Management has prepared a BIA in accordance with the Treasury Board Secretariat's GSP and OSS. It should be noted that neither BCPs nor their maintenance cycles are required, since CSA does not provide any qualifying critical services as defined by the Treasury Board Secretariat's GSP.

However, we want to draw attention to certain findings and make management aware that three essential operations have been identified that support the promotion of CSA's mission.

Business Continuity Plan

In the BIA dated February 5, 2007, CSA did not identify any qualifying critical services as defined in the Treasury Board Secretariat's GSP. However, as mentioned previously, CSA did deem three operations essential. Consequently, a BCP should be developed for each critical service identified and approved by senior management. The BCP should describe in detail the ways and means, including a recovery strategy, of ensuring the continuity of critical services in accordance with the Treasury Board Secretariat's GSP and OSS and of quickly invoking the BCP in the event of a disaster. CSA should also develop a maintenance cycle for all BCPP preparatory plans, including an analytical report on lessons learned from the trial runs.

Our audit revealed that the BCPs for satellite control, under the auspices of Satellite Operations, and for the Mobile Servicing System, under the auspices of Operations Engineering, had not been finalized, in particular as regards a recovery strategy, and that there was no BCP whatever for the David Florida Laboratory. It should be noted that certain emergency measures for the maintenance of critical services are in place, but they are not recorded in detail in each BCP. Moreover, no maintenance cycle has been developed for all BCPP preparatory plans, including an analytical report on lessons learned from the trial runs.

Recommendations

The Security and Facilities Directorate should

i) ensure the BCPs for satellite control and the Mobile Servicing System are finalized by the sectors concerned under the direction and coordination of the DSO;

ii) ensure a BCP for the David Florida Laboratory is developed and finalized by the sector concerned under the direction and coordination of the DSO;

iii) ensure that certain elements, such as maintenance of essential operations and business resumption, are included in each BCP in accordance with the Treasury Board Secretariat's GSP and OSS, and have these approved by senior management; and

iv) ensure that a maintenance cycle for all BCPP preparatory plans, including the analytical report on lessons learned from the trial runs, is available and is validated and updated.

Management Response

We agree with the recommendations.


Appendix 1 - Management Action Plan

2.3.1 Governance framework

Ref.: i)
Recommendation: The Security and Facilities Directorate should finalize the corporate policy on the BCPP in accordance with the Treasury Board Secretariat's GSP and OSS and have it approved by senior management.
Responsibility Identified: Security and Facilities Directorate (Organization); DSO (Function)
Details of Action Plan: The corporate policy will be finalized and submitted to senior management for approval.
Timetable: 2010/03/31

Ref.: ii)
Recommendation: The Security and Facilities Directorate should ensure that the corporate BCPP policy is properly promulgated and understood by CCC members and replacements and that CSA staff are made aware of it.
Responsibility Identified: Security and Facilities Directorate (Organization); DSO (Function)
Details of Action Plan: Awareness sessions will be held with the CCC as well as with CSA staff after the policy is approved.
Timetable: 2011/03/31

Ref.: iii)
Recommendation: The Security and Facilities Directorate should ensure the designation of CCC replacements is completed and have it approved by senior management. In addition, care should be taken to update the CBCP periodically.
Responsibility Identified: Security and Facilities Directorate (Organization); DSO (Function)
Details of Action Plan and Timetable:

  • The Security and Facilities Directorate will co-ordinate the designation of replacements on the CCC and request their approval by senior management. Timetable: 2010/03/31

  • The Security and Facilities Directorate plans to update the CBCP every three months and/or as required. Timetable: Continuous after 2010/03/31

Ref.: iv)
Recommendation: The Security and Facilities Directorate should finalize the communication plan by entering contact information for internal and external stakeholders.
Responsibility Identified: Security and Facilities Directorate (Organization); DSO (Function)
Details of Action Plan: The Security and Facilities Directorate plans to finalize the communication plan once the policy is approved.
Timetable: 2011/03/31

Ref.: v)
Recommendation: The Security and Facilities Directorate should organize periodic BCP training sessions for all CCC members and replacements.
Responsibility Identified: Security and Facilities Directorate (Organization); DSO (Function)
Details of Action Plan: Periodic training sessions will be required once the CBCP is approved by senior management.
Timetable: Periodic, beginning in 2010/2011

2.3.2 Available, validated and updated plans

Ref.: i)
Recommendation: The Security and Facilities Directorate should ensure the BCPs for satellite control and the Mobile Servicing System are finalized by the sectors concerned under the direction and coordination of the DSO.
Responsibility Identified:

  • Security and Facilities Directorate (Organization); DSO (Function)

  • Satellite Operation Directorate (Organization); Director General (Function)

  • Operation Engineering Directorate (Organization); Director General (Function)

Details of Action Plan: The Security and Facilities Directorate will co-ordinate activities and will assist directorates to develop BCPs for satellite control under the auspices of Satellite Operations and the Mobile Servicing System under the auspices of Operations Engineering, but responsibility for finalizing BCPs remains with the directorates concerned.
Timetable: 2010/03/31

Ref.: ii)
Recommendation: The Security and Facilities Directorate should ensure a BCP for the David Florida Laboratory is developed and finalized by the sector concerned under the direction and coordination of the DSO.
Responsibility Identified:

  • Security and Facilities Directorate (Organization); DSO (Function)

  • David Florida Laboratory Directorate (Organization); Director General (Function)

Details of Action Plan: The Security and Facilities Directorate will co-ordinate activities and will assist David Florida Laboratory management to develop its BCP, but responsibility for drawing up and finalizing the BCP remains with the directorate concerned.
Timetable: 2010/03/31

Ref.: iii)
Recommendation: The Security and Facilities Directorate should ensure that certain elements, such as maintenance of essential operations and business resumption, are included in each BCP in accordance with the Treasury Board Secretariat's GSP and OSS, and have these approved by senior management.
Responsibility Identified: Security and Facilities Directorate (Organization); DSO (Function)
Details of Action Plan: The Security and Facilities Directorate will co-ordinate the contents of BCPs so that they all contain the elements required by the GSP and its standards. The Security and Facilities Directorate will co-ordinate the approval of the various plans by senior management.
Timetable: Continuously after CBCP approval, expected by 2010/03/31

Ref.: iv)
Recommendation: The Security and Facilities Directorate should ensure that a maintenance cycle for all BCPP preparatory plans, including the analytical report on lessons learned from the trial runs, is available and is validated and updated.
Responsibility Identified: Security and Facilities Directorate (Organization); DSO (Function)
Details of Action Plan: In accordance with the GSP, the Security and Facilities Directorate will ensure that a maintenance cycle for all BCPP preparatory plans, including the analytical report on lessons learned from the trial runs, is available and is validated and updated.
Timetable: Continuously after CBCP approval, expected by 2010/03/31


Appendix 2 - List of Acronyms

BCP     Business Continuity Plan
BCPP    Business Continuity Planning Program
BIA     Business Impact Analysis
CBCP    Corporate Business Continuity Plan
CCC     Corporate Coordination Cell
CSA     Canadian Space Agency
DSO     Departmental Security Officer
GSP     Government Security Policy
NASA    National Aeronautics and Space Administration
OSS     Operational Security Standard
TBS     Treasury Board Secretariat