IT Service Continuity Management Tutorial

4.1 IT Service Continuity Management

Welcome to learning unit 4 on the IT Service Continuity Management process. Let us look at the agenda in the next slide.

4.2 IT Service Continuity Management

Here we will discuss the purpose, objectives, scope, activities, key concepts, triggers, inputs and outputs, challenges, risks, CSFs and KPIs of the IT Service Continuity Management process. Let’s start with the purpose and objectives in the next slide.

4.3 IT Service Continuity Management - Purpose and Objectives

The purpose of the IT service continuity management (ITSCM) process is to support the overall business continuity management (BCM) process by ensuring that, by managing the risks that could seriously affect IT services, the IT service provider can always provide minimum agreed business continuity-related service levels. In support of and alignment with the BCM process, ITSCM uses formal risk assessment and management techniques to:
• Reduce risks to IT services to agreed acceptable levels
• Plan and prepare for the recovery of IT services.

ITSCM is a very important process in the service lifecycle. It is of such importance that a specific standard has been defined for it: BSI 25999.

The objectives of ITSCM are to:
• Produce and maintain a set of IT service continuity plans that support the overall business continuity plans of the organization
• Complete regular business impact analysis (BIA) exercises to ensure that all continuity plans are maintained in line with changing business impacts and requirements
• Conduct regular risk assessment and management exercises to manage IT services within an agreed level of business risk, in conjunction with the business and the availability management and information security management processes
• Provide advice and guidance to all other areas of the business and IT on all continuity-related issues
• Ensure that appropriate continuity mechanisms are put in place to meet or exceed the agreed business continuity targets
• Assess the impact of all changes on the IT service continuity plans and supporting methods and procedures
• Ensure that proactive measures to improve the availability of services are implemented wherever it is cost-justifiable to do so
• Negotiate and agree contracts with suppliers for the provision of the necessary recovery capability to support all continuity plans, in conjunction with the supplier management process.

Let us look at the scope of this process in the next slide.

4.4 IT Service Continuity Management - Scope

ITSCM focuses on those events that the business considers significant enough to be treated as a ‘disaster’. Less significant events will be dealt with as part of the incident management process. What constitutes a disaster will vary from organization to organization. The impact of a loss of a business process, such as financial loss, damage to reputation or regulatory breach, is measured through a BIA exercise, which determines the minimum critical requirements. The specific IT technical and service requirements are supported by ITSCM.

The scope of ITSCM within an organization is determined by the organizational structure, culture and strategic direction (both business and technology) in terms of the services provided and how these develop and change over time. ITSCM primarily considers the IT assets and configurations that support the business processes. If (following a disaster) it is necessary to relocate to an alternative working location, provision will also be required for items such as office and personnel accommodation, copies of critical paper records, courier services and telephone facilities to communicate with customers and third parties. The scope will need to take into account the number and location of the organization’s offices and the services performed in each.

ITSCM does not usually directly cover longer-term risks such as those from changes in business direction, diversification, restructuring, major competitor failure, and so on. While these risks can have a significant impact on IT service elements and their continuity mechanisms, there is usually time to identify and evaluate the risk and include risk mitigation through changes or shifts in business and IT strategies, thereby becoming part of the overall business and IT change management programme.

Similarly, ITSCM does not usually cover minor technical faults (for example, non-critical disk failure), unless there is a possibility that they could have a major impact on the business. These risks would be expected to be covered mainly through the service desk and the incident management process, or resolved through the planning associated with the processes of availability management, problem management, change management, service asset and configuration management and ‘business as usual’ operational management.

So far, we have looked at the purpose, objectives and scope of ITSCM. Let us now look at the value of ITSCM to the business.

4.5 IT Service Continuity Management - Value to the Business

ITSCM plays an invaluable role in supporting the Business Continuity Planning process. In many organizations, ITSCM is used to raise awareness of continuity and recovery requirements and is often used to justify and implement a Business Continuity Planning process and Business Continuity Plans. ITSCM should be driven by business risk as identified by Business Continuity Planning, and it ensures that the recovery arrangements for IT services are aligned to identified business impacts, risks and needs. Let’s look at the policies of this process in the next slide.

