- 1. Service Continuity Planning TakingITto the Next Level
September 11, 2007 Infotech Consulting
2. Statistics Disaster recovery, security, and replacing
existing systems are priorities.For 2007 technology-related themes,
61% of our government respondents list significant upgrades of
their disaster recovery capabilities as either a priority or a
critical priority. Fifty-four percent say that upgrading their
organization's security environment is important, and 51% tell us
that replacing or upgrading existing application systems are
importantForrester , April 2007 3. Key Consideration
- There are a number of industry best practice frameworks that
exist for organizations to use when addressing IT continuity
management including:
-
- National Institute of Standards (NIST);
-
- National Fire Protection Association (NFPA);
-
- Disaster Recovery International (DRI);
-
- International Standards Organization (ISO).
- Infotech believes that the best framework for organizations to
utilize is the Information Technology Infrastructure Library (ITIL)
/ ISO 20000. This framework allows organizations the most
flexibility in the implementation and management of a robust
service continuity program.
4. Drivers for Adopting Standards 5. ITSCM
- ITIL defines IT Service Continuity Management (ITSCM) as:
-
- The goal for ITSCM is to support the overall Business
Continuity Management process by ensuring that the required IT
technical and services facilities (including computer systems,
networks, applications, telecommunications, technical support and
service desk) can be recovered within required, and agreed,
business timescales.
- In the broadest terms, ITSCM is defined in terms of business
processes to be covered and their IT support requirements (e.g.
systems, networks, communications, support staff skills, data and
documentation, etc.) and risks that need to be addressed.
6. ITIL Source: Office of Government Commerce Service Support
Service Delivery Security Management The Business Perspective ICT
Infrastructure Management Planning to Implement Service Management
Applications Management The Business The Technology 7. ITIL Service
Delivery * Office of Government Commerce (OGC) 8. The Complete
Service Continuity Lifecycle Phase 2 Requirements and Strategy
Implementation Organization and Implementation Planning Implement
Stand-by Requirements Develop Recovery Plans Implement Risk
Reduction Measures Phase 3 Phase 4 Operational Management Develop
Procedures ProjectKickoff Initial Testing Review and Audit Testing
Change Management Training Education and Awareness Assurance
Business Impact Analysis (BIA) Risk Assessment Service Continuity
Strategy Phase 1 Initiate 9. Where doYOUStart ? Requirements and
Strategy Business Impact Analysis (BIA) Risk Assessment Service
Continuity Strategy Define Your Requirements Define How To Achieve
Them 10. Where doYOUstart?
-
- If your home was on fire, in what order would you begin to
remove the following items from harms way?
-
-
- Lock box with identification and bank information;
-
-
- Mr. Squiggles the Hamster;
-
-
- The complete box set of the I Love Lucy show;
11. How doYOUorganize this?
- Youwalk through your house and create an inventory of your
personal items;
- Youthink through the possible disaster scenarios (e.g. fire,
flood, wind damage, security breach, etc.); that could occur and
define their likelihood of occurrence (e.g. flood threat is high,
located next to a river.);
- Youprioritize, rationalize and assign a criticality to your
items;
- Youthink throughreasonablesolutions based on the criticality
and the recovery time requirements of each individual item;
- Youidentify the elements and the associated costs required to
implement these solutions.
12. What doYOUget?An Actionable Plan 13. Your County Context
- Administration files and records;
- Human Resources and Payroll Systems;
- Internet Accessible and Electronic Commerce Systems ;
- Local and Wide Area Networks.
14. Requirements and Strategy: Business Impact Analysis
- Business Impact Analysis:
-
- This is a key driver for identifying how much the organization
stands to lose as a result of a disaster or other service
disruption. The BIA identifies:
-
-
- Critical Business Processes and the levels of integration
between them;
-
-
- The form that the damage or loss may take including lost
income, additional costs, damaged reputation, etc.;
-
-
- The degree of damage or loss as time progresses;
-
-
- Staffing, skills, facilities and services required to enable
critical and essential business processes to continue;
-
-
- The time within which minimum and maximum levels of services
should be recovered;
-
-
- The time within which all required business processes should be
fully recovered.
