| Reference: 01.21-32.45 | Version: 1.2 | Effective Date: Dec 20, 2018 | Revision Date: July 20, 2021 |
| Title: Mortgage Planners – Business Continuity Management Policy |
| DOMAIN: BUSINESS CONTINUITY | DOCUMENT TYPE: SECURITY POLICY |
| SECTION: SECURITY & COMPLIANCE |
Mortgage Planners
1 INTRODUCTION
This document was developed by TCPCOM Inc. and defines the requirements related to the “Business Continuity Management policy (BCM)” applicable to Mortgage Planners.
2 GENERAL INFORMATION
2.1 Revision History
| Version | Date | Summary | Prepared by |
| 1.0 | 2018-12-08 | Initial version | Marc-Andre Heroux |
| 1.1 | 2019-01-23 | Update Security Risk | Marc-Andre Heroux |
| 1.2 | 2021-07-20 | Update Policy Statement | Marc-Andre Heroux |
2.2 Related Documents
| Type | Security Requirements |
| Title | Mortgage Planners – Registry of Security Controls |
2.3 Information Security Responsibility
Senior management is responsible for the enforcement of the security policy. The security officer is responsible for ensuring the proper definition and implementation of the security policy.
3 SECURITY POLICY OBJECTIVE
3.1 Purpose of the Security Policy
Ensure availability of Mortgage Planners infrastructure, services and cyber assets supporting operations and critical processes of Mortgage Planners. Define and adopt controls to reduce the risk of interruption that could have a negative impact on operations, such as an incident related to failures or major disasters (natural, accidental or human error).
3.2 Scope of Security Policy
This policy applies to all employees of Mortgage Planners, service providers and/or employees of third parties performing work related to informational resources of Mortgage Planners.
The scope of cyber assets is as follows: servers and network systems as well as technical security controls and/or utilities supporting business functions and operations.
3.3 Managing Information Security
Senior management must ensure that a senior security officer (CISO, CSO) reviews and defines effective controls. He must also collaborate and validate that controls are in place and properly implemented to limit access to information according to roles, need to know and need to use.
Processes, mechanisms and solutions to prevent the disclosure of information and to maintain the integrity and availability of informational resources must be defined and implemented.
3.4 Breach of Security Policy
An intentional or unintentional violation of policies, procedures, standards or security requirements of Mortgage Planners may be subject to disciplinary action and may result in termination of employment or contract and possibly civil/criminal justice prosecution.
Anyone suspected of a security breach or deviation will be treated fairly, and a full investigation will be conducted to protect their legal rights.
3.5 Exceptions to the Policy
Any exceptions related to this security policy must be approved by the senior management.
4 PRINCIPLES OF BUSINESS CONTINUITY MANAGEMENT (BCM)
4.1 Policy Statement
BCM principles and requirements must be defined, applied, maintained and controlled (e.g., policy, requirements, controls in place and periodically verified).
This includes, without limitation, the establishment of a vulnerability and threat management program, adopting adequate continuity and monitoring controls (including auditing / logging) as well as an incident response process with roles and responsibilities clearly understood and defined.
4.2 Security Risks
Without having clearly defined and implemented BCM principles for the entire scope of the infrastructure supporting Mortgage Planners operations, it could be relatively difficult for the organization to provide uninterrupted services.
Without clear requirements and appropriate controls supporting business continuity, an incident that could have been avoided or quickly resolved could have a serious operational impact on the organization, and even cause commercial and/or legal consequences.
Inappropriately defined or undefined roles regarding business continuity could also lead to an inability to properly maintain the continuity of operations, and lead to an incident and/or cause a disaster.
5 BUSINESS CONTINUITY AND IMPACT ASSESSMENT
5.1 Policy Statement
Risk management activities should be included in architectural documentation, such as architectural decisions, solution designs, risk analyses, etc. Activities and documentation regarding the following subjects must be defined, adopted and implemented: technical requirements, IT strategy, impact of change analysis, disaster recovery and test cases/scenarios.
For significant changes, the potential impact must be analyzed and appropriate controls must be adopted (for example, a recovery plan and a recovery procedure to recover in case of failure related to an unsuccessful change).
5.2 Security Risks
If the risk and impact activities and deliverables are not integrated within the architectural work, a decision and/or a direction could be taken and the implementation of the solution could result in serious failures and/or disruptions of the operations.
Without a plan or an appropriate recovery procedure, it could prove very difficult to recover from the failure of a solution or from an unsuccessful implementation.