4.6 IT Service Continuity Management - Policies

Policies are nothing but a set of rules. The scope defines the boundary of the process, while the policies define the rules you need to abide by when implementing the process. Let us discuss the different policies of ITSCM.

A lifecycle approach should be adopted to the setup and operation of an ITSCM process. ITSCM is a cyclic process through the lifecycle to ensure that once service continuity plans have been developed they are kept aligned with business continuity plans and business priorities. ITSCM should only be involved in these lifecycle stages to support the BCM activities and to understand the relationship between the business processes and the impacts caused on them by loss of IT service.

As a result of these initial BIA and risk assessment activities, BCM should produce a business continuity strategy, and the first real ITSCM task is to produce an ITSCM strategy that underpins the BCM strategy and its needs. The business continuity strategy should principally focus on business processes and associated issues (e.g. business process continuity, staff continuity, buildings continuity). Once the business continuity strategy has been produced, and the role that IT services have to fulfil within the strategy has been determined, an ITSCM strategy can be produced that supports and enables the business continuity strategy. This ensures that cost-effective decisions can be made, considering all the ‘resources’ needed to deliver a business process. Failure to do this tends to encourage ITSCM options that are faster, more elaborate and more expensive than actually needed.

The activities to be considered during initiation depend on the extent to which continuity facilities have been applied within the organization. Some parts of the business may have established individual business continuity plans based around manual workarounds, and IT may have developed continuity plans for systems perceived to be critical. This is good input to the process. However, effective ITSCM depends on supporting vital business functions. The only way of implementing effective ITSCM is through the identification of critical business processes and the analysis and coordination of the required technology and supporting IT services.

This situation may be even more complicated in outsourcing situations where an ITSCM process within an external service provider or outsourcer organization has to meet the needs not only of the customer BCM process and strategy, but also of the outsourcer’s own BCM process and strategy. These needs may be in conflict with one another, or may conflict with the BCM needs of one or the other outsourcing organization’s customers.

However, in many organizations BCM is absent or has very little focus, and often ITSCM is required to fulfil many of the requirements and activities of BCM. Where a BCM process is established with business continuity strategies and plans in place, these documents should provide the focus and drive for establishing ITSCM. In the next slide we will discuss the ITSCM lifecycle with the help of a diagram.

4.7 IT Service Continuity Management - Lifecycle

As mentioned in the policies in the previous slide, a lifecycle approach should be adopted to the setup and operation of an ITSCM process. Let’s understand this with the figure on the slide. The figure depicts the lifecycle of ITSCM, from initiation through to continual assurance that the protection provided by the plan is current and reflects all changes to services and service levels. ITSCM is a cyclic process through the lifecycle to ensure that once service continuity plans have been developed they are kept aligned with business continuity plans and business priorities. This figure also shows the role that BCM plays within the ITSCM process. Details of these activities are discussed in the subsequent slides.

4.8 IT Service Continuity Management - Activities 1 of 11

Let us understand the different phases of the ITSCM lifecycle one by one. Over the following 11 slides we will discuss the different activities of the ITSCM lifecycle. The first stage is Initiation.

Stage 1 – Initiation

The initiation process covers the whole of the organization and consists of the following activities.

The first is policy setting. The policy should be established and communicated as soon as possible so that all members of the organization involved in, or affected by, business continuity issues are aware of their responsibilities to comply with and support ITSCM. As a minimum, the policy should set out management intention and objectives.

The second activity is to define the scope and specify terms of reference. This includes defining the scope and responsibilities of all staff in the organization. It covers tasks such as undertaking a risk assessment and business impact analysis and determination of the command and control structure required to support a business interruption. There is also a need to take into account such issues as outstanding audit points, regulatory or client requirements and insurance organization stipulations, and compliance with standards such as ISO/IEC 27001, the standard on information security management, which also addresses service continuity requirements.

The initiation of formal IT service continuity management is best organized into a project. The project can be used to bring ITSCM to the ‘ongoing operation’ stage, and setting up the project leads to the subsequent activities.

