IT Service Continuity PlanningPresentation Transcript
Service Continuity Planning Taking IT to the Next Level… September 11, 2007 Infotech Consulting
Statistics Disaster recovery, security, and replacing existing systems are priorities. For 2007 technology-related themes, 61% of our government respondents list significant upgrades of their disaster recovery capabilities as either a priority or a critical priority. Fifty-four percent say that upgrading their organization's security environment is important, and 51% tell us that replacing or upgrading existing application systems are important Forrester , April 2007
There are a number of industry best practice frameworks that exist for organizations to use when addressing IT continuity management including:
National Institute of Standards (NIST);
National Fire Protection Association (NFPA);
Disaster Recovery International (DRI);
International Standards Organization (ISO).
Infotech believes that the best framework for organizations to utilize is the Information Technology Infrastructure Library (ITIL) / ISO 20000. This framework allows organizations the most flexibility in the implementation and management of a robust service continuity program.
Drivers for Adopting Standards
ITIL defines IT Service Continuity Management (ITSCM) as:
The goal for ITSCM is to support the overall Business Continuity Management process by ensuring that the required IT technical and services facilities (including computer systems, networks, applications, telecommunications, technical support and service desk) can be recovered within required, and agreed, business timescales.
In the broadest terms, ITSCM is defined in terms of business processes to be covered and their IT support requirements (e.g. systems, networks, communications, support staff skills, data and documentation, etc.) and risks that need to be addressed.
ITIL Source: Office of Government Commerce Service Support Service Delivery Security Management The Business Perspective ICT Infrastructure Management Planning to Implement Service Management Applications Management The Business The Technology
ITIL Service Delivery * Office of Government Commerce (OGC)
The Complete Service Continuity Lifecycle Phase 2 Requirements and Strategy Implementation Organization and Implementation Planning Implement Stand-by Requirements Develop Recovery Plans Implement Risk Reduction Measures Phase 3 Phase 4 Operational Management Develop Procedures Project Kickoff Initial Testing Review and Audit Testing Change Management Training Education and Awareness Assurance Business Impact Analysis (BIA) Risk Assessment Service Continuity Strategy Phase 1 Initiate
Where do YOU Start ? Requirements and Strategy Business Impact Analysis (BIA) Risk Assessment Service Continuity Strategy Define Your Requirements Define How To Achieve Them
Where do YOU start?
A simple analogy:
If your home was on fire, in what order would you begin to remove the following items from harms way?
Big Screen TV;
Lock box with identification and bank information;
Mr. Squiggles the Hamster;
The complete box set of the “I Love Lucy” show;
How do YOU organize this?
You walk through your house and create an inventory of your personal items;
You think through the possible disaster scenarios (e.g. fire, flood, wind damage, security breach, etc.); that could occur and define their likelihood of occurrence (e.g. flood threat is high, located next to a river.);
You prioritize, rationalize and assign a criticality to your items;
You think through reasonable solutions based on the criticality and the recovery time requirements of each individual item;
You identify the elements and the associated costs required to implement these solutions.
What do YOU get? An Actionable Plan
Your County Context
Administration files and records;
Human Resources and Payroll Systems;
Internet Accessible and Electronic Commerce Systems ;
Local and Wide Area Networks.
Requirements and Strategy: Business Impact Analysis
Business Impact Analysis:
This is a key driver for identifying how much the organization stands to lose as a result of a disaster or other service disruption. The BIA identifies:
Critical Business Processes and the levels of integration between them;
The form that the damage or loss may take including lost income, additional costs, damaged reputation, etc.;
The degree of damage or loss as time progresses;
Staffing, skills, facilities and services required to enable critical and essential business processes to continue;
The time within which minimum and maximum levels of services should be recovered;
The time within which all required business processes should be fully recovered.
These inputs allow for a mapping of critical service, application and infrastructure components to critical business processes.
Requirements and Strategy: Risk Assessment
Understanding the likelihood that a disaster or other service disruption will actually occur. The Risk Assessment identifies:
Risks to particular services or processes;
Threat and vulnerability levels (e.g. motivation, available resources, single points of failure);
Levels of risk;
Initial risk reduction measures.
Failure to assess all relevant risks leaves the organization open to possible disruptions;
These inputs allow for a foundational understanding of risks and potential risk reduction measures across the entire infrastructure.
Requirements and Strategy: Service Continuity Strategy
Service Continuity Strategy
Defining the appropriate risk reduction measures and continuity of operations plan:
Address availability management options including the elimination of single points of failure;
Considerations around outsourcing services to more than one provider;
Greater security controls;
Appropriate backup and recovery tools and methodologies;
Further defined recovery options:
The plan provides for a balance between the cost of risk reduction measures and recovery options.
Business Impact Analysis Document
Documents the mission critical processes that are supported by the current Information Systems, the level of disruption experienced in the event of a disaster and the overall recovery time requirements. These elements assist in defining the appropriate strategies for system recovery and resumption purposes. In addition, this document will identify the threats, risks and likelihood of a serious disruption to services.
This model provides the organization with a graphical representation of the identified threats and vulnerabilities including the likelihood of occurrence. This assists in obtaining “buy in” from the organization in terms of setting priority and criticality to affected systems as well as the priority of remediation activities.
Service Continuity Plan
The Service Continuity Plan defines the most appropriate methods of service recovery options and risk reduction measures. In addition, cost estimates, levels of efforts, and defined roles and responsibilities to execute are defined to implement the appropriate solutions.
Service Continuity Kick Start Templates
Business Impact Analysis approach for future assessments;
Systems documentation template;
Crash kit contents;
Communication Plans (notification procedures);
Roles and responsibilities template;
Risk Analysis approach.
Key Activities Business Impact Analysis (BIA) Risk Assessment Service Continuity Strategy
High Level overall ITIL and ISO 17799 assessments;
Execute Systems Inventory;
Interviews with Key IT Personnel; Application Owners and Business Administrators;
Document findings, requirements.
Project Kick Off
Review project scope, work plan and charter;
Identify key personnel, roles and responsibilities.
Develop Risk Model;
Facilitated risk review meeting with Organization Stakeholders;
Develop preliminary list of risk reduction measures.
Develop risk reduction and recovery options for appropriate systems or IT processes;
Review strategy with Organization Stakeholders;
Review appropriate “Kick Start” templates with Organization IT personnel.
Sample Tools Outage Impacts and Allowable Outage Times Recovery Priority Business Impact Analysis Components
Sample Tools Impact Time 1 day 2 days 1 week 2 days 1 Month Very High High Medium Low Very Low Email Impact by length of disruption Graph Vulnerability Threat High Medium Low High Medium Low Risk Measurement Table Risk weighting and prioritization based on threats and likelihood of occurrence Business Impact Analysis Components ERP Line of Business Web Site Custom SQL e Commerce
Sample Tools Business Impact Analysis Components
Sample Tools Service Continuity Strategy Components
Typical Supporting Materials and Tools
The following documentation and / or materials are being requested in advance to the start of the engagement:
Organizational roles and responsibilities;
Risk management plans;
Policies, procedures, standards, and guidelines;
General network and system documentation;
System inventories by network segment including criticality;