-
- These inputs allow for a mapping of critical service,
application and infrastructure components to critical business
processes.
15. Requirements and Strategy: Risk Assessment
-
- Understanding the likelihood that a disaster or other service
disruption will actually occur. The Risk Assessment
identifies:
-
-
- Risks to particular services or processes;
-
-
- Threat and vulnerability levels (e.g. motivation, available
resources, single points of failure);
-
-
- Initial risk reduction measures.
-
- Failure to assess all relevant risks leaves the organization
open to possible disruptions;
-
- These inputs allow for a foundational understanding of risks
and potential risk reduction measures across the entire
infrastructure.
16. Requirements and Strategy: Service Continuity Strategy
- Service Continuity Strategy
-
- Defining the appropriate risk reduction measures and continuity
of operations plan:
-
-
- Address availability management options including the
elimination of single points of failure;
-
-
- Considerations around outsourcing services to more than one
provider;
-
-
- Greater security controls;
-
-
- Appropriate backup and recovery tools and methodologies;
-
- Further defined recovery options:
-
- The plan provides for a balance between the cost of risk
reduction measures and recovery options.
17. Tools
- Business Impact Analysis Document
-
- Documents the mission critical processes that are supported by
the current Information Systems, the level of disruption
experienced in the event of a disaster and the overall recovery
time requirements. These elements assist in defining the
appropriate strategies for system recovery and resumption purposes.
In addition, this document will identify the threats, risks and
likelihood of a serious disruption to services.
-
- This model provides the organization with a graphical
representation of the identified threats and vulnerabilities
including the likelihood of occurrence. This assists in obtaining
buy in from the organization in terms of setting priority and
criticality to affected systems as well as the priority of
remediation activities.
-
- The Service Continuity Plan defines the most appropriate
methods of service recovery options and risk reduction measures. In
addition, cost estimates, levels of efforts,and defined roles and
responsibilities to execute are defined to implement the
appropriate solutions.
- Service Continuity Kick Start Templates
-
- Business Impact Analysis approach for future assessments;
-
- Systems documentation template;
-
- Communication Plans (notification procedures);
-
- Roles and responsibilities template;
18. Key ActivitiesBusiness Impact Analysis (BIA) Risk Assessment
Service Continuity Strategy
- High Level overall ITIL and ISO 17799 assessments;
- Execute Systems Inventory;
- Interviews with Key IT Personnel;Application Owners and
Business Administrators;
- Document findings, requirements.
Project Kick Off
- Review project scope, work plan and charter;
- Identify key personnel, roles and responsibilities.
- Facilitated risk review meeting with Organization
Stakeholders;
- Develop preliminary list of risk reduction measures.
- Develop risk reduction and recovery options for appropriate
systems or IT processes;
- Review strategy with Organization Stakeholders;
- Review appropriate Kick Start templates with Organization IT
personnel.
19. Sample Tools Outage Impacts and Allowable Outage Times
Recovery Priority Business Impact Analysis Components 20. Sample
Tools Impact Time 1 day 2 days 1 week 2 days 1 Month Very High High
Medium Low Very Low Email Impact by length of disruption Graph
Vulnerability Threat High Medium Low High Medium Low Risk
Measurement Table Risk weighting and prioritization basedon threats
and likelihood of occurrence Business Impact Analysis Components
ERP Line of Business Web Site Custom SQL e Commerce 21. Sample
Tools Business Impact Analysis Components 22. Sample Tools Service
Continuity Strategy Components 23. Typical Supporting Materials and
Tools
- The following documentation and / or materials are being
requested in advance to the start of the engagement:
-
- Organizational roles and responsibilities;
-
- Policies, procedures, standards, and guidelines;
-
- General network and system documentation;
-
- System inventories by network segment including
criticality;
-
- Prior security assessment findings;
-
- Disaster recovery invocation procedures (with decision
tree);
-
- Application inventory with criticality;
-
- Backup and Recovery plans per application or service;
-
- Recovery testing procedures and most recent testing
results;
24.
25. Contact
- Director, Security and Infrastructure Practice
26.