Allocating resources is the third activity. The establishment of an effective business continuity environment requires considerable resource in terms of both money and personnel. Depending on the maturity of the organization with respect to ITSCM, there may be a requirement to familiarize and/or train staff to accomplish stage 2 tasks. Alternatively, the use of experienced external consultants may assist in completing the analysis more quickly. However, it is important that the organization can then maintain the process going forward without the need to rely totally on external support.

The next activity is defining the project organization and control structure. ITSCM and BCM projects are potentially complex and need to be well organized and controlled. It is strongly advisable to use a recognized standard project planning methodology such as Projects IN Controlled Environments (PRINCE2) or Project Management Body of Knowledge (PMBOK).

The last activity is agreeing project and quality plans. Plans enable the project to be controlled and variances addressed. Quality plans ensure that the deliverables are achieved and to an acceptable level of quality. They also provide a mechanism for communicating project resource requirements and deliverables, thereby obtaining ‘buy-in’ from all necessary parties.

Let us look at the second phase of the lifecycle in the next slide.

4.9 IT Service Continuity Management - Activities 2 of 11

This slide talks about the second phase of the lifecycle, which is Stage 2 – Requirements and strategy.

Ascertaining the business requirements for IT service continuity is a critical component in order to determine how well an organization will survive a business interruption or disaster and the costs that will be incurred. If the requirements analysis is incorrect, or key information has been missed, this could have serious consequences on the effectiveness of ITSCM mechanisms. This stage can effectively be split into two sections:
• Requirements: performing the BIA and risk assessment
• Strategy: following the requirements analysis, the strategy should document how the risks will be managed through risk reduction measures and recovery options required to support the business.

Requirements – business impact analysis

The purpose of a BIA is to quantify the impact to the business that loss of service would have. This impact could be a ‘hard’ impact that can be precisely identified – such as financial loss – or a ‘soft’ impact – such as public relations, morale, health and safety or loss of competitive advantage. The BIA will identify the most important services to the organization and will therefore be a key input to the strategy.

The BIA identifies:
• The form that the damage or loss may take – for example:
    • Lost income
    • Additional costs
    • Damaged reputation
    • Loss of goodwill
    • Loss of competitive advantage
    • Breach of law, health and safety regulations
    • Risk to personal safety
    • Immediate and long-term loss of market share
    • Political, corporate or personal embarrassment
    • Loss of operational capability, for example, in a command and control environment
• How the degree of damage or loss is likely to escalate after a service disruption, and the times of the day, week, month or year when disruption will be most severe
• The staffing, skills, facilities and services (including the IT services) necessary to enable critical and essential business processes to continue operating at a minimum acceptable level
• The time within which minimum levels of staffing, facilities and services should be recovered
• The time within which all required business processes and supporting staff, facilities and services should be fully recovered
• The relative business recovery priority for each of the IT services.

One of the key outputs from a BIA exercise is a graph of the anticipated business impact caused by the loss of a business process or the loss of an IT service over time. This graph can then be used to drive the business and IT continuity strategies and plans. More preventive measures need to be adopted with regard to those processes and services with earlier and higher impacts, whereas greater emphasis should be placed on continuity and recovery measures for those where the impact is lower and takes longer to develop. A balanced approach of both measures should be adopted for those in between.

These items provide the drivers for the level of ITSCM mechanisms that need to be considered or deployed. Once presented with these options, the business may decide that lower levels of service or increased delays are more acceptable, based on a cost-benefit analysis, or it may be that comprehensive disaster prevention measures will need to be implemented. These assessments enable the mapping of critical service, application and technology components to critical business processes, thus helping to identify the ITSCM elements that need to be provided. The business requirements are ranked and the associated ITSCM elements confirmed and prioritized in terms of risk reduction and recovery planning. The results of the BIA, discussed earlier, are invaluable input to several areas of process design, including SLM, to understand the required service levels.

Let us now proceed to the third activity, known as Risk Analysis.

