IT Service Continuity Management (ITSCM)

Unit 13

IT Service Continuity Management (ITSCM)

Content:

IT Service Continuity Management objectives and overview Responsibilities and obligations Some definitions Important aspects
Business impact Risk analysis Service recovery Continuity plan Continuity plan testing and review

Benefits, risks, costs Summary

ITSCM

Mission Statement
The mission for IT Service Continuity Management (ITSCM) is to support the overall Business
Continuity Management process by managing risks to ensure that IT services (including computer systems, networks, applications, telecommunications, technical support, and service desks) can be

recovered within required, agreed-to business timescales.

Goal of ITSCM: The goal for ITSCM is to support the overall Business Continuity Management process by ensuring that the required IT technical and services facilities, including: computer systems networks applications telecommunications technical support and Service Desk can be recovered within required, and agreed, business timescales.

ITSCM

Why ITSCM

In today's highly competitive and service-oriented business environment,

organizations are judged on their ability to continue to operate and provide a service at all times. ITSCM focus is to: - Increase dependence on IT services and business protection - Reduce cost and time effort for recovery - Ensure survival

Continuity planning is therefore essential. ITSCM ensures that a business is

capable of recovering substantial services and their access in the event of a disaster.

Many businesses do not survive the first year after an IT disaster!

4

ITSCM

Definitions: Business Continuity Management (BCS) and ITSCM

Business Continuity Management (BCM) is concerned with managing

risks to ensure that an organization can continue operating to at least a predetermined minimum level. The BCM process involves: Reducing the risk to an acceptable level Planning for recovery of business processes should a disruption to the business occur IT Service Continuity Management (ITSCM) is a part of the overall BCM process and is dependent on information derived from it. It focuses on the continuity of IT services to the business. Before it is implemented, the minimum business requirements must be determined.

ITSCM

Tasks

ITSCM

Taking requirements from BCM

Making, testing, improving, and maintaining a continuity plan Risk analysis and risk management

ITSCM

Continuity Management Process

Initiate BCM Business Impact Analysis Risk Assessment Business Continuity Strategy
Organizational and Implementation Planning Implement Standby Arrangements Develop Recovery Rules Develop Procedures Initial Testing Implement Risk Reduction Measures

Phase 1: Initiation Phase 2: Requirements and Strategy

Phase 3: Implementation

Education and Awareness Review and Audit Testing Change Management Training Assurance
7

Phase 4: Operational Management

ITSCM

Risk of events that can cause disaster

Event Theft Virus Hacking Hardware / Communication Environment Software Fire / Flood / Force Majeure Other Percent 36% 20% 16% 11% 7% 4% 3% 3%

Gartner Study 2001

ITSCM Some events that have caused problems

Below is a brief list of high-profile events that have caused significant problems to organizations over the years: Technical failure: London Stock Exchange (2000) Poison gas: Tokyo Underground System, Japan (March 1995) Power Loss: Auckland, New Zealand (December 1997)
in 2003 alone: US/Canada, Italy, Sweden/Denmark

Earthquake: Kobe, Japan (January, 1995), Los Angeles, USA (January 1994) Bombing :
World Trade Center, New York, USA (February 1993) Oklahoma City, Oklahoma, USA (April 1995) Docklands, London, England (February 1996) Bishopsgate, London, England (April 1993) Manchester, England (June 1996) World Trade Center, New York, USA (September 2001) Flood: Bangladesh (July 1996), Pakistan (August 1996), Germany/Poland (2002)

Web site denial of service attacks, such as Yahoo (2000), Microsoft (2003), SCO (2004)

ITSCM

Risk Analysis as part of BCM Requirements definition

Assets

Threats

Weaknesses

Risk analysis
Risk management

Risks

Countermeasures

Damage Reduction

Disaster Management

10

ITSCM

The continuity strategy involves the selection of recovery options

Manual workaround
Can be an effective interim measure but mostly not to be used for more complex business processes

Takeover by another organization with similar equipment (reciprocal)

Arrangement with a another organization using similar technology

Gradual recovery (cold standby)

Recovery of service about 72 hours
Provision of empty accommodation is foreseen New Installation

Intermediate recovery (warm standby)

Recovery of service about 24 hours Disaster Recovery center for data recovery only Immediate recovery (hot standby) For immediate restoration of service (seconds) Using internal, external, fixed, portable, mobile centers
11

ITSCM

Continuity Plan Invocation

The invocation is the ultimate test of BCM and ITSCM plans. The following should be known in case of emergency:
- Where the plans are located - The most important actions and points of decision - Contact information of the crisis management team

The plan should contain the following details:

- Where are the backup media? - Where are the essential documentations, procedures, PC images, and so on? - How should the technical staff be mobilized, and which staff? - Contacting and alerting external suppliers (hardware; software if required).

12

ITSCM

Test and Review

Testing of the continuity plan: Should be conducted every 6 to 12 months and after every case of disaster

Should be conducted under realistic conditions

Review of and changes to the continuity plan: Changes of the ITSCM plan due to change in the IT infrastructure Custom / Services / SLRs / Risks Dependencies / Assets / CIs / Personal Contracts / SLAs / Countermeasures / ALL critical and major changes should be approved by the Change Advisory Board (CAB)

13

ITSCM

Benefits and Costs

Benefits Costs

Potential lower insurance premiums Business relationship with the rest of

the enterprise is fostered because IT organization is forced to get a better understanding of the business

Cost of organization Cost of implementation Cost of HW to recover critical IT

services

Positive marketing of contingency

capabilities. Effective ITSCM allows organization to provide high service levels and thus win business

Contracts for offsite storage, recovery

centers, recovery systems

Cost of implementation of
backup/recovery strategy taking ITSCM into account

Organizational credibility is increased

towards customers, business partners, and stakeholders

Cost of testing recovery plans Cost of maintaining recovery plans

Competitive advantage over

organizations without it
14

ITSCM

Risks
Potential problem areas:

No senior management commitment during implementation or ongoing phase No personal resource for creating ITSCM plans Testing of continuity plans only realistic in the live environment

15

ITSCM

Summary

The mission of ITSCM is to support the Business Continuity Management process

by ensuring that the required IT technical and services facilities can be recovered within required and agreed timescales

The dependencies between business processes and technology are now so

intertwined that Contingency Planning (or Business Continuity Management, as it is now sometimes termed) incorporates both a business element (Business Continuity Management) and a technology element (IT Service Continuity Management).

Activities: risk analysis, continuity plan, review and test

16