Chapter 14: certifications
IT Framework standards
ITIL – Information Technology Infrastructure Library
ISO – International Organization for Standardization
COBIT – Control Objectives for Information and Related Technologies
CMMI – Capability Maturity Model Integration
Benefits of certification
Companies showcase their certifications to show customers and partners that their plans have been independently examined and tested
Certifications build confidence in the plan
Certification increases the value of the company
ITIL
The Information Technology Infrastructure Library was created by the UK government in the 1980s to bring order to its various IT operations
Eventually evolved into a broad body of knowledge
Emphasis on service management
ITIL certification is held by the individual who creates and implements the program, not by the organization or the plan itself
ITIL - SLA
ITIL is based on service-level agreements (SLAs)
SLAs govern IT support for everyday incident resolution
SLAs are periodically analyzed against measured performance
Periodic performance reports are issued to all parties
SLAs are updated based upon business needs
ITIL – Discipline Areas
Business Impact Analysis
Business Continuity Strategy
Specific recovery actions, written disaster recovery plan, proactive plan of business resilience, testing plan, training plan
Manager is appointed to lead the effort
Program remains active to keep plans current
ISO
The International Organization for Standardization publishes several relevant standards:
ISO 22300: Societal security – Terminology
ISO 22301: Societal security – Business continuity management systems – Requirements
ISO 22313: Societal security – Business continuity management systems – Guidance
ISO 22317: Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA)
ISO 22398: Societal security – Guidelines for exercises and testing
Clause 4: Company’s context
Clause 4 requires the company to understand the needs of all critical stakeholders
1. Review with legal advisor what is required to meet regulatory obligations
2. Ask the Board for their guidance for disaster recovery and business continuity planning
3. Review how the DR/BCP program fits with the company’s business strategies and goals
4. Talk to your customers to learn what they expect in a crisis
5. Talk to employees
Clause 5: Leadership
Examine top management involvement and whether the appropriate leadership support is provided at all levels
1. Issue appropriate company policies supporting the program
2. Provide the necessary resources for the program
3. Generate company-wide support
Clause 6: Planning
Expands the DR/BCP program scope into specific objectives
A well-written objective has measurable criteria
A project plan to create the DR/BCP is drafted
Clause 7: Support
Identifies the requirements for supporting the ongoing program
Ensure that the personnel tasked with supporting the various recovery plans understand their role and responsibilities
Ensure that people who run the program have the proper training
Create a documented and tested plan to communicate with significant stakeholders
Clause 8: Operations
Details the basic documents of the plan
A formal Business Impact Analysis (BIA) is conducted
A risk assessment is conducted on vital functions
Business continuity strategies are developed
A prewritten plan is drafted
Clause 9: Evaluation
Reviews the plan's performance against expectations; Key Performance Indicators (KPIs) are identified and measured
Common KPIs are:
Length of time to prepare the recovery site
Amount of time required to recover a vital system (the recovery time objective, RTO, is the target for this)
Amount of data lost between the last backup and the disaster (the recovery point objective, RPO, is the target for this)
Time required for DR/BCP team members to join the recovery effort
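The KPIs above, and the periodic SLA performance reports in the ITIL slides, are only useful if they are actually measured after each exercise or real event. The following is an added example, not from the lecture slides or from ISO 22301: it parses a constructed DR-exercise event log, computes the four Clause 9 KPIs as durations relative to the moment the disaster was declared, and compares each against an SLA target so the result can feed the performance report. The log format, event names, subject names and target values are assumptions made for this example.

```python
"""Evaluate DR/BCP exercise KPIs against SLA targets.

Added example, not part of the lecture slides. Parses a constructed
DR-exercise event log and computes the four Clause 9 KPIs, then compares
them with illustrative SLA targets so the result can feed the periodic
performance report ITIL expects. Log format, event names and target values
are assumptions made for this example.
"""
from datetime import datetime, timedelta

# Constructed exercise log: "<ISO-8601 timestamp> <event> <subject>".
EXERCISE_LOG = """\
2024-03-09T23:00:00 backup_completed payroll-db
2024-03-10T01:15:00 disaster_declared payroll-db
2024-03-10T01:22:00 member_joined alice
2024-03-10T01:35:00 member_joined bob
2024-03-10T01:40:00 member_joined carol
2024-03-10T03:10:00 site_ready dr-site-east
2024-03-10T05:30:00 system_restored payroll-db
"""

# Illustrative targets (assumed). recovery_time is the RTO, data_loss the RPO.
TARGETS = {
    "site_preparation": timedelta(hours=2),
    "recovery_time": timedelta(hours=4),
    "data_loss": timedelta(hours=1),
    "team_response": timedelta(minutes=30),
}


def parse_log(text):
    """Return a list of (timestamp, event, subject) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, subject = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), event, subject))
    return sorted(events)


def _first(events, name):
    """Timestamp of the first occurrence of an event, or ValueError if absent."""
    for ts, event, _ in events:
        if event == name:
            return ts
    raise ValueError(f"exercise log has no '{name}' event")


def compute_kpis(events):
    """Compute the four Clause 9 KPIs as timedeltas relative to the disaster."""
    disaster = _first(events, "disaster_declared")
    backups = [ts for ts, e, _ in events if e == "backup_completed" and ts <= disaster]
    joins = [ts for ts, e, _ in events if e == "member_joined"]
    if not backups:
        raise ValueError("no backup completed before the disaster: data loss is unbounded")
    if not joins:
        raise ValueError("no DR/BCP team member joined the recovery effort")
    return {
        "site_preparation": _first(events, "site_ready") - disaster,
        "recovery_time": _first(events, "system_restored") - disaster,
        "data_loss": disaster - max(backups),          # RPO actually achieved
        "team_response": max(joins) - disaster,         # slowest member to join
    }


def evaluate(kpis, targets):
    """Map each KPI to (measured, target, met) for the performance report."""
    return {k: (kpis[k], targets[k], kpis[k] <= targets[k]) for k in targets}


def report(text=EXERCISE_LOG, targets=TARGETS):
    """Print a one-line verdict per KPI and return the evaluated results."""
    results = evaluate(compute_kpis(parse_log(text)), targets)
    for name, (measured, target, met) in results.items():
        status = "OK" if met else "MISSED"
        print(f"{name:16} measured={measured} target={target} {status}")
    return results


if __name__ == "__main__":
    report()
```

With the constructed log, site preparation (1 h 55 min) and team response (25 min) meet their targets, while recovery time (4 h 15 min against a 4 h RTO) and data loss (2 h 15 min against a 1 h RPO) are missed; those two misses are exactly the findings that Clause 10 expects to drive the next improvement cycle. A log with no backup before the disaster is rejected rather than silently reported as zero data loss, since an unbounded RPO is the worst possible result, not a passing one.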
Clause 10: Improvement
Implement a continuous improvement program to enhance the recovery plan
Similar to the ITIL continual improvement program
Apply Lean/Six Sigma quality improvement approaches
Certifying your plan
The ISO 22301 standard is the basis for certifying an organization's DR/BCP.
Based on an examination of the program by an auditor from an accredited certification body (ISO itself publishes the standard but does not perform audits)
Certification audits can be expensive
Other actions:
Start a formal project to prepare
Standardize the DR/BCP documentation format
Document any findings from your internal audit
Fully inform the auditor of the scope
COBIT
Control Objectives for Information and Related Technologies (COBIT)
Provided by the Information Systems Audit and Control Association (ISACA)
Originally designed to audit data systems; evolved to include a set of controls and processes for governing IT systems
ISACA provides training and support for COBIT
CMMI
Capability Maturity Model Integration (CMMI)
Developed by the Software Engineering Institute at Carnegie Mellon University to improve software development
Expanded to provide a process improvement model for all aspects of an organization
Uses appraisals by third-party evaluators
Summary
Building a DR/BCP is a lot of work
Published standards assemble best practices into one document for comparison purposes
Find the right standard for your business