4.10 IT Service Continuity Management - Activities 3 of 11

In discussing risk assessment, let us look at the Management of Risk framework (M-O-R Framework).

The second driver in determining ITSCM requirements is the likelihood that a disaster or other serious service disruption will actually occur. This is an assessment of the level of threat and the extent to which an organization is vulnerable to that threat. Risk Analysis can also be used in assessing and reducing the chance of normal operational incidents and is a technique used by Availability Management to ensure the required availability and reliability levels can be maintained. Risk Analysis is also a key aspect of Information Security Management.

A standard methodology, such as the Management of Risk (M_o_R), should be used to assess and manage risks within an organization. The M_o_R framework is illustrated in the figure on the slide. The M_o_R approach is based around the framework shown in the figure, which consists of the following:
• M_o_R principles: these principles are essential for the development of good risk management practice and are derived from corporate governance principles.
• M_o_R approach: an organization’s approach to these principles needs to be agreed and defined within the following living documents:
    • Risk Management Policy
    • Process Guide
    • Plans
    • Risk registers
    • Issue Logs.
• M_o_R processes: the following four main steps describe the inputs, outputs and activities that ensure that risks are controlled:
    • Identify: the threats and opportunities within an activity that could impact the ability to reach its objective
    • Assess: the understanding of the net effect of the identified threats and opportunities associated with an activity when aggregated together
    • Plan: to prepare a specific management response that will reduce the threats and maximize the opportunities
    • Implement: the planned risk management actions, monitor their effectiveness and take corrective action where responses do not match expectations.
• Embedding and reviewing M_o_R: having put the principles, approach and processes in place, they need to be continually reviewed and improved to ensure they remain effective.
• Communication: having the appropriate communication activities in place to ensure that everyone is kept up-to-date with changes in threats, opportunities and any other aspects of risk management.

In the next slide we will discuss the ITSCM strategy.

4.11 IT Service Continuity Management - Activities 4 of 11

ITSCM Strategy is the fourth activity of the lifecycle. The results of the Business Impact Analysis and the Risk Analysis will enable appropriate Business and IT Service Continuity strategies to be produced in line with the business needs. The strategy will be an optimum balance of risk reduction and recovery or continuity options. This includes consideration of the relative service recovery priorities and the changes in relative service priority for the time of day, day of the week, and monthly and annual variations. For those services that the BIA has identified as having high impacts in the short term, efforts should be concentrated on preventative risk reduction methods – for example, through full resilience and fault tolerance – while an organization that has low short-term impacts would be better suited to comprehensive recovery options, as described in the following sections. The fifth activity of ITSCM is known as Risk assessment measures. Let’s understand this with the help of the diagram in the next slide.

4.12 IT Service Continuity Management - Activities 5 of 11

Most organizations will have to adopt a balanced approach where risk reduction and recovery are complementary and both are required. This entails reducing, as far as possible, the risks to the continued provision of the IT service and is usually achieved through Availability Management. However well planned, it is impossible to completely eliminate all risks – for example, a fire in a nearby building will probably result in damage, or at least denial of access, as a result of the implementation of a cordon. As a general rule, the invocation of a recovery capability should only be taken as a last resort. Ideally, an organization should assess all of the risks to reduce the potential requirement to recover the business, which is likely to include the IT services.

The risk reduction measures need to be implemented and should be instigated in conjunction with Availability Management, as many of these reduce the probability of failure affecting the availability of service. Typical risk reduction measures include:
• Installation of UPS and backup power to the computer
• Fault-tolerant systems for critical applications where even minimal downtime is unacceptable – for example, a banking system
• RAID arrays and disk mirroring for LAN servers to protect against data loss and to ensure continued availability of data
• Spare equipment/components to be used in the event of equipment or component failure – for example, a spare LAN server already configured with the standard configuration and available to replace a faulty server with minimum build and configuration time
• The elimination of SPOFs (pronounced as one word), such as single access network points or a single power supply into a building
• Resilient IT systems and networks
• Outsourcing services to more than one provider
• Greater physical and IT-based security controls
• Better controls to detect service disruptions, such as fire detection systems, coupled with suppression systems
• A comprehensive backup and recovery strategy, including off-site storage.

The above measures will not necessarily solve an ITSCM issue and remove the risk totally, but all or a combination of them may significantly reduce the risks associated with the way in which services are provided to the business. The next activity that we will look at is the ITSCM recovery options.

4.13 IT Service Continuity Management - Activities 6 of 11

An organization’s ITSCM strategy is a balance between the cost of risk reduction measures and recovery options to support the recovery of critical business processes within agreed timescales. The following is a list of the potential IT recovery options that need to be considered when developing the strategy.

Manual work-arounds

For certain types of services, manual work-arounds can be an effective interim measure for a limited time frame until the IT service is resumed. For instance, a Service Desk call logging service could survive for a limited time using paper forms linked to a laptop computer with a spreadsheet.

Reciprocal arrangements

In the past, reciprocal arrangements were typical contingency measures where agreements were put in place with another organization using similar technology. This is no longer effective or possible for most types of IT systems, but can still be used in specific cases – for example, setting up an agreement to share high-speed printing facilities. Reciprocal arrangements can also be used for the off-site storage of backups and other critical information.

Gradual recovery

This option (sometimes referred to as ‘cold standby’) includes the provision of empty accommodation, fully equipped with power, environmental controls and local network cabling infrastructure, telecommunications connections, and available in a disaster situation for an organization to install its own computer equipment. It does not include the actual computing equipment, so is not applicable for services requiring speedy recovery, as set-up time is required before recovery of services can begin. This recovery option is only recommended for services that can bear a delay of recovery time in days or weeks, not hours. Any non-critical service that can bear this type of delay should take into account the cost of this option versus the benefit to the business before determining if a gradual recovery option should be included in the ITSCM options for the organization.

Intermediate recovery

This option (sometimes referred to as ‘warm standby’) is selected by organizations that need to recover IT facilities within a predetermined time to prevent impacts to the business process. The predetermined time will have been agreed with the business during the BIA.

Fast recovery

This option (sometimes referred to as ‘hot standby’) provides for fast recovery and restoration of services and is sometimes provided as an extension to the intermediate recovery provided by a third-party recovery provider. Some organizations will provide their own facilities within the organization, but not on an alternative site to the one used for the normal operations. Others implement their own internal second locations on an alternative site to provide more resilient recovery.

In the next slide we will discuss implementation, which is the third stage of the ITSCM activities.

4.14 IT Service Continuity Management - Activities 7 of 11

Stage 3 – Implementation

Once the strategy has been approved, the IT Service Continuity Plans need to be produced in line with the Business Continuity Plans. ITSCM plans need to be developed to enable the necessary information for critical systems, services and facilities to either continue to be provided or to be reinstated within a period acceptable to the business. The following are the considerations:
• Location of and access to the plans
• Change and configuration management
• How to return to normal operation
• ITSCM section in the SLAs
• Relation to other BCM plans

Additionally, plans that will need to be integrated with the main BCP are:
• Emergency Response Plan: to interface to all emergency services and activities
• Damage Assessment Plan: containing details of damage assessment contacts, processes and plans
• Salvage Plan: containing information on salvage contacts, activities and processes
• Vital Records Plan: details of all vital records and information, together with their location, that are critical to the continued operation of the business
• Crisis Management and Public Relations Plan: the plans on the command and control of different crisis situations and management of the media and public relations
• Accommodation and Services Plan: detailing the management of accommodation, facilities and the services necessary for their continued operation
• Security Plan: showing how all aspects of security will be managed on all home sites and recovery sites
• Personnel Plan: containing details of how all personnel issues will be managed during a major incident
• Communication Plan: showing how all aspects of communication will be handled and managed with all relevant areas and parties involved during a major incident
• Finance and Administration Plan: containing details of alternative methods and processes for obtaining possible emergency authorization and access to essential funds during a major incident.

Finally, each critical business area is responsible for the development of a plan detailing the individuals who will be in the recovery teams and the tasks to be undertaken on invocation of recovery arrangements. The ITSCM plan must contain all the information needed to recover the IT systems, networks and telecommunications in a disaster situation once a decision to invoke has been made, and then to manage the business return to normal operation once the service disruption has been resolved. One of the most important inputs into the plan development is the results of the BIA.

Let us understand the next activity of ITSCM, organizational planning, in the next slide.

4.15 IT Service Continuity Management - Activities 8 of 11

During the disaster recovery process, the organizational structure will inevitably be different from normal operation and will be based around a structure consisting of executive, coordination and recovery groups. Let us understand what exactly they stand for:
• Executive: this will include senior management/executive board, with overall authority and control within the organization and responsible for crisis management and liaison with other departments, divisions, organizations, the media, regulators, emergency services etc.
• Coordination: typically one level below the executive group, this is responsible for coordinating the overall recovery effort within the organization.
• Recovery: a series of business and service recovery teams should represent the vital business functions and the services that need to be established to support these functions. Each team is responsible for executing the plans within its own areas and for liaison with staff, customers and third parties. Within IT, the recovery teams should be grouped by IT service and application. For example, the infrastructure team may have one or more people responsible for recovering external connections, voice services, local area networks etc. and the support teams may be split by platform, operating system or application. In addition, the recovery priorities for the service, application or its components identified during the BIA should be documented within the recovery plans and applied during their execution.

The ninth activity of the ITSCM process is Testing. Let us discuss this in detail in the next slide.

4.16 IT Service Continuity Management - Activities 9 of 11

Experience has shown that recovery plans that have not been fully tested do not work as intended, if at all. Testing is therefore a critical part of the overall ITSCM process and the only way of ensuring that the selected strategy, standby arrangements, logistics, business recovery plans and procedures will actually work in practice. The IT service provider is responsible for ensuring that the IT services can be recovered in the required timescales with the required functionality and the required performance following a disaster.

There are four basic types of tests that can be undertaken:
• Walk-through tests can be conducted when the plan has been produced simply by getting the relevant people together to see if the plan(s) at least work in a simulated way.
• Full tests should be conducted as soon as possible after the plan production and at regular intervals of at least annually thereafter. They should involve the business units to assist in proving the capability to recover the services appropriately. They should, as far as possible, replicate an actual invocation of all standby arrangements and should involve external parties if they are planned to be involved in an actual invocation. The tests must not only prove recovery of the IT services but also the recovery of the business processes. It is recommended that an independent observer records all the activities of the tests and the timings of the service recovery.
• Partial tests can also be undertaken where recovery of certain elements of the overall plan is tested, such as single services or servers. These types of tests should be in addition to the full test, not instead of the full test. The full test is the best way of testing that all services can be recovered in required timescales and can run together on the recovery systems.
• Scenario tests can be used to test reactions and plans to specific conditions, events and scenarios. They can include testing that BCPs and IT Service Continuity Plans interface with each other, as well as interfacing with all other plans involved in the handling and management of a major incident.

Let’s look at Stage 4 of ITSCM, which is the tenth activity, in the next slide.

4.17 IT Service Continuity Management - Activities 10 of 11

Stage 4 – Ongoing operation

This stage consists of the following:

• Education, awareness and training – this should cover the organization and, in particular, the IT organization, for service continuity-specific items. This ensures that all staff are aware of the implications of business continuity and of service continuity and consider these as part of their normal working, and that everyone involved in the plan has been trained in how to implement their actions.
• Review – regular review of all of the deliverables from the ITSCM process needs to be undertaken to ensure that they remain current.
• Testing – following the initial testing, it is necessary to establish a programme of regular testing to ensure that the critical components of the strategy are tested, preferably at least annually, although testing of IT Service Continuity Plans should be arranged in line with business needs and the needs of the BCPs. All plans should also be tested after every major business change. It is important that any changes to the IT technology are also included in the strategy, implemented in an appropriate fashion and tested to ensure that they function correctly within the overall provision of the IT following a disaster. The backup and recovery of IT services should also be monitored and tested to ensure that when they are needed during a major incident, they will operate as needed.
• Change Management – the Change Management process should ensure that all changes are assessed for their potential impact on the ITSCM plans. If the planned change will invalidate the plans, then the plan must be updated before the change is implemented, and it should be tested as part of the change testing.

The last activity of the ITSCM process is Invocation. Let us discuss it in the next slide.

4.18 IT Service Continuity Management - Activities 11 of 11

Invocation is a key component of the plans, which must include the invocation process and guidance. It should be remembered that the decision to invoke, especially if a third-party recovery facility is to be used, should not be taken lightly. Costs will be involved and the process will involve disruption to the business. This decision is typically made by a ‘crisis management’ team, comprising senior managers from the business and support departments (including IT), using information gathered through damage assessment and other sources.

A disruption could occur at any time of the day or night, so it is essential that guidance on the invocation process is readily available. Plans must be available to key staff in the office and away from the office. The decision to invoke must be made quickly, as there may be a lead-time involved in establishing facilities at a recovery site. In the case of a serious building fire, the decision may be fairly easy to make. However, in the case of power failure or hardware fault, where a resolution is expected within a short period, a deadline should be set by which time, if the incident has not been resolved, invocation will take place. If using external service providers, they should be warned immediately if there is a chance that invocation might take place.

The decision to invoke must take into account the:

• Extent of the damage and scope of the potential invocation
• Likely length of the disruption and unavailability of premises and/or services
• Time of day/month/year and the potential business impact. At year-end, the need to invoke may be more pressing, to ensure that year-end processing is completed on time.

So far, we have discussed the stages and activities involved in the ITSCM process.

4.19 Exercise - 2

Here is a scenario: Given XYZ’s growth strategy, you have been asked to deliver a presentation to the CIO and board, who are considering implementing IT Service Continuity Management to streamline the service delivery effectively and efficiently. Your presentation will need to include:

• A brief description of IT Service Continuity Management
• What are the purpose and objectives of IT Service Continuity Management?
• What are the key activities performed throughout the process?
• Highlight the key benefits that will be delivered to the business.

Answer the above questions by referring to the information covered in this learning unit.

4.20 IT Service Continuity Management - Triggers

Many events may trigger ITSCM activity. These include:

• New or changed business needs, or new or changed services
• New or changed targets within agreements, such as SLRs, SLAs, OLAs or contracts
• Occurrence of a major incident that requires assessment for potential invocation of either Business or IT Continuity Plans
• Periodic activities such as the BIA or Risk Analysis activities, maintenance of Continuity Plans or other reviewing, revising or reporting activities
• Assessment of changes and attendance at Change Advisory Board meetings
• Review and revision of business and IT plans and strategies
• Review and revision of designs and strategies
• Recognition or notification of a change of risk or impact of a business process or VBF, an IT service or component
• Initiation of tests of continuity and recovery plans.

As with any other process, let’s look at the interfaces of ITSCM in the next slide.

4.21 IT Service Continuity Management - Interfaces

Integration and interfaces exist from ITSCM to all other processes. Important examples are as follows:

• Change Management – all changes need to be considered for their impact on the continuity plans, and if amendments are required to the plan, updates to the plan need to be part of the change. The plan itself must be under Change Management control.
• Incident and Problem Management – incidents can easily evolve into major incidents or disasters. Clear criteria need to be agreed and documented for the invocation of the ITSCM plans.
• Availability Management – undertaking Risk Analysis and implementing risk responses should be closely coordinated with the availability process to optimize risk mitigation.
• Service Level Management – recovery requirements will be agreed and documented in the SLAs. Different service levels could be agreed and documented that could be acceptable in a disaster situation.
• Capacity Management – ensuring that there are sufficient resources to enable recovery onto replacement computers following a disaster.
• Configuration Management – the CMS documents the components that make up the infrastructure and the relationship between the components. This information is invaluable for all the stages of the ITSCM lifecycle, the maintenance of plans and recovery facilities.
• Information Security Management – a very close relationship exists between ITSCM and Information Security Management. A major security breach could be considered a disaster, so when conducting BIA and Risk Analysis, security will be a very important consideration.

Let us look at the inputs and outputs of ITSCM in the next slide.

4.22 IT Service Continuity Management - Inputs and Outputs

Let us first look at the inputs of the process, followed by the outputs. There are many sources of input required by the ITSCM process:

• Business information: from the organization’s business strategy, plans and financial plans, and information on their current and future requirements
• IT information: from the IT strategy and plans and current budgets
• A Business Continuity Strategy and a set of Business Continuity Plans
• Service information
• Financial information
• Change information
• CMS
• Business Continuity Management and Availability Management testing schedules
• IT Service Continuity Plans and test reports from suppliers and partners

The outputs of the ITSCM process are as follows:

• A revised ITSCM policy and strategy
• A set of ITSCM plans
• Business Impact Analysis exercises and reports
• Risk Analysis and Management reviews and reports
• An ITSCM testing schedule
• ITSCM test scenarios
• ITSCM test reports and reviews.

Moving ahead, in the next slide we will discuss the CSFs and KPIs of ITSCM.

4.23 IT Service Continuity Management - CSFs and KPIs

Let us look at the Critical Success Factors and their relevant KPIs. The first sample CSF is: “IT services are delivered and can be recovered to meet business objectives.” The KPIs of the CSF are:

• Regular audits of the ITSCM Plans to ensure that, at all times, the agreed recovery requirements of the business can be achieved
• All service recovery targets are agreed and documented in SLAs and are achievable within the ITSCM Plans
• Regular and comprehensive testing of ITSCM Plans
• Regular reviews are undertaken, at least annually, of the business and IT continuity plans with the business areas
• Negotiate and manage all necessary ITSCM contracts with third parties
• Overall reduction in the risk and impact of possible failure of IT services.

Let’s look at another sample CSF here: “Awareness throughout the organization of the plans.” The KPIs for this CSF are:

• Ensure awareness of business impact, needs and requirements throughout IT
• Ensure that all IT service areas and staff are prepared and able to respond to an invocation of the ITSCM Plans
• Regular communication of the ITSCM objectives and responsibilities within the appropriate business and IT service areas.

Let us discuss the challenges and risks of the ITSCM process in the next slide.

4.24 IT Service Continuity Management - Challenges and Risks

Firstly, let us look at the challenges. The challenges that the process comes across are:

• Providing appropriate plans where there is no BCM process
• Avoiding wasting money on ineffective and expensive IT solutions
• Business perception that continuity is an IT responsibility
• Alignment and integration with established BCM
• Maintaining the alignment

Let’s look at the risks now. They are:

• Lack of commitment
• Lack of appropriate information on plans and strategies
• Lack of resource and/or budget for the ITSCM process
• Too much focus on technology issues
• Risk analysis and management conducted in isolation
• ITSCM plans and information become out of date

Moving on, in the next slide we will discuss Information Management.

4.25 IT Service Continuity Management - Information Management

ITSCM needs to record all of the information necessary to maintain a comprehensive set of ITSCM plans. This information base should include:

• Information from the latest version of the BIA
• Comprehensive information on risk within a Risk Register, including risk assessment and risk responses
• The latest version of the BCM strategy and BCPs
• Details relating to all completed tests and a schedule of all planned tests
• Details of all ITSCM Plans and their contents
• Details of all other plans associated with ITSCM Plans
• Details of all existing recovery facilities, recovery suppliers and partners, recovery agreements and contracts, spare and alternative equipment
• Details of all backup and recovery processes, schedules, systems and media and their respective locations.

All the above information needs to be integrated and aligned with all BCM information and all the other information required by ITSCM. Interfaces with many other processes are required to ensure that this alignment is maintained. With this we come to the end of learning unit 4. Before we move on to Information Security Management, here is a quick summary of this learning unit.

4.26 IT Service Continuity Management - Summary

In this learning unit we have learnt about the purpose, objectives, scope and value to business of ITSCM. We also covered the activities involved in the ITSCM process, followed by the triggers, challenges, risks, inputs and outputs, CSFs and KPIs of this process. Before moving to the next learning unit, complete the quiz questions in the next section.
